Note: In case you are looking for a panacea, the following project is on 👉 Github 👈. Alternatively, Click Here to launch the AWS CloudFormation Create Stack console with the prepopulated master template in the Ohio region. ~GD

Welcome to the first part of How to Build a DevSecOps Pipeline in AWS.

DevSecOps is the new buzz and definitely a potential candidate to scare people in the ever-changing software industry. When I heard the term for the first time, my inner voice said it out loud: "When did this just happen, and why is SEC sandwiched between them?" Later on, to look cool, I started adding DevSecOps to my profile, but the dire consequence was a complete disappointment. DevSecOps isn't just about understanding security by heart & fitting it into DevOps. A good analogy would be not to imagine your ex with someone, especially with your girlfriend/wife. In simple terms, it is all about "shift left on security", i.e. introducing security as early as possible in the SDLC.

I am not going to bore you with definitions and concepts, as I am a pragmatist. My objective here is to demonstrate how DevSecOps works in reality. Everything is covered from scratch, so you won't face any difficulty understanding it. In case of any clarification, drop me a note on LinkedIn.

The series is split into two parts (refer below), with very simple and clear instructions to provision a CI/CD pipeline adhering to DevSecOps principles in AWS. Feel free to explore them with ease and skip to the one which is relevant to you.

Part I - Provision the DevSecOps pipeline using a CloudFormation template.
Part II - Understand the various build, deployment & security stages in the DevSecOps pipeline.

Myth buster: Automation isn't the only thing you do in a DevSecOps workflow. It's a whole set of principles, paradigms & security best practices you introduce in every stage of the SDLC. The tutorial here focuses on the automation part of it.
Thus, gear up to learn how to bring security build and test stages into a CI/CD pipeline & get continuous feedback.

Prerequisites:
You need an AWS Free Tier account to run the CloudFormation template, which does all the necessary setup for the upcoming demo. All the resources provisioned through the CloudFormation template come under either Free Tier eligibility or a Free Trial. The project is on Github for your reference.

How does it work:
In this tutorial I have used open-source tools to build the DevSecOps pipeline, to make the demo more achievable. The diagram below depicts the tools and native services used, along with the security control gates applied in the process.

Architecture:
You are going to build the CI/CD pipeline below in AWS using AWS native developer tools: AWS CodePipeline, AWS CodeBuild & AWS CodeCommit. The entire provisioning is done using a CloudFormation template; it just requires plug & play. I will explain the deployment process as you move forward.

The main steps are as follows:

1. First, you launch the entire DevSecOps pipeline using a master CloudFormation template. Refer to the reference architecture above.
2. The pipeline is divided into four parts.
3. The 1st part stores the source code in AWS CodeCommit, which is an AWS native private repository. The master template auto-populates a sample application in the repository. You need to clone the sample code from the repository to interact with the pipeline and modify it.
4. The 2nd part contains the following build stages, which perform static code analysis using AWS CodeBuild.
   4.1 Git-secrets scans Git source repositories and finds code that may potentially include sensitive information, such as user passwords, or that has other security issues, & notifies of any breach via email.
   4.2 Insider CLI (SAST) is an open-source tool that performs static code analysis.
   4.3 OWASP Dependency-Check (SCA) is an open-source tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
   4.4 Cfn_nag (IaC, optional) is an open-source scanner that looks for patterns in CloudFormation templates that may indicate insecure infrastructure. This is an optional build stage, which can be disabled while launching the master template if not required.
5. The 3rd part builds a pre-prod environment that hosts the sample application and also performs dynamic testing, integrated with AWS CodeBuild.
   5.1 A CloudFormation stack facilitates the deployment. At first a changeset is created & then the changeset is executed to bring the sample application up & running. The sample application runs on an autoscaling group backed by a VPC and an ALB.
   5.2 OWASP ZAP (DAST) is an open-source tool that performs dynamic code analysis on the running application.
   5.3 Manual approval is required to move to the next stage.
6. The 4th part (optional) is something readers can explore by themselves, where they need to create a replica of the pre-prod environment to host the same sample application and bring up the production environment.

So let's see something happen now:

To set up the sample DevSecOps pipeline, log in to the AWS account if you haven't done so already. Click 👉 here 👈 to launch the AWS CFN console with the prepopulated master template in the Ohio region. If you want to run the template in a different AWS region, change the region from the top right corner. Additionally, you can find the latest code on GitHub.

*** Refer to the Clean Up section below to initiate decommissioning of the running resources ***

Fill in the stack parameters as shown below, acknowledge the required capabilities [AWS::CloudFormation::Stack], click Create to execute the pipeline and wait for the CloudFormation stack to complete.

CodeCommit Repository Name: Self-explanatory.
CodeCommit Repository Description: Self-explanatory.
TemplateFolder: The folder in your repo that contains the AWS CloudFormation templates. Keep it default.
Enable CFN-Nag (IaC Scanner): Whether to enable cfn-nag; it requires Security Hub to be enabled in your AWS account. Click here to follow the instructions to enable Security Hub (Free Trial) in your AWS account.
Weight coefficient for failing: The weight coefficient for a failing violation in the template. Keep it default.
Weight coefficient for warning: The weight coefficient for a warning in the template. Keep it default.
Fail build: Whether to fail the cfn-nag build stage when security findings are detected, based on the weight coefficients. Keep it false for a smooth transition.
Insider CLI Technology Stack: The technology stack for Insider CLI to scan for vulnerabilities. Supported technologies: android, java, ios, javascript & csharp. Keep it default, as the demo application uses Java.
Insider CLI Score: If the score is set between 0 and 100, the exit code from Insider CLI indicates whether a vulnerability with a score equal to or higher was identified. Keep it default.
Fail On CVSS: If the score is set between 0 and 10, the exit code from dependency-check indicates whether a vulnerability with a CVSS score equal to or higher was identified. Keep it default.
Enter the Email ID: Email ID to get critical alerts, e.g. an AWS access key detected in the code repository. NOTE: To get email alerts, subscribe to the AWS Notification mail sent to the entered email ID.
The subscription's protocol: Self-explanatory.
S3 bucket with sources: This bucket contains all sources, such as the Lambda function and templates. You can keep the default if you're not customizing the sources.
Prefix for S3 bucket with sources: The prefix for all objects. You can keep the default if you're not customizing the sources.
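The Git-secrets stage (step 4.1) and the pipeline test further down (pushing a file that contains dummy AWS access keys) both come down to pattern matching for AWS credentials. The Python script below is an added illustration, not code from the tutorial or its repository: it applies the two regular expressions that `git secrets --register-aws` installs, skips the AWS documentation placeholder keys the same way git-secrets' default allowed list does, and returns a pre-commit style exit code, so the same check can run locally before the pipeline ever sees the commit. The sample file and its key-shaped values are constructed for the example.

```python
"""Local check for AWS credentials in files about to be committed.

Added illustration, not code from the tutorial repository. The two patterns
are the ones `git secrets --register-aws` installs; the sample file is constructed.
"""
import re
import sys

# Access key IDs: a documented key-type prefix followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(
    r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
)
# Secret access keys: an aws_secret_access_key-style name assigned a 40-character value.
AWS_SECRET_ACCESS_KEY = re.compile(
    r'''("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?'''
    r'''_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/+=]{40}("|')?'''
)
RULES = (("aws-access-key-id", AWS_ACCESS_KEY_ID),
         ("aws-secret-access-key", AWS_SECRET_ACCESS_KEY))

# AWS documentation placeholders; git-secrets' --register-aws allows these by default.
ALLOWED = ("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")


def scan_text(text, allow_examples=True):
    """Return (line_number, rule, matched_text) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                if allow_examples and any(a in match.group(0) for a in ALLOWED):
                    continue  # documentation placeholder, not a real secret
                findings.append((lineno, rule, match.group(0)))
    return findings


def check(text):
    """Pre-commit style verdict: 1 (block the commit) if anything matched, else 0."""
    findings = scan_text(text)
    for lineno, rule, matched in findings:
        # Print only a prefix so the hook itself never echoes a full credential.
        print(f"line {lineno}: {rule}: {matched[:8]}...")
    return 1 if findings else 0


# Constructed sample file; the key-shaped values are made up for this example.
SAMPLE_FILE = """\
[default]
region = us-east-2
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
# documentation placeholder, allowed by default
example_key = AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    # Usage: python check_secrets.py <file> ...  (scans the sample when no files are given)
    paths = sys.argv[1:]
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or [SAMPLE_FILE]
    sys.exit(max(check(t) for t in texts))
```

On the sample, the constructed access key ID and secret key are reported while the documentation placeholder is ignored; wired into a pre-commit hook, a non-zero exit blocks the commit, which is the same outcome the pipeline's Secrets-Check stage produces one step later and with an email alert attached.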
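Several of the parameters above (the cfn-nag weight coefficients together with Fail build, Insider CLI Score, and Fail On CVSS) are threshold gates: a scanner report is reduced to a number and the build stage's exit code depends on how that number compares with the configured threshold. The Python below is an added illustration of that gate logic, not the master template's buildspec: the weighted cfn_nag arithmetic, the default weights and the two report shapes are assumptions made for this example, and both reports are constructed samples.

```python
"""Threshold gates of the kind the stack parameters configure.

Added illustration; the template's own buildspec arithmetic is not on the page.
The weighted cfn_nag score, the default weights and the two report shapes are
assumptions made for this example, and both reports are constructed samples.
"""


def cfn_nag_score(report, fail_weight=20, warn_weight=10):
    """Weighted score over a cfn_nag JSON report (list of per-file results).

    Each FAIL violation adds fail_weight, each WARN violation adds warn_weight;
    a violation that names several resources counts once per resource.
    """
    score = 0
    for file_result in report:
        for violation in file_result["file_results"]["violations"]:
            weight = fail_weight if violation["type"] == "FAIL" else warn_weight
            score += weight * max(1, len(violation.get("logical_resource_ids", [])))
    return score


def cfn_nag_gate(report, fail_build=False, **weights):
    """Exit code for the cfn-nag stage: findings only fail the build when fail_build is set."""
    return 1 if fail_build and cfn_nag_score(report, **weights) > 0 else 0


def max_cvss(report):
    """Highest CVSS score in a dependency-check JSON report (v3 preferred, v2 fallback)."""
    highest = 0.0
    for dependency in report.get("dependencies", []):
        for vuln in dependency.get("vulnerabilities", []):
            v3 = vuln.get("cvssv3", {}).get("baseScore")
            v2 = vuln.get("cvssv2", {}).get("score")
            highest = max(highest, float(v3 if v3 is not None else (v2 or 0.0)))
    return highest


def threshold_gate(highest, threshold):
    """Generic rule shared by Insider CLI Score (0-100) and Fail On CVSS (0-10):
    non-zero exit when the worst finding scores at or above the threshold."""
    return 1 if highest >= threshold else 0


# Constructed cfn_nag-style report: one FAIL naming two resources, one WARN.
SAMPLE_CFN_NAG = [{
    "filename": "templates/app.yaml",
    "file_results": {
        "failure_count": 2,
        "violations": [
            {"id": "F1000", "type": "FAIL",
             "message": "Missing egress rule means all traffic is allowed outbound",
             "logical_resource_ids": ["AppSecurityGroup", "AlbSecurityGroup"]},
            {"id": "W35", "type": "WARN",
             "message": "S3 Bucket should have access logging configured",
             "logical_resource_ids": ["ReportsBucket"]},
        ],
    },
}]

# Constructed dependency-check-style report; CVE ids are placeholders, not real entries.
SAMPLE_DEPENDENCY_CHECK = {
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-0001", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "other-lib-2.3.jar",
         "vulnerabilities": [{"name": "CVE-0000-0002", "cvssv2": {"score": 4.3}}]},
    ]
}

if __name__ == "__main__":
    print("cfn_nag score:", cfn_nag_score(SAMPLE_CFN_NAG),
          "exit:", cfn_nag_gate(SAMPLE_CFN_NAG, fail_build=True))
    worst = max_cvss(SAMPLE_DEPENDENCY_CHECK)
    print("max CVSS:", worst, "exit at 7.0:", threshold_gate(worst, 7.0))
```

The point of keeping the score and the verdict in separate functions is the "Keep it false for a smooth transition" advice above: with fail_build left false the stage still computes and reports the weighted score, so you can watch the numbers for a few runs before turning the gate into a hard failure.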
View the DevSecOps Pipeline:
Click here to open the AWS CodePipeline console; change the region if you have run the template in a different region. Navigate to the required pipeline and you will see something similar to the below. I have explained all the CodePipeline stages in the second part of the tutorial; alternatively, click here to navigate to the second part.

How to initiate the Pipeline:
Now, if you want to trigger or modify the pipeline, you need to clone the code from the repository. Go to AWS CodeCommit & select the repository, e.g. AWSDevSecOpsTutorial. In the top right corner you will see the Clone URL option. Follow the AWS Doc, which has all the procedures to access the CodeCommit repository from your local system.

To test the pipeline, 👉 download 👈 the following file (it contains dummy AWS access keys), commit and push the changes to the remote repository. If you see an email alert or Secrets-Check failed in the build stage: Congratulations, you have successfully configured the pipeline on AWS (👍 ͡⚈ ͜ʖ ͡⚈)👍.

Clean Up:
Cleanup is a bit tricky, so follow the instructions carefully. Click here to go to the CloudFormation stacks page (select the correct region where the master template is running). Look for the stack with the name Pre-Prod-DevSecOps* & initiate the delete. With due diligence, the pre-prod stack needs to be deleted first. If you have deleted the other stack or the master stack (e.g. DevSecOpsTutorial*), you won't be able to delete the pre-prod stack.

Post deletion of the first stack, you can initiate the delete of the Master Stack. No need to touch the nested stack; keep it as it is. It will be removed automatically when the master template gets deleted.

Troubleshooting:
You may encounter the following issue while deleting the master stack: "The bucket you tried to delete is not empty (Service: Amazon S3; Status Code: 409; Error Code: BucketNotEmpty)".
Thus, you explicitly need to go to the S3 buckets, empty the objects inside them and rerun the stack delete. Note: Versioning is enabled on the bucket aws-sec-build-reports-*, so you need to list all the objects and delete them.

You may also find that the pipeline didn't execute all stages successfully when AWS CodePipeline starts automatically at the time of provisioning. Once all the build stages are completed in the initial phase, click Release change in the top right corner.

Reference: https://aws.amazon.com/blogs/security/integrating-aws-cloudformation-security-tests-with-aws-security-hub-and-aws-codebuild-reports/

Congratulations for coming so far. In the next part, I will explain all the CodePipeline stages in detail. Hope to see you again 😊.

We have come a long way; kindly share and help me on my mission to educate and familiarize people in the world of digitization 💪

#This is a free tutorial and all my upcoming tutorials will be free and accessible from public forums#

I would appreciate it if you drop me a note on LinkedIn & share your opinion. Don't worry, I don't bite 👻 so don't shy away 🏃🏻‍♀️ 🏃🏻. Your feedback will help me to come up with more awesome content on the internet.
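Coming back to the Troubleshooting note above about the versioned aws-sec-build-reports-* bucket: a versioned bucket only counts as empty once every object version and every delete marker is gone, which is why removing just the current objects still leaves the BucketNotEmpty error behind. The Python below is an added example, not part of the tutorial or its repository. It assumes boto3 is installed and configured with credentials allowed to list and delete from the bucket, keeps the page-flattening logic separate so it can be exercised on the constructed sample response, and sends deletions in batches of 1000 keys, the DeleteObjects limit.

```python
"""Empty a versioned S3 bucket so a CloudFormation stack delete can succeed.

Added example, not part of the tutorial repository. Assumes boto3 and AWS
credentials that may list and delete objects in the bucket.
"""


def collect_version_ids(pages):
    """Flatten ListObjectVersions pages into {Key, VersionId} entries.

    Both "Versions" and "DeleteMarkers" must be removed: a delete marker is a
    version too, and a bucket holding only markers is still not empty.
    """
    entries = []
    for page in pages:
        for item in page.get("Versions", []) + page.get("DeleteMarkers", []):
            entries.append({"Key": item["Key"], "VersionId": item["VersionId"]})
    return entries


def batch(entries, size=1000):
    """Split into DeleteObjects-sized requests (at most 1000 keys each)."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


def empty_versioned_bucket(bucket_name):
    """Delete every version and delete marker; returns the number of entries removed."""
    import boto3  # imported here so the pure helpers above work without it installed
    s3 = boto3.client("s3")
    paginator = s3.get_paginator("list_object_versions")
    entries = collect_version_ids(paginator.paginate(Bucket=bucket_name))
    for chunk in batch(entries):
        s3.delete_objects(Bucket=bucket_name, Delete={"Objects": chunk, "Quiet": True})
    return len(entries)


# Constructed sample shaped like two ListObjectVersions pages: two versions of one
# object, a delete marker for a second object, and one version of a third.
SAMPLE_PAGES = [
    {"Versions": [{"Key": "reports/a.json", "VersionId": "v1"},
                  {"Key": "reports/a.json", "VersionId": "v2"}],
     "DeleteMarkers": [{"Key": "reports/b.json", "VersionId": "dm1"}]},
    {"Versions": [{"Key": "reports/c.json", "VersionId": "v3"}]},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        removed = empty_versioned_bucket(sys.argv[1])
        print(f"removed {removed} versions/markers from {sys.argv[1]}")
    else:
        print(f"dry run: {len(collect_version_ids(SAMPLE_PAGES))} entries would be deleted")
```

Run it as `python empty_bucket.py <bucket-name>` after the pre-prod stack is gone and before retrying the master stack delete; with no argument it only reports what the constructed sample would delete. Scope the credentials to that one bucket, since the same call pattern empties any versioned bucket it is pointed at.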