Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Richard Fan
August 25, 2024
Technology
70
0
Share
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
More Decks by Richard Fan
See All by Richard Fan
You Don’t Need to Be a Hero to Contribute
richardfan1126
0
5
Understanding the Identity of a CI Platform
richardfan1126
0
9
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
53
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
170
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
62
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
75
Create your first AWS Nitro Enclaves application
richardfan1126
0
70
Building Security Data Lake
richardfan1126
0
22
Other Decks in Technology
See All in Technology
Diagnosing performance problems without the guesswork
elenatanasoiu
0
150
個人AIからチームAIへ:開発における品質と生産性の再設計
moongift
PRO
0
360
プラットフォームエンジニア ワークショップ/ platform-workshop
databricksjapan
0
170
OCI Oracle AI Database Services新機能アップデート(2026/03-2026/05)
oracle4engineer
PRO
0
120
Terraformモジュールは、なぜ「魔境」化するのか
hayama17
1
160
「速く作る」から「正しく作る」へ ─ 生成AI時代の開発フロー改革の ロードマップと実行 ─
starfish719
0
3.5k
サイバーセキュリティ概論 / Introduction to Cybersecurity
ks91
PRO
0
120
Claude Codeを組織で使いこなす— サーバサイドAIエージェント運用の実践知
techtekt
PRO
0
170
Cloud Run のアップデート 触ってみる&紹介
gre212
0
300
ポスター発表&デモと総括 / Poster Presentations & Demonstrations and Summary
ks91
PRO
0
190
もりもり新機能を一挙紹介! AgentCoreに入門して、AWS上にAIエージェントを構築しよう
minorun365
PRO
6
670
Claude code Orchestra
ozakiomumkj
3
890
Featured
See All Featured
How GitHub (no longer) Works
holman
316
150k
Art, The Web, and Tiny UX
lynnandtonic
304
22k
Principles of Awesome APIs and How to Build Them.
keavy
128
17k
VelocityConf: Rendering Performance Case Studies
addyosmani
333
25k
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.5k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
300
The Curse of the Amulet
leimatthew05
1
13k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
520
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.9k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
840
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
richardfan1126
elenatanasoiu
moongift
databricksjapan
oracle4engineer
hayama17
starfish719
ks91
techtekt
gre212
minorun365
ozakiomumkj
holman
lynnandtonic
keavy
addyosmani
tanoku
ipullrank
aleyda
tamaranovitovic
leimatthew05
marktimemedia
eileencodes
tomoyanonymous
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}