AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure CI/CD pipeline using AWS CDK

Transcript

1. ©Fusic Co., Ltd.  1 AWS CDKΛ༻͍ͨ ηΩϡΞͳCI/CDύΠϓϥΠϯͷߏங 2024.09.25 @seike460

   JAWS-UG CDKࢧ෦ #16 ~CDK Conference 2024 Extra~

2. ©Fusic Co., Ltd. 2 ਗ਼Ո ࢙࿠ @seike460 AWS Community Builder

   Serverless ίϛϡχςΟ Fukuoka.php Fukuoka.go JAWS-UG Fukuoka Serverless Meetup Fukuoka Cloudflare Meetup Fukuoka JP_Stripes Fukuoka ࣗݾ঺հ ͸͡Ίʹ גࣜձࣾFusic ϓϦϯγύϧΤϯδχΞ/ΤόϯδΣϦετ

3. ©Fusic Co., Ltd. 3 CONTENTS ໨࣍ 1. AWS CDKͱηΩϡϦςΟ 2.

   cdk-nagɺCheckov 3. ࣮ࡍͷಈ࡞ 4. ·ͱΊ

4. ©Fusic Co., Ltd. 4 AWS CDKͱηΩϡϦςΟ 1

5. ©Fusic Co., Ltd. 5 AWS CDK AWS CDKɺͱͯ΋ศརͰ͢ΑͶ YAML΍JSONͰͷهड़ʹ୅ΘΓɺPythonɺTypeScript౳ͷ ϓϩάϥϛϯάݴޠΛ࢖ͬͯɺίʔυͰAWSϦιʔεΛఆٛͰ͖·͢ɻ

   →ෳࡶͳΠϯϑϥετϥΫνϟͷઃఆΛ؆୯ʹ͠ɺ ࠶ར༻ੑ΍ՄಡੑΛߴΊΔ͜ͱ͕Ͱ͖ɺ ։ൃऀʹͱͬͯΑΓޮ཰తͳӡ༻͕ՄೳͱͳΓ·͢

6. ©Fusic Co., Ltd. 6 ෳࡶͳߏ੒ʹ΋ରԠ ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ

7. ©Fusic Co., Ltd. 7 ෳࡶͳߏ੒ʹ΋ରԠग़དྷΔ͕… ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ ग़དྷΔ͕… ٯʹࠨͷΑ͏ͳڊେͳߏ੒΋ ࡞੒Ͱ͖ͯ͠·͍ɺ ͢΂ͯΛঠѲग़དྷΔ͔͸·ͨผͷ࿩

8. ©Fusic Co., Ltd. 8 ͢΂ͯΛঠѲͰ͖ͳ͍ͱ… ηΩϡϦςΟϦεΫ಺ࡏͷՄೳੑ ▪S3 όέοτ͕ύϒϦοΫΞΫηεՄೳ ▪IAM ϩʔϧʹա৒ͳݖݶΛ෇༩

   ▪ϓϥΠϕʔτͳLambda ؔ਺͕ ɹVPC ʹ഑ஔ͞Ε͍ͯͳ͍ ▪Secrets Manager γʔΫϨοτ ɹࣗಈϩʔςʔγϣϯ͕ະઃఆ ▪KMS ΩʔϙϦγʔͷա৒ʹڐՄ

9. ©Fusic Co., Ltd. 9 ਓͷ໨ͰνΣοΫͰ͸ةݥ ૝ఆ͚ͩͰ੍ޚ͢Δͷ͸೉͍͠ ͦ͜ͰCIͰνΣοΫΛߦ͍ɺ ηΩϡϦςΟϦεΫΛ ௿ݮ͢Δํ๏Λߟ͑·͢

10. ©Fusic Co., Ltd. 10 cdk-nag + Checkov 2

11. ©Fusic Co., Ltd. 11 cdk-nag CDK Labs at AWSͷϦϙδτϦͰ͋Δ cdk-nag

    AWS CDKͰఆٛ͞ΕͨϦιʔε͕ ηΩϡϦςΟ΍ӡ༻ͷϕετϓϥΫςΟεʹ ै͍ͬͯΔ͔Λݕূ͢ΔͨΊͷϥΠϒϥϦ ▪ϧʔϧϕʔεͷݕূ AWS͕ਪ঑͢ΔηΩϡϦςΟج४΍ ϕετϓϥΫςΟεʹج͍ͮͨϧʔϧηοτ ▪ΧελϚΠζՄೳ ϓϩδΣΫτͷχʔζʹ߹Θͤͯ ϧʔϧΛ௥Ճɾআ֎ɾΧελϚΠζՄೳ ▪CI/CD౷߹ GitHub ActionsͳͲͷCI/CDύΠϓϥΠϯʹ ౷߹ՄೳͰࣗಈతʹίʔυͷ඼࣭ΛνΣοΫ

12. ©Fusic Co., Ltd. 12 AWSʹΑΔެࣜϒϩά΋ ࢸΕΓ෇ͤ͘Γͳ಺༰ͷެࣜϒϩά΋ - AWSʹΑΔAWS CDK ͱ

    cdk-nag Λ౷߹ͯ͠ɺ IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹ؅ཧɾݕূ͢Δํ๏Λղઆ - ۩ମతͳಋೖखॱ΍ϧʔϧͷΧελϚΠζɺ Τϥʔͷमਖ਼ɾ཈੍ํ๏͕঺հ͞Ε͓ͯΓɺ TypeScriptΛ༻͍࣮ͨ૷ྫ΋ఏڙ - cdk-nag Λ୯ମςετ΍CI/CDͱ࿈ܞ ܧଓతͳηΩϡϦςΟνΣοΫΛ࣮ݱ͢Δํ๏

13. ©Fusic Co., Ltd. 13 Checkov Checkov͸IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹݕূ͢ΔͨΊͷOSSͷ੩తղੳπʔϧ TerraformɺAWS CloudFormationɺKubernetes YAMLɺ

    ͦͯ͠AWS CDKͳͲͷઃఆϑΝΠϧΛର৅ʹɺ ϕετϓϥΫςΟε΍ηΩϡϦςΟج४ʹ ج͍ͮͨνΣοΫΛ࣮ߦ͠·͢ - ෯޿͍αϙʔτର৅ - IaCπʔϧͷछྨɺΫϥ΢υϓϩόΠμʔʹରԠ - ๛෋ͳϧʔϧηοτ - CISɺNISTɺPCI DSSͳͲͷۀքඪ४ʹج͍ͮͨϧʔϧఏڙ - CI/CD౷߹ - GitHub ActionsɺGitLab CIɺJenkinsͳͲओཁͳCI/CDπʔϧͱ౷߹

14. ©Fusic Co., Ltd. 14 cdk-nag + Checkov ͜ͷ̎ͭΛ૊Έ߹ΘͤΔ - แׅతͳηΩϡϦςΟΧόϨοδͷ޲্

    - cdk-nag͸AWS CDKಛ༗ͷৄࡉͳηΩϡϦςΟνΣοΫΛఏڙ CheckovʹͯΠϯϑϥશମͷηΩϡϦςΟΛ໢ཏతʹݕূ - ૬ิతͳϧʔϧηοτͷ׆༻ - cdk-nagͱCheckov͸ͦΕͧΕҟͳΔϧʔϧ΍ϕετϓϥΫςΟεΛ࣋ͭͨΊɺ ྆ऀΛซ༻͢Δ͜ͱͰΤϥʔݕग़ͷਫ਼౓͕޲্͠ɺݟམͱ͠Λ๷͙ - ଟ૚తͳCI/CDύΠϓϥΠϯͷڧԽ - ྆πʔϧΛCI/CDύΠϓϥΠϯʹ౷߹͢Δ͜ͱͰɺ CI࣌ʹࣗಈత͔ͭଟ֯తͳηΩϡϦςΟνΣοΫΛ࣮ߦՄೳ

15. ©Fusic Co., Ltd. 15 ࣮ࡍͷಈ࡞ 3

16. ©Fusic Co., Ltd. 16 GitHub Actions GitHub Actions npx cdk

    synthΛ࣮ߦ͢Δ͜ͱͰ Cdk-nagͷνΣοΫΛ࣮ߦ͢Δ͜ͱ͕ग़དྷΔ checkovίϚϯυ͸template.yamlΛࢦఆͯ͠ ࣮ߦ͢Δ͜ͱͰtemplate.yamlΛ࣮ߦ͢Δ͜ͱ͕Մೳ

17. ©Fusic Co., Ltd. 17 cdk-nag cdk-nagͷmoduleΛ cdkͷAspectsʹ৯ΘͤΔ͜ͱͰ ର৅ͷStackͷνΣοΫ͕Մೳ ୯ମςετͱ࣮ͯ͠ߦ͢Δࣄ΋Մ

18. ©Fusic Co., Ltd. 18 cdk-nagϧʔϧͷ཈੍ NagSuppressionsͷ addResourceSuppressions ʹͯϧʔϧͷ཈੍Λߦ͏IDΛࢦఆ ର৅ϧʔϧΛ཈੍͕Մೳ

19. ©Fusic Co., Ltd. 19 Checkov ࣮ߦ͢Δ͜ͱͰ ಉ͡Α͏ʹΤϥʔදࣔͱ ݪҼΛදࣔͯ͘͠ΕΔ ΤϥʔʹରԠ͢Δ཈੍΋ .checkov.ymlʹॻ͘͜ͱͰରԠՄೳ

20. ©Fusic Co., Ltd. 20 ·ͱΊ 4

21. ©Fusic Co., Ltd. 21 ·ͱΊ CDK͸ͱͯ΋ศརɺศར͔ͩΒͦ͜؅ཧͷരൃ͕ى͜ΔՄೳੑ Point 01 ਓͷ໨ͰνΣοΫ͸ೝ஌ෛՙ͕ߴ͍ɺCIʹͯνΣοΫΛߦ͍ɺCDͷσϓϩΠʹͭͳ͛Δ Point

    02 cdk-nag + CheckovΛར༻͢Δ͜ͱͰ໢ཏతͳνΣοΫ͕Մೳ Point 03 ඞཁͳ಺༰ΛνΣοΫ͞ΕΔ͜ͱ΋͋Δɺͦͷ৔߹͸ϧʔϧͷ཈੍ͰରԠՄೳ Point 04

22. ©Fusic Co., Ltd. 22 Thank You We are Hiring! https://recruit.fusic.co.jp/

    ͝ਗ਼ௌ͍͖ͨͩ͋Γ͕ͱ͏͍͟͝·ͨ͠