{Lambda}AWS Lambda でのコード署名の設定

https://docs.aws.amazon.com/ja_jp/lambda/latest/dg/configuration-codesigning.html
https://dev.classmethod.jp/articles/lambda-support-verify-code-sign/


コンテナイメージとして定義された関数では、コード署名はサポートされません。


-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

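# Fetch the AWS CLI v2 installer together with its detached signature, and
# only unpack and run the installer (executed as root via sudo) after gpg has
# verified the download. gpg needs the AWS CLI public key imported first; the
# key is published in the AWS CLI installation guide.
# -f makes curl fail on an HTTP error instead of saving an error page.
curl -f "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -f "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip \
  && unzip awscliv2.zip \
  && sudo ./aws/install

aws --version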

-- 2. S3 バケットを作成する

# Bucket for the signing workflow: the unsigned zip is uploaded here and
# Signer writes the signed artifact back under the signed/ prefix.
aws s3 mb "s3://bucket123"

# Check that the bucket now shows up.
aws s3 ls

-- 3. バケットバージョニングの有効化

# Signer reads its source as a specific S3 object version (the version= field
# in start-signing-job), so versioning has to be on before the unsigned zip
# is uploaded.
aws s3api put-bucket-versioning --versioning-configuration Status=Enabled --bucket bucket123

# Should report Status: Enabled.
aws s3api get-bucket-versioning --bucket bucket123

 

-- 4. IAMロール作成
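# Trust policy for the execution role: only the Lambda service principal may
# assume it. Written with a quoted heredoc so the step is reproducible
# without an interactive editor (the notes open the file in vim).
cat > role01.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

# Create the role with that trust policy; permissions are attached in the
# next step.
aws iam create-role \
  --role-name role01 \
  --assume-role-policy-document file://role01.json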


-- 5. ポリシーをロールにアタッチ
# Attach the managed execution policy used in these notes.
# Least-privilege note: create-function below sets no VPC configuration, so
# AWSLambdaBasicExecutionRole (CloudWatch Logs only) would be sufficient. If
# you change the policy here, change the detach step in the cleanup as well.
aws iam attach-role-policy --role-name role01 \
  --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

-- 6. Lambda関数作成

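# Minimal handler: log the event and return a fixed string. Written with a
# quoted heredoc (no shell expansion) instead of an interactive editor so
# the step is reproducible. The shebang is kept from the notes; Python
# treats it as a comment, it is not needed for a Lambda handler module.
cat > func01.py <<'EOF'
#!/usr/bin/python
def lambda_handler(event, context):
    print(event)
    return 'OK'
EOF

# Lambda only needs the file to be readable; 755 (kept from the notes) is
# more than needed but harmless.
chmod 755 func01.py
# Package the single handler module.
zip -r func01.zip func01.py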

 

# Create the function from the local zip. The role ARN uses the account id
# as written in the notes. python3.8 is an older runtime; check the current
# supported-runtime list before reusing this.
aws lambda create-function \
  --function-name func01 \
  --runtime python3.8 \
  --role "arn:aws:iam::999999999999:role/role01" \
  --handler func01.lambda_handler \
  --zip-file fileb://func01.zip

# Confirm the function exists and inspect its configuration.
aws lambda list-functions | grep func01
aws lambda get-function --function-name func01

 

-- 7. 署名プロファイルの作成

# Signing profile on the Lambda platform (SHA-384 / ECDSA). The validity
# period is one day: signatures from this profile are only valid that long,
# so the signed artifact has to be deployed promptly; with the Enforce policy
# set below an expired signature is expected to be rejected at deployment.
aws signer put-signing-profile --profile-name profile01 \
  --platform-id AWSLambda-SHA384-ECDSA \
  --signature-validity-period '{"value": 1,"type": "DAYS"}'

# Note the profileVersion / profileVersionArn in the output; the code
# signing config created later trusts that specific version.
aws signer list-signing-profiles

 

-- 8. Lambdaのコード署名設定を作成

# Existing configs (shows the ARN format before creating a new one).
aws lambda list-code-signing-configs

# Trust exactly one signing-profile *version* (ARN as recorded in the notes)
# and block deployments whose signature does not verify against it.
# "Enforce" rejects such a deployment; "Warn" would allow it and only log a
# warning.
aws lambda create-code-signing-config --description csc01 \
  --code-signing-policies '{"UntrustedArtifactOnDeployment": "Enforce"}' \
  --allowed-publishers '{"SigningProfileVersionArns" : ["arn:aws:signer:ap-northeast-1:999999999999:/signing-profiles/profile01/1111111111"]}'

 

-- 9. Lambda関数のコード署名による検証を有効化


# Bind the code signing config (ARN as recorded in the notes) to the
# function; from now on update-function-code is validated against it.
aws lambda put-function-code-signing-config --function-name func01 \
  --code-signing-config-arn "arn:aws:lambda:ap-northeast-1:999999999999:code-signing-config:csc-22222222222222222"

# Verify the binding.
aws lambda get-function-code-signing-config --function-name func01


-- 10. コード署名が有効になっていることの確認


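# Change the return value so the package differs from what is deployed; the
# next step then tries to deploy this unsigned zip and is expected to be
# rejected by the Enforce policy. Quoted heredoc instead of an interactive
# editor so the step is reproducible.
cat > func01.py <<'EOF'
#!/usr/bin/python
def lambda_handler(event, context):
    print(event)
    return 'OK!'
EOF

# Repack (replaces func01.py inside the existing archive).
zip -r func01.zip func01.py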

 

# Negative test: the zip is unsigned, so with the Enforce policy this call
# is expected to fail with CodeVerificationFailedException (output below).
aws lambda update-function-code --function-name func01 --zip-file fileb://func01.zip

An error occurred (CodeVerificationFailedException) when calling the UpdateFunctionCode operation:
 Lambda cannot deploy the function. The function or layer might be signed using a signature 
 that the client is not configured to accept. 

 

-- 11. 署名対象のLambdaのコードをS3にアップロード

# Upload the unsigned zip; the bucket is versioned, so this creates a new
# object version.
aws s3 cp func01.zip "s3://bucket123"

aws s3 ls "s3://bucket123" --recursive
# Record the VersionId of func01.zip; start-signing-job needs it.
aws s3api list-object-versions --bucket bucket123


-- 12. 署名ジョブの作成

# Sign the uploaded object version (version id as recorded in the notes)
# with the profile; the signed zip is written back to bucket123 under the
# signed/ prefix with a generated filename (see the next step).
aws signer start-signing-job --profile-name profile01 \
  --source 's3={bucketName=bucket123,key=func01.zip,version=aYVGtCOzO91236MSH82bLbkkDz8djb5G}' \
  --destination 's3={bucketName=bucket123,prefix=signed/}'

# Check the job status and the output object name.
aws signer list-signing-jobs

-- 13. 生成物確認

# The signed artifact now appears under signed/ as a new versioned object.
aws s3 ls "s3://bucket123" --recursive
aws s3api list-object-versions --bucket bucket123

# Download and inspect it locally. Note that cd changes the working
# directory for the rest of the session; the remaining steps only use S3
# paths, so that is fine here.
mkdir signed
cd signed
aws s3 cp "s3://bucket123/signed/5cdd6b37-f240-1234-b527-66fc028e975b.zip" .
unzip 5cdd6b37-f240-1234-b527-66fc028e975b.zip

# Signer adds META_INF/ containing the signature file; show its header.
head -n 10 META_INF/aws_signer_signature_v1.0.SF


-- 14. コード署名付きのパッケージをデプロイ


# Deploy the signed package straight from S3, pinned to the exact object
# version (ids as recorded in the notes); this is the deployment the
# Enforce policy should accept.
aws lambda update-function-code --function-name func01 \
  --s3-bucket bucket123 \
  --s3-key "signed/5cdd6b37-f240-1234-b527-66fc028e975b.zip" \
  --s3-object-version "le7iJfnehq.lAAAADcljQO0SVZdiOkin"

# SigningProfileVersionArn / SigningJobArn should now be present in the
# function configuration.
aws lambda get-function --function-name func01

 

-- 15. クリーンアップ

-- Lambda関数のコード署名による検証を無効化

# Remove the binding between the function and the code signing config;
# unsigned deployments are accepted again afterwards.
aws lambda delete-function-code-signing-config --function-name func01

# Confirm the config is no longer bound to the function.
aws lambda get-function-code-signing-config --function-name func01


-- Lambdaのコード署名設定の削除
aws lambda list-code-signing-configs

# Delete the config itself (ARN as recorded in the notes). This is expected
# to be refused while a function still references it, hence the unbind step
# above.
aws lambda delete-code-signing-config \
  --code-signing-config-arn "arn:aws:lambda:ap-northeast-1:999999999999:code-signing-config:csc-22222222222222222"


-- 署名プロファイルの取り消し

aws signer list-signing-profiles

# Revoke the profile version that the code signing config trusted. Only
# this version is revoked; signatures generated with it after the effective
# time (value as written in the notes) are no longer trusted.
aws signer revoke-signing-profile --profile-name profile01 --profile-version 1111111111 \
  --reason reason01 --effective-time "2022-02-01T00:00:00.000+0000"

 

-- lambda関数の削除
aws lambda list-functions | grep func01

# Delete the function itself.
aws lambda delete-function --function-name func01


-- ロールの削除
aws iam list-roles | grep role01

# Managed policies have to be detached before delete-role succeeds.
aws iam detach-role-policy --role-name role01 \
  --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

aws iam delete-role --role-name role01

 

-- 全バージョンの削除

# In a versioned bucket a plain delete only adds a delete marker, so each
# object version is deleted by id (ids as recorded in the notes) before the
# bucket can be removed.
aws s3api list-object-versions --bucket bucket123

aws s3api delete-object --bucket bucket123 --version-id "aYVGtCOzO91236MSH82bLbkkDz8djb5G" --key func01.zip
aws s3api delete-object --bucket bucket123 --version-id "le7iJfnehq.lAAAADcljQO0SVZdiOkin" --key "signed/5cdd6b37-f240-1234-b527-66fc028e975b.zip"

 

-- S3バケットの削除
aws s3 ls

# --force removes the remaining current objects before deleting the bucket;
# it is not expected to clear old object versions, which is why those were
# deleted explicitly above.
aws s3 rb "s3://bucket123" --force