

# Using code signing to verify code integrity with Lambda
<a name="configuration-codesigning"></a>

Code signing helps ensure that only trusted code is deployed to your Lambda functions. Using AWS Signer, you can create digitally signed code packages for your functions. When you [add a code signing configuration to a function](configuration-codesigning-create.md), Lambda verifies that all new code deployments are signed by a trusted source. Because code signing validation checks run at deployment time, there is no impact on function execution.

**Important**  
Code signing configurations only prevent new deployments of unsigned code. If you add a code signing configuration to an existing function that has unsigned code, that code keeps running until you deploy a new code package.

When you enable code signing for a function, any [layers](chapter-layers.md) that you add to the function must also be signed by an allowed signing profile.

There is no additional charge for using AWS Signer or code signing for AWS Lambda.

## Signature validation
<a name="config-codesigning-valid"></a>

Lambda performs the following validation checks when you deploy a signed code package to your function:

1. **Integrity**: Validates that the code package has not been modified since it was signed. Lambda compares the hash of the package with the hash from the signature.

1. **Expiry**: Validates that the signature of the code package has not expired.

1. **Mismatch**: Validates that the code package is signed with an allowed signing profile.

1. **Revocation**: Validates that the signature of the code package has not been revoked.

When you create a code signing configuration, you can use the [UntrustedArtifactOnDeployment](https://docs.aws.amazon.com/lambda/latest/api/API_CodeSigningPolicies.html#lambda-Type-CodeSigningPolicies-UntrustedArtifactOnDeployment) parameter to specify how Lambda should respond if the expiry, mismatch, or revocation checks fail. You can choose one of these actions:
+ `Warn`: This is the default setting. Lambda allows the deployment of the code package, but issues a warning. Lambda issues a new Amazon CloudWatch metric (`SignatureValidationErrors`) and also stores the warning in the CloudTrail log.
+ `Enforce`: Lambda issues a warning (the same as for the `Warn` action) and blocks the deployment of the code package.
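The four checks and the `Warn`/`Enforce` policy, written out as a small model so the decision logic can be read and tested. This is an added example, not Lambda's or AWS Signer's code: the `Signature` record, the `sign` helper, the placeholder profile ARN and the package bytes are all constructed here, and the model assumes that a failed integrity check is always blocked while the policy governs only the expiry, mismatch and revocation checks, which is how the text above scopes `UntrustedArtifactOnDeployment`.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of Lambda's four deployment-time checks; not AWS code.
@dataclass
class Signature:
    package_sha256: str        # hash of the package recorded at signing time
    signing_profile_arn: str   # signing profile version that produced it
    expires_at: int            # Unix time after which the signature is expired
    revoked: bool = False

@dataclass
class CodeSigningConfig:
    allowed_profile_arns: frozenset
    untrusted_artifact_on_deployment: str = "Warn"   # "Warn" (default) or "Enforce"

def validate_deployment(package, sig, csc, now):
    """Return (decision, failed_checks); decision is 'Allow', 'Warn' or 'Block'."""
    failed = []
    if hashlib.sha256(package).hexdigest() != sig.package_sha256:
        failed.append("Integrity")   # package changed after it was signed
    if now > sig.expires_at:
        failed.append("Expiry")
    if sig.signing_profile_arn not in csc.allowed_profile_arns:
        failed.append("Mismatch")    # signed, but not by an allowed profile
    if sig.revoked:
        failed.append("Revocation")
    if not failed:
        return "Allow", failed
    # Assumption of this model: an integrity failure is always blocked; the
    # UntrustedArtifactOnDeployment setting governs only the other three checks.
    if "Integrity" in failed or csc.untrusted_artifact_on_deployment == "Enforce":
        return "Block", failed
    return "Warn", failed   # deployed anyway; SignatureValidationErrors metric emitted

# Constructed sample data: a placeholder profile ARN and a fake zip payload.
TRUSTED = "arn:aws:signer:us-east-1:111122223333:/signing-profiles/example/placeholder"
PACKAGE = b"PK\x03\x04 constructed lambda deployment package"

def sign(package, profile_arn, expires_at):
    """Stand-in for AWS Signer: records the package hash under a profile."""
    return Signature(hashlib.sha256(package).hexdigest(), profile_arn, expires_at)

if __name__ == "__main__":
    csc = CodeSigningConfig(frozenset({TRUSTED}), "Enforce")
    good = sign(PACKAGE, TRUSTED, expires_at=2_000_000_000)
    print(validate_deployment(PACKAGE, good, csc, now=1_700_000_000))
    print(validate_deployment(PACKAGE + b"x", good, csc, now=1_700_000_000))
```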

**Topics**
+ [Signature validation](#config-codesigning-valid)
+ [Creating code signing configurations for Lambda](configuration-codesigning-create.md)
+ [Configuring IAM policies for Lambda code signing configurations](config-codesigning-policies.md)
+ [Using tags on code signing configurations](tags-csc.md)

# Creating code signing configurations for Lambda
<a name="configuration-codesigning-create"></a>

To enable code signing for a function, you create a *code signing configuration* and attach it to the function. A code signing configuration defines a list of allowed signing profiles and the policy action to take if any of the validation checks fail.

**Note**  
Functions defined as container images do not support code signing.

**Topics**
+ [Configuration prerequisites](#config-codesigning-prereqs)
+ [Creating code signing configurations](#config-codesigning-config-console)
+ [Enabling code signing for a function](#config-codesigning-function-console)

## Configuration prerequisites
<a name="config-codesigning-prereqs"></a>

Before you can configure code signing for a Lambda function, use AWS Signer to do the following:
+ Create one or more [signing profiles](https://docs.aws.amazon.com/signer/latest/developerguide/signing-profiles.html).
+ Use a signing profile to [create a signed code package for your function](https://docs.aws.amazon.com/signer/latest/developerguide/lambda-workflow.html).

## Creating code signing configurations
<a name="config-codesigning-config-console"></a>

A code signing configuration defines a list of allowed signing profiles and the signature validation policy.

**To create a code signing configuration (console)**

1. Open the [Code signing configurations page](https://console.aws.amazon.com/lambda/home#/code-signing-configurations) of the Lambda console.

1. Choose **Create configuration**.

1. For **Description**, enter a descriptive name for the configuration.

1. Under **Signing profiles**, add up to 20 signing profiles to the configuration.

   1. For **Signing profile version ARN**, choose a profile version's Amazon Resource Name (ARN), or enter the ARN.

   1. To add an additional signing profile, choose **Add signing profiles**.

1. Under **Signature validation policy**, choose **Warn** or **Enforce**.

1. Choose **Create configuration**.

## Enabling code signing for a function
<a name="config-codesigning-function-console"></a>

To enable code signing for a function, add a code signing configuration to the function.

**Important**  
Code signing configurations only prevent new deployments of unsigned code. If you add a code signing configuration to an existing function that has unsigned code, that code keeps running until you deploy a new code package.

**To associate a code signing configuration with a function (console)**

1. Open the [Functions page](https://console.aws.amazon.com/lambda/home#/functions) of the Lambda console.

1. Choose the function for which you want to enable code signing.

1. Open the **Configuration** tab.

1. Scroll down and choose **Code signing**.

1. Choose **Edit**.

1. In **Edit code signing**, choose a code signing configuration for this function.

1. Choose **Save**.

# Configuring IAM policies for Lambda code signing configurations
<a name="config-codesigning-policies"></a>

To grant permission for a user to access Lambda code signing API operations, attach one or more policy statements to the user policy. For more information about user policies, see [Identity-based IAM policies for Lambda](access-control-identity-based.md).

The following example policy statement grants permission to create, update, and retrieve code signing configurations.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateCodeSigningConfig",
        "lambda:UpdateCodeSigningConfig",
        "lambda:GetCodeSigningConfig"
      ],
      "Resource": "*"
    }
  ]
}
```

Administrators can use the `CodeSigningConfigArn` condition key to specify the code signing configurations that developers must use to create or update your functions.

The following example policy statement grants permission to create a function. The policy statement includes a `lambda:CodeSigningConfigArn` condition to specify the allowed code signing configuration. Lambda blocks `CreateFunction` API requests if the [CodeSigningConfigArn](https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html#lambda-CreateFunction-request-CodeSigningConfigArn) parameter is missing or does not match the value in the condition.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReferencingCodeSigningConfig",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:CodeSigningConfigArn": "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-0d4518bd353a0a7c6"
        }
      }
    }
  ]
}
```
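To see why the condition above forces developers to reference the approved configuration, here is a small evaluator for exactly this policy shape. It is an added example, not the IAM policy engine: it implements only `Effect`, `Action`, `Resource: "*"` and a `StringEquals` condition, treats a request that omits the `lambda:CodeSigningConfigArn` context key as failing the condition (so the statement grants nothing), and also accepts a list of ARNs under `StringEquals`, which goes slightly beyond the single-ARN policy on the page. The policy document is the one shown above; the request contexts are constructed.

```python
import json

# The policy from the page, embedded so the evaluator runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReferencingCodeSigningConfig",
      "Effect": "Allow",
      "Action": ["lambda:CreateFunction"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:CodeSigningConfigArn":
            "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-0d4518bd353a0a7c6"
        }
      }
    }
  ]
}
""")

CSC_ARN = "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-0d4518bd353a0a7c6"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _string_equals(expected, actual):
    # A missing context key never satisfies StringEquals: a CreateFunction call
    # without CodeSigningConfigArn therefore gets no Allow from this statement.
    return actual is not None and actual in _as_list(expected)

def statement_allows(stmt, action, context):
    """Constructed evaluator: Allow statements, Resource '*' and StringEquals only."""
    if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
        return False
    if "*" not in _as_list(stmt.get("Resource", "*")):
        return False
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(_string_equals(exp, context.get(key)) for key, exp in conditions.items())

def is_allowed(policy, action, context):
    """True if any statement in the policy allows the action for this request."""
    return any(statement_allows(s, action, context) for s in policy["Statement"])

if __name__ == "__main__":
    print(is_allowed(POLICY, "lambda:CreateFunction", {"lambda:CodeSigningConfigArn": CSC_ARN}))
    print(is_allowed(POLICY, "lambda:CreateFunction", {}))   # parameter omitted
```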

# Using tags on code signing configurations
<a name="tags-csc"></a>

You can tag code signing configurations to organize and manage your resources. Tags are free-form key-value pairs associated with your resources that are supported across AWS services. For more information about use cases for tags, see [Common tagging strategies](https://docs.aws.amazon.com//tag-editor/latest/userguide/best-practices-and-strats.html#tag-strategies) in the *Tagging AWS Resources and Tag Editor Guide*. 

 You can use the AWS Lambda API to view and update tags. You can also view and update tags while managing a specific code signing configuration in the Lambda console.

**Topics**
+ [Permissions required for working with tags](#csc-tags-required-permissions)
+ [Using tags with the Lambda console](#tags-csc-console)
+ [Using tags with the AWS CLI](#tags-csc-cli)

## Permissions required for working with tags
<a name="csc-tags-required-permissions"></a>

To allow an AWS Identity and Access Management (IAM) identity (user, group, or role) to read or set tags on a resource, grant it the corresponding permissions:
+ **lambda:ListTags**: When a resource has tags, grant this permission to anyone who needs to call `ListTags` on it. For tagged functions, this permission is also necessary for `GetFunction`.
+ **lambda:TagResource**: Grant this permission to anyone who needs to call `TagResource` or to tag a resource when creating it.

Optionally, consider granting the **lambda:UntagResource** permission as well to allow `UntagResource` calls to the resource.

For more information, see [Identity-based IAM policies for Lambda](access-control-identity-based.md).

## Using tags with the Lambda console
<a name="tags-csc-console"></a>

You can use the Lambda console to create code signing configurations that have tags, add tags to existing code signing configurations, and filter code signing configurations by tag.

**To add a tag when you create a code signing configuration**

1. Open [Code signing configurations](https://console.aws.amazon.com/lambda/home#/code-signing-configurations) in the Lambda console.

1. From the header of the content pane, choose **Create configuration**.

1. In the section at the top of the content pane, set up your code signing configuration. For more information about configuring code signing configurations, see [Using code signing to verify code integrity with Lambda](configuration-codesigning.md).

1. In the **Tags** section, choose **Add new tag**.

1. In the **Key** field, enter your tag key. For information about tagging restrictions, see [Tag naming limits and requirements](https://docs.aws.amazon.com//tag-editor/latest/userguide/best-practices-and-strats.html#id_tags_naming_best_practices) in the *Tagging AWS Resources and Tag Editor Guide*.

1. Choose **Create configuration**.

**To add a tag to an existing code signing configuration**

1. Open [Code signing configurations](https://console.aws.amazon.com/lambda/home#/code-signing-configurations) in the Lambda console.

1. Choose the name of your code signing configuration.

1. In the tabs below the **Detail** pane, choose **Tags**.

1. Choose **Manage tags**.

1. Choose **Add new tag**.

1. In the **Key** field, enter your tag key. For information about tagging restrictions, see [Tag naming limits and requirements](https://docs.aws.amazon.com//tag-editor/latest/userguide/best-practices-and-strats.html#id_tags_naming_best_practices) in the *Tagging AWS Resources and Tag Editor Guide*.

1. Choose **Save**.

**To filter code signing configurations by tag**

1. Open [Code signing configurations](https://console.aws.amazon.com/lambda/home#/code-signing-configurations) in the Lambda console.

1. Choose the search box.

1. From the dropdown list, select your tag from below the **Tags** subheading.

1. Select **Use: "tag-name"** to see all code signing configurations tagged with this key, or choose an **Operator** to further filter by value.

1. Select your tag value to filter by a combination of tag key and value.

The search box also supports searching for tag keys. Enter the name of a key to find it in the list.

## Using tags with the AWS CLI
<a name="tags-csc-cli"></a>

You can add and remove tags on existing Lambda resources, including code signing configurations, with the Lambda API. You can also add tags when creating a code signing configuration, which allows you to keep a resource tagged through its entire lifecycle.

### Updating tags with the Lambda tag APIs
<a name="tags-csc-api-config"></a>

You can add and remove tags for supported Lambda resources through the [TagResource](https://docs.aws.amazon.com/lambda/latest/api/API_TagResource.html) and [UntagResource](https://docs.aws.amazon.com/lambda/latest/api/API_UntagResource.html) API operations.

You can call these operations using the AWS CLI. To add tags to an existing resource, use the `tag-resource` command. This example adds two tags, one with the key *Department* and one with the key *CostCenter*.

```bash
aws lambda tag-resource \
  --resource arn:aws:lambda:us-east-2:123456789012:resource-type:my-resource \
  --tags Department=Marketing,CostCenter=1234ABCD
```

To remove tags, use the `untag-resource` command. This example removes the tag with the key *Department*.

```bash
aws lambda untag-resource \
  --resource arn:aws:lambda:us-east-1:123456789012:resource-type:resource-identifier \
  --tag-keys Department
```

### Adding tags when creating a code signing configuration
<a name="tags-csc-on-create"></a>

To create a new Lambda code signing configuration with tags, use the [CreateCodeSigningConfig](https://docs.aws.amazon.com//lambda/latest/api/API_CreateCodeSigningConfig.html) API operation. Specify the `Tags` parameter. You can call this operation with the `create-code-signing-config` AWS CLI command and the `--tags` option. For more information about the CLI command, see [create-code-signing-config](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-code-signing-config.html) in the *AWS CLI Command Reference*.

Before using the `Tags` parameter with `CreateCodeSigningConfig`, ensure that your role has permission to tag resources alongside the usual permissions needed for this operation. For more information about permissions for tagging, see [Permissions required for working with tags](#csc-tags-required-permissions).

### Viewing tags with the Lambda tag APIs
<a name="tags-csc-api-view"></a>

To view the tags that are applied to a specific Lambda resource, use the `ListTags` API operation. For more information, see [ListTags](https://docs.aws.amazon.com/lambda/latest/api/API_ListTags.html).

You can call this operation with the `list-tags` AWS CLI command by providing an ARN (Amazon Resource Name).

```bash
aws lambda list-tags --resource arn:aws:lambda:us-east-1:123456789012:resource-type:resource-identifier
```

### Filtering resources by tag
<a name="tags-csc-filtering"></a>

You can use the AWS Resource Groups Tagging API [GetResources](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) API operation to filter your resources by tags. The `GetResources` operation accepts up to 10 filters, with each filter containing a tag key and up to 10 tag values. You provide `GetResources` with a `ResourceType` to filter by specific resource types.

You can call this operation using the `get-resources` AWS CLI command. For examples of using `get-resources`, see [get-resources](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/resourcegroupstaggingapi/get-resources.html#examples) in the *AWS CLI Command Reference*. 