Signing a lambda code with AWS Signer if the lambda uses AppConfig Layer

1

Hi, I'd like to know if it's possible to sign the code of a Lambda function using AWS Signer if the Lambda uses the AppConfig layer. The AWS Signer documentation states that to sign a Lambda that integrates a layer, the layer itself must be signed and the CodeSigningConfig of the Lambda must allow the signature profile used to sign the layer. However, I can't see how to obtain the information about this signing profile! Thanks for your help. William

2 Answers
1

I'm not using the AppConfig layer, but the AWS Parameters And Secrets Lambda Extension which is also an AWS provided extension.

I searched around for a long time trying to find the code signing profile that AWS would use to sign the layer with no luck. Eventually I manually downloaded the layer to my computer using the AWS CLI and curl:

URL=$(aws lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:177933569100:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:11 --query Content.Location --output text) && curl "$URL" -o tempLayer.zip

After unzipping the layer, I noticed it was missing the META-INF folder that is added during signing. This means AWS didn't sign the layer. I just checked the AppConfig layer and it is unsigned too.

Ideally AWS would provide a signed version of the layers and the signing profile ARN, but they don't right now. So you have 2 options:

Option 1: Set your lambda's code signing config to warn on untrusted artifact deployment

  • I don't really like this option since it allows unsigned code to be deployed and issues a warning that it is. Then you have to monitor the warning or create an alarm. When you have multiple AWS accounts this becomes a pain and is likely to be missed, which makes having code signing pointless in my opinion.

Option 2: Download the layer and sign it yourself like the rest of your code

  • I think this is a better option, but does mean that you need to check for new versions of the layer from time to time.

I wrote a script in my package.json to download the layer to a location in my git repo, which might be helpful.

"downloadParametersAndSecretsLambdaExtension": "URL=$(aws lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:177933569100:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:11 --query Content.Location --output text) && curl \"$URL\" -o tempLayer.zip && unzip tempLayer.zip -d directory/location/for/layer/files && rm -f tempLayer.zip"

Paul
answered 7 months ago
EXPERT
reviewed a month ago
0

Yes, it's possible to sign the code of a Lambda function using AWS Signer even if the Lambda uses the AppConfig layer or any other layer. The key is to ensure that both the Lambda function and the layer are signed using compatible signing profiles.

Here's a step-by-step guide:

Sign the Layer:

  • Before you can sign a Lambda function that uses a layer, you must first sign the layer itself using AWS Signer.
  • Create a signing profile in AWS Signer. This profile will contain the necessary information about the signing platform and the signature algorithm.
  • Use AWS Signer to sign the layer using the created signing profile.

Obtain the Signing Profile ARN:

  • After creating the signing profile, you can obtain its ARN (Amazon Resource Name) from the AWS Signer console or using AWS CLI.
  • This ARN will be used to configure the CodeSigningConfig of the Lambda function.

Configure Lambda's CodeSigningConfig:

  • Create a CodeSigningConfig in AWS Lambda.
  • In the CodeSigningConfig, specify the ARN of the signing profile you used to sign the layer.
  • Ensure that the CodeSigningConfig allows the signature profile used to sign the layer. This is crucial for the Lambda function to be able to use the signed layer.

Sign the Lambda Function:

  • Now, sign the Lambda function using AWS Signer with the appropriate signing profile.
  • Update the Lambda function's configuration to use the signed layer and the CodeSigningConfig you created.

Deploy the Lambda Function:

  • Once everything is signed and configured correctly, you can deploy the Lambda function. AWS Lambda will verify the signatures of both the function and the layer during deployment. If there's a mismatch or if the signatures are invalid, the deployment will fail.

Verify the Signature:

  • After deployment, you can use AWS Lambda's GetFunction API call to verify that the function and its layers are signed. The response will include the CodeSigningConfigArn and the SignedUrl for the function and each layer.

Remember, the key is to ensure that both the Lambda function and its layers are signed using compatible signing profiles. If they aren't, the deployment will fail due to signature verification errors.

I hope this helps! If you have further questions or need more detailed steps, please let me know.

answered 8 months ago
  • Hi, thanks for your answer. I'm already able to sign a Lambda that uses my own layers using the same process you described. My issue is that the AppConfig layer is provided by AWS and I can't figure out how I can sign a layer that I don't own!

  • My question should be: Is the AppConfig layer signed, and if so, what is the ARN of the signing profile that was used to sign it? I can't find any information on this in the AppConfig layer documentation.

  • This doesn't work for the AppConfig and the AWS Parameters and Secrets Lambda Extension layers since AWS currently doesn't sign those layers; thus, there is no signing profile ARN for them. Hopefully they change that in the future.
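The procedure from Paul's answer (download the AWS-provided layer, check whether it carries a signature, and if not, sign it under your own profile) together with the step-by-step answer's signing profile and CodeSigningConfig setup, as an added example that is not code from either answer or from AWS. It assumes boto3 is installed with credentials configured, that an S3 bucket with versioning enabled is available for AWS Signer (a hypothetical bucket name is used), and that a signed Lambda artifact can be recognised by the META-INF/ directory AWS Signer adds to the zip; the signing profile and layer names are placeholders. Only the zip inspection runs offline; the AWS calls are wired up but need an account.

```python
"""Detect unsigned Lambda layers and re-sign them under your own AWS Signer profile.

Added example (not from the thread). Assumptions: boto3 + credentials; a
versioned S3 bucket; signed zips carry a META-INF/ directory (what the answer
observed was missing); profile/bucket/layer names below are placeholders.
"""
import io
import time
import zipfile
from urllib.request import urlopen


def signature_entries(zip_bytes: bytes) -> list[str]:
    """Names of the signature files inside the zip (empty list when unsigned)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.startswith("META-INF/")]


def is_signed(zip_bytes: bytes) -> bool:
    """True when the artifact carries AWS Signer signature files."""
    return bool(signature_entries(zip_bytes))


def code_signing_config_args(profile_version_arn: str, enforce: bool = True) -> dict:
    """Arguments for lambda.create_code_signing_config.

    Enforce rejects any unsigned or untrusted artifact (function code *and*
    layers) at deployment; Warn only logs it, the weaker option 1 above."""
    policy = "Enforce" if enforce else "Warn"
    return {
        "AllowedPublishers": {"SigningProfileVersionArns": [profile_version_arn]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": policy},
    }


def fetch_layer_zip(layer_version_arn: str) -> bytes:
    """Download a layer version's content via the presigned URL Lambda returns."""
    import boto3  # imported here so the offline helpers work without boto3
    resp = boto3.client("lambda").get_layer_version_by_arn(Arn=layer_version_arn)
    with urlopen(resp["Content"]["Location"]) as r:
        return r.read()


def sign_zip(zip_bytes: bytes, bucket: str, key: str, profile_name: str) -> str:
    """Upload the zip, run an AWS Signer job, return the signed object's S3 key."""
    import boto3
    s3, signer = boto3.client("s3"), boto3.client("signer")
    put = s3.put_object(Bucket=bucket, Key=key, Body=zip_bytes)  # bucket must be versioned
    job = signer.start_signing_job(
        source={"s3": {"bucketName": bucket, "key": key, "version": put["VersionId"]}},
        destination={"s3": {"bucketName": bucket, "prefix": "signed/"}},
        profileName=profile_name,
    )
    while True:  # poll until Signer finishes
        desc = signer.describe_signing_job(jobId=job["jobId"])
        if desc["status"] == "Succeeded":
            return desc["signedObject"]["s3"]["key"]
        if desc["status"] == "Failed":
            raise RuntimeError(f"signing failed: {desc.get('statusReason')}")
        time.sleep(2)


def resign_layer(layer_version_arn: str, bucket: str, profile_name: str, new_layer_name: str):
    """Publish a signed copy of an AWS-provided layer under your own layer name.

    Returns the new LayerVersionArn, or None if the source was already signed."""
    import boto3
    data = fetch_layer_zip(layer_version_arn)
    if is_signed(data):
        return None
    signed_key = sign_zip(data, bucket, "unsigned/layer.zip", profile_name)
    out = boto3.client("lambda").publish_layer_version(
        LayerName=new_layer_name,
        Content={"S3Bucket": bucket, "S3Key": signed_key},
    )
    return out["LayerVersionArn"]


def make_zip(names: list[str]) -> bytes:
    """Constructed sample zip (one dummy byte per entry) for offline checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    unsigned = make_zip(["extensions/aws-appconfig-extension"])
    signed = make_zip(["extensions/aws-appconfig-extension", "META-INF/MANIFEST.MF"])
    print("unsigned layer signed?", is_signed(unsigned))
    print("signed layer entries:", signature_entries(signed))
    # Real run (needs an account): the profile version ARN comes from
    # boto3.client("signer").get_signing_profile(profileName=...)["profileVersionArn"]
    # and feeds code_signing_config_args(..., enforce=True); then
    # resign_layer("arn:aws:lambda:REGION:ACCOUNT:layer:NAME:VERSION",
    #              "my-signing-bucket", "my-layer-profile", "appconfig-layer-signed")
```

The check that matters is `is_signed`: run it against the downloaded zip before relying on a CodeSigningConfig set to Enforce, because an unsigned AWS-provided layer will block deployment under Enforce and only produce a warning under Warn. Re-signing under your own profile lets the layer pass an Enforce policy, at the cost of re-running the script whenever AWS publishes a new layer version.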
