AWS Lambda Code Signing Config

This page shows how to write Terraform and CloudFormation for Lambda Code Signing Config and write them securely.

aws_lambda_code_signing_config (Terraform)

The Code Signing Config in Lambda can be configured in Terraform with the resource name aws_lambda_code_signing_config. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

lambda_code_signing_config.tf#L4
resource "aws_lambda_code_signing_config" "lambda_code_signing_config" {
  count = var.enable_code_signing_config ? 1 : 0

  description = var.lambda_code_signing_config_description

  dynamic "allowed_publishers" {
signer.tf#L10
resource "aws_lambda_code_signing_config" "abc-signer-profile-config" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.abc-signer-profile.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
main.tf#L10
resource "aws_lambda_code_signing_config" "example" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

Parameters

Explanation in Terraform Registry

Provides a Lambda Code Signing Config resource. A code signing configuration defines a list of allowed signing profiles and defines the code-signing validation policy (the action to be taken if deployment validation checks fail). For information about Lambda code signing configurations and how to use them, see the AWS documentation on configuring code signing for Lambda functions.
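As an added example (not code from this page or from the repositories it cites), the following Terraform wires together the three pieces that make code signing effective: a signing profile, a code signing config that rejects untrusted artifacts, and a function that actually references the config. The three variables are assumptions supplied by the caller.

```hcl
# Added example, not from the page. Assumptions: var.lambda_role_arn is an
# existing Lambda execution role; the S3 object at var.signed_artifact_key is
# the signed zip produced by an AWS Signer signing job for the profile below.
variable "lambda_role_arn" { type = string }
variable "signed_artifact_bucket" { type = string }
variable "signed_artifact_key" { type = string }

# The signing profile whose *version* ARN becomes the trusted publisher.
resource "aws_signer_signing_profile" "release" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "release_"
}

# "Warn" only records a warning (CloudWatch metric / CloudTrail) and still
# deploys an unsigned or mismatched artifact; "Enforce" rejects it.
resource "aws_lambda_code_signing_config" "enforced" {
  description = "Accept only artifacts signed by the release profile"

  allowed_publishers {
    # Pin the version ARN, not the profile ARN, so trusting a new profile
    # version requires an explicit change in Terraform.
    signing_profile_version_arns = [aws_signer_signing_profile.release.version_arn]
  }

  policies {
    untrusted_artifact_on_deployment = "Enforce" # the weak setting is "Warn"
  }
}

# A code signing config does nothing on its own: a function must reference it
# via code_signing_config_arn before Lambda validates deployments against it.
resource "aws_lambda_function" "signed" {
  function_name = "signed-example"
  role          = var.lambda_role_arn
  handler       = "index.handler"
  runtime       = "python3.12"

  # Deploy the signed zip written by the signing job to S3; Lambda checks the
  # signature embedded in it against the allowed publishers above.
  s3_bucket = var.signed_artifact_bucket
  s3_key    = var.signed_artifact_key

  code_signing_config_arn = aws_lambda_code_signing_config.enforced.arn
}
```

With this in place, an update that uploads an unsigned zip (or one signed by a different profile version) fails at deployment instead of silently running.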

Tips: Best Practices for The Other AWS Lambda Resources

In addition to aws_lambda_code_signing_config, AWS Lambda has other resources that should be configured with security in mind. Please check the examples of those resources and their precautions below.


aws_lambda_permission

Limit your Lambda function permissions as much as possible

To limit a Lambda function permission, set `source_arn` whenever the ARN of the invoking resource can be specified when granting the permission.

AWS::Lambda::CodeSigningConfig (CloudFormation)

The CodeSigningConfig in Lambda can be configured in CloudFormation with the resource name AWS::Lambda::CodeSigningConfig. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

shared.yml#L400
    Type: "AWS::Lambda::CodeSigningConfig"
    Properties:
      Description: Smoke Turner Code Signing
      AllowedPublishers:
        SigningProfileVersionArns:
          - !GetAtt SigningProfile.ProfileVersionArn
template.yml#L130
    Type: "AWS::Lambda::CodeSigningConfig"
    Properties:
      Description: OrganizationSetup Code Signing
      AllowedPublishers:
        SigningProfileVersionArns:
          - !Ref SigningProfileVersionArn
template.yml#L123
    Type: "AWS::Lambda::CodeSigningConfig"
    Properties:
      Description: OrganizationSetup Code Signing
      AllowedPublishers:
        SigningProfileVersionArns:
          - !Ref SigningProfileVersionArn
management.yml#L112
    Type: "AWS::Lambda::CodeSigningConfig"
    Properties:
      Description: Smoke Turner Code Signing
      AllowedPublishers:
        SigningProfileVersionArns:
          - !Ref SigningProfileVersionArn
function_with_signing_profile.json#L60
      "Type": "AWS::Lambda::CodeSigningConfig",
      "Properties": {
        "CodeSigningPolicies": {
          "UntrustedArtifactOnDeployment": "Enforce"
        },
        "AllowedPublishers": {
function_with_signing_profile.json#L5
  { "LogicalResourceId":"MySignedFunctionCodeSigningConfig", "ResourceType":"AWS::Lambda::CodeSigningConfig" }
template.json#L1223
    "AWS::Lambda::CodeSigningConfig": {
      "Type": "AWS::Lambda::CodeSigningConfig",
      "Properties": {}
    },
    "AWS::RDS::DBSecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",

Parameters

Explanation in CloudFormation Registry

Details about a Code signing configuration.

Frequently asked questions

What is AWS Lambda Code Signing Config?

AWS Lambda Code Signing Config is a resource for Lambda of Amazon Web Service. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Lambda Code Signing Config?

For Terraform, the asrkata/SebastianUA-terraform, karl-cardenas-coding/aws-code-signing-example and SebastianUA/terraform source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the smoketurner/cf-organization-templates, gilyas/aws-control-tower-org-setup-sample and aws-samples/aws-control-tower-org-setup-sample source code examples are useful. See the CloudFormation Example section for further details.