Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Richard Fan
August 25, 2024
Technology
0
46
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
49
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
140
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
55
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
67
Create your first AWS Nitro Enclaves application
richardfan1126
0
59
Building Security Data Lake
richardfan1126
0
17
Other Decks in Technology
See All in Technology
usermode linux without MMU - fosdem2026 kernel devroom
thehajime
0
240
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
sansantech
PRO
3
2.6k
We Built for Predictability; The Workloads Didn’t Care
stahnma
0
150
マネージャー視点で考えるプロダクトエンジニアの評価 / Evaluating Product Engineers from a Manager's Perspective
hiro_torii
0
180
20260204_Midosuji_Tech
takuyay0ne
1
160
Exadata Fleet Update
oracle4engineer
PRO
0
1.1k
~Everything as Codeを諦めない~ 後からCDK
mu7889yoon
3
490
Claude Code for NOT Programming
kawaguti
PRO
1
100
Cloud Runでコロプラが挑む 生成AI×ゲーム『神魔狩りのツクヨミ』の裏側
colopl
0
140
Codex 5.3 と Opus 4.6 にコーポレートサイトを作らせてみた / Codex 5.3 vs Opus 4.6
ama_ch
0
200
FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE
maaaato
0
130
Why Organizations Fail: ノーベル経済学賞「国家はなぜ衰退するのか」から考えるアジャイル組織論
kawaguti
PRO
1
190
Featured
See All Featured
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
330
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
sarafernandez
0
120
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
460
How to Ace a Technical Interview
jacobian
281
24k
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
310
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
77
Java REST API Framework Comparison - PWX 2021
mraible
34
9.1k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
1
130
Product Roadmaps are Hard
iamctodd
PRO
55
12k
Tell your own story through comics
letsgokoyo
1
810
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
minecr
0
160
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
richardfan1126
thehajime
sansantech
stahnma
.jpg){kind=avatar}
hiro_torii
takuyay0ne
oracle4engineer
mu7889yoon
kawaguti
colopl
ama_ch
maaaato
katarinadahlin
sarafernandez
tammyeverts
jacobian
reverentgeek
wjessup
marketingsoph
mraible
stephenakadiri
iamctodd
letsgokoyo
minecr
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}