Note: In case you are looking for a panacea, the following project is on 👉 GitHub 👈. Alternatively, click here to launch the AWS CloudFormation Create Stack console with the prepopulated master template in the Ohio region. ~GD
Welcome to the first part of How to Build a DevSecOps Pipeline in AWS. DevSecOps is the new buzzword and definitely a potential candidate to scare people in the ever-changing software industry. When I heard the term for the first time, my inner voice said out loud, "When did this just happen, and why is SEC sandwiched between them?". Later on, to look cool, I started adding DevSecOps to my profile, but the dire consequence was complete disappointment. DevSecOps isn't just about learning security by heart and bolting it onto DevOps. A good analogy would be not to imagine your ex with someone else, especially with your girlfriend/wife. In simple terms, it is all about "shift left on security", i.e. introducing security as early as possible in the SDLC. I am not going to bore you with definitions and concepts, though, as I am a pragmatist.
Thus, my objective here is to demonstrate how DevSecOps works in reality.
Everything is covered from scratch, so you won't face any difficulty understanding it. In case you need any clarification, drop me a note on LinkedIn. Feel free to explore the parts at your own pace and skip to the one that is relevant to you. The series is split into two parts (refer below), with very simple and clear instructions to provision a CI/CD pipeline adhering to DevSecOps principles in AWS.
Myth buster: Automation isn't the only thing you do in a DevSecOps workflow. It is a whole set of principles, paradigms and security best practices that you introduce at every stage of the SDLC. The tutorial here focuses on the automation part of it. So gear up to learn how to bring security build and test stages into a CI/CD pipeline and get continuous feedback.
In this tutorial, I have used open-source tools to build the DevSecOps pipeline so that the demo is easier to reproduce. The diagram below depicts the tools and native services used, along with the security control gates applied in the process.
You are going to build the CI/CD pipeline below in AWS using AWS native developer tools such as AWS CodePipeline, AWS CodeBuild and AWS CodeCommit. The entire provisioning is done with a CloudFormation template; it is plug and play. I will explain the deployment process as you move forward.
The main steps are as follows:
1. First, you launch the entire DevSecOps pipeline using a master CloudFormation template. Refer to the reference architecture above.
2. The pipeline is divided into four parts.
3. The 1st part stores the source code in AWS CodeCommit, which is an AWS native private repository. The master template auto-populates a sample application in the repository. You need to clone the sample code from the repository to interact with the pipeline and modify it.
4. The 2nd part contains the following build stages, which perform static code analysis using AWS CodeBuild.
   4.1 Git-secrets scans Git source repositories and finds code that may potentially include sensitive information, such as user passwords, or that has other security issues, and notifies you of any finding via email.
   4.2 Insider CLI is an open-source SAST tool that performs static code analysis.
   4.3 OWASP Dependency-Check is an open-source SCA tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
   4.4 Cfn_nag (optional) is an open-source IaC scanner that looks for patterns in CloudFormation templates that may indicate insecure infrastructure. This is an optional build stage, which can be disabled while launching the master template if not required.
5. The 3rd part builds a pre-prod environment that hosts the sample application and also performs dynamic testing, integrated with AWS CodeBuild.
   5.1 A CloudFormation stack facilitates the deployment. First a changeset is created, then the changeset is executed to bring the sample application up and running. The sample application runs on an Auto Scaling group backed by a VPC and an ALB.
   5.2 OWASP ZAP is an open-source DAST tool that performs dynamic analysis on the running application.
   5.3 Manual approval is required to move to the next stage.
6. The 4th part (optional) is something readers can explore by themselves: create a replica of the pre-prod environment hosting the same sample application to bring up the production environment.

To set up the sample DevSecOps pipeline, log in to the AWS account if you haven't done so already. Click 👉 here 👈 to launch the AWS CFN console with the prepopulated master template in the Ohio region. If you want to run the template in a different AWS region, change the region from the top right corner. Additionally, you can find the latest code on GitHub. ***Refer to the Clean Up section below to initiate decommissioning of the running resources***
Fill in the stack parameters as shown below, acknowledge the required capabilities: [AWS::CloudFormation::Stack], click Create to execute the pipeline, and wait for the CloudFormation stack to complete.
Most of the stack parameters can be kept at their defaults. The exceptions and notes are:
Click here to follow the instructions to enable Security Hub (free trial) in your AWS account.
Keep the true/false parameter false for a smooth transition.
The application language can be kept at its default, as the demo application uses Java.
NOTE: To get email alerts, subscribe to the AWS Notification mail sent to the input email id.
Click here to open the AWS CodePipeline console; change the region if you ran the template in a different region. Navigate to the pipeline that was created and you will see something similar to the screenshot below. I explain all the CodePipeline stages in the second part of the tutorial. Alternatively, click here to jump to the second part of the tutorial.
Now, if you want to trigger or modify the pipeline, you need to clone the code from the repository. Go to AWS CodeCommit and select the repository, e.g. AWSDevSecOpsTutorial. In the top right corner you will see the Clone URL option. Follow the AWS documentation, which has all the steps to access the CodeCommit repository from your local system.
To test the pipeline, 👉 download 👈 the following file (it contains dummy AWS access keys), commit it and push the changes to the remote repository. If you see an email alert, or Secrets-Check fails in the build stage, congratulations, you have successfully configured the pipeline on AWS (👍 ͡⚈ ͜ʖ ͡⚈)👍.
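The Secrets-Check gate from stage 4.1, and the dummy-key test above, as an added example that is not the project's own code: a small Python gate whose patterns are modelled on git-secrets' --register-aws defaults (the regexes, file names and sample contents are constructed assumptions). It flags a constructed dummy key ID and secret, allow-lists the AWS documentation example credentials the way git-secrets does, and exits non-zero so the CodeBuild stage fails.

```python
import re
import sys
from typing import Dict, List, Tuple

# Prohibited patterns, modelled on the defaults git-secrets installs with
# --register-aws: an AWS access key ID, and a 40-character secret assigned to a
# *key-style variable. These regexes are an assumption, not the project's own code.
PROHIBITED = {
    "aws_access_key_id": re.compile(
        r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    "aws_secret_access_key": re.compile(
        r"""["']?(aws)?_?(secret)?_?(access)?_?key["']?\s*(:|=>|=)\s*["']?[A-Za-z0-9/+=]{40}["']?""",
        re.IGNORECASE),
}
# Allow-listed values: the example credentials from the AWS documentation, which
# git-secrets also permits, so documentation snippets do not fail the gate.
ALLOWED = [re.compile(r"AKIAIOSFODNN7EXAMPLE"),
           re.compile(r"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")]

Finding = Tuple[str, int, str]  # (path, line number, pattern name)

def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit, skipping allow-listed lines."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(allowed.search(line) for allowed in ALLOWED):
            continue
        for name, pattern in PROHIBITED.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings

def secrets_gate(files: Dict[str, str]) -> Tuple[int, List[Finding]]:
    """Exit status for the build stage (1 = fail the pipeline) plus the findings."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (1 if findings else 0), findings

# Constructed sample repository contents: a dummy key ID (AKIA + 16 X's), a dummy
# 40-character secret, and a README quoting the allow-listed AWS example key.
SAMPLE_FILES = {
    "src/main/resources/application.properties":
        "server.port=8080\naws.accessKeyId=" + "AKIA" + "X" * 16 +
        "\naws_secret_access_key=0123456789abcdefghijABCDEFGHIJ0123456789\n",
    "README.md": "Example from the AWS docs: AKIAIOSFODNN7EXAMPLE\n",
    "src/main/java/App.java": "public class App {}\n",
}

if __name__ == "__main__":
    status, hits = secrets_gate(SAMPLE_FILES)
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: matched prohibited pattern {name}")
    sys.exit(status)  # a non-zero exit status fails the CodeBuild stage
```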
Cleanup is a bit tricky, so follow the instructions carefully. Click here to go to the CloudFormation stacks page. Look for the stack named Pre-Prod-DevSecOps* and initiate its deletion. The pre-prod stack must be deleted first: if you delete the other stack or the master stack (e.g. DevSecOpsTutorial*) before it, you will no longer be able to delete the pre-prod stack.
After the first stack has been deleted, you can initiate deletion of the master stack. There is no need to touch the nested stack; leave it as it is. It is removed automatically when the master stack is deleted. (Select the correct region, where the master template is running.)
Note: Versioning is enabled on the bucket aws-sec-build-reports-*. Thus, you need to list all the object versions (including delete markers) and delete them before the bucket can be removed.
Congratulations on coming this far. In the next part, I will explain all the CodePipeline stages in detail. Hope to see you again 😊.
We have come a long way. Kindly share and help me on my mission to educate and familiarize people with the world of digitization 💪 #This is a free tutorial and all my upcoming tutorials will be free and accessible from public forums# I would appreciate it if you drop me a note on LinkedIn and share your opinion. Don't worry, I don't bite 👻 so don't shy away 🏃🏻♀️ 🏃🏻. Your feedback will help me come up with more awesome content on the internet.