getsentry / sentry-javascript

Official Sentry SDKs for JavaScript
https://sentry.io
MIT License

Code sign the Sentry lambda layer to use in code signed lambdas #12584

Open regexj-twinkl opened 1 week ago

regexj-twinkl commented 1 week ago

Problem Statement

In updating our Lambdas to make use of Lambda code signing, I've run into the issue that the Sentry Lambda layer is not signed and therefore cannot be used in a code-signed Lambda.

Please release a code-signed Lambda layer and, with it, the version_arn of the signing profile, so that we can use the Lambda layer in code-signed Lambdas.

Solution Brainstorm

See here for reference: https://aws.amazon.com/blogs/security/best-practices-and-advanced-patterns-for-lambda-code-signing/

In particular, the section on using Lambda layers in code-signed Lambdas shows that it is possible, as long as the layer is signed and the code signing config includes the publisher's signing profile version ARN in the allowed publishers:

```sh
# Allow both the layer publisher's and our own signing profile versions;
# "Enforce" rejects any deployment whose artifact is unsigned or signed by an unlisted profile.
aws lambda create-code-signing-config \
--description "Allow layers from publisher" \
--allowed-publishers SigningProfileVersionArns="<publisher-signing-profile-version-arn>,<consumer-signing-profile-version-arn>" \
--code-signing-policies "UntrustedArtifactOnDeployment"="Enforce"
```

In Terraform we would have something like this:

```hcl
# Our own signing profile, used to sign our function packages.
resource "aws_signer_signing_profile" "signing" {
  platform_id = "AWSLambda-SHA384-ECDSA"
}

resource "aws_lambda_code_signing_config" "signing" {
  allowed_publishers {
    # Both our profile version and the publisher's must be listed for
    # the layer to be accepted under an "Enforce" policy.
    signing_profile_version_arns = [
      aws_signer_signing_profile.signing.version_arn,
      <version_arn for the signing profile of the Sentry Lambda layer>
    ]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }

  depends_on = [aws_signer_signing_profile.signing]
}
```

On this page, where you share the ARN of the Lambda layer, it could also include the version_arn of the signing profile: https://docs.sentry.io/platforms/javascript/guides/aws-lambda/layer/
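To show how the config above is consumed, here is an added consumer-side Terraform example (not from the issue, not Sentry's or the sentry-javascript project's own code): it signs our own deployment package with the signing profile from the issue, then attaches the code signing config and the Sentry layer to a function. Values in `<...>` are placeholders, and `aws_signer_signing_profile.signing` and `aws_lambda_code_signing_config.signing` are assumed to be defined as in the issue.

```hcl
# Sign our own function package. Signer requires the source object to live
# in a versioned S3 bucket; the signed artifact is written under `prefix`.
resource "aws_signer_signing_job" "function" {
  profile_name = aws_signer_signing_profile.signing.name

  source {
    s3 {
      bucket  = "<deploy-bucket>"          # placeholder
      key     = "function.zip"             # placeholder
      version = "<s3-object-version-id>"   # placeholder
    }
  }

  destination {
    s3 {
      bucket = "<deploy-bucket>"           # placeholder
      prefix = "signed/"
    }
  }

  # Fail the apply instead of silently deploying an unsigned package.
  ignore_signing_job_failure = false
}

resource "aws_lambda_function" "app" {
  function_name = "app"
  role          = "<lambda-execution-role-arn>" # placeholder
  handler       = "index.handler"
  runtime       = "nodejs20.x"

  # Deploy the signed artifact produced by the signing job, not the raw zip.
  s3_bucket = aws_signer_signing_job.function.signed_object[0].s3[0].bucket
  s3_key    = aws_signer_signing_job.function.signed_object[0].s3[0].key

  # With policy "Enforce", Lambda rejects the deployment if the package or
  # any attached layer is unsigned or signed by a profile version that is
  # not in allowed_publishers.
  code_signing_config_arn = aws_lambda_code_signing_config.signing.arn

  # The Sentry layer ARN from the docs page. This only deploys once the layer
  # is signed and its signing profile version ARN is listed in the config.
  layers = ["<sentry-lambda-layer-arn>"] # placeholder
}
```

Until the Sentry layer is signed, `terraform apply` on this function fails at deployment time, which is the behaviour the issue describes.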

AbhiPrasad commented 1 week ago

This makes sense, but I don't think the team has bandwidth in the next couple months to tackle this with everything else going on, so going to backlog this. PRs are welcome if you'd like to help out in the meantime!