Ensure that the AWS Lambda functions configured as action group executors for your Amazon Bedrock agents have code signing enabled. Amazon Bedrock agents use action groups to carry out tasks by invoking Lambda functions that contain business logic. Code signing for AWS Lambda uses AWS Signer to verify that only trusted, digitally signed code packages are deployed to your functions. When you attach a code signing configuration to a Lambda function, Lambda validates all new code deployments against the allowed signing profiles, checking for integrity, expiry, signing profile mismatch, and revocation.
Lambda functions serving as action group executors for Amazon Bedrock agents often have elevated privileges and access to sensitive resources, making them high-value targets for code injection attacks. Without code signing, any principal with lambda:UpdateFunctionCode or lambda:PublishLayerVersion permissions can silently modify the function code or inject malicious layers, potentially allowing an attacker to exfiltrate data, escalate privileges, or manipulate agent behavior. Enabling code signing ensures that only code packages signed by trusted AWS Signer profiles can be deployed, providing a strong defense-in-depth layer against supply chain attacks and unauthorized code modifications.
Audit
To determine if the Lambda functions used by your Amazon Bedrock Agent action groups have code signing configuration enabled, perform the following operations:
Remediation / Resolution
To enable code signing for the Lambda functions used by your Amazon Bedrock Agent action groups, you must create a code signing configuration with allowed signing profiles and attach it to each Lambda function. To enable code signing, perform the following operations:
Note: Code signing configurations only prevent new deployments of unsigned code. If you add a code signing configuration to an existing function that has unsigned code, that code continues running until you deploy a new signed code package. You must also ensure that a valid AWS Signer signing profile exists before creating the code signing configuration.References
- AWS Documentation
- Using code signing to verify code integrity with Lambda - AWS Lambda
- Creating code signing configurations for Lambda - AWS Lambda
- Lambda code signing with AWS Signer - AWS Lambda
- What is AWS Signer? - AWS Signer
- Add an action group to your agent in Amazon Bedrock - Amazon Bedrock
- Automate tasks in your application using AI agents - Amazon Bedrock
- Managing Lambda dependencies with layers - AWS Lambda
- AWS Command Line Interface (CLI) Documentation
- list-agents
- list-agent-action-groups
- get-agent-action-group
- get-function-code-signing-config
- create-code-signing-config
- put-function-code-signing-config