AWS Lambda Code Signing Config
This page shows how to write Terraform and CloudFormation for a Lambda Code Signing Config, and how to write them securely.
aws_lambda_code_signing_config (Terraform)
The Code Signing Config in Lambda can be configured in Terraform with the resource name aws_lambda_code_signing_config. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
```hcl
resource "aws_lambda_code_signing_config" "lambda_code_signing_config" {
  count       = var.enable_code_signing_config ? 1 : 0
  description = var.lambda_code_signing_config_description
  dynamic "allowed_publishers" {
```
```hcl
resource "aws_lambda_code_signing_config" "abc-signer-profile-config" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.abc-signer-profile.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
```
```hcl
resource "aws_lambda_code_signing_config" "example" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
```
Parameters
- arn: optional, computed - string
- config_id: optional, computed - string
- description: optional - string
- id: optional, computed - string
- last_modified: optional, computed - string
- allowed_publishers: list block
  - signing_profile_version_arns: required - set of string
- policies: list block
  - untrusted_artifact_on_deployment: required - string
Explanation in Terraform Registry
Provides a Lambda Code Signing Config resource. A code signing configuration defines a list of allowed signing profiles and the code-signing validation policy (the action to be taken if deployment validation checks fail). For information about Lambda code signing configurations and how to use them, see "Configuring code signing for Lambda functions" in the AWS Lambda documentation.
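The snippets above leave out the two ends of the chain: the signing profile the config trusts and the function the config is attached to. This added example (not from the Terraform Registry or from any of the GitHub sources above) wires all three together; the profile prefix, function name, IAM role and S3 locations are assumptions.

```hcl
# Signing profile: the only identity whose signatures Lambda will accept.
# "AWSLambda-SHA384-ECDSA" is the AWS-managed signing platform for Lambda.
resource "aws_signer_signing_profile" "release" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "release_" # assumed prefix
}

# Code signing config: trust exactly one profile version and reject,
# rather than merely warn about, unsigned or mis-signed artifacts.
resource "aws_lambda_code_signing_config" "enforced" {
  description = "Reject deployment packages not signed by the release profile"

  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.release.version_arn]
  }

  policies {
    # "Warn" deploys the artifact anyway and only records the failed check;
    # "Enforce" makes the code update fail, so unsigned code never runs.
    untrusted_artifact_on_deployment = "Enforce"
  }
}

# The config has no effect until a function references it.
resource "aws_lambda_function" "signed" {
  function_name = "signed-handler"        # assumed name
  role          = aws_iam_role.lambda.arn # assumed: role declared elsewhere
  handler       = "index.handler"
  runtime       = "python3.12"

  # Must be the signed package written by an AWS Signer signing job that
  # used the profile above (bucket and key assumed).
  s3_bucket = "example-signed-artifacts"
  s3_key    = "signed/handler.zip"

  code_signing_config_arn = aws_lambda_code_signing_config.enforced.arn
}
```

Rotating the signing profile produces a new version ARN, so the allowed_publishers list must be updated together with the profile or deployments will start failing under "Enforce".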
Tips: Best Practices for The Other AWS Lambda Resources
In addition to aws_lambda_code_signing_config, AWS Lambda has other resources that should be configured with security in mind. The following resource and precaution are examples.
aws_lambda_permission
Limit your Lambda function permission as much as possible.
When granting invoke permission, set `source_arn` wherever the ARN of the invoking resource can be specified, so that only that resource can invoke the function.
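The weak and the corrected form of the permission described above, as an added example (not code from the page's sources); the function and bucket it refers to are assumed to be declared elsewhere.

```hcl
data "aws_caller_identity" "current" {}

# Weak: the S3 service principal may invoke the function on behalf of any
# bucket whose owner knows the function ARN, including buckets in other
# accounts (a confused-deputy exposure).
resource "aws_lambda_permission" "too_broad" {
  statement_id  = "AllowAnyS3Bucket"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.handler.function_name # assumed function
  principal     = "s3.amazonaws.com"
}

# Corrected: only notifications from this one bucket, owned by this
# account, may invoke the function.
resource "aws_lambda_permission" "one_bucket_only" {
  statement_id   = "AllowUploadsBucket"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.handler.function_name
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.uploads.arn # assumed bucket
  source_account = data.aws_caller_identity.current.account_id
}
```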
AWS::Lambda::CodeSigningConfig (CloudFormation)
The CodeSigningConfig in Lambda can be configured in CloudFormation with the resource name AWS::Lambda::CodeSigningConfig. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
```yaml
Type: "AWS::Lambda::CodeSigningConfig"
Properties:
  Description: Smoke Turner Code Signing
  AllowedPublishers:
    SigningProfileVersionArns:
      - !GetAtt SigningProfile.ProfileVersionArn
```
```yaml
Type: "AWS::Lambda::CodeSigningConfig"
Properties:
  Description: OrganizationSetup Code Signing
  AllowedPublishers:
    SigningProfileVersionArns:
      - !Ref SigningProfileVersionArn
```
```yaml
Type: "AWS::Lambda::CodeSigningConfig"
Properties:
  Description: Smoke Turner Code Signing
  AllowedPublishers:
    SigningProfileVersionArns:
      - !Ref SigningProfileVersionArn
```
```json
"Type": "AWS::Lambda::CodeSigningConfig",
"Properties": {
  "CodeSigningPolicies": {
    "UntrustedArtifactOnDeployment": "Enforce"
  },
  "AllowedPublishers": {
```
```json
{ "LogicalResourceId": "MySignedFunctionCodeSigningConfig", "ResourceType": "AWS::Lambda::CodeSigningConfig" }
```
```json
"AWS::Lambda::CodeSigningConfig": {
  "Type": "AWS::Lambda::CodeSigningConfig",
  "Properties": {}
},
"AWS::RDS::DBSecurityGroup": {
  "Type": "AWS::RDS::DBSecurityGroup",
```
Parameters
- Description: optional - String
- AllowedPublishers: required - AllowedPublishers
- CodeSigningPolicies: optional - CodeSigningPolicies
Explanation in CloudFormation Registry
Details about a code signing configuration.
Frequently asked questions
What is AWS Lambda Code Signing Config?
AWS Lambda Code Signing Config is a resource for Lambda of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Lambda Code Signing Config?
For Terraform, the asrkata/SebastianUA-terraform, karl-cardenas-coding/aws-code-signing-example and SebastianUA/terraform source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the smoketurner/cf-organization-templates, gilyas/aws-control-tower-org-setup-sample and aws-samples/aws-control-tower-org-setup-sample source code examples are useful. See the CloudFormation Example section for further details.