JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Richard Fan, AWS Security Hero

Where does the software come from?
Stages: Source, Developers, Build, Package, Consumers, Dependencies

How can things go wrong?
Stages: Source, Developers, Build, Package, Consumers, Dependencies
• Unauthorized code change
• Compromised repository
• Build from compromised source code
• Compromised build process
• Using compromised dependency
• Modified package
• Compromised package store
• Downloading compromised package

What is SLSA
• Supply-chain Levels for Software Artifacts
• Framework for software integrity
• Build trust between software producer and consumer
• Different levels of security assurance

SLSA Provenance
• Birth certificate of the software
Achieving SLSA on GitHub Actions

What is GitHub Actions
• CI/CD platform
• Workflow defined within code repo
• Run on GitHub-hosted or self-hosted runner

GitHub Actions workflow

    name: Build and sign EIF
    on: [push]
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    jobs:
      build_and_sign_artifact:
        runs-on: ubuntu-latest
        steps:
          # ... Build and push artifact
          - name: GitHub attest
            uses: actions/[email protected]   # action reference is garbled in the transcript

Generate and sign provenance
GitHub Actions workflow produces SLSA provenance recording:
• Built by GitHub Actions
• Source code version
• Software build
Where does the software come from? (with SLSA)
Stages: Source, Developers, Build, Package, Consumers, Dependencies; SLSA provenance covers the path from source to package

The software needs to run somewhere
Stages: Package, Server, End-users, Deployment
• Downloading compromised package
• Compromised deployment process
• Unauthorized deployment
• Unauthorized access
• Accessing compromised API endpoint

AWS Nitro Enclaves
• Isolated virtual machine
• Run on EC2 instances
• No admin access
• No persistent storage
• No external networking

Attestation document
1. Generated by the Nitro Enclave at runtime
2. Present attestation document to client app
3. Client validates the document
4. Client validates enclave fingerprint (PCRs)

Where does the software come from? (end to end)
Source, Build, Package, Fingerprint (PCRs), Enclave application
The enclave attests itself to end-users with an attestation document; end-users verify it against the attested artifact, and verify the source code and build process through the provenance
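Steps 3 and 4 above are where the client decides whether it is really talking to the attested build. The block below is an added example, not code from the deck or from the demo project: it runs the checks a client should apply to the decoded payload of a Nitro Enclaves attestation document once its COSE_Sign1 signature and certificate chain have already been validated against the AWS Nitro Attestation root (that signature step is assumed, not shown). The document fields (module_id, digest, timestamp, pcrs, nonce, public_key, user_data) follow the real document layout, but every value here is constructed; the expected PCR0/PCR1/PCR2 values stand in for the measurements printed when the enclave image file is built, which is what links the running enclave back to the provenance-covered artifact.

```python
import hashlib
import hmac

SHA384_LEN = 48  # Nitro PCRs are SHA-384 digests


def _fake_measurement(label: str) -> bytes:
    # Constructed 48-byte stand-in for a real PCR value.
    return hashlib.sha384(label.encode()).digest()


# PCR0: enclave image file, PCR1: kernel and bootstrap, PCR2: application.
# These are the values the verifier obtained from the attested build.
EXPECTED_PCRS = {
    0: _fake_measurement("eif"),
    1: _fake_measurement("kernel"),
    2: _fake_measurement("app"),
}
NONCE = b"client-chosen-random-nonce-0001"   # constructed; a real client draws this fresh per request

# Constructed stand-in for the decoded attestation document payload.
ATTESTATION_DOC = {
    "module_id": "i-0placeholder-enc0placeholder",
    "digest": "SHA384",
    "timestamp": 1_724_544_000_000,          # milliseconds since epoch, constructed
    "pcrs": {**EXPECTED_PCRS, 3: _fake_measurement("iam-role"), 4: _fake_measurement("instance-id")},
    "nonce": NONCE,
    "public_key": b"constructed-enclave-public-key",
    "user_data": None,
}


def check_attestation(doc, expected_pcrs, expected_nonce, now_ms, max_age_ms=5 * 60 * 1000, skew_ms=60 * 1000):
    """Return a list of failures; an empty list means the enclave is the attested build."""
    failures = []

    if doc.get("digest") != "SHA384":
        failures.append(f"unexpected digest algorithm: {doc.get('digest')}")

    # Freshness: reject documents older than max_age_ms or from the future.
    ts = doc.get("timestamp", 0)
    if not (now_ms - max_age_ms <= ts <= now_ms + skew_ms):
        failures.append("attestation document is stale or dated in the future")

    # Replay protection: the document must echo the nonce this client chose.
    if not hmac.compare_digest(doc.get("nonce") or b"", expected_nonce):
        failures.append("nonce mismatch (possible replayed document)")

    # Fingerprint: every PCR the policy cares about must match exactly.
    pcrs = doc.get("pcrs", {})
    for idx, want in expected_pcrs.items():
        got = pcrs.get(idx)
        if got is None or len(got) != SHA384_LEN:
            failures.append(f"PCR{idx} missing or malformed")
        elif not hmac.compare_digest(got, want):
            failures.append(f"PCR{idx} mismatch: enclave is not running the attested build")

    return failures


if __name__ == "__main__":
    now = 1_724_544_060_000
    print("genuine:", check_attestation(ATTESTATION_DOC, EXPECTED_PCRS, NONCE, now))
    altered = dict(ATTESTATION_DOC, pcrs={**ATTESTATION_DOC["pcrs"], 2: _fake_measurement("other-app")})
    print("altered application:", check_attestation(altered, EXPECTED_PCRS, NONCE, now))
```

Only after this returns an empty list should the client trust the public key carried in the document and use it to encrypt data for the enclave; that is the point at which "data encrypted between you and the enclave" actually means encrypted to the attested application and not to whatever happens to be answering.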
Demo … by yourself

Demo - How high (or low) is my salary?
• This is a difficult question
• I want to know how much you earn
• But I don’t want you to know how much I earn

Demo - How high is my salary enclave app
• Only tells you where your salary ranks
• Source code is open
• Build process is open
• Run on AWS Nitro Enclave
• Proved by attestation document
• Data encrypted between you and the enclave

Demo - How high is my salary enclave app
• https://github.com/richardfan1126/how-high-is-my-salary-enclave-app
• Easy setup (Terraform)

How to find me
Richard Fan
[email protected]
richardfan1126