Building DevSecOps - Builders' Day 2019

Julio Faerman

March 04, 2019

Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Julio Faerman (@faermanj): Building DevSecOps
  2. A tale of two pizzas... Back in 2001, the Amazon.com retail website was a large architectural monolith…
  3. Strangling the Monolith: Amazon EC2, Amazon Elastic Container Service, AWS Lambda, Application Load Balancer (ALB)
  5. Teams that practice CI/CD ship code faster, and with more confidence:
     • 5x lower change failure rate
     • 440x faster from commit to deploy
     • 46x more frequent deployments
     • 44% more time spent on new features
     Source: Puppet 2017 State of DevOps Report
  6. "…a necessary capability if you're moving to a serious adoption of microservices."
  7. AWS CloudFormation
     • A simplified way to create and manage a collection of AWS resources
     • Orderly and predictable provisioning and updating of resources
     • Fully managed service
     • Use the AWS Management Console, the AWS Command Line Interface (CLI), or AWS APIs
     • Only pay for the resources you create
  8. Typed Parameters
     Parameter types: String, Number, List<Number>, CommaDelimitedList, Parameter Store, AWS::EC2::AvailabilityZone::Name, AWS::EC2::KeyPair::KeyName, AWS::EC2::SecurityGroup::Id, AWS::EC2::Subnet::Id
     Template anatomy: 1. Format version, 2. Transforms, 3. Description, 4. Metadata, 5. Parameters, 6. Mappings, 7. Conditions, 8. Resources *, 9. Outputs
  9. Resources and References
     Resource types follow the pattern service-provider::service-name::data-type-name, for example: AWS::S3::Bucket, AWS::EC2::Instance, AWS::EC2::EIP, AWS::AutoScalingPlans::ScalingPlan, AWS::ECS::Cluster, AWS::Lambda::Function, AWS::DynamoDB::Table, AWS::RDS::DBCluster, AWS::ElastiCache::CacheCluster, AWS::Elasticsearch::Domain
  10. Infrastructure as Code as Code
     The delivery pipeline itself is a set of CloudFormation resources: AWS::CodeCommit::Repository, AWS::CodeBuild::Project, AWS::CodePipeline::Pipeline, AWS::CodePipeline::CustomActionType, AWS::CodeDeploy::Application, AWS::CodeDeploy::DeploymentGroup
  11. Conditions
     Resource creation can depend on logical conditions:

         Conditions:
           isProd:
             Fn::Equals: [ !Ref EnvType, prod ]
         Resources:
           EC2Instance:
             Type: "AWS::EC2::Instance"
             Condition: isProd
             Properties:
               ImageId:
                 Fn::FindInMap: [RegionMap, !Ref "AWS::Region", AMI]

     Use conditions with intrinsic functions (Fn::If, Fn::Equals, Fn::Not) to create complex logic for property values.
  12. Dynamic references
     Inject values from SSM Parameter Store and Secrets Manager: KMS-encrypted strings, versioned and secured by IAM.
  13. Declarative and Imperative DSLs
  14. Cross Stack References
     Network Stack:

         Outputs:
           VPC:
             Description: reference VPC
             Value: !Ref VPC
             Export:
               Name: ProdVPC

     App Stack:

         Resources:
           myTargetGroup:
             Type: AWS::ElasticLoadBalancingV2::TargetGroup
             Properties:
               VpcId:
                 Fn::ImportValue: ProdVPC
  15. Nested stacks
     Application:

         Resources:
           NetworkResources:
             Type: AWS::CloudFormation::Stack

     Network Resources:

         Resources:
           MyVPC:
             Type: AWS::EC2::VPC

     ECS Service:

         Resources:
           MyService:
             Type: AWS::ECS::Service
  17. Provisioning, Configuration, Deployment: AWS OpsWorks, AWS CodeDeploy, AWS EC2 Systems Manager
  18. Provisioning, Configuration, Deployment
     "…An Immutable Server is the logical conclusion of this approach, a server that once deployed, is never modified, merely replaced with a new updated instance."
  19. Nested Stacks vs. Cross Stack References
     Recommended use cases
       Nested Stacks: template reuse; use multiple templates but manage as a single stack
       Cross Stack References: sharing common resources; allows for independent stacks based on resource lifecycle or ownership
     Advantages
       Nested Stacks: convenient management (one stack manages all resources and nested stacks); creation order and dependencies are managed
       Cross Stack References: separation of concern; share databases and VPCs; lets you limit blast radius with safeguards
     Considerations
       Nested Stacks: updates and rollbacks have a wide surface area; reusing templates that have custom resource names
       Cross Stack References: replacing updates requires changes to the importing stacks to execute; does not manage creation order
  20. Reliable Change Management
  21. Template validation
     • cfn-lint: validate AWS CloudFormation YAML/JSON templates against the AWS CloudFormation spec and additional checks
     • cfn-nag: look for patterns in templates that may indicate insecure infrastructure
     • TaskCat: catch problems that aren't obvious in a single template/stack
  22. cfn-lint: "Can I deploy this template?"
     Community-driven open source tool to validate CloudFormation YAML/JSON templates against the CloudFormation resource specification plus additional checks. IDE plugins for VS Code, Atom, Sublime, IntelliJ and vim. https://github.com/awslabs/cfn-python-lint
     pip install cfn-lint
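To make the "look for patterns in templates that may indicate insecure infrastructure" idea concrete, here is an added example of a minimal cfn-nag-style pattern check. It is not code from the talk or from cfn-lint/cfn-nag; it works on the JSON form of a template (the same tree those tools analyse) so it runs without a YAML parser, and the sample template, the port list and the check names are constructed for this illustration.

```python
"""Minimal cfn-nag-style pattern checks over a CloudFormation template (JSON form).

Added illustration, not part of the talk or of cfn-nag/cfn-lint.
"""
import json

# Assumption: ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """CloudFormation accepts a scalar where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_security_group(name, props):
    """Flag ingress rules that open a sensitive port (or all traffic) to the world."""
    findings = []
    for rule in _as_list(props.get("SecurityGroupIngress")):
        cidrs = {rule.get("CidrIp"), rule.get("CidrIpv6")} & WORLD_CIDRS
        if not cidrs:
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        hits = [p for p in SENSITIVE_PORTS if lo <= p <= hi]
        if hits or rule.get("IpProtocol") == "-1":
            findings.append(f"{name}: ingress {rule.get('IpProtocol')} "
                            f"{lo}-{hi} open to {', '.join(sorted(cidrs))}")
    return findings


def check_bucket(name, props):
    """Flag S3 buckets that declare no default encryption."""
    return [] if "BucketEncryption" in props else [f"{name}: S3 bucket has no BucketEncryption"]


def check_policy(name, props):
    """Flag IAM policy statements that allow Action '*' on Resource '*'."""
    findings = []
    for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action")) \
                and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{name}: IAM statement allows * on *")
    return findings


# Resource type -> check; the registry is the only thing to extend for new rules.
CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::IAM::Policy": check_policy,
    "AWS::IAM::ManagedPolicy": check_policy,
}


def lint_template(template):
    """Run every registered check over the template's Resources; return the findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


# Constructed sample template: one bad and one acceptable resource of each kind.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "admin",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "Data": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
    "ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
  "GodPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}
}}
""")

if __name__ == "__main__":
    for line in lint_template(SAMPLE_TEMPLATE):
        print("FAIL", line)
```

Run in a pipeline stage before `create-change-set`, a non-empty finding list fails the build; the 443 rule and the encrypted bucket pass, which is the point of a pattern check rather than a blanket ban on `0.0.0.0/0`.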
  23. CloudFormation change sets
     Preview the impact to your stack of changes by comparing the new template and parameters to the last known state of the stack. CloudFormation makes the changes to your stack only when you decide to execute the change set.
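Because execution is a separate decision, a pipeline can inspect the change set and refuse to execute it automatically when a stateful resource would be replaced or deleted. The following added example (not from the talk) shows that gate; it reads the `Changes` list in the shape that boto3's `describe_change_set` returns, and the stateful-type list and the sample change set are constructed assumptions.

```python
"""Gate a CloudFormation change set before execution.

Added illustration, not part of the talk. The input has the shape of a boto3
cloudformation.describe_change_set() response; the sample below is constructed.
"""

# Assumption: resource types whose replacement or removal destroys data.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::DynamoDB::Table",
    "AWS::S3::Bucket", "AWS::ElastiCache::CacheCluster", "AWS::Elasticsearch::Domain",
}


def risky_changes(change_set):
    """Return reasons why this change set should not be executed unattended."""
    reasons = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        rtype = rc.get("ResourceType", "")
        lid = rc.get("LogicalResourceId", "?")
        action = rc.get("Action")
        # describe_change_set reports Replacement as the strings "True", "False" or "Conditional".
        replacement = rc.get("Replacement", "False")
        if rtype not in STATEFUL_TYPES:
            continue
        if action == "Remove":
            reasons.append(f"{lid} ({rtype}) would be deleted")
        elif action == "Modify" and replacement != "False":
            reasons.append(f"{lid} ({rtype}) would be replaced (Replacement={replacement})")
    return reasons


def may_execute(change_set):
    """True when no stateful resource is deleted or replaced."""
    return not risky_changes(change_set)


# Constructed sample: a harmless ASG update next to two changes that destroy data.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "release-42",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebAsg",
            "ResourceType": "AWS::AutoScaling::AutoScalingGroup", "Replacement": "False"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "MainDb",
            "ResourceType": "AWS::RDS::DBInstance", "Replacement": "Conditional"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "OldTable",
            "ResourceType": "AWS::DynamoDB::Table"}},
    ],
}

if __name__ == "__main__":
    # In a pipeline: cs = boto3.client("cloudformation").describe_change_set(
    #     ChangeSetName=..., StackName=...); then execute_change_set() only if may_execute(cs).
    for reason in risky_changes(SAMPLE_CHANGE_SET):
        print("BLOCK", reason)
    print("execute:", may_execute(SAMPLE_CHANGE_SET))
```

"Conditional" replacement is treated as risky on purpose: CloudFormation cannot tell in advance whether the update will replace the resource, so a human should look before the change set runs.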
  24. Amazon Route 53, AWS CodeDeploy
  25. AWS Config & Config Rules (diagram labels): Record, Normalize, AWS Config Store, Deliver, Stream, Snapshot (ex. 2014-11-05), History
  26. AWS GuardDuty finding types (excerpt):
     'Backdoor:EC2/XORDDOS', 'Backdoor:EC2/Spambot', 'Backdoor:EC2/C&CActivity.B!DNS', 'CryptoCurrency:EC2/BitcoinTool.B!DNS', 'Trojan:EC2/BlackholeTraffic', 'Trojan:EC2/DropPoint', 'Trojan:EC2/BlackholeTraffic!DNS', 'Trojan:EC2/DriveBySourceTraffic!DNS', 'Trojan:EC2/DropPoint!DNS', 'Trojan:EC2/DGADomainRequest.B', 'Trojan:EC2/DGADomainRequest.C!DNS', 'Trojan:EC2/DNSDataExfiltration', …
  27. Self-Healing an Unencrypted Bucket
     S3 Bucket → AWS CloudTrail (S3 bucket events logged) → Amazon CloudWatch (processed in CloudWatch; S3 operation detected, calls function) → Lambda Function (validates crypto; encrypts S3 bucket)
  28. Self-Healing Open Sensitive Ports
     Server / Security Group (disallowed CIDR used) → AWS CloudTrail → Amazon CloudWatch (alert raised in CloudWatch; call to run Lambda) → Lambda Function (removes bad CIDR from security group)
  29. Self-Healing a Compromised Instance
     AWS EC2 (DNS lookup of malicious hostname detected) → AWS GuardDuty → Amazon CloudWatch (processed by CloudWatch; call Lambda on malicious trigger) → Lambda Function (kills EC2 instance)
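The three self-healing slides share one shape: a CloudTrail or GuardDuty event reaches CloudWatch, a rule invokes a Lambda function, and the function validates the change and reverts it. The following added example (not code from the talk) implements the "open sensitive ports" responder: the handler receives the CloudWatch Events wrapper around CloudTrail's `AuthorizeSecurityGroupIngress` call, finds ingress rules that expose a sensitive port to a CIDR outside the approved networks, and revokes exactly those rules with `revoke_security_group_ingress`. The approved networks, the sensitive-port list and the sample event are constructed assumptions, and the EC2 client is injected so the logic can be exercised offline; the bucket and GuardDuty responders differ only in the event parsed and the API call made.

```python
"""Self-healing responder for disallowed security group ingress.

Added illustration, not code from the talk. Triggered by a CloudWatch Events rule
matching CloudTrail's ec2 AuthorizeSecurityGroupIngress call; the EC2 client is
injected for testing and created with boto3 only inside Lambda.
"""
import ipaddress

# Assumption: networks from which access to admin ports is permitted.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
# Assumption: ports treated as sensitive.
SENSITIVE_PORTS = {22, 3389}


def cidr_allowed(cidr):
    """A CIDR is allowed only when it is fully contained in an approved network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == ok.version and net.subnet_of(ok) for ok in ALLOWED_NETWORKS)


def bad_permissions(request_parameters):
    """Translate CloudTrail requestParameters into the boto3 IpPermissions to revoke.

    Only the offending CIDRs are revoked; allowed ranges in the same rule stay.
    """
    revoke = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        exposes = proto == "-1" or any(lo <= p <= hi for p in SENSITIVE_PORTS)
        if not exposes:
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if not cidr_allowed(r["cidrIp"])]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if not cidr_allowed(r["cidrIpv6"])]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": proto}
        if proto != "-1":
            entry["FromPort"], entry["ToPort"] = lo, hi
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        revoke.append(entry)
    return revoke


def handler(event, context=None, ec2=None):
    """Lambda entry point; returns what was done so CloudWatch Logs keeps an audit trail."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"action": "ignored"}
    params = detail["requestParameters"]
    group_id = params["groupId"]
    to_revoke = bad_permissions(params)
    if not to_revoke:
        return {"action": "none", "groupId": group_id}
    if ec2 is None:
        import boto3  # only needed when running inside Lambda
        ec2 = boto3.client("ec2")
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return {"action": "revoked", "groupId": group_id, "revoked": to_revoke}


class RecordingEc2:
    """Stand-in for the boto3 EC2 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed sample event in the CloudWatch Events "AWS API Call via CloudTrail" shape.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.1.2.0/24"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=RecordingEc2()))
```

The handler only ever revokes what the triggering call added, so a rule that was already present (and possibly approved by a different process) is never touched; the function's IAM role needs nothing beyond `ec2:RevokeSecurityGroupIngress` on the groups it guards.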
  30. Example Config rules:
     ec2_security_group_ingress.py, ec2_security_group_port_range_all_prohibited.py, ec2_security_group_protocol_all_prohibited.py, ec2_vpc_public_subnet.py, iam_mfa_for_console_access.py, iam_policy_exists.py, iam_unused_keys.py, lambda_require_tags_with_valid_values.py, rds_desired_instance_type.py, rds_vpc_public_subnet.py, s3_bucket_default_encryption_enabled.py, s3_bucket_policy_prohibited.py, cf_logging_enabled, cloudtrail_encrypted.py, cloudtrail_lfi_activated.py, config_enabled.py, config_rules_exist.py, ec2-exposed-instance.py, ec2_desired_instance_type.py, ec2_desired_lifecycle_spot.py, ec2_launch_wizard_security_group_prohibited.py, ec2_no_internet_access.py, ec2_require_ebs_snapshots_for_volumes.py, ec2_require_security_group_by_tag.py, ec2_require_tags_with_valid_values.py
  31. Infrastructure as Code whitepaper: https://aws.amazon.com/whitepapers/
  32. Julio Faerman (@faermanj): Thank you!