Profile Applicability:
- Level 1
Description:
AWS Lambda functions can be configured with code signing so that only deployment packages signed by a trusted publisher are accepted. The function is attached to a code signing configuration that lists the AWS Signer signing profiles it trusts and a policy for untrusted artifacts: Enforce rejects the deployment, Warn allows it and only records a warning. Lambda verifies the signature each time new code is deployed to the function, so the deployed code cannot be replaced by a tampered or unsigned package, which protects the integrity of the function.
Rationale:
Code signing provides an additional layer of security by letting you verify that the code deployed to a Lambda function comes from a trusted publisher and has not been altered since it was signed. Because the check is applied at deployment time, it also limits what an attacker with stolen deployment credentials or a compromised build pipeline can push: with the Enforce policy, unsigned or mis-signed packages are rejected before they can run. This mitigates the risk of introducing malicious code into your environment and supports compliance with security standards and frameworks such as SOC 2, HIPAA, and NIST.
Impact:
Pros:
Ensures code integrity by verifying the source and authenticity of Lambda function code.
Reduces the risk of deploying unauthorized or malicious code to Lambda functions.
Enhances compliance with industry regulations and internal security policies.
Cons:
Requires additional setup: an AWS Signer signing profile, a Lambda code signing configuration, and a signing step in every deployment pipeline that pushes code to the function.
With the Enforce policy, every deployment of unsigned code fails until the pipeline is updated; with the Warn policy, unsigned code is still deployed and only a warning is recorded, so Warn alone does not stop tampered code from running. AWS Signer manages the signing keys and certificates; the ongoing effort is in keeping the list of trusted signing profiles current and handling profile expiry and revocation.
Default Value:
By default, AWS Lambda does not have code signing enabled. A code signing configuration must be created and attached to each Lambda function; functions without one accept any deployment package.
Pre-requisites:
Access to AWS Management Console or AWS CLI with sufficient permissions to configure Lambda functions and code signing.
Knowledge of how to create and manage AWS Signer signing profiles and Lambda code signing configurations (AWS Signer manages the keys and certificates; you do not issue certificates yourself).
An S3 bucket with versioning enabled to hold the unsigned deployment package (AWS Signer reads its source from a versioned object) and a destination bucket or prefix for the signed package.
Remediation:
Test Plan:
Using AWS Console:
Verify Code Signing Is Attached and Enforced:
Open the function in the Lambda console, choose the Configuration tab and then Code signing, and confirm that a code signing configuration is listed and that its policy for untrusted artifacts is Enforce.
Deploy a package signed by the trusted signing profile and confirm that the deployment succeeds and the function runs without errors; then attempt to deploy an unsigned package and confirm that Lambda rejects the deployment.
Using AWS CLI:
Verify the Code Signing Configuration:
Confirm that a configuration is attached to the function with aws lambda get-function-code-signing-config (the response must contain a CodeSigningConfigArn), then confirm with aws lambda get-code-signing-config that the configuration's UntrustedArtifactOnDeployment policy is Enforce.
Invoke the Function After Deploying Signed Code:
aws lambda invoke --function-name <function-name> output.txt
Check the Deployment-Time Check, Not Invocation:
Signatures are verified when code is deployed, not when the function is invoked, so a successful invoke only shows that the signed package works. To confirm enforcement, call update-function-code with an unsigned package and verify that Lambda rejects it with CodeVerificationFailedException.
Implementation Plan:
Using AWS Console:
Log into the AWS Management Console and navigate to Lambda.
In AWS Signer, create a signing profile for the AWSLambda-SHA384-ECDSA platform.
In the Lambda console, under Additional resources, Code signing configurations, create a configuration that lists that signing profile as an allowed publisher and sets the untrusted artifact policy to Enforce.
Open the function, choose Configuration, then Code signing, and attach the configuration.
Sign each deployment package with the signing profile (a signing job in AWS Signer) and deploy only the signed package.
Test the function to ensure it operates as expected with the signed code.
Using AWS CLI:
Create a signing profile with aws signer put-signing-profile and note the profile version ARN it returns.
Create a code signing configuration with aws lambda create-code-signing-config, listing that profile version ARN as an allowed publisher and setting the policy UntrustedArtifactOnDeployment=Enforce.
Attach the configuration to the function with aws lambda put-function-code-signing-config (update-function-configuration has no code signing option).
Sign the deployment package with aws signer start-signing-job and deploy the signed object with aws lambda update-function-code; once the configuration is attached, unsigned packages are rejected.
Test the Lambda function after deploying the signed code.
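The CLI steps of the Implementation Plan above, together with the CLI checks from the Test Plan, as one script. This is an added example and is not code from the page or from AWS; the signing profile, bucket and configuration names are assumptions, and the script uses the CLI's default region and credentials.

```sh
#!/bin/sh
# Added example (not from the page): enable Lambda code signing end to end,
# then audit the region for functions that are not covered.
# Assumed, not from the page: the profile and bucket names below.
set -eu

PROFILE_NAME="${PROFILE_NAME:-lambda_release}"
SOURCE_BUCKET="${SOURCE_BUCKET:-example-lambda-src}"      # must have versioning on
SIGNED_BUCKET="${SIGNED_BUCKET:-example-lambda-signed}"

# Step 1: signing profile in AWS Signer (Signer owns the key and certificate).
# Prints the profile *version* ARN, which is what Lambda trusts.
create_signing_profile() {
  aws signer put-signing-profile \
    --profile-name "$PROFILE_NAME" \
    --platform-id AWSLambda-SHA384-ECDSA \
    --query profileVersionArn --output text
}

# Step 2: Lambda code signing configuration. Enforce (not Warn) makes an
# unsigned or wrongly signed package fail UpdateFunctionCode outright.
create_code_signing_config() {        # $1 = signing profile version ARN
  aws lambda create-code-signing-config \
    --description "Only artifacts signed by $PROFILE_NAME" \
    --allowed-publishers "SigningProfileVersionArns=$1" \
    --code-signing-policies UntrustedArtifactOnDeployment=Enforce \
    --query CodeSigningConfig.CodeSigningConfigArn --output text
}

# Step 3: attach the configuration to a function
# (update-function-configuration has no option for this).
attach_config() {                      # $1 = function name, $2 = config ARN
  aws lambda put-function-code-signing-config \
    --function-name "$1" --code-signing-config-arn "$2" >/dev/null
}

# Step 4: sign the package already uploaded to the versioned source bucket and
# deploy the signed copy that Signer writes to the destination bucket.
sign_and_deploy() {                    # $1 = function name, $2 = S3 key of zip
  version=$(aws s3api head-object --bucket "$SOURCE_BUCKET" --key "$2" \
              --query VersionId --output text)
  job=$(aws signer start-signing-job \
          --source "s3={bucketName=$SOURCE_BUCKET,key=$2,version=$version}" \
          --destination "s3={bucketName=$SIGNED_BUCKET,prefix=signed/}" \
          --profile-name "$PROFILE_NAME" --query jobId --output text)
  aws signer wait successful-signing-job --job-id "$job"
  signed_key=$(aws signer describe-signing-job --job-id "$job" \
                 --query signedObject.s3.key --output text)
  aws lambda update-function-code --function-name "$1" \
    --s3-bucket "$SIGNED_BUCKET" --s3-key "$signed_key" >/dev/null
}

# Pure helper for the audit: names in list $1 (all functions) that are missing
# from list $2 (functions attached to some configuration). Newline-separated;
# blank lines and duplicates are ignored.
unsigned_functions() {
  all=$(mktemp); covered=$(mktemp)
  printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$all"
  printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$covered"
  comm -23 "$all" "$covered"
  rm -f "$all" "$covered"
}

# Audit: every function should be attached to a configuration, and every
# configuration in use should be Enforce rather than Warn.
audit() {
  every=$(aws lambda list-functions --query 'Functions[].FunctionName' \
            --output text | tr '\t' '\n')
  attached=""
  for csc in $(aws lambda list-code-signing-configs \
                 --query 'CodeSigningConfigs[].CodeSigningConfigArn' --output text); do
    policy=$(aws lambda get-code-signing-config --code-signing-config-arn "$csc" \
      --query CodeSigningConfig.CodeSigningPolicies.UntrustedArtifactOnDeployment \
      --output text)
    [ "$policy" = "Enforce" ] || echo "WARN-only policy on $csc"
    names=$(aws lambda list-functions-by-code-signing-config \
              --code-signing-config-arn "$csc" --query 'FunctionArns[]' \
              --output text | tr '\t' '\n' | awk -F: '{ print $NF }')
    attached="$attached
$names"
  done
  unsigned_functions "$every" "$attached" | sed 's/^/NOT CODE-SIGNED: /'
}

case "${1:-}" in
  enable)   # usage: sh lambda_code_signing.sh enable <function-name> <s3-key>
    arn=$(create_signing_profile)
    csc=$(create_code_signing_config "$arn")
    attach_config "$2" "$csc"
    sign_and_deploy "$2" "$3" ;;
  audit) audit ;;   # usage: sh lambda_code_signing.sh audit
esac
```

The audit deliberately works from the configuration side (list-functions-by-code-signing-config) rather than calling get-function-code-signing-config once per function, which keeps the number of API calls proportional to the number of configurations, and it flags a Warn policy separately because a Warn configuration counts as attached but does not block unsigned deployments.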
Backout Plan:
Using AWS Console:
If issues arise after enabling code signing, open the function, choose Configuration, then Code signing, and remove the code signing configuration.
Revert the function code to the last known good package if an unsigned redeploy is needed. A less disruptive alternative is to edit the code signing configuration and change its policy from Enforce to Warn, which keeps the association in place but stops blocking deployments.
Test the Lambda function to ensure it continues to work without code signing.
Using AWS CLI:
To roll back code signing, detach the code signing configuration from the function (update-function-configuration has no code signing option, so it cannot be used for this):
aws lambda delete-function-code-signing-config --function-name <function-name>
If blocking deployments is the only problem, an alternative is to change the configuration's policy from Enforce to Warn with aws lambda update-code-signing-config, which keeps the association in place.
Test the Lambda function after rolling back the changes.