Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Richard Fan
August 25, 2024
Technology
72
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
More Decks by Richard Fan
See All by Richard Fan
You Don’t Need to Be a Hero to Contribute
richardfan1126
0
6
Understanding the Identity of a CI Platform
richardfan1126
0
12
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
53
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
170
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
63
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
75
Create your first AWS Nitro Enclaves application
richardfan1126
0
74
Building Security Data Lake
richardfan1126
0
22
Other Decks in Technology
See All in Technology
WebGIS AI Agentの紹介
_shimizu
0
530
インシデントレスポンス演習 I / Incident Response Exercise I
ks91
PRO
0
110
水を運ぶ人としてのリーダーシップ
izumii19
4
900
徹底討論!ECS vs EKS!
daitak
3
1.4k
Agile and AI Redmine Japan 2026
hiranabe
4
460
20260619 私の日常業務での生成 AI 活用
masaruogura
1
240
[チョークトーク資料]AWS DevOps Agent を使いこなす / AWS Dev Ops Agent Chalk Talk AWS Summit Japan 2026
kinunori
4
750
Bucharest Tech Week 2026 - Reinventing testing practices in the AI era
edeandrea
PRO
1
170
Flow 不死:AI 時代 DevOps 的不變本質
cheng_wei_chen
2
480
ぼっちではじめた登壇が「51名」「241件」の発信に化けた
subroh0508
1
300
技術・能力を向上する原理原則 #きのこセッションa #きのこ2026
bash0c7
0
110
「勝手に広まる」人気 AI エージェントを爆速で作ろう!(AWS Summit Japan 2026講演資料)
minorun365
PRO
10
2.4k
Featured
See All Featured
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
870
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.3k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
Skip the Path - Find Your Career Trail
mkilby
1
150
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.5k
Design in an AI World
tapps
1
250
Game over? The fight for quality and originality in the time of robots
wayneb77
1
200
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
170
How STYLIGHT went responsive
nonsquared
100
6.2k
WCS-LA-2024
lcolladotor
0
650
How to Think Like a Performance Engineer
csswizardry
28
2.7k
30 Presentation Tips
portentint
PRO
1
330
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
richardfan1126
_shimizu
ks91
izumii19
daitak
hiranabe
masaruogura
kinunori
edeandrea
cheng_wei_chen
subroh0508
bash0c7
minorun365
tomoyanonymous
aleyda
irinanazarova
mkilby
tapps
wayneb77
techseoconnect
nonsquared
lcolladotor
csswizardry
portentint
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}