Code integrity
Code integrity is the foundation of any secure application. Ensuring that the code running in your Lambda functions is exactly what you expect it to be is crucial for preventing unauthorized modifications and injections. Here, we will delve into several methods to ensure the integrity of your Lambda function code.
Code signing
Code signing is a crucial method for verifying the integrity of your Lambda function code. By attaching a digital signature, Lambda ensures that only signed and authorized code packages are deployed. This process adds a robust layer of security by confirming that the code has not been altered since it was signed. Lambda allows you to configure your functions to alert or reject any deployments of unsigned code or code that is signed by unauthorized entities.
To achieve this level of security, AWS Signer is the go-to service within the AWS ecosystem. It allows you to create a signing profile by specifying the code signing configurations and certificates. Once your Lambda function code is packaged into a ZIP file and uploaded to an S3 bucket, AWS Signer takes over. It signs the code package based on the specified signing profile and returns the signed package to the designated S3 location. Finally, when deploying the function in Lambda, the service validates the signature, ensuring it aligns with the approved signing profile.
Lambda layers
Lambda layers are a distribution mechanism for libraries, custom runtimes, and other function dependencies. Layers are versioned and can be shared across multiple functions. Ensuring the integrity of these layers is equally important, as they can be a vector for malicious code. Hence, it is essential to always ensure that you are using layers from trusted sources. When using layers, make sure you apply the same level of scrutiny and security controls as you would for your primary function code. This includes code reviews, package scanning, and code signing.