Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Richard Fan
August 25, 2024
Technology
0
42
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
40
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
130
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
53
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
59
Create your first AWS Nitro Enclaves application
richardfan1126
0
51
Building Security Data Lake
richardfan1126
0
16
Other Decks in Technology
See All in Technology
AIとともに歩んでいくデザイナーの役割の変化
lycorptech_jp
PRO
0
500
「れきちず」のこれまでとこれから - 誰にでもわかりやすい歴史地図を目指して / FOSS4G 2025 Japan
hjmkth
1
320
コンテキストエンジニアリング入門〜AI Coding Agent作りで学ぶ文脈設計〜
kworkdev
PRO
3
1.8k
Databricks AI/BI Genie の「値ディクショナリー」をAmazonの奥地(S3)まで見に行く
kameitomohiro
1
220
技育祭2025【秋】 企業ピッチ/登壇資料(高橋 悟生)
hacobu
PRO
0
110
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.2k
Introdução a Service Mesh usando o Istio
aeciopires
0
210
能登半島災害現場エンジニアクロストーク 【JAWS FESTA 2025 in 金沢】
ditccsugii
0
900
RDS の負荷が高い場合に AWS で取りうる具体策 N 連発/a-series-of-specific-countermeasures-available-on-aws-when-rds-is-under-high-load
emiki
7
4.1k
難しいセキュリティ用語をわかりやすくしてみた
yuta3110
0
300
GoでもGUIアプリを作りたい!
kworkdev
PRO
0
150
事業開発におけるDify活用事例
kentarofujii
1
290
Featured
See All Featured
Raft: Consensus for Rubyists
vanstee
140
7.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.5k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.7k
Why Our Code Smells
bkeepers
PRO
340
57k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
61k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
22k
Designing for Performance
lara
610
69k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
How STYLIGHT went responsive
nonsquared
100
5.8k
Scaling GitHub
holman
463
140k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
115
20k
How to Ace a Technical Interview
jacobian
280
24k
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126