brefphp / bref

Serverless PHP on AWS Lambda
https://bref.sh
MIT License

Signing published bref layers #1199

Closed yhortuk closed 1 year ago

yhortuk commented 2 years ago

Expected:

I can set up a signing profile for improved security during app deployment and successfully deploy an application. https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/authoring-codesigning.html

Actual:

It fails or shows a warning during stack deployment, since the bref layer isn't part of a trusted signing profile.

Lambda layers follow the same signed code package format as function code packages. When you add a layer to a function that has code signing enabled, Lambda checks that the layer is signed by an allowed signing profile. When you enable code signing for a function, all layers that are added to the function must also be signed by one of the allowed signing profiles.

https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html#config-codesigning-valid

Possible solution:

Sign layers during publishing and share the AWS signing profile ARN so it can be added to the list of allowed signing profiles during deployment. https://aws.amazon.com/blogs/security/best-practices-and-advanced-patterns-for-lambda-code-signing/

mnapoli commented 2 years ago

Thanks for opening this, do you have more details on what we should do to implement this?

yhortuk commented 2 years ago

@mnapoli This article https://aws.amazon.com/blogs/security/best-practices-and-advanced-patterns-for-lambda-code-signing/ illustrates the process of sharing the signed layer (scroll to "Cross-account validation for Lambda layers").

From my understanding the following steps need to be done:

AWS Account:
1) Create a signing profile in AWS Signer
2) Create a versioned S3 bucket

Publish:
1) Upload layer code to the created S3 bucket
2) Execute a signing command to generate a signed zip
3) Publish the signed zip file as a new layer version

Docs:
1) In the layers section, add information about the signing procedure and share the ARN of the signing profile, so it can be referenced in deployments as a trusted signature.

P.S. I can try to apply a modification to the codebase to show the process, in case it would be useful; I'm not sure how well it aligns with the huge refactoring of layers in the pending pull request. Just let me know if I can help with anything on this matter.
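The publish and consume steps listed above, written out as AWS CLI calls. This is an added example, not Bref's own release tooling and not code from the thread: the profile, bucket, layer and function names are placeholders, `provided.al2` is assumed as the compatible runtime, and the `aws_cli` indirection exists only so the flow can be exercised against a stand-in CLI. Two details worth noticing: Signer needs an S3 object *version* as its source (hence the versioned bucket), and Lambda's code signing config trusts the signing profile *version* ARN returned by `put-signing-profile`, not the bare profile ARN.

```shell
#!/usr/bin/env bash
# Added example: publish a Lambda layer signed with AWS Signer, then create the
# consumer-side code signing config that trusts that publisher. Names used in
# the comments (bref_php81, bref-layer-bucket, bref-php-81) are placeholders.
set -eu

# Indirection over the AWS CLI; override AWS_CLI to dry-run or test the flow.
aws_cli() { "${AWS_CLI:-aws}" "$@"; }

# Step 1 (publisher account): signing profile on the Lambda signing platform.
# Prints the profile *version* ARN, which is what CodeSigningConfig expects.
# Profile names are alphanumeric/underscore only, e.g. bref_php81.
create_signing_profile() {
  local profile="$1"
  aws_cli signer put-signing-profile \
    --profile-name "$profile" \
    --platform-id AWSLambda-SHA384-ECDSA \
    --query profileVersionArn --output text
}

# Step 2 (publisher account): versioned bucket, because start-signing-job
# takes an object version as its source. Outside us-east-1 create-bucket also
# needs --create-bucket-configuration LocationConstraint=<region>.
create_versioned_bucket() {
  local bucket="$1"
  aws_cli s3api create-bucket --bucket "$bucket" >/dev/null
  aws_cli s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled
}

# Steps 3-5 (publish): upload the unsigned zip, run a signing job against that
# object version, wait for it, publish the signed object as a layer version.
# Prints the new LayerVersionArn.
publish_signed_layer() {
  local bucket="$1" profile="$2" layer="$3" zip="$4"
  local key version job
  key="unsigned/$(basename "$zip")"

  aws_cli s3 cp "$zip" "s3://$bucket/$key" >/dev/null
  version=$(aws_cli s3api head-object --bucket "$bucket" --key "$key" \
              --query VersionId --output text)

  job=$(aws_cli signer start-signing-job \
          --source "s3={bucketName=$bucket,key=$key,version=$version}" \
          --destination "s3={bucketName=$bucket,prefix=signed/}" \
          --profile-name "$profile" \
          --query jobId --output text)
  aws_cli signer wait successful-signing-job --job-id "$job"

  # Signer stores the signed package under <prefix><jobId>.zip.
  aws_cli lambda publish-layer-version \
    --layer-name "$layer" \
    --content "S3Bucket=$bucket,S3Key=signed/$job.zip" \
    --compatible-runtimes provided.al2 \
    --query LayerVersionArn --output text
}

# Consumer account: a code signing config that trusts only the publisher's
# profile version and rejects (Enforce, not Warn) unsigned or mismatched
# function code and layers. Prints the CodeSigningConfigArn.
create_code_signing_config() {
  local profile_version_arn="$1"
  aws_cli lambda create-code-signing-config \
    --allowed-publishers "SigningProfileVersionArns=$profile_version_arn" \
    --code-signing-policies UntrustedArtifactOnDeployment=Enforce \
    --query CodeSigningConfig.CodeSigningConfigArn --output text
}

# Consumer account: attach the config to a function; from then on every layer
# added to it must be signed by one of the allowed profile versions.
attach_code_signing_config() {
  local function_name="$1" csc_arn="$2"
  aws_cli lambda put-function-code-signing-config \
    --function-name "$function_name" --code-signing-config-arn "$csc_arn" >/dev/null
}
```

Source the file and drive it from the two accounts, e.g. `pv=$(create_signing_profile bref_php81)` and `publish_signed_layer bref-layer-bucket bref_php81 bref-php-81 php-81.zip` on the publishing side, then `attach_code_signing_config my-fn "$(create_code_signing_config "$pv")"` on the consuming side; the same trust can equally be declared in a SAM template via an `AWS::Lambda::CodeSigningConfig` resource and the function's `CodeSigningConfigArn`. The profile version ARN is the one value the publisher has to share, which is the documentation item proposed above.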

mnapoli commented 1 year ago

Given the complexity this seems to introduce, I don't have the bandwidth to implement that at the moment.

Contributions are welcome, but I'll mark this one as "not planned" for now. Thanks for the info though, we might revisit this later!