Demystifying AWS Signer

September 14 2023

A Guide to Secure Software Distribution 

Secure software distribution is a critical aspect of modern software development. It ensures that the software packages users receive are authentic, unaltered, and safe to use. One of the key techniques used to achieve this is code signing

Code signing is a security process that involves digitally signing software executables and scripts to confirm their origin and integrity. It uses cryptographic signatures to verify that the code has not been tampered with since it was signed. 

What is AWS Signer? 

AWS Signer is a fully managed service that helps in signing code to protect it from tampering and unauthorized changes. It does this by creating a digital signature for your code. The signature is verified when the code is deployed, ensuring that the code has not been tampered with.  

AWS Signer provides a robust platform for securing code. Its key components include:  

  •  Signer Profile

These define how code is signed, including which signing platform and certificate to use. 

  •  Signing Job

These represent the actual signing process for specific code artifacts. 

  •  Signing Platforms

AWS Signer supports various signing platforms, ensuring flexibility in the signing process. 

  •  Signing Certificates

Code signing certificates are used to verify the authenticity of the signed code. 

Using AWS Signer is straightforward

  1. Configure S3 bucket

Working with the AWS signer begins with this. Create source and destination buckets for the package. The package will be taken out of the source bucket by AWS Signer, signed, and then put into the destination bucket.  

If you’re configuring for learning purposes, you can further streamline the process by using the same bucket.   

2. Create a signing profile

Set up your signing profile and configure your signing platform. 

Navigate to the AWS signer page, click on Create signing profile, enter a profile name, and select profile platform, signature validity, and tags. 

3. Configure code signing for AWS Lambda

A Lambda function can have a code signing configuration associated with it. The code signing configurations will provide the permitted signing profiles and the function’s policy for validating signatures. The signature validation policy specifies what happens when an attempt is made to deploy an unsigned package. 

There are two possible results when a package is unsigned. 

A warning is given, but the function package is still deployed. 

After the issuance of a warning, the deployment function is disabled. 

Code signing setups can be enabled on both existing and new functions.  

4. Sign the code

Create signing jobs for the code you want to sign. 

Navigate to the Lambda configurations you just created and add the code signing profile.   

5. Verify the code

  AWS Signer takes care of the signing process and provides a signed code. 

What are the costs of using AWS Signer?

Absolutely nothing! There is no additional charge to use AWS Signer with AWS IoT Device Management, AWS Lambda, Amazon ECR, Amazon EKS, or third-party container services. 

 For instance, if you use Signer with Lambda, you only pay for Lambda runtime and the storage of signed and unsigned objects (such as your code zip file) in Amazon S3. 

Benefits of using AWS Signer

  • Protects your code from tampering and unauthorized changes 
  • Helps to comply with security regulations
  • Makes deploying secure code to Production easier

AWS Code Signing can help you to comply with security regulations. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires organizations to protect the confidentiality, integrity, and availability of protected health information (PHI). AWS Code Signing can help you meet this requirement by protecting your code from tampering and unauthorized changes. 

Cross-Account use case

AWS Code Signer can be used across AWS accounts to protect any type of code that you want to deploy to production. This includes code for Lambda Functions and container registry.  

In a distributed environment, powered by serverless technology on AWS, maintaining the security and integrity of our code is essential. To achieve this, we can implement a cross-account robust signing process using AWS Signer.  

In a centralized Security Account, we can set up a dedicated AWS Signer profile, meticulously configured to ensure seamless and secure code signing. To facilitate the signing process, we also have to establish source and destination S3 buckets, providing a structured workflow for code storage and signing.  

To secure access to S3 buckets we will also employ S3 Access Control List (ACLs) to exert granular control over the access to these buckets, allowing us to restrict permissions to only authorized AWS accounts.  

This multi-layered approach to code signing safeguards our approach and streamlines our code deployment pipeline, ensuring only verified and authorized code is delivered to our production pipeline. 

In the world of software distribution, security is paramount. AWS Signer offers a reliable solution for code signing, helping developers and organizations maintain the trustworthiness of their software. By following best practices and integrating Signer into your development workflow, you can bolster your applications’ security and gain your users’ trust.

Previous Post Next Post