Alchemy

Appearance

CodeSigningConfig

The CodeSigningConfig resource lets you manage AWS Lambda CodeSigningConfigs for validating the code integrity of your Lambda functions.

Resource Documentation

The CodeSigningConfig allows you to define a configuration that specifies the allowed publishers of your Lambda code and the policies regarding the code signing. This is essential for maintaining the integrity and security of your serverless applications.

Minimal Example

Create a basic CodeSigningConfig with required properties and a description:

ts
import AWS from "alchemy/aws/control";

const codeSigningConfig = await AWS.Lambda.CodeSigningConfig("basicCodeSigningConfig", {
  Description: "Basic Code Signing Configuration for my Lambda functions",
  AllowedPublishers: {
    SigningProfileVersionArns: [
      "arn:aws:signer:us-west-2:123456789012:signing-profiles/my-signing-profile"
    ]
  }
});

Advanced Configuration

Configure a CodeSigningConfig with custom signing policies and tags for management:

ts
const advancedCodeSigningConfig = await AWS.Lambda.CodeSigningConfig("advancedCodeSigningConfig", {
  Description: "Advanced Code Signing Configuration with policies",
  AllowedPublishers: {
    SigningProfileVersionArns: [
      "arn:aws:signer:us-west-2:123456789012:signing-profiles/my-signing-profile"
    ]
  },
  CodeSigningPolicies: {
    UntrustedArtifactOnDeployment: "Enforce"
  },
  Tags: [
    { Key: "Environment", Value: "Production" },
    { Key: "Project", Value: "LambdaSecurity" }
  ]
});

Example with Custom Policies

Define a CodeSigningConfig that includes specific code signing policies for untrusted artifacts:

ts
const policyCodeSigningConfig = await AWS.Lambda.CodeSigningConfig("policyCodeSigningConfig", {
  Description: "Code Signing Config with strict policies",
  AllowedPublishers: {
    SigningProfileVersionArns: [
      "arn:aws:signer:us-west-2:123456789012:signing-profiles/my-other-signing-profile"
    ]
  },
  CodeSigningPolicies: {
    UntrustedArtifactOnDeployment: "Warn",
    UntrustedArtifactOnUpdate: "Enforce"
  }
});

This example demonstrates how to set up a CodeSigningConfig that warns when untrusted artifacts are deployed but enforces policies on updates, providing a balance between security and flexibility.