AWS Signer のアイコン

AWS Signer Specialized2019年〜

A service that signs and verifies code to ensure only trusted code is deployed

About 2 min read

What It Does

AWS Signer cryptographically signs Lambda function deployment packages, IoT device firmware, container images, and other code to verify they haven't been tampered with. Signing profiles manage signature expiration and platform settings.

Use Cases

Tamper prevention through Lambda function code signing, firmware update verification for IoT devices, automated code signing in CI/CD pipelines, and implementing code signing for compliance requirements.

Everyday Analogy

Think of a notary public. A notary (Signer) stamps an official seal (signature) on important documents (code), certifying they haven't been altered. The recipient (Lambda) checks the seal before accepting the document.

What Is Signer?

AWS Signer is a managed code signing service. Combined with Lambda's code signing configuration, it can reject deployment of unsigned or tampered code. Signing keys are managed by AWS, eliminating the need for key storage and rotation operations.

Signing Profiles and Verification

Signing profiles define the platform (Lambda, IoT) and expiration period for signatures. Call the Signer API in your CI/CD pipeline to sign code, then enable signature verification in Lambda's code signing configuration. If code with an invalid signature is deployed, Lambda either warns or rejects the deployment. Signing job history is recorded in CloudTrail. For practical know-how on signing profiles and verification, technical books on Amazon are a helpful resource.

Getting Started

Create a signing profile in the Signer console, specifying the platform (Lambda) and expiration period. Create a code signing configuration in the Lambda console and associate it with the signing profile. Apply the code signing configuration to a Lambda function, and only signed code can be deployed.

Things to Watch Out For

  • Signer itself is free - there are no charges for signing jobs
  • Lambda code signing can be set to either 'warn' or 'enforce' for unsigned code deployments
共有するXB!

Related Services

AWS Lambda iconAWS LambdaA serverless compute service that runs code without server managementAWS IoT Core iconAWS IoT CoreA managed service for securely connecting IoT devices to the cloud and processing messagesAWS CodePipeline iconAWS CodePipelineA service for building and automating CI/CD pipelines from source to deploymentAWS KMS iconAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt data

Related Articles

Code Signing with AWS Signer - Ensuring Trust for Lambda Functions and Container ImagesApply code signing to Lambda functions and container images, enforce signature verification in CI/CD pipelines, and handle compromises through signature revocation.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

Code Signing with AWS Signer - Ensuring Trust for Lambda Functions and Container ImagesApply code signing to Lambda functions and container images, enforce signature verification in CI/CD pipelines, and handle compromises through signature revocation.How AWS Signature Version 4 (SigV4) Works - The Cryptographic Mechanics of API AuthenticationA cryptographic deep dive into the 4-step SigV4 signing process (canonical request creation, string-to-sign construction, signing key derivation, signature calculation) used for AWS API authentication, plus an overview of SigV4A and presigned URLs.Why AWS APIs Return XML - The Evolution from Query APIs to REST JSONExplore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.Domain Registration and DNS Migration with Amazon Route 53 - Registrar Transfers and Zone ConfigurationA comprehensive walkthrough covering domain registration, transfers from other registrars, public and private hosted zone design, and enabling DNSSEC.AWS Private Certificate AuthorityA managed certificate authority that issues and manages private certificates for internal organizational use