Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Richard Fan
August 25, 2024
Technology
64
0
Share
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
More Decks by Richard Fan
See All by Richard Fan
You Don’t Need to Be a Hero to Contribute
richardfan1126
0
5
Understanding the Identity of a CI Platform
richardfan1126
0
5
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
53
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
160
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
60
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
74
Create your first AWS Nitro Enclaves application
richardfan1126
0
68
Building Security Data Lake
richardfan1126
0
21
Other Decks in Technology
See All in Technology
既存プロダクトQAから新規プロダクトQAへ
ryotakahashi
0
140
エムスリーテクノロジーズ株式会社 エンジニア向け紹介資料 / M3 Technologies Company Deck
m3_engineering
0
160
"うちにはまだ早い"は本当? ─ 小さく始めるPlatform Engineering入門
harukasakihara
6
610
Sansan Engineering Unit 紹介資料
sansan33
PRO
1
4.4k
freeeで運用しているAIQAについて
qatonchan
1
630
(きっとたぶん)人材育成や教育のような何かの話
sejima
0
750
写真で見るAWS Summit Singapore 2026
k_adachi_01
0
110
鹿野さんに聞く!CSSの最新トレンド Ver.2026
tonkotsuboy_com
6
3.4k
Redmine次期バージョン7.0の注目新機能解説 — UI/UX強化と連携強化を中心に
vividtone
1
140
サンプリングは「作る」のか「使う」のか? 分散トレースのコストと運用を両立する実践的戦略 / Why you need the tail sampling and why you don't want it
ymotongpoo
4
180
社内RAGの導入で気を付けたポイント
yakumo
1
110
Terragrunt x Snowflake + dbt で作るマルチテナントなデータ基盤構築プラットフォーム
gak_t12
0
170
Featured
See All Featured
The Language of Interfaces
destraynor
162
26k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.1k
Producing Creativity
orderedlist
PRO
348
40k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
210
The B2B funnel & how to create a winning content strategy
katarinadahlin
PRO
1
360
Darren the Foodie - Storyboard
khoart
PRO
3
3.3k
Automating Front-end Workflow
addyosmani
1370
200k
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.4k
The SEO Collaboration Effect
kristinabergwall1
1
450
Git: the NoSQL Database
bkeepers
PRO
432
67k
We Are The Robots
honzajavorek
0
230
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2.2k
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
richardfan1126
ryotakahashi
.jpg){kind=avatar}
m3_engineering
harukasakihara
sansan33
qatonchan
sejima
k_adachi_01
tonkotsuboy_com
vividtone
ymotongpoo
yakumo
gak_t12
destraynor
maggiecrowley
orderedlist
dugsong
katarinadahlin
khoart
addyosmani
ipullrank
kristinabergwall1
bkeepers
honzajavorek
inesmontani
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}