Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure...

shiro seike
PRO
September 25, 2024
Programming
3
810

AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure CI/CD pipeline using AWS CDK

JAWS-UG CDK支部 #16 ~CDK Conference 2024 Extra~
https://jawsug-cdk.connpass.com/event/328676/

shiro seike
PRO

September 25, 2024
Tweet

More Decks by shiro seike

See All by shiro seike
Amazon Q Developer Proで効率化するAPI開発入門
seike460
PRO
0
120
(再)ひとり技術広報からの脱却 / Re:Breaking away from one-man technical public relations
seike460
PRO
1
140
PHPで作るWebSocketサーバー ~リアクティブなアプリケーションを知るために~ / WebSocket Server in PHP - To know reactive applications
seike460
PRO
2
900
CQRS+ES の力を使って効果を感じる / Feel the effects of using the power of CQRS+ES
seike460
PRO
0
260
AWS reInvent 2024サービスアップデートデモ / AWS reInvent 2024 Service Update Demo
seike460
PRO
0
44
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
620
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
1.2k
実践サーバーレスパフォーマンスチューニング ~その実力に迫る~ / Practical Serverless Performance Tuning ~A Close Look at its Power~
seike460
PRO
2
390
PHPを書く理由、PHPを書いていて良い理由 / Reasons to write PHP and why it is good to write PHP
seike460
PRO
5
680

Other Decks in Programming

See All in Programming
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
600
責務と認知負荷を整える! 抽象レベルを意識した関心の分離
yahiru
8
1.3k
Rubyで始める関数型ドメインモデリング
shogo_tksk
0
130
Grafana Loki によるサーバログのコスト削減
mot_techtalk
1
130
AIプログラミング雑キャッチアップ
yuheinakasaka
9
1.5k
2025.2.14_Developers Summit 2025_登壇資料
0101unite
0
130
昭和の職場からアジャイルの世界へ
kumagoro95
1
410
JavaScriptツール群「UnJS」を5分で一気に駆け巡る!
k1tikurisu
9
1.8k
Kubernetes History Inspector(KHI)を触ってみた
bells17
0
250
AI Agent系IDEを使って 開発生産性を爆アゲする
ouchi2501
1
100
ソフトウェアエンジニアの成長
masuda220
PRO
12
2k
Honoのおもしろいミドルウェアをみてみよう
yusukebe
1
220

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
Facilitating Awesome Meetings
lara
52
6.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.2k
YesSQL, Process and Tooling at Scale
rocio
172
14k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
52k
KATA
mclloyd
29
14k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
133
33k
Product Roadmaps are Hard
iamctodd
PRO
50
11k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k

Transcript

  1. ©Fusic Co., Ltd.  1 AWS CDKΛ༻͍ͨ ηΩϡΞͳCI/CDύΠϓϥΠϯͷߏங 2024.09.25 @seike460

    JAWS-UG CDKࢧ෦ #16 ~CDK Conference 2024 Extra~

  2. ©Fusic Co., Ltd. 2 ਗ਼Ո ࢙࿠ @seike460 AWS Community Builder

    Serverless ίϛϡχςΟ Fukuoka.php Fukuoka.go JAWS-UG Fukuoka Serverless Meetup Fukuoka Cloudflare Meetup Fukuoka JP_Stripes Fukuoka ࣗݾ঺հ ͸͡Ίʹ גࣜձࣾFusic ϓϦϯγύϧΤϯδχΞ/ΤόϯδΣϦετ

  3. ©Fusic Co., Ltd. 3 CONTENTS ໨࣍ 1. AWS CDKͱηΩϡϦςΟ 2.

    cdk-nagɺCheckov 3. ࣮ࡍͷಈ࡞ 4. ·ͱΊ

  4. ©Fusic Co., Ltd. 4 AWS CDKͱηΩϡϦςΟ 1

  5. ©Fusic Co., Ltd. 5 AWS CDK AWS CDKɺͱͯ΋ศརͰ͢ΑͶ YAML΍JSONͰͷهड़ʹ୅ΘΓɺPythonɺTypeScript౳ͷ ϓϩάϥϛϯάݴޠΛ࢖ͬͯɺίʔυͰAWSϦιʔεΛఆٛͰ͖·͢ɻ

    →ෳࡶͳΠϯϑϥετϥΫνϟͷઃఆΛ؆୯ʹ͠ɺ ࠶ར༻ੑ΍ՄಡੑΛߴΊΔ͜ͱ͕Ͱ͖ɺ ։ൃऀʹͱͬͯΑΓޮ཰తͳӡ༻͕ՄೳͱͳΓ·͢

  6. ©Fusic Co., Ltd. 6 ෳࡶͳߏ੒ʹ΋ରԠ ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ

  7. ©Fusic Co., Ltd. 7 ෳࡶͳߏ੒ʹ΋ରԠग़དྷΔ͕… ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ ग़དྷΔ͕… ٯʹࠨͷΑ͏ͳڊେͳߏ੒΋ ࡞੒Ͱ͖ͯ͠·͍ɺ ͢΂ͯΛঠѲग़དྷΔ͔͸·ͨผͷ࿩

  8. ©Fusic Co., Ltd. 8 ͢΂ͯΛঠѲͰ͖ͳ͍ͱ… ηΩϡϦςΟϦεΫ಺ࡏͷՄೳੑ ▪S3 όέοτ͕ύϒϦοΫΞΫηεՄೳ ▪IAM ϩʔϧʹա৒ͳݖݶΛ෇༩

    ▪ϓϥΠϕʔτͳLambda ؔ਺͕ ɹVPC ʹ഑ஔ͞Ε͍ͯͳ͍ ▪Secrets Manager γʔΫϨοτ ɹࣗಈϩʔςʔγϣϯ͕ະઃఆ ▪KMS ΩʔϙϦγʔͷա৒ʹڐՄ

  9. ©Fusic Co., Ltd. 9 ਓͷ໨ͰνΣοΫͰ͸ةݥ ૝ఆ͚ͩͰ੍ޚ͢Δͷ͸೉͍͠ ͦ͜ͰCIͰνΣοΫΛߦ͍ɺ ηΩϡϦςΟϦεΫΛ ௿ݮ͢Δํ๏Λߟ͑·͢

  10. ©Fusic Co., Ltd. 10 cdk-nag + Checkov 2

  11. ©Fusic Co., Ltd. 11 cdk-nag CDK Labs at AWSͷϦϙδτϦͰ͋Δ cdk-nag

    AWS CDKͰఆٛ͞ΕͨϦιʔε͕ ηΩϡϦςΟ΍ӡ༻ͷϕετϓϥΫςΟεʹ ै͍ͬͯΔ͔Λݕূ͢ΔͨΊͷϥΠϒϥϦ ▪ϧʔϧϕʔεͷݕূ AWS͕ਪ঑͢ΔηΩϡϦςΟج४΍ ϕετϓϥΫςΟεʹج͍ͮͨϧʔϧηοτ ▪ΧελϚΠζՄೳ ϓϩδΣΫτͷχʔζʹ߹Θͤͯ ϧʔϧΛ௥Ճɾআ֎ɾΧελϚΠζՄೳ ▪CI/CD౷߹ GitHub ActionsͳͲͷCI/CDύΠϓϥΠϯʹ ౷߹ՄೳͰࣗಈతʹίʔυͷ඼࣭ΛνΣοΫ

  12. ©Fusic Co., Ltd. 12 AWSʹΑΔެࣜϒϩά΋ ࢸΕΓ෇ͤ͘Γͳ಺༰ͷެࣜϒϩά΋ - AWSʹΑΔAWS CDK ͱ

    cdk-nag Λ౷߹ͯ͠ɺ IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹ؅ཧɾݕূ͢Δํ๏Λղઆ - ۩ମతͳಋೖखॱ΍ϧʔϧͷΧελϚΠζɺ Τϥʔͷमਖ਼ɾ཈੍ํ๏͕঺հ͞Ε͓ͯΓɺ TypeScriptΛ༻͍࣮ͨ૷ྫ΋ఏڙ - cdk-nag Λ୯ମςετ΍CI/CDͱ࿈ܞ ܧଓతͳηΩϡϦςΟνΣοΫΛ࣮ݱ͢Δํ๏

  13. ©Fusic Co., Ltd. 13 Checkov Checkov͸IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹݕূ͢ΔͨΊͷOSSͷ੩తղੳπʔϧ TerraformɺAWS CloudFormationɺKubernetes YAMLɺ

    ͦͯ͠AWS CDKͳͲͷઃఆϑΝΠϧΛର৅ʹɺ ϕετϓϥΫςΟε΍ηΩϡϦςΟج४ʹ ج͍ͮͨνΣοΫΛ࣮ߦ͠·͢ - ෯޿͍αϙʔτର৅ - IaCπʔϧͷछྨɺΫϥ΢υϓϩόΠμʔʹରԠ - ๛෋ͳϧʔϧηοτ - CISɺNISTɺPCI DSSͳͲͷۀքඪ४ʹج͍ͮͨϧʔϧఏڙ - CI/CD౷߹ - GitHub ActionsɺGitLab CIɺJenkinsͳͲओཁͳCI/CDπʔϧͱ౷߹

  14. ©Fusic Co., Ltd. 14 cdk-nag + Checkov ͜ͷ̎ͭΛ૊Έ߹ΘͤΔ - แׅతͳηΩϡϦςΟΧόϨοδͷ޲্

    - cdk-nag͸AWS CDKಛ༗ͷৄࡉͳηΩϡϦςΟνΣοΫΛఏڙ CheckovʹͯΠϯϑϥશମͷηΩϡϦςΟΛ໢ཏతʹݕূ - ૬ิతͳϧʔϧηοτͷ׆༻ - cdk-nagͱCheckov͸ͦΕͧΕҟͳΔϧʔϧ΍ϕετϓϥΫςΟεΛ࣋ͭͨΊɺ ྆ऀΛซ༻͢Δ͜ͱͰΤϥʔݕग़ͷਫ਼౓͕޲্͠ɺݟམͱ͠Λ๷͙ - ଟ૚తͳCI/CDύΠϓϥΠϯͷڧԽ - ྆πʔϧΛCI/CDύΠϓϥΠϯʹ౷߹͢Δ͜ͱͰɺ CI࣌ʹࣗಈత͔ͭଟ֯తͳηΩϡϦςΟνΣοΫΛ࣮ߦՄೳ

  15. ©Fusic Co., Ltd. 15 ࣮ࡍͷಈ࡞ 3

  16. ©Fusic Co., Ltd. 16 GitHub Actions GitHub Actions npx cdk

    synthΛ࣮ߦ͢Δ͜ͱͰ Cdk-nagͷνΣοΫΛ࣮ߦ͢Δ͜ͱ͕ग़དྷΔ checkovίϚϯυ͸template.yamlΛࢦఆͯ͠ ࣮ߦ͢Δ͜ͱͰtemplate.yamlΛ࣮ߦ͢Δ͜ͱ͕Մೳ

  17. ©Fusic Co., Ltd. 17 cdk-nag cdk-nagͷmoduleΛ cdkͷAspectsʹ৯ΘͤΔ͜ͱͰ ର৅ͷStackͷνΣοΫ͕Մೳ ୯ମςετͱ࣮ͯ͠ߦ͢Δࣄ΋Մ

  18. ©Fusic Co., Ltd. 18 cdk-nagϧʔϧͷ཈੍ NagSuppressionsͷ addResourceSuppressions ʹͯϧʔϧͷ཈੍Λߦ͏IDΛࢦఆ ର৅ϧʔϧΛ཈੍͕Մೳ

  19. ©Fusic Co., Ltd. 19 Checkov ࣮ߦ͢Δ͜ͱͰ ಉ͡Α͏ʹΤϥʔදࣔͱ ݪҼΛදࣔͯ͘͠ΕΔ ΤϥʔʹରԠ͢Δ཈੍΋ .checkov.ymlʹॻ͘͜ͱͰରԠՄೳ

  20. ©Fusic Co., Ltd. 20 ·ͱΊ 4

  21. ©Fusic Co., Ltd. 21 ·ͱΊ CDK͸ͱͯ΋ศརɺศར͔ͩΒͦ͜؅ཧͷരൃ͕ى͜ΔՄೳੑ Point 01 ਓͷ໨ͰνΣοΫ͸ೝ஌ෛՙ͕ߴ͍ɺCIʹͯνΣοΫΛߦ͍ɺCDͷσϓϩΠʹͭͳ͛Δ Point

    02 cdk-nag + CheckovΛར༻͢Δ͜ͱͰ໢ཏతͳνΣοΫ͕Մೳ Point 03 ඞཁͳ಺༰ΛνΣοΫ͞ΕΔ͜ͱ΋͋Δɺͦͷ৔߹͸ϧʔϧͷ཈੍ͰରԠՄೳ Point 04

  22. ©Fusic Co., Ltd. 22 Thank You We are Hiring! https://recruit.fusic.co.jp/

    ͝ਗ਼ௌ͍͖ͨͩ͋Γ͕ͱ͏͍͟͝·ͨ͠