Lock Down Your Serverless: Implementing Code Signing in AWS CDK 🔒

Learn what AWS Lambda code signing is, why it matters, and how to add it to your CDK projects with a simple, secure setup.

How to Implement Code Signing in AWS CDK

What is Code Signing?

Code signing ensures your Lambda function code is authentic and untampered. Using AWS Signer, your CI/CD pipeline signs the Lambda artifact, and Lambda accepts a deployment only if the package carries a valid signature from a signing profile you have marked as trusted.

Why It’s Important

  • Prevents unapproved code from being deployed

  • Strengthens supply chain security

  • Creates an audit trail for compliance

Step 1: Add Code Signing in CDK

import * as signer from 'aws-cdk-lib/aws-signer';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// Signing profile: the identity whose signatures Lambda will trust.
const profile = new signer.SigningProfile(this, 'Profile', {
  platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
});

// ENFORCE rejects any deployment whose package lacks a valid signature from one
// of the listed profiles; WARN would only log a warning and let it through.
const csc = new lambda.CodeSigningConfig(this, 'CSC', {
  signingProfiles: [profile],
  untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE,
});

new lambda.Function(this, 'MyFn', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  // Once ENFORCE is set, the asset deployed here must be the signed zip produced
  // in Step 2 (for example Code.fromAsset('signed.zip')), not the raw source dir.
  code: lambda.Code.fromAsset('lambda'),
  codeSigningConfig: csc,
});

Step 2: Sign the Artifact in CI/CD

  1. Build and zip your Lambda code.

  2. Upload the zip to an unsigned S3 bucket.

  3. Start a Signer job.

  4. Wait for completion and download the signed file.

  5. Deploy the signed artifact with CDK.

- name: Start signing job
  run: |
    # Quote the shorthand values: left bare, bash brace expansion splits
    # {bucketName=...,key=...} into two words. Signer also requires the S3
    # object version (here $OBJECT_VERSION, captured by the upload step), so
    # the unsigned bucket must have versioning enabled.
    JOB=$(aws signer start-signing-job \
      --profile-name LambdaSigningProfile \
      --source "s3={bucketName=unsigned,key=hello.zip,version=$OBJECT_VERSION}" \
      --destination "s3={bucketName=signed,prefix=signed/}" \
      --query jobId --output text)
    # Block until the job finishes so the next step can fetch the signed zip.
    aws signer wait successful-signing-job --job-id "$JOB"
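The five steps above as one script, added here as an example and not taken from the original post. It assumes the AWS CLI v2 is installed and has credentials, that `lambda/` is the function source directory, that the `unsigned` and `signed` bucket names and the `LambdaSigningProfile` name are placeholders to replace, and that the unsigned bucket has S3 versioning enabled, because Signer identifies its source by object version.

```shell
#!/bin/sh
# Added example (not from the original post): Step 2 end to end.
# Assumptions: AWS CLI v2 is installed and credentialed; 'lambda/' is the
# function source directory; the bucket and profile names are placeholders;
# the unsigned bucket has versioning enabled (Signer needs the object version).
set -eu

PROFILE_NAME="${PROFILE_NAME:-LambdaSigningProfile}"
UNSIGNED_BUCKET="${UNSIGNED_BUCKET:-unsigned}"
SIGNED_BUCKET="${SIGNED_BUCKET:-signed}"
ARTIFACT="hello.zip"

# Build the CLI shorthand for --source as a single word. Callers must quote it:
# unquoted, bash brace expansion would split {bucketName=a,key=b} into two words.
signer_source_arg() {
  printf 's3={bucketName=%s,key=%s,version=%s}' "$1" "$2" "$3"
}

# Same for --destination (bucket plus key prefix for the signed object).
signer_destination_arg() {
  printf 's3={bucketName=%s,prefix=%s}' "$1" "$2"
}

main() {
  # 1. Build and zip (your project's build command goes before the zip).
  (cd lambda && zip -qr "../$ARTIFACT" .)

  # 2. Upload to the unsigned bucket; keep the object version for the job.
  version=$(aws s3api put-object --bucket "$UNSIGNED_BUCKET" --key "$ARTIFACT" \
    --body "$ARTIFACT" --query VersionId --output text)

  # 3. Start the signing job.
  job=$(aws signer start-signing-job \
    --profile-name "$PROFILE_NAME" \
    --source "$(signer_source_arg "$UNSIGNED_BUCKET" "$ARTIFACT" "$version")" \
    --destination "$(signer_destination_arg "$SIGNED_BUCKET" signed/)" \
    --query jobId --output text)

  # 4. Wait for completion, then fetch the signed zip from where Signer put it.
  aws signer wait successful-signing-job --job-id "$job"
  signed_key=$(aws signer describe-signing-job --job-id "$job" \
    --query signedObject.s3.key --output text)
  aws s3 cp "s3://$SIGNED_BUCKET/$signed_key" signed.zip

  # 5. Deploy; the CDK stack's Code.fromAsset must point at signed.zip (Step 1).
  npx cdk deploy --require-approval never
}

# Run the pipeline only when invoked as "./sign-and-deploy.sh run".
case "${1:-}" in run) main ;; esac
```

The two small helper functions exist so the shorthand strings are always produced as one quoted word; the unquoted form in a bash `run:` step is the most common reason a `start-signing-job` call fails with a parsing error.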

Step 3: Enforce Security

  • Attach the CodeSigningConfig to all Lambdas.

  • Use IAM to restrict who can sign.

  • Monitor signer activity with CloudTrail.
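For the last two bullets, a small detection check over constructed CloudTrail records, added here as an example rather than taken from the post. It assumes one IAM role, `ci-signer-role` (a placeholder), is the only identity meant to call Signer, and that the account id in the sample ARNs is a placeholder; the event names are the Signer API actions CloudTrail records under the `signer.amazonaws.com` event source.

```shell
#!/bin/sh
# Added example (not from the original post): flag Signer API calls in CloudTrail
# that did not come from the CI role allowed to sign. Sample records are
# constructed; real ones are exported from CloudTrail as JSON events.
set -eu

# Constructed sample events, one JSON object per line; account id is a placeholder.
SAMPLE_EVENTS='{"eventSource":"signer.amazonaws.com","eventName":"StartSigningJob","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-signer-role/GitHubActions"}}
{"eventSource":"signer.amazonaws.com","eventName":"StartSigningJob","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventSource":"signer.amazonaws.com","eventName":"RevokeSigningProfile","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"}}
{"eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-alice"}}'

# Print "<eventName> <callerArn>" for each Signer call whose caller is not a
# session of the allowed role. Usage: flag_unexpected_signer_activity ci-signer-role
flag_unexpected_signer_activity() {
  allowed_role="$1"
  printf '%s\n' "$SAMPLE_EVENTS" |
    grep '"eventSource":"signer.amazonaws.com"' |
    while IFS= read -r rec; do
      name=$(printf '%s' "$rec" | sed -n 's/.*"eventName":"\([^"]*\)".*/\1/p')
      arn=$(printf '%s' "$rec" | sed -n 's/.*"arn":"\([^"]*\)".*/\1/p')
      case "$arn" in
        *":assumed-role/$allowed_role/"*) ;;    # expected CI identity, ignore
        *) printf '%s %s\n' "$name" "$arn" ;;  # anything else warrants a look
      esac
    done
}
```

Run against the sample, the check reports the two calls made by the IAM user and ignores both the CI role's job and the unrelated Lambda event; in practice the same filter expressed as a CloudWatch Logs metric filter or an EventBridge rule on the `signer.amazonaws.com` source gives you the alert without a script.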

Final Thoughts

Code signing adds a powerful security layer with minimal CDK changes. Once your pipeline signs artifacts and Lambda enforces the signature check, unsigned or tampered packages can no longer reach your production environment.

Pro tip: Reuse a single signing profile across multiple Lambdas for consistency.
