AWS Lambda function is not configured to validate code-signing
Description
This policy ensures that an AWS Lambda function has been properly configured to validate code-signing. If not correctly set up, it could mean that your AWS Lambda function is running code that has not been authenticated. This lack of validation raises a significant security concern, as your service could be running code that has been tampered with or injected with malicious code. This could lead to unauthorized access, data leaks, or compromise of the service. Therefore, it is vital to check and ensure that Lambda functions are enforced to validate code-signing for security.
Code Example
resource "aws_lambda_function" "example" {
function_name = "example"
s3_bucket = aws_signer_signing_job.job.signed_object[0].s3[0].bucket
s3_key = aws_signer_signing_job.this.signed_object[0].s3[0].key
handler = "exports.test"
runtime = "nodejs12.x"
+ code_signing_config_arn = aws_lambda_code_signing_config.example.arn
}
resource "aws_lambda_code_signing_config" "example" {
allowed_publishers {
signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
}
policies {
untrusted_artifact_on_deployment = "Enforce"
}
}Remediation
Terraform
- Resource: aws_lambda_function
- Arguments: code_signing_config_arn
To address the issue, you need to enable the code-signing configuration for your AWS Lambda function. Code-signing adds an extra layer of security to your application by ensuring that the deployed code is not tampered with.
Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0320 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_272 |