Building DevSecOps - Builders' Day 2019

Transcript

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. Julio Faerman @faermanj Building DevSecOps

2. A tale of two pizzas... Back in 2001, the Amazon.com

   retail website was a large architectural monolith…

3. “If you can’t feed a team with two pizzas, it’s

   too large” - Jeff Bezos, ~2001

4. Strangling the Monolith MONOLITH MONOLITH Router SERVICE Router SMALLER DNS

   CDN LB Zuul …

5. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Strangling the Monolith Amazon EC2 Amazon Elastic Container Service AWS Lambda Application Load Balancer (ALB)

6. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Strangling the Monolith Amazon EC2 Amazon Elastic Container Service AWS Lambda Application Load Balancer (ALB)

7. Amazon dependencies graph, 2008

8. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Teams that practice CI/CD ship code faster, and with more confidence 5x Lower change failure rate 440x Faster from commit to deploy 46x More frequent deployments 44% More time spent on new features Source: Puppet 2017 State of DevOps Report

9. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved.

10. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. ”…a necessary capability if you're moving to a serious adoption of microservices.”

11. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. • A simplified way to create and manage a collection of AWS resources • Orderly and predictable provisioning and updating of resources • Fully managed service • Use the AWS Management Console, the AWS Command Line Interface (CLI), or AWS APIs • Only pay for the resources you create AWS CloudFormation

12. AWS CloudFormation

13. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

14. Hello world!

15. Template Deployment

16. Authoring in JSON or YAML

17. Template Anatomy 1.Format version 2.Transforms 3.Description 4.Metadata 5.Parameters 6.Mappings 7.Conditions

    8.Resources * 9.Outputs

18. Typed Parameter Types String Number List<Number> CommaDelimitedList Parameter Store AWS::EC2::AvailabilityZone::Name

    AWS::EC2::KeyPair::KeyName AWS::EC2::SecurityGroup::Id AWS::EC2::Subnet::Id 1.Format version 2.Transforms 3.Description 4.Metadata 5.Parameters 6.Mappings 7.Conditions 8.Resources * 9.Outputs

19. Resources and References 1.Format version 2.Transforms 3.Description 4.Metadata 5.Parameters 6.Mappings

    7.Conditions 8.Resources * 9.Outputs Types service-provider::service-name::data-type-name AWS::S3::Bucket AWS::EC2::Instance AWS::EC2::EIP AWS::AutoScalingPlans::ScalingPlan AWS::ECS::Cluster AWS::Lambda::Function AWS::DynamoDB::Table AWS::RDS::DBCluster AWS::ElastiCache::CacheCluster AWS::Elasticsearch::Domain

20. Infrastructure as Code as Code 1.Format version 2.Transforms 3.Description 4.Metadata

    5.Parameters 6.Mappings 7.Conditions 8.Resources * 9.Outputs AWS::CodeCommit::Repository AWS::CodeBuild::Project AWS::CodePipeline::Pipeline AWS::CodePipeline::CustomActionType AWS::CodeDeploy::Application AWS::CodeDeploy::DeploymentGroup

21. Ref Fn::GetAtt Fn::Join Fn::Sub Fn::Base64 Fn::Cidr Fn::FindInMap Fn::ImportValue Fn::GetAZs Fn::Select

    Fn::Split Fn::Transform Conditionals Intrisic Functions
22. None

23. AWS::AccountId AWS::NotificationARNs AWS::NoValue AWS::Partition AWS::Region AWS::StackId AWS::StackName AWS::URLSuffix Pseudo Parameters

24. Conditions Resource creation can depend on logical conditions: Conditions: isProd:

    Fn::Equals [ !Ref EnvType, prod ] Resources: EC2Instance: Type: "AWS::EC2::Instance" Condition: isProd Properties: ImageId: Fn::FindInMap [RegionMap, !Ref "AWS::Region", AMI] Use conditions with intrinsic functions (Fn::If, Fn::Equals, Fn::Not) to create complex logic for property values.

25. Dynamic references Inject values from SSM Parameter Store and Secrets

    Manager KMS encryptedstrings Versioned and secured byIAM

26. AWS Secrets Manager

27. None

28. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Declarative and Imperative DSLs

29. AWS Cloud Development Kit

30. None

31. DSLs • Troposphere • Stratosphere • SparkleFormation • DYI

32. Continous delivery with CodeStar

33. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.
34. None
35. None

36. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

37. Cross Stack References Network Stack Outputs: VPC Description: reference VPC

    Value: !Ref VPC Export: Name: ProdVPC App Stack Resources: myTargetGroup: Type: AWS::ELBV2::TargetGroup Properties: VpcId: Fn::ImportValue: ProdVPC

38. Nested stacks Application Resources: NetworkResources: Type: AWS::CloudFormation::Stack Network Resources Resources:

    MyVPC Type: AWS::EC2::VPC ECS Service Resources: MyService: Type: AWS::ECS::Service

39. ``

40. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Provisioning Configuration Deployment AWS OpsWorks AWS CodeDeploy AWS EC2 Systems Manager

41. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Provisioning Configuration Deployment “…An Immutable Server is the logical conclusion of this approach, a server that once deployed, is never modified, merely replaced with a new updated instance.”

42. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

43. Amazon DynamoDB Amazon ElastiCache Amazon RDS AWS Lambda AWS Batch

    Amazon CloudFront + ...

44. Nested Stacks Cross Stack References Recommended uses cases Advantages Considerations

    • Template reuse • Use multiple templates but manage as single stack • Sharing common resources • Allows for independent stacks based on resource lifecycle or ownership. • Convenient management. One stack manages all resources and nested stacks. • Creation order and dependencies are managed • Separation of concern • Share databases and VPCs • Lets you limit blast radius with safeguards • Updates and rollbacks have a wide surface area • Reusing templates that have custom resource names • Replacing updates requires changes to the importing stacks to execute. • Does not manage creation order

45. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Reliable Change Management

46. Template validation cfn-lint Validate AWS CloudFormation yaml/json templates against the

    AWS CloudFormation spec and additionalchecks cfn-nag Look for patterns in templates that may indicate insecure infrastructure. Taskcat Catch problems that aren’t obvious in a single template/stack

47. cfn-lint "Can I deploy thistemplate?" Community-driven open source tool to

    validate CloudFormation YAML/JSON templates against the CloudFormation resource specification + additionalchecks. IDE plugins (VS Code, Atom, Sublime, IntelliJ, vim) https://github.com/awslabs/cfn-p ython-lint pip install cfn-lint

48. CloudFormation change sets Preview the impact to your stack of

    changes by comparing the new template and parameters to the last known state of the stack. CloudFormation makes the changes to your stack only when you decide to execute the change set.

49. Drift Detection

50. CloudFormation StackSets Create, update, and delete stacks in multiple accounts

    and regions using a single operation

51. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.
52. None
53. None

54. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

55. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.
56. None

57. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Amazon Route 53 AWS CodeDeploy

58. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

59. AWS Security, Identity and Compliance

60. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.
61. None

62. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

63. AWS CloudTrail

64. Normalize Record AWS Config & Config Rules Deliver Stream Snapshot

    (ex. 2014-11-05) AWS Config Store History

65. Sample AWS Config Event

66. Sample Custom AWS Config Rule

67. Sample AWS Config Rule

68. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

69. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS GuardDuty 'Backdoor:EC2/XORDDOS', 'Backdoor:EC2/Spambot', 'Backdoor:EC2/C&CActivity.B!DNS', 'CryptoCurrency:EC2/BitcoinTool.B!DNS', 'Trojan:EC2/BlackholeTraffic', 'Trojan:EC2/DropPoint', 'Trojan:EC2/BlackholeTraffic!DNS', 'Trojan:EC2/DriveBySourceTraffic!DNS', 'Trojan:EC2/DropPoint!DNS', 'Trojan:EC2/DGADomainRequest.B', 'Trojan:EC2/DGADomainRequest.C!DNS', 'Trojan:EC2/DNSDataExfiltration', …

70. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Self-Healing a Unencrypted Bucket Lambda Function S3 operation detected, calls function Validate Crypto; Encrypts S3 bucket events logged S3 Bucket AWS CloudTrail Amazon CloudWatch Processed in CloudWatch

71. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Self-Healing Open Sensitive Ports Amazon CloudWatch Lambda Function Alert raised in CloudWatch Call to run Lambda Remove bad CIDR from security group Disallowed CIDR used Security Group server AWS CloudTrail

72. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Self-Healing a Compromised Instance AWS GuardDuty Amazon CloudWatch Lambda Function Processed by CloudWatch Call Lambda on malicious trigger Kills EC2 instance DNS lookup of malicious hostname detected AWS EC2

73. ec2_security_group_ingress.py ec2_security_group_port_range_all_prohibited.py ec2_security_group_protocol_all_prohibited.py ec2_vpc_public_subnet.py iam_mfa_for_console_access.py iam_policy_exists.py iam_unused_keys.py lambda_require_tags_with_valid_values.py rds_desired_instance_type.py rds_vpc_public_subnet.py

    s3_bucket_default_encryption_enabled.py s3_bucket_policy_prohibited.py cf_logging_enabled cloudtrail_encrypted.py cloudtrail_lfi_activated.py config_enabled.py config_rules_exist.py ec2-exposed-instance.py ec2_desired_instance_type.py ec2_desired_lifecycle_spot.py ec2_launch_wizard_security_group_prohibited.py ec2_no_internet_access.py ec2_require_ebs_snapshots_for_volumes.py ec2_require_security_group_by_tag.py ec2_require_tags_with_valid_values.py
74. None

75. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

76. OWASP Top 10 Application Vulnerabilities

77. None

78. https://infosec.mozilla.org/fundamentals/security_principles.html

79. None

80. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Infrastructure as Code https://aws.amazon.com/whitepapers/

81. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Julio Faerman @faermanj Thank you!