Slide 1

Slide 1 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Julio Faerman @faermanj Building DevSecOps

Slide 2

Slide 2 text

A tale of two pizzas... Back in 2001, the Amazon.com retail website was a large architectural monolith…

Slide 3

Slide 3 text

“If you can’t feed a team with two pizzas, it’s too large” - Jeff Bezos, ~2001

Slide 4

Slide 4 text

Strangling the Monolith (diagram: requests enter through DNS, CDN and load balancer to a router such as Zuul, which sends traffic either to the monolith or to the smaller services split out of it)

Slide 5

Slide 5 text

Strangling the Monolith: Amazon EC2, Amazon Elastic Container Service, AWS Lambda, Application Load Balancer (ALB)

Slide 7

Slide 7 text

Amazon dependencies graph, 2008

Slide 8

Slide 8 text

Teams that practice CI/CD ship code faster, and with more confidence:
• 5x lower change failure rate
• 440x faster from commit to deploy
• 46x more frequent deployments
• 44% more time spent on new features
Source: Puppet 2017 State of DevOps Report

Slide 10

Slide 10 text

“…a necessary capability if you're moving to a serious adoption of microservices.”

Slide 11

Slide 11 text

AWS CloudFormation
• A simplified way to create and manage a collection of AWS resources
• Orderly and predictable provisioning and updating of resources
• Fully managed service
• Use the AWS Management Console, the AWS Command Line Interface (CLI), or AWS APIs
• Only pay for the resources you create

Slide 12

Slide 12 text

AWS CloudFormation

Slide 14

Slide 14 text

Hello world!

Slide 15

Slide 15 text

Template Deployment

Slide 16

Slide 16 text

Authoring in JSON or YAML

Slide 17

Slide 17 text

Template Anatomy
1. Format version
2. Transforms
3. Description
4. Metadata
5. Parameters
6. Mappings
7. Conditions
8. Resources (required)
9. Outputs

Slide 18

Slide 18 text

Typed Parameters
Parameter types: String, Number, List, CommaDelimitedList, Parameter Store (SSM) types, and AWS-specific types such as:
• AWS::EC2::AvailabilityZone::Name
• AWS::EC2::KeyPair::KeyName
• AWS::EC2::SecurityGroup::Id
• AWS::EC2::Subnet::Id

Slide 19

Slide 19 text

Resources and References
Resource types follow the pattern service-provider::service-name::data-type-name, for example:
• AWS::S3::Bucket
• AWS::EC2::Instance
• AWS::EC2::EIP
• AWS::AutoScalingPlans::ScalingPlan
• AWS::ECS::Cluster
• AWS::Lambda::Function
• AWS::DynamoDB::Table
• AWS::RDS::DBCluster
• AWS::ElastiCache::CacheCluster
• AWS::Elasticsearch::Domain

Slide 20

Slide 20 text

Infrastructure as Code as Code
The delivery pipeline itself is declared as CloudFormation resources:
• AWS::CodeCommit::Repository
• AWS::CodeBuild::Project
• AWS::CodePipeline::Pipeline
• AWS::CodePipeline::CustomActionType
• AWS::CodeDeploy::Application
• AWS::CodeDeploy::DeploymentGroup

Slide 21

Slide 21 text

Intrinsic Functions
• Ref
• Fn::GetAtt
• Fn::Join
• Fn::Sub
• Fn::Base64
• Fn::Cidr
• Fn::FindInMap
• Fn::ImportValue
• Fn::GetAZs
• Fn::Select
• Fn::Split
• Fn::Transform
• Conditionals

Slide 23

Slide 23 text

Pseudo Parameters
• AWS::AccountId
• AWS::NotificationARNs
• AWS::NoValue
• AWS::Partition
• AWS::Region
• AWS::StackId
• AWS::StackName
• AWS::URLSuffix

Slide 24

Slide 24 text

Conditions
Resource creation can depend on logical conditions:

    Conditions:
      isProd:
        Fn::Equals: [ !Ref EnvType, prod ]
    Resources:
      EC2Instance:
        Type: "AWS::EC2::Instance"
        Condition: isProd
        Properties:
          ImageId:
            Fn::FindInMap: [RegionMap, !Ref "AWS::Region", AMI]

Use conditions with intrinsic functions (Fn::If, Fn::Equals, Fn::Not) to create complex logic for property values.

Slide 25

Slide 25 text

Dynamic references
• Inject values from SSM Parameter Store and Secrets Manager
• KMS-encrypted strings
• Versioned and secured by IAM

Slide 26

Slide 26 text

AWS Secrets Manager

Slide 28

Slide 28 text

Declarative and Imperative DSLs

Slide 29

Slide 29 text

AWS Cloud Development Kit

Slide 31

Slide 31 text

DSLs
• Troposphere
• Stratosphere
• SparkleFormation
• DIY

Slide 32

Slide 32 text

Continuous delivery with CodeStar

Slide 37

Slide 37 text

Cross Stack References

Network Stack exports the VPC id:

    Outputs:
      VPC:
        Description: reference VPC
        Value: !Ref VPC
        Export:
          Name: ProdVPC

App Stack imports it:

    Resources:
      myTargetGroup:
        Type: AWS::ElasticLoadBalancingV2::TargetGroup
        Properties:
          VpcId:
            Fn::ImportValue: ProdVPC

Slide 38

Slide 38 text

Nested stacks

Application stack (parent) declares the child stacks as resources:

    Resources:
      NetworkResources:
        Type: AWS::CloudFormation::Stack

Network Resources stack:

    Resources:
      MyVPC:
        Type: AWS::EC2::VPC

ECS Service stack:

    Resources:
      MyService:
        Type: AWS::ECS::Service

Slide 40

Slide 40 text

Provisioning, Configuration, Deployment: AWS OpsWorks, AWS CodeDeploy, AWS EC2 Systems Manager

Slide 41

Slide 41 text

Provisioning, Configuration, Deployment: “…An Immutable Server is the logical conclusion of this approach, a server that once deployed, is never modified, merely replaced with a new updated instance.”

Slide 43

Slide 43 text

Managed services: Amazon DynamoDB, Amazon ElastiCache, Amazon RDS, AWS Lambda, AWS Batch, Amazon CloudFront, and more

Slide 44

Slide 44 text

Nested Stacks vs Cross Stack References

Recommended use cases
  Nested Stacks:
    • Template reuse
    • Use multiple templates but manage them as a single stack
  Cross Stack References:
    • Sharing common resources
    • Allows for independent stacks based on resource lifecycle or ownership

Advantages
  Nested Stacks:
    • Convenient management: one stack manages all resources and nested stacks
    • Creation order and dependencies are managed
  Cross Stack References:
    • Separation of concerns
    • Share databases and VPCs
    • Lets you limit blast radius with safeguards

Considerations
  Nested Stacks:
    • Updates and rollbacks have a wide surface area
    • Reusing templates that have custom resource names
  Cross Stack References:
    • Replacing updates require changes to the importing stacks to execute
    • Does not manage creation order

Slide 45

Slide 45 text

Reliable Change Management

Slide 46

Slide 46 text

Template validation
• cfn-lint: validate AWS CloudFormation YAML/JSON templates against the AWS CloudFormation spec and additional checks
• cfn-nag: look for patterns in templates that may indicate insecure infrastructure
• Taskcat: catch problems that aren’t obvious in a single template/stack

Slide 47

Slide 47 text

cfn-lint: "Can I deploy this template?"
Community-driven open source tool to validate CloudFormation YAML/JSON templates against the CloudFormation resource specification plus additional checks. IDE plugins available for VS Code, Atom, Sublime, IntelliJ and vim.
https://github.com/awslabs/cfn-python-lint
pip install cfn-lint
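The kind of pattern check cfn-nag performs can be reduced to a few lines of template inspection. The following is an added example, not code from the deck or from the cfn-lint or cfn-nag projects: it reads a template as JSON (a YAML template with !Ref-style tags would need a tag-aware loader) and flags two patterns that usually indicate insecure infrastructure, security group ingress open to the world on an administrative port and IAM statements that allow "*" on "*". The sample template, the port list and the function names are constructed for this example.

```python
"""Minimal cfn-nag-style pattern checks over a CloudFormation template (added example)."""
import json
from typing import List

# Policy assumptions for this example: which ports count as sensitive, and what "the world" means.
SENSITIVE_PORTS = (22, 3389)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range_covers(rule: dict, port: int) -> bool:
    """True if an ingress rule reaches `port` (protocol -1 means every port)."""
    if str(rule.get("IpProtocol", "")) == "-1":
        return True
    try:
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    except (TypeError, ValueError):
        return False  # an intrinsic function such as {"Ref": ...}: cannot be decided statically
    return lo <= port <= hi


def _ingress_rules(rtype: str, props: dict) -> list:
    """Ingress rules live inline on AWS::EC2::SecurityGroup or as standalone ingress resources."""
    if rtype == "AWS::EC2::SecurityGroup":
        rules = props.get("SecurityGroupIngress", [])
        return rules if isinstance(rules, list) else [rules]
    if rtype == "AWS::EC2::SecurityGroupIngress":
        return [props]
    return []


def _policy_documents(rtype: str, props: dict) -> list:
    """Collect PolicyDocument objects from policies, managed policies and inline role policies."""
    if rtype not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role", "AWS::IAM::User"):
        return []
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
    docs += [p.get("PolicyDocument") for p in props.get("Policies", [])]
    return [d for d in docs if d]


def check_template(template: dict) -> List[str]:
    """Return one finding per violation, in template order; an empty list means clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        for rule in _ingress_rules(rtype, props):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in WORLD_CIDRS:
                for port in SENSITIVE_PORTS:
                    if _port_range_covers(rule, port):
                        findings.append(f"{name}: port {port} open to {cidr}")
        for doc in _policy_documents(rtype, props):
            for stmt in doc.get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = stmt.get("Action", [])
                resources = stmt.get("Resource", [])
                actions = actions if isinstance(actions, list) else [actions]
                resources = resources if isinstance(resources, list) else [resources]
                if "*" in actions and "*" in resources:
                    findings.append(f"{name}: IAM statement allows * on *")
    return findings


# Constructed sample template (not from the slides): one bad ingress rule and one wildcard policy.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AdminPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
        }
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
```

Running the block prints two findings: the HTTPS rule passes (443 is not on the sensitive list), the SSH rule and the wildcard policy fail. In a pipeline this check would sit next to cfn-lint, before a change set is ever created.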

Slide 48

Slide 48 text

CloudFormation change sets Preview the impact to your stack of changes by comparing the new template and parameters to the last known state of the stack. CloudFormation makes the changes to your stack only when you decide to execute the change set.
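Previewing a change set is only useful if someone, or something, reads it before execution. The following is an added example, not AWS tooling and not from the deck: it inspects the response shape of describe_change_set (Action, Replacement and ResourceType fields as documented by the CloudFormation API) and refuses to execute when a stateful resource would be removed or replaced. The sample response, the list of stateful types and the function names are constructed for this example; only review_and_execute touches AWS, through a boto3 client passed in as a parameter.

```python
"""Gate a CloudFormation change set on destructive actions before executing it (added example)."""
from typing import Dict, List

# Assumption for this example: replacing or removing these types means data loss, not just downtime.
STATEFUL_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::DynamoDB::Table",
                  "AWS::S3::Bucket", "AWS::EC2::Volume"}


def risky_changes(description: dict) -> List[Dict[str, str]]:
    """Return the changes a reviewer must approve: Remove, or Modify with Replacement True/Conditional."""
    risky = []
    for change in description.get("Changes", []):
        rc = change.get("ResourceChange", {})
        action = rc.get("Action")
        replacement = rc.get("Replacement")  # the API returns the strings "True", "False" or "Conditional"
        if action == "Remove" or (action == "Modify" and replacement in ("True", "Conditional")):
            risky.append({
                "LogicalResourceId": rc.get("LogicalResourceId", "?"),
                "ResourceType": rc.get("ResourceType", "?"),
                "Action": action,
                "Replacement": replacement or "-",
                "Stateful": str(rc.get("ResourceType") in STATEFUL_TYPES),
            })
    return risky


def should_block(description: dict) -> bool:
    """Block automatic execution if any stateful resource would be removed or replaced."""
    return any(c["Stateful"] == "True" for c in risky_changes(description))


def review_and_execute(stack_name: str, change_set_name: str, client=None) -> bool:
    """Describe, review and (if safe) execute a change set; returns True if it was executed.

    `client` is a boto3 CloudFormation client, kept as a parameter so the review
    logic above stays testable without credentials.
    """
    if client is None:
        import boto3  # imported lazily: only needed when actually talking to AWS
        client = boto3.client("cloudformation")
    desc = client.describe_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    if should_block(desc):
        for c in risky_changes(desc):
            print("BLOCKED:", c)
        return False
    client.execute_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    return True


# Constructed describe_change_set response (not captured from a real account).
SAMPLE_DESCRIPTION = {
    "ChangeSetName": "example-changeset",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebAsg",
            "ResourceType": "AWS::AutoScaling::AutoScalingGroup", "Replacement": "False"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppDb",
            "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "DBName",
                                    "RequiresRecreation": "Always"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "LogBucket",
            "ResourceType": "AWS::S3::Bucket"}},
    ],
}

if __name__ == "__main__":
    for c in risky_changes(SAMPLE_DESCRIPTION):
        print(c)
    print("block execution:", should_block(SAMPLE_DESCRIPTION))
```

The auto scaling group modification and the new bucket pass; the RDS instance whose DBName change requires recreation is reported and blocks execution, which is exactly the case a change set exists to catch.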

Slide 49

Slide 49 text

Drift Detection

Slide 50

Slide 50 text

CloudFormation StackSets Create, update, and delete stacks in multiple accounts and regions using a single operation

Slide 57

Slide 57 text

Amazon Route 53, AWS CodeDeploy

Slide 59

Slide 59 text

AWS Security, Identity and Compliance

Slide 63

Slide 63 text

AWS CloudTrail

Slide 64

Slide 64 text

AWS Config & Config Rules (diagram): Record → Normalize → Store → Deliver, as a change stream, point-in-time snapshots (e.g. 2014-11-05) and configuration history

Slide 65

Slide 65 text

Sample AWS Config Event

Slide 66

Slide 66 text

Sample Custom AWS Config Rule

Slide 67

Slide 67 text

Sample AWS Config Rule
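The sample rule on the slide is an image, so here is an added example of what a custom Config rule looks like in code; it is not the deck's sample and not the rdk-generated s3_bucket_default_encryption_enabled.py listed later. It evaluates an AWS::S3::Bucket configuration item for default encryption and reports the result with put_evaluations. Assumption: Config records a bucket's default encryption in supplementaryConfiguration["ServerSideEncryptionConfiguration"] as a JSON string with a camelCase "rules" list, which is how the service delivers it; the decision is kept in a pure function so it runs and can be tested without AWS, and the sample configuration items and helper names are constructed.

```python
"""Custom AWS Config rule: S3 bucket must have default encryption enabled (added example)."""
import json
from typing import Tuple

APPLICABLE_TYPE = "AWS::S3::Bucket"


def evaluate_bucket(config_item: dict) -> Tuple[str, str]:
    """Return (compliance_type, annotation) for one configuration item."""
    if config_item.get("resourceType") != APPLICABLE_TYPE:
        return "NOT_APPLICABLE", "not an S3 bucket"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "bucket deleted"
    supplementary = config_item.get("supplementaryConfiguration") or {}
    raw = supplementary.get("ServerSideEncryptionConfiguration")
    if not raw:
        return "NON_COMPLIANT", "no default encryption configuration"
    sse = json.loads(raw) if isinstance(raw, str) else raw  # assumption: JSON string, see lead-in
    for rule in sse.get("rules", sse.get("Rules", [])):
        default = rule.get("applyServerSideEncryptionByDefault") or rule.get("ApplyServerSideEncryptionByDefault") or {}
        algo = default.get("sseAlgorithm") or default.get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return "COMPLIANT", f"default encryption {algo}"
    return "NON_COMPLIANT", "encryption configuration has no default algorithm"


def make_event(item: dict, result_token: str = "constructed-token") -> dict:
    """Build the event shape Config hands to a custom rule Lambda (for local runs and tests)."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "resultToken": result_token,
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Config rule entry point: evaluate the changed item and report it back to Config."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:  # scheduled or oversized notifications carry no item inline
        return {"skipped": invoking.get("messageType")}
    compliance, annotation = evaluate_bucket(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if context is not None:  # only report to AWS when running as a real Lambda invocation
        import boto3
        boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                               ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration items (not captured from a real account).
ENCRYPTED_ITEM = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-logs",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-05-01T10:00:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": json.dumps({"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                    "kmsMasterKeyID": "alias/example"}}]}),
    },
}
PLAIN_ITEM = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-uploads",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-05-01T10:00:00.000Z",
    "supplementaryConfiguration": {},
}

if __name__ == "__main__":
    for item in (ENCRYPTED_ITEM, PLAIN_ITEM):
        print(item["resourceId"], lambda_handler(make_event(item))["ComplianceType"])
```

Keeping evaluate_bucket free of AWS calls is the design point: the rule's verdict can be unit-tested on captured configuration items, and the same function can be reused by a remediation Lambda such as the unencrypted-bucket flow described later in the deck.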

Slide 69

Slide 69 text

AWS GuardDuty finding types (excerpt):
• Backdoor:EC2/XORDDOS
• Backdoor:EC2/Spambot
• Backdoor:EC2/C&CActivity.B!DNS
• CryptoCurrency:EC2/BitcoinTool.B!DNS
• Trojan:EC2/BlackholeTraffic
• Trojan:EC2/DropPoint
• Trojan:EC2/BlackholeTraffic!DNS
• Trojan:EC2/DriveBySourceTraffic!DNS
• Trojan:EC2/DropPoint!DNS
• Trojan:EC2/DGADomainRequest.B
• Trojan:EC2/DGADomainRequest.C!DNS
• Trojan:EC2/DNSDataExfiltration
• …

Slide 70

Slide 70 text

Self-Healing an Unencrypted Bucket (flow): S3 bucket events are logged by AWS CloudTrail and processed in Amazon CloudWatch; when an S3 operation is detected, CloudWatch calls a Lambda function that validates the bucket's encryption and encrypts the bucket if it is not.

Slide 71

Slide 71 text

Self-Healing Open Sensitive Ports (flow): a security group change that uses a disallowed CIDR is logged by AWS CloudTrail; an alert is raised in Amazon CloudWatch, which calls a Lambda function that removes the bad CIDR from the security group.
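The open-ports flow above, written out as a Lambda handler: an added example, not the deck's own function. It consumes the CloudWatch Events payload for an AuthorizeSecurityGroupIngress API call (the "detail" object carries the CloudTrail record, whose requestParameters.ipPermissions.items hold the rules just added), decides which of those rules are disallowed, and revokes only those with revoke_security_group_ingress. Assumptions: the remediation policy is "no world-reachable CIDR on the listed sensitive ports", where world-reachable means a prefix shorter than /8; the sample event, port list and helper names are constructed for this example.

```python
"""Self-healing for open sensitive ports: CloudTrail -> CloudWatch Events -> Lambda (added example)."""
import ipaddress
from typing import List

SENSITIVE_PORTS = (22, 3389, 3306, 5432)  # SSH, RDP, MySQL, PostgreSQL (policy assumption)
MAX_ALLOWED_PREFIX = 8  # anything broader than a /8 counts as "the world" here (policy assumption)


def cidr_is_disallowed(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 and any prefix broader than MAX_ALLOWED_PREFIX."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return True  # unparsable input is treated as disallowed rather than silently allowed
    return net.prefixlen < MAX_ALLOWED_PREFIX


def _covers_sensitive_port(perm: dict) -> bool:
    """Protocol -1 covers every port; otherwise check the fromPort..toPort range."""
    if str(perm.get("ipProtocol")) == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in SENSITIVE_PORTS)


def bad_permissions(detail: dict) -> List[dict]:
    """Return the IpPermissions (EC2 API shape) that must be revoked for this event."""
    to_revoke = []
    perms = detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        if not _covers_sensitive_port(perm):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if cidr_is_disallowed(r.get("cidrIp", ""))]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if cidr_is_disallowed(r.get("cidrIpv6", ""))]
        if not v4 and not v6:
            continue
        revoke = {"IpProtocol": perm["ipProtocol"]}
        if perm.get("fromPort") is not None:
            revoke["FromPort"], revoke["ToPort"] = perm["fromPort"], perm["toPort"]
        if v4:
            revoke["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            revoke["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        to_revoke.append(revoke)
    return to_revoke


def lambda_handler(event: dict, context=None) -> dict:
    """CloudWatch Events entry point: revoke only the disallowed rules, leave the rest alone."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"action": "ignored", "eventName": detail.get("eventName")}
    group_id = detail["requestParameters"]["groupId"]
    revoke = bad_permissions(detail)
    if revoke and context is not None:  # only call AWS inside a real Lambda invocation
        import boto3
        boto3.client("ec2").revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    return {"action": "revoked" if revoke else "ok", "groupId": group_id, "revoked": revoke}


# Constructed CloudWatch Events payload (not captured from a real account).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/16"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

On the sample event only the 0.0.0.0/0 range on port 22 is revoked; the 10.0.0.0/16 range on the same port and the public HTTPS rule stay in place. Revoking the precise offending range, rather than the whole group, is what keeps the automation safe to run without a human in the loop, and the returned dict gives CloudWatch Logs an audit record of what was changed.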

Slide 72

Slide 72 text

Self-Healing a Compromised Instance (flow): AWS GuardDuty detects a DNS lookup of a malicious hostname from an EC2 instance; the finding is processed by Amazon CloudWatch, which calls a Lambda function on the malicious trigger, and the function terminates the EC2 instance.

Slide 73

Slide 73 text

Sample custom Config rules (rule files):
• ec2_security_group_ingress.py
• ec2_security_group_port_range_all_prohibited.py
• ec2_security_group_protocol_all_prohibited.py
• ec2_vpc_public_subnet.py
• iam_mfa_for_console_access.py
• iam_policy_exists.py
• iam_unused_keys.py
• lambda_require_tags_with_valid_values.py
• rds_desired_instance_type.py
• rds_vpc_public_subnet.py
• s3_bucket_default_encryption_enabled.py
• s3_bucket_policy_prohibited.py
• cf_logging_enabled
• cloudtrail_encrypted.py
• cloudtrail_lfi_activated.py
• config_enabled.py
• config_rules_exist.py
• ec2-exposed-instance.py
• ec2_desired_instance_type.py
• ec2_desired_lifecycle_spot.py
• ec2_launch_wizard_security_group_prohibited.py
• ec2_no_internet_access.py
• ec2_require_ebs_snapshots_for_volumes.py
• ec2_require_security_group_by_tag.py
• ec2_require_tags_with_valid_values.py

Slide 76

Slide 76 text

OWASP Top 10 Application Vulnerabilities

Slide 78

Slide 78 text

https://infosec.mozilla.org/fundamentals/security_principles.html

Slide 80

Slide 80 text

Infrastructure as Code whitepaper: https://aws.amazon.com/whitepapers/

Slide 81

Slide 81 text

Julio Faerman @faermanj Thank you!