Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Richard Fan
August 25, 2024
Technology
0
44
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
43
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
130
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
55
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
64
Create your first AWS Nitro Enclaves application
richardfan1126
0
55
Building Security Data Lake
richardfan1126
0
16
Other Decks in Technology
See All in Technology
Introducing RFC9111 / YAPC::Fukuoka 2025
k1low
1
310
LINEヤフー バックエンド組織・体制の紹介
lycorptech_jp
PRO
0
810
QAを"自動化する"ことの本質
kshino
1
140
AIエージェントによるエンタープライズ向けスライド検索!
shibuiwilliam
4
570
Flutterにしてよかった?出前館アプリを2年運用して気づいたことを全部話します
demaecan
0
230
AIと共に開発する時代の組織、プロセス設計 freeeでの実践から見えてきたこと
freee
4
740
[mercari GEARS 2025] なぜメルカリはノーコードを選ばなかったのか? 社内問い合わせ工数を60%削減したLLM活用の裏側
mercari
PRO
0
130
国産クラウドを支える設計とチームの変遷 “技術・組織・ミッション”
kazeburo
3
1.5k
LINEスキマニ/LINEバイトにおけるバックエンド開発
lycorptech_jp
PRO
0
310
バクラクの AI-BPO を支える AI エージェント 〜とそれを支える Bet AI Guild〜
tomoaki25
2
780
[CV勉強会@関東 ICCV2025 読み会] World4Drive: End-to-End Autonomous Driving via Intention-aware Physical Latent World Model (Zheng+, ICCV 2025)
abemii
0
230
ABEMAのCM配信を支えるスケーラブルな分散カウンタの実装
hono0130
4
940
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
11
930
Git: the NoSQL Database
bkeepers
PRO
432
66k
Balancing Empowerment & Direction
lara
5
750
How to train your dragon (web standard)
notwaldorf
97
6.4k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
The Cost Of JavaScript in 2023
addyosmani
55
9.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
2.9k
Large-scale JavaScript Application Architecture
addyosmani
514
110k
The Art of Programming - Codeland 2020
erikaheidi
56
14k
4 Signs Your Business is Dying
shpigford
186
22k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.3k
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
richardfan1126
k1low
lycorptech_jp
kshino
shibuiwilliam
demaecan
freee
mercari
kazeburo
tomoaki25
abemii
hono0130
tammyeverts
bkeepers
lara
notwaldorf
cassininazir
addyosmani
danielanewman
erikaheidi
shpigford
wjessup
samanthasiow
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}