This project demonstrates how to implement AWS Lambda code signing using Terraform, creating an automated, end-to-end security framework that prevents unauthorized code execution while maintaining operational efficiency.
For a detailed walkthrough, see the accompanying blog post: Ensure Code Integrity for AWS Lambda Functions with Automated Code Signing Using Terraform.
In today's cloud-native landscape, ensuring the integrity and authenticity of serverless functions is critical for maintaining security and compliance. AWS Lambda code signing provides a robust security mechanism that guarantees only trusted, unmodified code executes in your Lambda functions. By implementing digital signatures, you can verify code integrity and authenticate the source.
This solution creates a comprehensive code signing pipeline that automatically signs Lambda deployment packages and enforces signature validation at runtime.
The architecture includes:
- AWS Signer: Creates signing profiles and jobs using the SHA384-ECDSA algorithm with a 135-month signature validity period
- Amazon S3: Stores original and signed Lambda code with versioning enabled
- AWS Lambda: Deployed with code signing enforcement in a VPC environment
- AWS KMS: Provides encryption for CloudWatch logs and SQS dead letter queue
- VPC Configuration: Isolates Lambda execution in private subnets with VPC endpoints for CloudWatch Logs and SQS
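To show how these components chain together, here is an added Terraform example (not the repository's own `lambda_signer.tf` or `lambda.tf`): the signing profile, a signing job over an unsigned package, a code signing configuration set to Enforce, and a function that deploys only the signed artifact. It assumes `aws_s3_bucket.code` (versioning enabled), `aws_s3_object.unsigned`, `aws_iam_role.lambda`, `var.name`, and the handler name and runtime are defined elsewhere.

```hcl
# Signing profile: Lambda platform, SHA384-ECDSA, 135-month validity.
resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "lambda_signing_" # profile names allow only [A-Za-z0-9_]
  signature_validity_period {
    value = 135
    type  = "MONTHS"
  }
}

# Signing job: signs one specific version of the unsigned zip (Signer needs a
# versioned source object) and writes the signed zip under "signed/".
resource "aws_signer_signing_job" "lambda" {
  profile_name = aws_signer_signing_profile.lambda.name
  source {
    s3 {
      bucket  = aws_s3_bucket.code.id
      key     = aws_s3_object.unsigned.key
      version = aws_s3_object.unsigned.version_id
    }
  }
  destination {
    s3 {
      bucket = aws_s3_bucket.code.id
      prefix = "signed/"
    }
  }
  ignore_signing_job_failure = false # fail the apply rather than deploy unsigned code
}

# Code signing config: only this profile version may publish; "Enforce" makes
# Lambda reject (not merely warn about) any other package at deploy time.
resource "aws_lambda_code_signing_config" "lambda" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

# The function deploys the signed artifact the job produced, never the
# original upload, and is bound to the signing config above.
resource "aws_lambda_function" "app" {
  function_name           = "${var.name}-signed-fn"
  role                    = aws_iam_role.lambda.arn  # assumed to be defined in iam_role.tf
  handler                 = "handler.lambda_handler" # assumed entry point in handler.py
  runtime                 = "python3.12"             # assumed runtime
  s3_bucket               = aws_signer_signing_job.lambda.signed_object[0].s3[0].bucket
  s3_key                  = aws_signer_signing_job.lambda.signed_object[0].s3[0].key
  code_signing_config_arn = aws_lambda_code_signing_config.lambda.arn
}
```

Because `s3_key` references the job's `signed_object` output, Terraform cannot create or update the function until signing has succeeded, so an unsigned package never reaches Lambda.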
| File | Description |
|---|---|
| lambda_signer.tf | AWS Signer signing profile, signing job, and code signing configuration |
| lambda.tf | Lambda function resource with code signing enforcement |
| storage.tf | S3 bucket with versioning for Lambda source code |
| kms.tf | KMS key and policy for CloudWatch and Lambda encryption |
| kms_storage.tf | KMS key for S3 bucket encryption |
| vpc.tf | VPC and private subnet configuration |
| vpc_endpoint.tf | VPC endpoints for CloudWatch Logs and SQS |
| security_group.tf | Security groups for Lambda and VPC endpoints |
| iam_role.tf | IAM roles and policies with least privilege access |
| cloudwatch.tf | CloudWatch log group with KMS encryption |
| sqs.tf | SQS dead letter queue for error handling |
| data.tf | Data sources (caller identity) and local values |
| variables.tf | Input variables with defaults |
| provider.tf | Terraform provider configuration |
| backend.tf | State management configuration |
| lambda_function/handler.py | Sample Lambda function code |
- Terraform >= 1.0
- AWS CLI configured with credentials that have necessary service permissions
- AWS account with appropriate permissions for AWS Signer, Lambda, S3, and VPC services
- Basic understanding of AWS Lambda, Terraform, and infrastructure as code concepts
- Clone the repository:

  ```bash
  git clone https://github.com/aws-samples/sample-aws-lambda-code-signing-terraform
  cd sample-aws-lambda-code-signing-terraform
  ```

- Review and modify variables in `variables.tf` as needed.
- Initialize Terraform:

  ```bash
  terraform init
  ```

- Plan the deployment:

  ```bash
  terraform plan
  ```

- Apply the configuration:

  ```bash
  terraform apply
  ```

After deployment completes, verify the setup:

- Verify the signing profile is active:

  ```bash
  aws signer list-signing-profiles --query "profiles[].{Name:profileName,Status:status}" --output table
  ```

- Confirm the signing job completed successfully:

  ```bash
  aws signer list-signing-jobs --status Succeeded --query "jobs[0].{JobId:jobId,Status:status,SignedObject:signedObject}" --output table
  ```

- Verify the Lambda function has code signing enforced:

  ```bash
  aws lambda get-function-code-signing-config --function-name <YOUR-FUNCTION-NAME> --query "{CodeSigningConfigArn:CodeSigningConfigArn}" --output table
  ```

Key variables you can customize:
| Variable | Description | Default |
|---|---|---|
| region | AWS region for deployment | us-east-2 |
| name | Application name prefix | app-7 |
| vpc_cidr | VPC CIDR block | 12.25.15.0/25 |
| subnet_cidr_private | Private subnet CIDR blocks | ["12.25.15.0/26", "12.25.15.64/26"] |
| retention_in_days | CloudWatch log group retention | 365 |
| deletion_window_in_days | KMS key deletion window | 7 |
- Code signing enforcement prevents execution of unsigned or tampered code
- KMS encryption for CloudWatch logs and SQS messaging
- VPC isolation with private subnets (no internet access)
- VPC endpoints for private connectivity to AWS services
- IAM roles with minimal required permissions
- S3 bucket versioning and encryption for artifact integrity
- X-Ray tracing enabled for monitoring and observability
- Automatic KMS key rotation enabled
To avoid incurring future charges, destroy the resources:

```bash
terraform destroy
```

This removes all resources including the Lambda function, S3 bucket, VPC components, KMS keys, signing profile, and code signing configuration.
If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome!
For detailed contribution guidelines, please see CONTRIBUTING.md.
Please note that this project is released with a Code of Conduct. By participating in this project you agree to abide by its terms.
This code is released under the MIT No Attribution License. See LICENSE.
