AWS Signer is a fully managed service that helps you securely sign code, containers, and other files so their integrity and authenticity can be verified. It integrates with AWS services such as Lambda and ECR so that only code and container images signed by trusted signing profiles are deployed in the environment. AWS Signer supports compliance by allowing organizations to digitally sign artifacts using cryptographic keys.
In this Cloud Lab, you’ll create an S3 bucket and add a deployment package for the Lambda function. After that, you’ll create signer profiles in AWS Signer and sign the deployment package in the S3 bucket with them. Next, you’ll create a code signing configuration in AWS Lambda that will only allow the deployment of a package signed by a specific signer profile. You’ll also test the functionality of AWS Signer by attempting to create a Lambda function with deployment files signed by a different signer profile.
After creating a signed Lambda function, you’ll create an ECR repository and an EC2 instance. Using the EC2 instance, you’ll build a Docker container image, push it to the ECR repository, and sign it with a signer profile. After signing, you’ll tamper with the Dockerfile and observe whether this affects the signature or the integrity of the container image in the ECR repository.
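To make the two checks this lab exercises concrete, the following is an added Python model (not the lab's or AWS's own code) of the Lambda code signing configuration decision and of why a signature bound to one image digest does not cover a rebuilt artifact. The ARNs, digests and image contents are constructed samples, and the Lambda check is simplified to the allowed-publisher test.

```python
"""Model of Lambda's code signing enforcement and of digest-bound image
signatures. Added illustration with constructed sample values."""
import hashlib
from dataclasses import dataclass

# Constructed ARNs standing in for the lab's two signing profile versions.
TRUSTED_PROFILE = "arn:aws:signer:us-east-1:111122223333:/signing-profiles/labProfile/AbCdEf12"
OTHER_PROFILE = "arn:aws:signer:us-east-1:111122223333:/signing-profiles/otherProfile/GhIjKl34"


@dataclass
class CodeSigningConfig:
    """Mirrors the two settings of a Lambda code signing configuration:
    AllowedPublishers.SigningProfileVersionArns and
    CodeSigningPolicies.UntrustedArtifactOnDeployment ("Warn" or "Enforce")."""
    allowed_profile_arns: list
    untrusted_artifact_on_deployment: str = "Enforce"


def evaluate_deployment(csc: CodeSigningConfig, signing_profile_arn):
    """Return 'deploy', 'warn' or 'reject' for a package signed by
    signing_profile_arn (None for an unsigned package). Simplified model:
    the real Lambda check also validates integrity, expiry and revocation."""
    if signing_profile_arn in csc.allowed_profile_arns:
        return "deploy"
    # Unsigned, or signed by a profile the configuration does not trust.
    if csc.untrusted_artifact_on_deployment == "Enforce":
        return "reject"
    return "warn"


def sign_digest(content: bytes, profile_arn: str) -> dict:
    """A container image signature binds a profile to the image's digest,
    not to the Dockerfile; here the digest is simply the content hash."""
    return {"digest": hashlib.sha256(content).hexdigest(), "profile": profile_arn}


def verify_signature(content: bytes, signature: dict) -> bool:
    """Recompute the digest and compare it with the digest that was signed;
    any artifact whose digest differs is not covered by the signature."""
    return hashlib.sha256(content).hexdigest() == signature["digest"]


if __name__ == "__main__":
    csc = CodeSigningConfig(allowed_profile_arns=[TRUSTED_PROFILE])
    print(evaluate_deployment(csc, TRUSTED_PROFILE), evaluate_deployment(csc, OTHER_PROFILE))
    image = b"FROM public.ecr.aws/docker/library/python:3.12\nCMD [\"python\"]\n"
    sig = sign_digest(image, TRUSTED_PROFILE)
    print(verify_signature(image, sig), verify_signature(image + b"RUN echo tampered\n", sig))
```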
After the completion of this Cloud Lab, the provisioned architecture will be similar to the following: