AWSSecurity

AWS Signer & Lambda — SAA-C03 Practice Question

A representative AWS Solutions Architect Associate (SAA-C03) exam question on AWS Signer & Lambda. Work through it below, then read why each option is right or wrong.

Short answer

The correct answer is A. Configure AWS Signer to create a signing profile, sign Lambda deployment packages during the CI/CD pipeline, and attach a code signing configuration to the Lambda function that enforces signature validation on deployment.

AWS Signer is purpose-built for code signing. By creating a signing profile, the release engineering team signs approved deployment packages. When a code signing configuration is attached to the Lambda function with enforcement enabled, Lambda automatically rejects any deployment package that lacks a valid signature or whose signature does not match the trusted signing profile. This provides cryptographic assurance that only approved code runs in production.

The Question

A financial services company deploys Lambda functions that process payment transactions. Their compliance team requires that only approved, tamper-proof code packages are deployed to production Lambda functions. The team needs an automated mechanism to reject any deployment package that has not been verified by their release engineering team. Which solution meets these requirements?

AConfigure AWS Signer to create a signing profile, sign Lambda deployment packages during the CI/CD pipeline, and attach a code signing configuration to the Lambda function that enforces signature validation on deploymentCorrect
BEnable AWS CloudTrail to log all Lambda deployments and create an EventBridge rule that reverts any deployment not tagged with an approved hash
CStore Lambda deployment packages in S3 with server-side encryption enabled and restrict upload permissions to the release engineering team's IAM role
DUse AWS Config rules to evaluate Lambda function code hashes against an approved list and trigger automatic remediation for non-compliant functions

Why A is correct

AWS Signer is purpose-built for code signing. By creating a signing profile, the release engineering team signs approved deployment packages. When a code signing configuration is attached to the Lambda function with enforcement enabled, Lambda automatically rejects any deployment package that lacks a valid signature or whose signature does not match the trusted signing profile. This provides cryptographic assurance that only approved code runs in production.

Why the other options are wrong

Option B: Enable AWS CloudTrail to log all Lambda deployments and create an EventBridge rule that reverts any deployment not tagged with an approved hash

CloudTrail logging and EventBridge rules provide detection and reaction after deployment, not prevention. There would be a window where unsigned code could execute before being reverted, which violates the compliance requirement.

Option C: Store Lambda deployment packages in S3 with server-side encryption enabled and restrict upload permissions to the release engineering team's IAM role

S3 encryption protects data at rest but does not verify code integrity or authorship. Restricting upload permissions helps but does not prevent a compromised CI/CD pipeline from deploying unauthorized code directly to Lambda.

Option D: Use AWS Config rules to evaluate Lambda function code hashes against an approved list and trigger automatic remediation for non-compliant functions

AWS Config rules evaluate compliance after the fact and remediation introduces a delay. The function could briefly run unapproved code before Config detects the violation, failing to meet the requirement for rejection at deployment time.

Key idea: AWS Signer & Lambda

Why A is correct: AWS Signer is purpose-built for code signing. By creating a signing profile, the release engineering team signs approved deployment packages. When a code signing configuration is attached to the Lambda function with enforcement enabled, Lambda automatically rejects any deployment package that lacks a valid signature or whose signature does not match the trusted signing profile. This provides cryptographic assurance that only approved code runs in production. Why B is wrong: CloudTrail logging and EventBridge rules provide detection and reaction after deployment, not prevention. There would be a window where unsigned code could execute before being reverted, which violates the compliance requirement. Why C is wrong: S3 encryption protects data at rest but does not verify code integrity or authorship. Restricting upload permissions helps but does not prevent a compromised CI/CD pipeline from deploying unauthorized code directly to Lambda. Why D is wrong: AWS Config rules evaluate compliance after the fact and remediation introduces a delay. The function could briefly run unapproved code before Config detects the violation, failing to meet the requirement for rejection at deployment time. On the SAA-C03 exam, questions in the "Security" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.

Ready to see how you'd score?

Take the free practice quiz and find out which AWS Solutions Architect Associate domains you need to focus on. No signup required.

Practice 5 similar questions

Same cert, same or adjacent domain. Use these after reviewing the explanation.

Related AWS Solutions Architect Associate Practice Questions