Building DevSecOps - Builders' Day 2019

© 2018, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Julio Faerman @faermanj Building DevSecOps

A tale of two pizzas... Back in 2001, the Amazon.com
retail website was a large architectural monolith…

“If you can’t feed a team with two pizzas, it’s
too large” - Jeff Bezos, ~2001

Strangling the Monolith MONOLITH MONOLITH Router SERVICE Router SMALLER DNS
CDN LB Zuul …

© 2019, Amazon Web Services, Inc. or its affiliates. All
rights reserved. Strangling the Monolith Amazon EC2 Amazon Elastic Container Service AWS Lambda Application Load Balancer (ALB)

Amazon dependencies graph, 2008

rights reserved. Teams that practice CI/CD ship code faster, and with more confidence 5x Lower change failure rate 440x Faster from commit to deploy 46x More frequent deployments 44% More time spent on new features Source: Puppet 2017 State of DevOps Report

rights reserved.

rights reserved. ”…a necessary capability if you're moving to a serious adoption of microservices.”

rights reserved. • A simpliﬁed way to create and manage a collection of AWS resources • Orderly and predictable provisioning and updating of resources • Fully managed service • Use the AWS Management Console, the AWS Command Line Interface (CLI), or AWS APIs • Only pay for the resources you create AWS CloudFormation

AWS CloudFormation

rights reserved.

Hello world!

Template Deployment

Authoring in JSON or YAML

Template Anatomy 1.Format version 2.Transforms 3.Description 4.Metadata 5.Parameters 6.Mappings 7.Conditions
8.Resources * 9.Outputs

Typed Parameter Types String Number List<Number> CommaDelimitedList Parameter Store AWS::EC2::AvailabilityZone::Name
AWS::EC2::KeyPair::KeyName AWS::EC2::SecurityGroup::Id AWS::EC2::Subnet::Id 1.Format version 2.Transforms 3.Description 4.Metadata 5.Parameters 6.Mappings 7.Conditions 8.Resources * 9.Outputs

Resources and References 1.Format version 2.Transforms 3.Description 4.Metadata 5.Parameters 6.Mappings
7.Conditions 8.Resources * 9.Outputs Types service-provider::service-name::data-type-name AWS::S3::Bucket AWS::EC2::Instance AWS::EC2::EIP AWS::AutoScalingPlans::ScalingPlan AWS::ECS::Cluster AWS::Lambda::Function AWS::DynamoDB::Table AWS::RDS::DBCluster AWS::ElastiCache::CacheCluster AWS::Elasticsearch::Domain

Infrastructure as Code as Code 1.Format version 2.Transforms 3.Description 4.Metadata
5.Parameters 6.Mappings 7.Conditions 8.Resources * 9.Outputs AWS::CodeCommit::Repository AWS::CodeBuild::Project AWS::CodePipeline::Pipeline AWS::CodePipeline::CustomActionType AWS::CodeDeploy::Application AWS::CodeDeploy::DeploymentGroup

Ref Fn::GetAtt Fn::Join Fn::Sub Fn::Base64 Fn::Cidr Fn::FindInMap Fn::ImportValue Fn::GetAZs Fn::Select
Fn::Split Fn::Transform Conditionals Intrisic Functions

AWS::AccountId AWS::NotificationARNs AWS::NoValue AWS::Partition AWS::Region AWS::StackId AWS::StackName AWS::URLSuffix Pseudo Parameters

Conditions Resource creation can depend on logical conditions: Conditions: isProd:
Fn::Equals [ !Ref EnvType, prod ] Resources: EC2Instance: Type: "AWS::EC2::Instance" Condition: isProd Properties: ImageId: Fn::FindInMap [RegionMap, !Ref "AWS::Region", AMI] Use conditions with intrinsic functions (Fn::If, Fn::Equals, Fn::Not) to create complex logic for property values.

Dynamic references Inject values from SSM Parameter Store and Secrets
Manager KMS encryptedstrings Versioned and secured byIAM

AWS Secrets Manager

rights reserved. Declarative and Imperative DSLs

AWS Cloud Development Kit

DSLs • Troposphere • Stratosphere • SparkleFormation • DYI

Continous delivery with CodeStar

rights reserved.

Cross Stack References Network Stack Outputs: VPC Description: reference VPC
Value: !Ref VPC Export: Name: ProdVPC App Stack Resources: myTargetGroup: Type: AWS::ELBV2::TargetGroup Properties: VpcId: Fn::ImportValue: ProdVPC

Nested stacks Application Resources: NetworkResources: Type: AWS::CloudFormation::Stack Network Resources Resources:
MyVPC Type: AWS::EC2::VPC ECS Service Resources: MyService: Type: AWS::ECS::Service

rights reserved. Provisioning Configuration Deployment AWS OpsWorks AWS CodeDeploy AWS EC2 Systems Manager

rights reserved. Provisioning Configuration Deployment “…An Immutable Server is the logical conclusion of this approach, a server that once deployed, is never modified, merely replaced with a new updated instance.”

rights reserved.

Amazon DynamoDB Amazon ElastiCache Amazon RDS AWS Lambda AWS Batch
Amazon CloudFront + ...

Nested Stacks Cross Stack References Recommended uses cases Advantages Considerations
• Template reuse • Use multiple templates but manage as single stack • Sharing common resources • Allows for independent stacks based on resource lifecycle or ownership. • Convenient management. One stack manages all resources and nested stacks. • Creation order and dependencies are managed • Separation of concern • Share databases and VPCs • Lets you limit blast radius with safeguards • Updates and rollbacks have a wide surface area • Reusing templates that have custom resource names • Replacing updates requires changes to the importing stacks to execute. • Does not manage creation order

rights reserved. Reliable Change Management

Template validation cfn-lint Validate AWS CloudFormation yaml/json templates against the
AWS CloudFormation spec and additionalchecks cfn-nag Look for patterns in templates that may indicate insecure infrastructure. Taskcat Catch problems that aren’t obvious in a single template/stack

cfn-lint "Can I deploy thistemplate?" Community-driven open source tool to
validate CloudFormation YAML/JSON templates against the CloudFormation resource speciﬁcation + additionalchecks. IDE plugins (VS Code, Atom, Sublime, IntelliJ, vim) https://github.com/awslabs/cfn-p ython-lint pip install cfn-lint

CloudFormation change sets Preview the impact to your stack of
changes by comparing the new template and parameters to the last known state of the stack. CloudFormation makes the changes to your stack only when you decide to execute the change set.

Drift Detection

CloudFormation StackSets Create, update, and delete stacks in multiple accounts
and regions using a single operation

rights reserved.

rights reserved. Amazon Route 53 AWS CodeDeploy

rights reserved.

AWS Security, Identity and Compliance

rights reserved.

AWS CloudTrail

Normalize Record AWS Config & Config Rules Deliver Stream Snapshot
(ex. 2014-11-05) AWS Config Store History

Sample AWS Config Event

Sample Custom AWS Config Rule

Sample AWS Config Rule

rights reserved.

rights reserved. AWS GuardDuty 'Backdoor:EC2/XORDDOS', 'Backdoor:EC2/Spambot', 'Backdoor:EC2/C&CActivity.B!DNS', 'CryptoCurrency:EC2/BitcoinTool.B!DNS', 'Trojan:EC2/BlackholeTraffic', 'Trojan:EC2/DropPoint', 'Trojan:EC2/BlackholeTraffic!DNS', 'Trojan:EC2/DriveBySourceTraffic!DNS', 'Trojan:EC2/DropPoint!DNS', 'Trojan:EC2/DGADomainRequest.B', 'Trojan:EC2/DGADomainRequest.C!DNS', 'Trojan:EC2/DNSDataExfiltration', …

rights reserved. Self-Healing a Unencrypted Bucket Lambda Function S3 operation detected, calls function Validate Crypto; Encrypts S3 bucket events logged S3 Bucket AWS CloudTrail Amazon CloudWatch Processed in CloudWatch

rights reserved. Self-Healing Open Sensitive Ports Amazon CloudWatch Lambda Function Alert raised in CloudWatch Call to run Lambda Remove bad CIDR from security group Disallowed CIDR used Security Group server AWS CloudTrail

rights reserved. Self-Healing a Compromised Instance AWS GuardDuty Amazon CloudWatch Lambda Function Processed by CloudWatch Call Lambda on malicious trigger Kills EC2 instance DNS lookup of malicious hostname detected AWS EC2

ec2_security_group_ingress.py ec2_security_group_port_range_all_prohibited.py ec2_security_group_protocol_all_prohibited.py ec2_vpc_public_subnet.py iam_mfa_for_console_access.py iam_policy_exists.py iam_unused_keys.py lambda_require_tags_with_valid_values.py rds_desired_instance_type.py rds_vpc_public_subnet.py
s3_bucket_default_encryption_enabled.py s3_bucket_policy_prohibited.py cf_logging_enabled cloudtrail_encrypted.py cloudtrail_lfi_activated.py config_enabled.py config_rules_exist.py ec2-exposed-instance.py ec2_desired_instance_type.py ec2_desired_lifecycle_spot.py ec2_launch_wizard_security_group_prohibited.py ec2_no_internet_access.py ec2_require_ebs_snapshots_for_volumes.py ec2_require_security_group_by_tag.py ec2_require_tags_with_valid_values.py

rights reserved.

OWASP Top 10 Application Vulnerabilities

https://infosec.mozilla.org/fundamentals/security_principles.html

rights reserved. Infrastructure as Code https://aws.amazon.com/whitepapers/

Building DevSecOps - Builders' Day 2019

Building DevSecOps - Builders' Day 2019

More Decks by Julio Faerman

Other Decks in Technology

Featured

Transcript