Adding the Sec to Your DevOps Pipelines

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nate Case & Dave Walker
Security Geeks
Workshop Guide: https://tinyurl.com/yakft2rq
DevSecOps on AWS
Introduction to DevSecOps

Agenda
Setup the initial Account
- Run the Cloudformation
(This can take a bit, so while we wait..)
• Introduction to DevSecOps
• Introduction to Pipelines
Review of the Pipeline
- Correct the code! Or the rule?
- Test the Test environment
- Amazon Systems Manager
- To manual or not to manual?
- Finished!

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introduction to DevSecOps

What is DevOps?
Cultural
Philosophy
Practices Tools

What is DevOps?
Break down cultural barriers
Work as one team
Support business and IT agility
Collaborate and communicate
Treat infrastructure as code
Automate
Test, measure, and monitor
Culture
Process

Why do organizations adopt DevOps?
Faster time to value
Agility
Quality
Speed

Competing Forces
Business
Development Operations
Build it faster Keep it stable
Security
Make it
secure

What is DevSecOps?
DevSecOps is the combination of cultural
philosophies, practices, and tools that exploits
the advances made in IT automation to achieve
a state of production immutability, frequent
delivery of business value, and automated
enforcement of security policy.
DevSecOps is achieved by integrating and
automating the enforcement of preventive,
detective, and responsive security controls into
the pipeline.
Security
OperationsDevelopment

Tenets of DevSecOps
1. Test security as early as possible to accelerate
feedback.
2. Prioritize preventive security controls to stop bad
things from happening.
3. When deploying a detective security control, ensure it
has a complementary responsive security control to
do something about it.
4. Automate, automate, automate.

Three Major Components to DevSecOps
1. Security OF the pipeline
2. Security IN the pipeline
3. Enforcement of the pipeline

Security OF the pipeline
Use the Core 5 Security Epics from the CAF
• Identity and Access Management
• Detective Controls
• Infrastructure Security
• Data Protection
• Incident Response
Security OF the Pipeline module will provide guidance

Security IN the pipeline
Static analysis
• Infrastructure-as-code
• Security-as-code
Dynamic analysis
• Unit tests
• Integration tests
• System tests

Enforce the pipeline
Establish environments (e.g. Sandbox, Dev, Test, Prod)
Humans should have increasingly fewer rights as you
progress through environments
Only the pipeline should be able to “make changes” to
Prod

What is a Pipeline?
Build automation
Continuous Integration
• Deployment automation
Test automation
Service Orchestration

CI vs CD
Continuous Integration
Techniques and tools to
implement the continuous process
of applying quality control; in
general, small pieces of effort,
applied frequently, to improve
the quality of software, and to
reduce the time taken to deliver
it.
Continuous Deployment
Techniques and tools to improve
the process of software delivery,
resulting in the ability to rapidly,
reliably, and repeatedly push out
enhancements and bug fixes to
customers at low risk and with
minimal manual overhead.

Promotion Process in Continuous Deployment

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Pipelines as Workloads

Pipeline as a workload
Securing the application starts with securing the pipeline
The CI/CD pipeline is a workload
Its purpose is to integrate and deliver other workloads
It has users, supporting infrastructure, application, and
data components, etc.
Those components are typically managed as code …

Infrastructure as Code is a practice
where by traditional infrastructure
management techniques are
supplemented and often replaced by
using code based tools and software
development techniques.

AWS Resources
Operating System and
Host Configuration
Application
Configuration
Amazon Virtual Private
Cloud (VPC)
Amazon Elastic
Compute Cloud (EC2)
AWS Identity and Access
Management (IAM)
Amazon Relational
Database Service (RDS)
Amazon Simple Storage
Service (S3)
AWS CodePipeline
…
Windows Registry
Linux Networking
OpenSSH
LDAP
Centralized logging
System Metrics
Deployment agents
Host monitoring
…
Application dependencies
Application configuration
Service registration
Management scripts
Database credentials
…
AWS CloudFormation
AWS SSM
AWS CodeDeploy

allOfThis == $Code
https://secure.flickr.com/photos/wscullin/3770015991

Enforcing Least Privilege between pipelines
Pipeline can perform a specific job
E.g. Jenkins/Spinnaker/CodePipeline is a pipeline factory
Pipelines can be limited to blast radius-based functions
• Pipeline Factory
• AMI Factory
• Artifact Factory

Decompose security requirements for CI/CD
Remember that CI/CD is not a “thing” unto itself
CI/CD is a collection of microservices
In the same way we use the cloud to protect the cloud,
use Agile to deploy Agile
Start with Security epics and create user stories for
security features to include in the pipeline
Make the pipeline another reference architecture
Don’t forget that the pipeline is a workload!

Security Epics
Identity & Access Management
Logging & Monitoring
Infrastructure Security
Data Protection
Incident Response
Resilience
Compliance Validation
Secure CI/CD (DevSecOps)
Configuration & Vulnerability Analysis
Big Data Analytics
Bearded security guy
asks, “Who can list the
10 Security Epics of the
CAF in order?”

Top 10 11 IAM Best Practices
0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
5. Passwords
6. Rotation
7. MFA
8. Sharing
9. Roles
10.Root
Oops, looks
like a 0-based
code error
J

Some IAM risks for pipelines
Anyone can run build jobs
Consistent user management across build servers
Pipeline role is too permissive
Slave node adverse effects on Masters

Exercise: IAM for pipelines wrap-up
Could you write a user story for the DevOps team
managing the pipeline to implement?
• If not, what is missing?
What are the acceptance criteria for your user story?
How would you validate your user story?

Top Detective Controls Best Practices
1. Coordinate time sources (EC2 Time Sync!)
2. Capture all logs
3. Determine auditable events and audit record content
4. Protect the confidentiality and integrity of audit logs
(WORM)
5. Detect audit processing failures
6. Determine thresholds for warnings and alerts
7. Respond to warnings and alerts

Exercise: Detective Controls
• What produces logs?
• How are logs produced?
• Where do logs go?
• How do I protect my logs?
• What are the items of interest in my logs?
• At what threshold are those items interesting?
• What should I do when thresholds are exceeded?

Detective Controls for pipelines
Who logged in?
What code was committed and by whom?
What jobs did they run?
Did the jobs succeed/fail?
Was static/dynamic analysis enforced?
What were the results of the static/dynamic analysis?

Detective Controls for pipelines wrap-up
There are multiple consumers of logs produced by the
pipeline.
Fast feedback to the log consumers is critical.
Results of static/dynamic tests are as important as any
other audit trail.

Top Infrastructure Security Best Practices
Provision AWS accounts in accordance with team organization
Separate environments by their access levels
Create good architectures for pipelines (e.g. dedicated, shared,
team)
Whitelist the environments, API’s, and services the pipeline is
allowed to interact with
Use EC2 roles combined with IAM policies (and CloudTrail!) to
your advantage
Limit the blast radius!

Hopefully you've seen this already…
Developer
Sandbox
Dev Pre-Prod
Team/Group accounts
Security
Core accounts
AWS Organizations
Shared
Services
Network
Log
Archive
Prod
Team
Shared
Services
Network Path
Developer accounts Data Centre
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team SS: Team Shared Services, Data
Lake

Services
Security
Core accounts
AWS Organizations
Shared
Services
Network
Log
Archive
Network Path
Data Centre
Dev: Development
Pre-Prod: Staging
Prod: Production
Lake

Developers
Developer
Sandbox
Team/Group accounts
AWS Organizations
Network Path
Dev: Development
Pre-Prod: Staging
Prod: Production
Lake

Connections to Team Accounts
Developer
Sandbox
Team/Group accounts
AWS Organizations
Network Path
Dev: Development
Pre-Prod: Staging
Prod: Production
Lake
Core accounts
Dev Pre-Prod
Team/Group accounts
Prod
Team
Shared
Services

Team verses Production Accounts
Dev
Prod Green
Team/Group accounts
Prod Blue
Dev Pipeline account
Network Path
Data Centre
Dev: Development
Pre-Prod: Staging
Prod: Production
Lake
Testing Account
Prod Pipeline account
Network
Prod/Group accounts

Infrastructure Security risks to pipelines
Who has access to underlying infrastructure resources?
How are pipelines patched and updated?
How is least privilege between pipelines enforced?
Are my pipelines deploying into approved AWS accounts?
Does the pipeline align with organizational responsibility?

Infrastructure Security for pipelines wrap-up
The pipeline is a workload and needs to be treated with
the same rigor as other critical infrastructure.
Build a pipeline factory to build pipelines from known
good configurations.
Deploy workloads into known good environments.

Use IAM roles for Amazon EC2 instances
Benefits
Easy to manage access keys
on EC2 instances
Automatic key rotation
Assign least privilege to the
application
AWS SDKs fully integrated
AWS CLI fully integrated
How to get started
Create an IAM role
Assign permissions to role
Launch instances w / role
If not using SDKs, sign all
requests to AWS services
with the role’s temporary
credentials

Top Data Protection Best Practices
Control access and permissions to the code repository
Trigger builds automatically (time-based or event-based)
Use tokenization or dummy data in non-production
environments
Categorize data and enforce restrictions through pipeline
• For example, pipeline is configured to build Dev environment
is not allowed to pull Production data from repo

No more humans in production.
Dev
Prod Green
Team/Group accounts
Prod Blue
Dev Pipeline account
Network Path
Data Centre
Dev: Development
Pre-Prod: Staging
Prod: Production
Lake
Testing Account
Prod Pipeline account
Network
Prod/Group accounts

Data Protection risks for pipelines
Who can change/commit code?
How is production data prevented from being introduced
into non-prod environments?
How is artifact integrity maintained?

Data Protection for pipelines wrap-up
Control access and permissions to source repository:
artifacts are critical data for your pipeline.
Build pipelines that are environment-aware (e.g. prod vs.
non-prod).
Build artifact handlers to validate integrity across
pipelines and environments.

DevSecOps Benefits
• Confidence that workloads and changes are validated
against corporate security policies.
• Consistency and repeatability of security validation.
• Match the business’ pace of innovation.
• Security at scale!

Helpful Links
https://aws.amazon.com/devops/
https://aws.amazon.com/devops/what-is-devops/
https://stelligent.com/2015/01/20/deployment-
pipeline-aws/
https://aws.amazon.com/getting-started/projects/set-
up-ci-cd-pipeline/
https://aws.amazon.com/certification/certified-devops-
engineer-professional/
https://github.com/awslabs/git-secrets

Questions?

Core accounts
Core Accounts
AWS Organizations Master
Network Path
Data Center
Foundational
Building Blocks
Once per organization
Have their own development
life cycle (dev/qa/prod)

Log archive account
Core Accounts
Log
Archive
Network Path
Data Center
Versioned Amazon S3 bucket
Restricted
MFA delete
CloudTrail logs
Security logs
Single source of truth
Alarm on user login
Limited access

Security account
Core Accounts
Log
Archive
Network Path
Data Center
Optional data center
connectivity
Security tools and audit
GuardDuty Master
Cross-account read/write
Automated Tooling
Limited access
Security

Shared services account
Security
Core Accounts
Log
Archive
Network Path
Data Center
Connected to DC
DNS
LDAP
Shared Services VPC
Deployment tools
Golden AMI
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Snapshot lifecycle
Monitoring
Limited access
Shared
Services

Network account
Security
Core Accounts
Shared
Services
Log
Archive
Network Path
Data Center
Managed by
network team
Networking services
AWS Direct
Connect
Limited access
Network

Developer sandbox
Security
Core Accounts
Shared
Services
Network
Log
Archive
Network Path
No connection to
DC
Innovation space
Fixed spending limit
Autonomous
Experimentation
Developer
Sandbox
Developer Accounts

Team/group accounts
Developer
Sandbox
Security
Core Accounts
Shared
Services
Network
Log
Archive
Network Path
Developer Accounts Data Center
Based on level of needed
isolation
Match your development
lifecycle
Think Small
Team/Group Accounts

Dev
Developer
Sandbox
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Network Path
Develop and iterate
quickly
Collaboration space
Stage of SDLCDev

Pre-production
Developer
Sandbox
Dev
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Network Path
Connected to DC
Production-like
Staging
Testing
Automated Deployment
Pre-Prod

Production
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Network Path
Connected to DC
Production applications
Promoted from Pre-Prod
Limited access
Automated Deployments
Prod

Team shared services
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Prod
Network Path
Grows organically
Shared to the team
Product-specific common
services
Data lake
Common tooling
Common services
Team
Shared
Services

Innovation pipeline
Developer
Accounts
Developer Accounts
PoC
Developer
Accounts
Developer Accounts
Dev
Pre-Prod
Team/Group Accounts
Prod
Shared
Services
PoC
New initiatives
Experimentation
Innovation

Multi-account approach
Developer
Sandbox
Dev Pre-Prod
Team/Group Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Prod
Team
Shared
Services
Network Path
Shared services: Directory, limit
monitoring
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Lake

Team: Billing tools
Developer
Sandbox
Dev Pre-Prod
Billing Tools Team Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Prod
Network Path
Reduces access to
Organizations account
Billing reports
Usage metrics and
reporting
Usage optimizations and
RI management

Team: Internal audit
Developer
Sandbox
Dev Pre-Prod
Internal Audit Team Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Prod
Network Path
Regulatory compliance
Read-only access to
needed logs
Limited access
ENT315: Automate and
Audit Cloud Governance
and Compliance in your
Landing Zone

Team: Amazing new product
Developer
Sandbox
Dev Pre-Prod
Amazing New Product Team Accounts
Security
Core Accounts
Shared
Services
Network
Log
Archive
Prod
Network Path
Match your development
lifecycle
Think Small

Adding the Sec to Your DevOps Pipelines

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Adding the Sec to Your DevOps Pipelines

Ähnlich wie Adding the Sec to Your DevOps Pipelines (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Adding the Sec to Your DevOps Pipelines