or run

npx @tessl/cli init

Version

Tile

Overview

Evals

Files

docs

account-settings.md alias-version-management.md client-management.md concurrency-performance.md event-source-mapping.md function-invocation.md function-management.md function-url-management.md high-level-invocation.md index.md layer-management.md permissions-policies.md runtime-management.md security-code-signing.md tagging.md waiters-polling.md

tile.json

Security and Code Signing

Comprehensive code signing configuration and security management for Lambda functions, enabling trusted code deployment through digital signatures and secure code integrity validation.

Capabilities

Code Signing Configuration Management

Manages code signing configurations that define trusted publishers and signing requirements for Lambda functions.

Create Code Signing Configuration

Creates a new code signing configuration with trusted signing profiles.

/**
 * Creates code signing configuration with trusted publishers for function deployment security
 * @param request Configuration creation parameters including signing profiles and policies
 * @return CreateCodeSigningConfigResult containing configuration details and ARN
 * @throws ServiceException if service encounters an error
 * @throws InvalidParameterValueException if parameters are invalid
 */
CreateCodeSigningConfigResult createCodeSigningConfig(CreateCodeSigningConfigRequest request);

public class CreateCodeSigningConfigRequest {
    /** Configuration description (optional) - up to 256 characters */
    private String description;
    /** Allowed publishers (required) - list of trusted signing profile ARNs */
    private AllowedPublishers allowedPublishers;
    /** Code signing policies (optional) - signature validation policies */
    private CodeSigningPolicies codeSigningPolicies;
}

public class AllowedPublishers {
    /** Signing profile version ARNs (required) - trusted publisher identities */
    private List<String> signingProfileVersionArns;
}

public class CodeSigningPolicies {
    /** Untrusted artifact on deployment (optional) - WARN or ENFORCE */
    private CodeSigningPolicy untrustedArtifactOnDeployment;
}

public enum CodeSigningPolicy {
    WARN,    // Log warning but allow deployment
    ENFORCE  // Block deployment of untrusted artifacts
}

public class CreateCodeSigningConfigResult {
    /** Code signing configuration */
    private CodeSigningConfig codeSigningConfig;
}

public class CodeSigningConfig {
    /** Configuration ARN */
    private String codeSigningConfigArn;
    /** Configuration ID */
    private String codeSigningConfigId;
    /** Configuration description */
    private String description;
    /** Allowed publishers */
    private AllowedPublishers allowedPublishers;
    /** Code signing policies */
    private CodeSigningPolicies codeSigningPolicies;
    /** Creation timestamp */
    private String createdDate;
    /** Last modified timestamp */
    private String lastModified;
}

Get Code Signing Configuration

Retrieves details for a specific code signing configuration.

/**
 * Retrieves code signing configuration details including publishers and policies
 * @param request Configuration retrieval parameters including ARN
 * @return GetCodeSigningConfigResult containing complete configuration details
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if configuration does not exist
 */
GetCodeSigningConfigResult getCodeSigningConfig(GetCodeSigningConfigRequest request);

public class GetCodeSigningConfigRequest {
    /** Code signing configuration ARN (required) */
    private String codeSigningConfigArn;
}

public class GetCodeSigningConfigResult {
    /** Code signing configuration */
    private CodeSigningConfig codeSigningConfig;
}

Update Code Signing Configuration

Updates an existing code signing configuration's publishers and policies.

/**
 * Updates code signing configuration publishers and policies
 * @param request Configuration update parameters including ARN and new settings
 * @return UpdateCodeSigningConfigResult containing updated configuration
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if configuration does not exist
 * @throws InvalidParameterValueException if parameters are invalid
 */
UpdateCodeSigningConfigResult updateCodeSigningConfig(UpdateCodeSigningConfigRequest request);

public class UpdateCodeSigningConfigRequest {
    /** Code signing configuration ARN (required) */
    private String codeSigningConfigArn;
    /** Updated description (optional) */
    private String description;
    /** Updated allowed publishers (optional) */
    private AllowedPublishers allowedPublishers;
    /** Updated code signing policies (optional) */
    private CodeSigningPolicies codeSigningPolicies;
}

public class UpdateCodeSigningConfigResult {
    /** Updated code signing configuration */
    private CodeSigningConfig codeSigningConfig;
}

Delete Code Signing Configuration

Deletes a code signing configuration that is not associated with any functions.

/**
 * Deletes code signing configuration (must not be associated with functions)
 * @param request Configuration deletion parameters including ARN
 * @return DeleteCodeSigningConfigResult indicating successful deletion
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if configuration does not exist
 * @throws ResourceConflictException if configuration is still in use
 */
DeleteCodeSigningConfigResult deleteCodeSigningConfig(DeleteCodeSigningConfigRequest request);

public class DeleteCodeSigningConfigRequest {
    /** Code signing configuration ARN (required) */
    private String codeSigningConfigArn;
}

public class DeleteCodeSigningConfigResult {
    // Empty result indicating successful deletion
}

List Code Signing Configurations

Lists all code signing configurations in the account and region.

/**
 * Lists all code signing configurations with pagination support
 * @param request Configuration listing parameters including pagination
 * @return ListCodeSigningConfigsResult containing configuration list
 * @throws ServiceException if service encounters an error
 */
ListCodeSigningConfigsResult listCodeSigningConfigs(ListCodeSigningConfigsRequest request);

public class ListCodeSigningConfigsRequest {
    /** Pagination marker (optional) */
    private String marker;
    /** Maximum items to return (optional, range: 1-10000) */
    private Integer maxItems;
}

public class ListCodeSigningConfigsResult {
    /** Pagination marker for next page */
    private String nextMarker;
    /** List of code signing configurations */
    private List<CodeSigningConfig> codeSigningConfigs;
}

Function Code Signing Association

Manages the association between Lambda functions and code signing configurations.

Associate Code Signing Configuration with Function

Associates a code signing configuration with a Lambda function to enforce signing requirements.

/**
 * Associates code signing configuration with function to enforce signature validation
 * @param request Association parameters including function name and configuration ARN
 * @return PutFunctionCodeSigningConfigResult containing association details
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if function or configuration does not exist
 * @throws ResourceConflictException if function is being updated
 * @throws CodeSigningConfigNotFoundException if configuration is invalid
 */
PutFunctionCodeSigningConfigResult putFunctionCodeSigningConfig(PutFunctionCodeSigningConfigRequest request);

public class PutFunctionCodeSigningConfigRequest {
    /** Code signing configuration ARN (required) */
    private String codeSigningConfigArn;
    /** Function name (required) - name, ARN, or partial ARN */
    private String functionName;
}

public class PutFunctionCodeSigningConfigResult {
    /** Code signing configuration ARN */
    private String codeSigningConfigArn;
    /** Function name */
    private String functionName;
}

Get Function Code Signing Configuration

Retrieves the code signing configuration associated with a function.

/**
 * Retrieves function's code signing configuration details
 * @param request Function code signing retrieval parameters including function name
 * @return GetFunctionCodeSigningConfigResult containing configuration ARN
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if function does not exist
 * @throws CodeSigningConfigNotFoundException if no configuration is associated
 */
GetFunctionCodeSigningConfigResult getFunctionCodeSigningConfig(GetFunctionCodeSigningConfigRequest request);

public class GetFunctionCodeSigningConfigRequest {
    /** Function name (required) - name, ARN, or partial ARN */
    private String functionName;
}

public class GetFunctionCodeSigningConfigResult {
    /** Code signing configuration ARN */
    private String codeSigningConfigArn;
    /** Function name */
    private String functionName;
}

Remove Code Signing Configuration from Function

Removes code signing configuration association from a function.

/**
 * Removes code signing configuration from function (disables signature validation)
 * @param request Configuration removal parameters including function name
 * @return DeleteFunctionCodeSigningConfigResult indicating successful removal
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if function does not exist
 * @throws ResourceConflictException if function is being updated
 * @throws CodeSigningConfigNotFoundException if no configuration is associated
 */
DeleteFunctionCodeSigningConfigResult deleteFunctionCodeSigningConfig(DeleteFunctionCodeSigningConfigRequest request);

public class DeleteFunctionCodeSigningConfigRequest {
    /** Function name (required) - name, ARN, or partial ARN */
    private String functionName;
}

public class DeleteFunctionCodeSigningConfigResult {
    // Empty result indicating successful removal
}

List Functions by Code Signing Configuration

Lists all functions that use a specific code signing configuration.

/**
 * Lists functions using specific code signing configuration
 * @param request Function listing parameters including configuration ARN and pagination
 * @return ListFunctionsByCodeSigningConfigResult containing function list
 * @throws ServiceException if service encounters an error
 * @throws ResourceNotFoundException if configuration does not exist
 */
ListFunctionsByCodeSigningConfigResult listFunctionsByCodeSigningConfig(ListFunctionsByCodeSigningConfigRequest request);

public class ListFunctionsByCodeSigningConfigRequest {
    /** Code signing configuration ARN (required) */
    private String codeSigningConfigArn;
    /** Pagination marker (optional) */
    private String marker;
    /** Maximum items to return (optional, range: 1-10000) */
    private Integer maxItems;
}

public class ListFunctionsByCodeSigningConfigResult {
    /** Pagination marker for next page */
    private String nextMarker;
    /** List of function ARNs using the configuration */
    private List<String> functionArns;
}

Usage Examples

Creating Code Signing Configuration

AWSLambda lambdaClient = AWSLambdaClientBuilder.defaultClient();

// Create allowed publishers with trusted signing profiles
AllowedPublishers allowedPublishers = new AllowedPublishers()
    .withSigningProfileVersionArns(
        "arn:aws:signer:us-east-1:123456789012:signing-profile/MyProfile/1234567890",
        "arn:aws:signer:us-east-1:123456789012:signing-profile/TrustedPublisher/987654321"
    );

// Configure strict enforcement policy
CodeSigningPolicies policies = new CodeSigningPolicies()
    .withUntrustedArtifactOnDeployment(CodeSigningPolicy.ENFORCE);

CreateCodeSigningConfigRequest request = new CreateCodeSigningConfigRequest()
    .withDescription("Production code signing for critical functions")
    .withAllowedPublishers(allowedPublishers)
    .withCodeSigningPolicies(policies);

CreateCodeSigningConfigResult result = lambdaClient.createCodeSigningConfig(request);
String configArn = result.getCodeSigningConfig().getCodeSigningConfigArn();
System.out.println("Created code signing config: " + configArn);

Associating Configuration with Function

// Associate code signing configuration with function
PutFunctionCodeSigningConfigRequest associateRequest = new PutFunctionCodeSigningConfigRequest()
    .withFunctionName("critical-payment-processor")
    .withCodeSigningConfigArn(configArn);

PutFunctionCodeSigningConfigResult associateResult = lambdaClient.putFunctionCodeSigningConfig(associateRequest);
System.out.println("Associated function with code signing configuration");

// Verify association
GetFunctionCodeSigningConfigRequest verifyRequest = new GetFunctionCodeSigningConfigRequest()
    .withFunctionName("critical-payment-processor");

GetFunctionCodeSigningConfigResult verifyResult = lambdaClient.getFunctionCodeSigningConfig(verifyRequest);
System.out.println("Function uses config: " + verifyResult.getCodeSigningConfigArn());

Updating Code Signing Configuration

// Add new trusted publisher to existing configuration
List<String> updatedPublishers = new ArrayList<>();
updatedPublishers.add("arn:aws:signer:us-east-1:123456789012:signing-profile/MyProfile/1234567890");
updatedPublishers.add("arn:aws:signer:us-east-1:123456789012:signing-profile/TrustedPublisher/987654321");
updatedPublishers.add("arn:aws:signer:us-east-1:123456789012:signing-profile/NewPublisher/555666777");

AllowedPublishers updatedAllowedPublishers = new AllowedPublishers()
    .withSigningProfileVersionArns(updatedPublishers);

UpdateCodeSigningConfigRequest updateRequest = new UpdateCodeSigningConfigRequest()
    .withCodeSigningConfigArn(configArn)
    .withDescription("Updated production code signing with new publisher")
    .withAllowedPublishers(updatedAllowedPublishers);

UpdateCodeSigningConfigResult updateResult = lambdaClient.updateCodeSigningConfig(updateRequest);
System.out.println("Updated configuration with " + 
    updateResult.getCodeSigningConfig().getAllowedPublishers().getSigningProfileVersionArns().size() + 
    " trusted publishers");

Managing Multiple Configurations

// List all code signing configurations
ListCodeSigningConfigsRequest listRequest = new ListCodeSigningConfigsRequest()
    .withMaxItems(50);

ListCodeSigningConfigsResult listResult = lambdaClient.listCodeSigningConfigs(listRequest);
for (CodeSigningConfig config : listResult.getCodeSigningConfigs()) {
    System.out.println("Config: " + config.getCodeSigningConfigId());
    System.out.println("Description: " + config.getDescription());
    System.out.println("Publishers: " + config.getAllowedPublishers().getSigningProfileVersionArns().size());
    
    // List functions using this configuration
    ListFunctionsByCodeSigningConfigRequest functionsRequest = 
        new ListFunctionsByCodeSigningConfigRequest()
            .withCodeSigningConfigArn(config.getCodeSigningConfigArn());
    
    ListFunctionsByCodeSigningConfigResult functionsResult = 
        lambdaClient.listFunctionsByCodeSigningConfig(functionsRequest);
    
    System.out.println("Functions using config: " + functionsResult.getFunctionArns().size());
    for (String functionArn : functionsResult.getFunctionArns()) {
        System.out.println("  " + functionArn);
    }
}

Code Signing Deployment Pipeline

public class CodeSigningDeploymentManager {
    private final AWSLambda lambdaClient;
    private final String productionConfigArn;
    
    public CodeSigningDeploymentManager(AWSLambda lambdaClient, String productionConfigArn) {
        this.lambdaClient = lambdaClient;
        this.productionConfigArn = productionConfigArn;
    }
    
    /**
     * Deploy function with code signing validation
     */
    public void deploySignedFunction(String functionName, FunctionCode signedCode) {
        try {
            // First, associate code signing configuration if not already set
            ensureCodeSigningConfigured(functionName);
            
            // Update function code - Lambda will validate signature
            UpdateFunctionCodeRequest updateRequest = new UpdateFunctionCodeRequest()
                .withFunctionName(functionName)
                .withS3Bucket(signedCode.getS3Bucket())
                .withS3Key(signedCode.getS3Key())
                .withS3ObjectVersion(signedCode.getS3ObjectVersion());
            
            UpdateFunctionCodeResult result = lambdaClient.updateFunctionCode(updateRequest);
            System.out.println("Deployed signed code. SHA256: " + result.getCodeSha256());
            
        } catch (InvalidCodeSignatureException e) {
            System.err.println("Code signature validation failed: " + e.getMessage());
            throw new RuntimeException("Deployment blocked due to invalid signature", e);
        }
    }
    
    private void ensureCodeSigningConfigured(String functionName) {
        try {
            lambdaClient.getFunctionCodeSigningConfig(
                new GetFunctionCodeSigningConfigRequest().withFunctionName(functionName));
            // Configuration already exists
        } catch (CodeSigningConfigNotFoundException e) {
            // Associate production code signing configuration
            lambdaClient.putFunctionCodeSigningConfig(
                new PutFunctionCodeSigningConfigRequest()
                    .withFunctionName(functionName)
                    .withCodeSigningConfigArn(productionConfigArn));
            
            System.out.println("Associated function with code signing configuration");
        }
    }
}

Exception Handling

Common exceptions when working with code signing:

ResourceNotFoundException: Function or code signing configuration does not exist
ResourceConflictException: Function is being updated or configuration is in use
CodeSigningConfigNotFoundException: Function has no code signing configuration
InvalidCodeSignatureException: Function code signature is invalid or untrusted
InvalidParameterValueException: Invalid configuration parameters or ARNs
ServiceException: General service errors
TooManyRequestsException: Rate limiting exceeded

Best Practices

Security Configuration

Use ENFORCE policy for production environments to block unsigned code
Regularly rotate signing profiles and update configurations
Maintain separate configurations for different environments (dev, staging, prod)
Monitor code signing validation failures through CloudWatch logs

Publisher Management

Use specific signing profile version ARNs for better control
Implement approval processes for adding new trusted publishers
Document and audit all signing profile changes
Use separate signing profiles for different teams or applications

Deployment Integration

Integrate code signing validation into CI/CD pipelines
Implement automated signature verification before deployment
Use signed container images for container-based Lambda functions
Test code signing configurations in non-production environments first

Monitoring and Compliance

Set up CloudWatch alarms for code signing validation failures
Log all code signing events for audit purposes
Regularly review and update trusted publisher lists
Implement compliance reporting for signed vs. unsigned deployments