Requirement Summary:
Prevent unauthorized code changes in AWS Lambda
Ensure only trusted code is deployed
AWS Lambda supports Code Signing:
You can configure code signing in Lambda using AWS Signer
Packages must be digitally signed and verified against the signing profile
Rejects unauthorized/modified packages automatically
Evaluate Options:
A. Trusted code option in CodeDeploy
No such feature exists for Lambda
CodeDeploy is more for EC2/On-Prem/Containers, not Lambda code signing
B. Define code signing config + use AWS Signer
This is exactly how AWS enforces trusted code deployment
Attach a code signing configuration to the Lambda function
Use AWS Signer to digitally sign deployment packages
C. Link to KMS to sign code
KMS is not used to sign Lambda packages
KMS is for data encryption, not application code integrity
D. Set KmsKeyArn
This configures data encryption, not code signing
Lambda code signing: https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html
AWS Signer overview: https://docs.aws.amazon.com/signer/latest/developerguide/what-is-signer.html
