Ensure Code Signing is enabled for AWS Lambda functions

HIGH

Description

Code signing for AWS Lambda helps ensure that only trusted code runs in a Lambda function. When enabled, code signing checks every deployment and verifies that the package is signed by a trusted source.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the Lambda console.
  2. In the navigation pane under Additional resources, select Code signing configurations.
  3. Select Create configuration.
  4. For Description, enter a descriptive name for the configuration.
  5. Under Signing profiles, add up to 20 signing profiles to the configuration. For Signing profile version ARN, choose a profile version's Amazon Resource Name (ARN), or enter the ARN. To add an additional signing profile, choose Add signing profiles.
  6. Under Signature validation policy, choose Warn or Enforce.
  7. Select Create configuration.

In Terraform -

  1. In the aws_lambda_function resource, set the code_signing_config_arn field to the appropriate ARN.
  2. If no code signing configuration was created in the console, define an aws_lambda_code_signing_config resource (with the trusted signing profile version ARNs and a Warn or Enforce policy) and reference its arn from the function.
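Added example (not from the page or the Terraform provider docs) showing the Terraform remediation end to end: a signing profile, a code signing configuration that enforces signature validation, and a function that references it. The profile name, IAM role, S3 bucket and key are assumed placeholders; the object at that key is assumed to be a package already signed by the profile.

```hcl
# Signing profile that produces signatures Lambda will accept.
resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "example_lambda_" # assumed name
}

# Code signing configuration: only packages signed by the profile
# above are trusted; unsigned or mis-signed deployments are rejected.
resource "aws_lambda_code_signing_config" "enforced" {
  description = "Reject Lambda packages not signed by the trusted profile"

  allowed_publishers {
    signing_profile_version_arns = [
      aws_signer_signing_profile.lambda.version_arn,
    ]
  }

  policies {
    # "Warn" only logs a failed validation; "Enforce" blocks the deployment.
    untrusted_artifact_on_deployment = "Enforce"
  }
}

# Function that satisfies the policy via code_signing_config_arn.
resource "aws_lambda_function" "example" {
  function_name = "example-function"          # assumed
  role          = aws_iam_role.lambda.arn     # assumed existing role
  handler       = "index.handler"
  runtime       = "python3.12"

  # Assumed: signed package uploaded to S3 by the signing job.
  s3_bucket = "example-signed-artifacts-bucket"
  s3_key    = "function-signed.zip"

  code_signing_config_arn = aws_lambda_code_signing_config.enforced.arn
}
```

Leaving code_signing_config_arn unset (or setting the policy to "Warn") is what this rule flags, since either allows an untrusted package to run.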

References:
https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#code_signing_config_arn
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_code_signing_config

Policy Details

Rule Reference ID: AC_AWS_0616
CSP: AWS
Remediation Available: Yes
Resource Category: Serverless
Resource Type: Lambda

Frameworks