AWS Security ChangesHomeSearch

AWS lambda documentation change

Service: lambda · 2025-04-03 · Documentation low

File: lambda/latest/dg/configuration-codesigning.md

Summary

Updated code signing documentation with clearer explanations of validation checks, enforcement policies, and operational impacts. Removed redundant API operation lists and restructured content flow.

Security assessment

The changes enhance documentation for code signing (a security feature) but do not address a specific disclosed vulnerability. Updates clarify how security controls work (e.g., validation checks, Warn/Enforce policies) without indicating remediation of an active exploit.

Diff

diff --git a/lambda/latest/dg/configuration-codesigning.md b/lambda/latest/dg/configuration-codesigning.md
index 5d662bcba..3d57adf95 100644
--- a//lambda/latest/dg/configuration-codesigning.md
+++ b//lambda/latest/dg/configuration-codesigning.md
@@ -5 +5 @@
-Signature validationConfiguring code signing with the Lambda API
+Signature validation
@@ -9 +9 @@ Signature validationConfiguring code signing with the Lambda API
-Code signing for AWS Lambda helps to ensure that only trusted code runs in your Lambda functions. When you enable code signing for a function, Lambda checks every code deployment and verifies that the code package is signed by a trusted source.
+Code signing helps ensure that only trusted code is deployed to your Lambda functions. Using AWS Signer, you can create digitally signed code packages for your functions. When you [add a code signing configuration to a function](./configuration-codesigning-create.html), Lambda verifies that all new code deployments are signed by a trusted source. Because code signing validation checks run at deployment time, there is no impact on function execution.
@@ -11 +11 @@ Code signing for AWS Lambda helps to ensure that only trusted code runs in your
-###### Note
+###### Important
@@ -13 +13 @@ Code signing for AWS Lambda helps to ensure that only trusted code runs in your
-Functions defined as container images do not support code signing.
+Code signing configurations only prevent new deployments of unsigned code. If you add a code signing configuration to an existing function that has unsigned code, that code keeps running until you deploy a new code package.
@@ -15,7 +15 @@ Functions defined as container images do not support code signing.
-To verify code integrity, use [AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html) to create digitally signed code packages for functions and layers. When a user attempts to deploy a code package, Lambda performs validation checks on the code package before accepting the deployment. Because code signing validation checks run at deployment time, there is no performance impact on function execution.
-
-You also use AWS Signer to create _signing profiles_. You use a signing profile to create the signed code package. Use AWS Identity and Access Management (IAM) to control who can sign code packages and create signing profiles. For more information, see [Authentication and Access Control](https://docs.aws.amazon.com/signer/latest/developerguide/accessctrl-toplevel.html) in the _AWS Signer Developer Guide_.
-
-Lambda layers follow the same signed code package format as function code packages. When you add a layer to a function that has code signing enabled, Lambda checks that the layer is signed by an allowed signing profile. When you enable code signing for a function, all layers that are added to the function must also be signed by one of the allowed signing profiles.
-
-You can configure code signing to log changes to AWS CloudTrail. Successful and blocked deployments to functions are logged to CloudTrail with information about the signature and validation checks.
+When you enable code signing for a function, any [layers](./chapter-layers.html) that you add to the function must also be signed by an allowed signing profile.
@@ -29,16 +23 @@ Lambda performs the following validation checks when you deploy a signed code pa
-  1. Integrity – Validates that the code package has not been modified since it was signed. Lambda compares the hash of the package with the hash from the signature.
-
-  2. Expiry – Validates that the signature of the code package has not expired.
-
-  3. Mismatch – Validates that the code package is signed with one of the allowed signing profiles for the Lambda function. A mismatch also occurs if a signature is not present.
-
-  4. Revocation – Validates that the signature of the code package has not been revoked.
-
-
-
-
-The signature validation policy defined in the code signing configuration determines which of the following actions Lambda takes if any of the validation checks fail:
-
-  * Warn – Lambda allows the deployment of the code package, but issues a warning. Lambda issues a new Amazon CloudWatch metric and also stores the warning in the CloudTrail log.
-
-  * Enforce – Lambda issues a warning (the same as for the Warn action) and blocks the deployment of the code package.
+  1. **Integrity** : Validates that the code package has not been modified since it was signed. Lambda compares the hash of the package with the hash from the signature.
@@ -45,0 +25 @@ The signature validation policy defined in the code signing configuration determ
+  2. **Expiry** : Validates that the signature of the code package has not expired.
@@ -46,0 +27 @@ The signature validation policy defined in the code signing configuration determ
+  3. **Mismatch** : Validates that the code package is signed with an allowed signing profile
@@ -47,0 +29 @@ The signature validation policy defined in the code signing configuration determ
+  4. **Revocation** : Validates that the signature of the code package has not been revoked.
@@ -49 +30,0 @@ The signature validation policy defined in the code signing configuration determ
-You can configure the policy for the expiry, mismatch, and revocation validation checks. Note that you cannot configure a policy for the integrity check. If the integrity check fails, Lambda blocks deployment.
@@ -51 +31,0 @@ You can configure the policy for the expiry, mismatch, and revocation validation
-## Configuring code signing with the Lambda API
@@ -53 +32,0 @@ You can configure the policy for the expiry, mismatch, and revocation validation
-To manage code signing configurations with the AWS CLI or AWS SDK, use the following API operations:
@@ -55 +34 @@ To manage code signing configurations with the AWS CLI or AWS SDK, use the follo
-  * [ListCodeSigningConfigs](https://docs.aws.amazon.com/lambda/latest/api/API_ListCodeSigningConfigs.html)
+When you create a code signing configuration, you can use the [UntrustedArtifactOnDeployment](https://docs.aws.amazon.com/lambda/latest/api/API_CodeSigningPolicies.html#lambda-Type-CodeSigningPolicies-UntrustedArtifactOnDeployment) parameter to specify how Lambda should respond if the expiry, mismatch, or revocation checks fail. You can choose one of these actions:
@@ -57 +36 @@ To manage code signing configurations with the AWS CLI or AWS SDK, use the follo
-  * [CreateCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_CreateCodeSigningConfig.html)
+  * `Warn`: This is the default setting. Lambda allows the deployment of the code package, but issues a warning. Lambda issues a new Amazon CloudWatch metric and also stores the warning in the CloudTrail log.
@@ -59,20 +38 @@ To manage code signing configurations with the AWS CLI or AWS SDK, use the follo
-  * [GetCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_GetCodeSigningConfig.html)
-
-  * [UpdateCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateCodeSigningConfig.html)
-
-  * [DeleteCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_DeleteCodeSigningConfig.html)
-
-
-
-
-To manage the code signing configuration for a function, use the following API operations:
-
-  * [CreateFunction](https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html)
-
-  * [GetFunctionCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_GetFunctionCodeSigningConfig.html)
-
-  * [PutFunctionCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_PutFunctionCodeSigningConfig.html)
-
-  * [DeleteFunctionCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_DeleteFunctionCodeSigningConfig.html)
-
-  * [ListFunctionsByCodeSigningConfig](https://docs.aws.amazon.com/lambda/latest/api/API_ListFunctionsByCodeSigningConfig.html)
+  * `Enforce` Lambda issues a warning (the same as for the `Warn` action) and blocks the deployment of the code package.
@@ -87,2 +46,0 @@ To manage the code signing configuration for a function, use the following API o
-  * [Updating a code signing configuration](./config-codesigning-config-update.html)
-