OpsCanary

Automate AWS Lambda Code Integrity with Terraform and Code Signing

AWS DevOps Blog, May 18, 2026
Practitioner level: hands-on experience recommended

Ensuring the integrity of the code you deploy is a basic requirement in cloud-native environments. AWS Lambda code signing provides a security mechanism that guarantees only trusted, unmodified code executes in your functions. This matters for preventing malicious or tampered code from running in production, where it can lead to data breaches and service disruptions.

The implementation uses AWS Signer to create signing profiles and signing jobs with the SHA384-ECDSA algorithm. With Terraform, you can automate the entire code signing pipeline, so that your Lambda deployment packages are signed automatically and signature validation is enforced at runtime. Two configuration parameters are central: platform_id, which selects the signing platform and therefore the cryptographic algorithm, and untrusted_artifact_on_deployment, which makes Lambda reject unsigned or improperly signed code. This setup both hardens the deployment and keeps it consistent across multiple environments.

In production, you need an AWS account with sufficient permissions for AWS Signer, Lambda, S3, and VPC. Use Terraform 1.0 or higher and make sure your AWS CLI is configured correctly. This setup can significantly improve your security posture, but it requires careful configuration to avoid pitfalls such as misconfigured permissions or overlooked signing profiles.

Key takeaways

  • Implement AWS Signer with SHA384-ECDSA for strong cryptographic security.
  • Automate code signing with Terraform to ensure consistent deployments.
  • Enforce signature validation at runtime to reject untrusted code.
  • Use versioning in S3 to manage your Lambda source code effectively.
  • Enable automatic key rotation for enhanced security of your KMS keys.

Why it matters

In production, automated code signing significantly reduces the risk of running untrusted code, enhancing your application's security and reliability. This is crucial for maintaining user trust and compliance with security standards.

Code examples

```hcl
resource "aws_signer_signing_profile" "lambda_signing_profile" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  # Signer profile names allow only letters, digits and underscores,
  # so hyphens in var.name are replaced.
  name = "${replace(var.name, "-", "_")}_lambda_signing_profile_${random_string.suffix.result}"

  signature_validity_period {
    value = 135
    type  = "MONTHS"
  }
}
```

```hcl
resource "aws_lambda_code_signing_config" "configuration" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda_signing_profile.version_arn]
  }

  policies {
    # "Enforce" rejects a package whose signature is missing, invalid, expired,
    # revoked or from a profile not listed above; "Warn" deploys it and only logs.
    untrusted_artifact_on_deployment = "Enforce"
  }

  description = "Code signing configuration for ${var.name} Lambda function."
}
```

```hcl
resource "aws_lambda_function" "lambda_run" {
  # Deploy the signed object that AWS Signer wrote, never the unsigned upload.
  s3_bucket        = aws_signer_signing_job.build_signing_job.signed_object[0].s3[0].bucket
  s3_key           = aws_signer_signing_job.build_signing_job.signed_object[0].s3[0].key
  # Hash of the unsigned archive; changing the source triggers a redeploy.
  source_code_hash = data.archive_file.python_file.output_base64sha256
  function_name    = var.name
  role             = aws_iam_role.lambda_role.arn
  handler          = "handler.lambda_handler"
  runtime          = "python3.12"

  code_signing_config_arn = aws_lambda_code_signing_config.configuration.arn

  kms_key_arn = aws_kms_key.encryption.arn

  vpc_config {
    subnet_ids         = aws_subnet.private[*].id
    security_group_ids = [aws_security_group.lambda.id]
  }

  tracing_config {
    mode = "Active"
  }

  dead_letter_config {
    target_arn = aws_sqs_queue.dlq.arn
  }
}
```
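The three snippets above reference resources they do not define: the signing job, the archive, the versioned S3 bucket that the takeaways mention, and the KMS key with rotation. The block below is an added example, not code from the original article, that fills in those pieces so the pipeline is complete. The bucket name, the `unsigned/` and `signed/` prefixes, `var.source_dir`, and the `random_string.suffix` definition are assumptions.

```hcl
# Added example: the missing half of the signing pipeline. Everything here is
# an assumption except the resource names the article's snippets reference.

terraform {
  required_providers {
    aws     = { source = "hashicorp/aws" }
    archive = { source = "hashicorp/archive" }
    random  = { source = "hashicorp/random" }
  }
}

variable "source_dir" {
  description = "Directory containing handler.py (assumed layout)"
  type        = string
}

resource "random_string" "suffix" {
  length  = 6
  upper   = false # keeps S3 bucket names lowercase
  special = false
}

# KMS key used by the function; automatic yearly rotation enabled.
resource "aws_kms_key" "encryption" {
  description         = "${var.name} Lambda encryption key"
  enable_key_rotation = true
}

# Zip the handler; output_base64sha256 feeds source_code_hash on the function.
data "archive_file" "python_file" {
  type        = "zip"
  source_dir  = var.source_dir
  output_path = "${path.module}/build/${var.name}.zip"
}

# AWS Signer takes an S3 object *version* as input, so versioning is required.
resource "aws_s3_bucket" "artifacts" {
  bucket        = lower("${var.name}-lambda-artifacts-${random_string.suffix.result}")
  force_destroy = true
}

resource "aws_s3_bucket_versioning" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Upload the unsigned package. depends_on ensures versioning is on before the
# first upload; without it version_id is "null" and the signing job fails.
resource "aws_s3_object" "unsigned" {
  bucket      = aws_s3_bucket.artifacts.id
  key         = "unsigned/${var.name}.zip"
  source      = data.archive_file.python_file.output_path
  source_hash = data.archive_file.python_file.output_base64sha256

  depends_on = [aws_s3_bucket_versioning.artifacts]
}

# Sign that exact object version with the SHA384-ECDSA profile. A new object
# version forces a new signing job, so every source change is re-signed.
resource "aws_signer_signing_job" "build_signing_job" {
  profile_name = aws_signer_signing_profile.lambda_signing_profile.name

  source {
    s3 {
      bucket  = aws_s3_bucket.artifacts.id
      key     = aws_s3_object.unsigned.key
      version = aws_s3_object.unsigned.version_id
    }
  }

  destination {
    s3 {
      bucket = aws_s3_bucket.artifacts.id
      prefix = "signed/"
    }
  }

  # Keep the default (false): a failed signing job must fail the apply rather
  # than leave the function pointing at a stale signed object.
  ignore_signing_job_failure = false
}
```

Two points worth checking after `terraform apply`: `aws lambda get-function-code-signing-config --function-name <name>` should return the configuration ARN, and `aws lambda get-code-signing-config --code-signing-config-arn <arn>` should show `UntrustedArtifactOnDeployment: Enforce`. Lambda performs the signature check when the package is created or updated (CreateFunction / UpdateFunctionCode), so an unsigned package pushed outside this pipeline is rejected at deployment, and the 135-month `signature_validity_period` bounds how long a signed artifact can still be deployed.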

When NOT to use this

The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.
