Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JAWS Pankration 2024 - Achieve software supply ...
Search
Richard Fan
August 25, 2024
Technology
0
49
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Richard Fan
August 25, 2024
Tweet
Share
More Decks by Richard Fan
See All by Richard Fan
Preserving privacy on data collaboration with AWS Clean Rooms
richardfan1126
0
51
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
richardfan1126
0
150
When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS
richardfan1126
0
56
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture
richardfan1126
0
68
Create your first AWS Nitro Enclaves application
richardfan1126
0
61
Building Security Data Lake
richardfan1126
0
19
Other Decks in Technology
See All in Technology
製造業ドメインにおける LLMプロダクト構築: 複雑な文脈へのアプローチ
caddi_eng
0
250
LY Tableauでの Tableau x AIの実践 (at Tableau Now! - 2026-02-26)
yoshitakaarakawa
0
1.3k
Webアクセシビリティ技術と実装の実際
tomokusaba
0
210
技術的負債の泥沼から組織を救う3つの転換点
nwiizo
5
1.1k
Ultra Ethernet (UEC) v1.0 仕様概説
markunet
3
120
自動テストが巻き起こした開発プロセス・チームの変化 / Impact of Automated Testing on Development Cycles and Team Dynamics
codmoninc
1
990
Devinを導入したら予想外の人たちに好評だった
tomuro
0
860
primeNumber DATA MANAGEMENT CAMP #2:
masatoshi0205
1
680
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
3k
Digitization部 紹介資料
sansan33
PRO
1
7k
Snowflake Night #2 LT
taromatsui_cccmkhd
0
320
LINE Messengerの次世代ストレージ選定
lycorptech_jp
PRO
19
7.2k
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
0
220
What does AI have to do with Human Rights?
axbom
PRO
1
2k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
120
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
370
Utilizing Notion as your number one productivity tool
mfonobong
4
240
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
1.9k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
210
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
kimpetersen
PRO
0
260
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
120
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
470
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and
GitHub Actions Richard Fan AWS Security Hero
Where does the software come from? Source Developers Build Package
Consumers Dependencies
How can things go wrong? Source Developers Build Package Consumers
Dependencies Unauthorized code change Compromised repository Build from compromised source code Compromised build process Using compromised dependency Modified package Compromised package store Downloading compromised package
What is SLSA • Supply-chain Levels for Software Artifacts •
Framework for software integrity • Build trust between software producer and consumer • Different levels of security assurance
SLSA Provenance Birth certificate of the software Software
Achieving SLSA on GitHub Actions
What is GitHub Actions • CI/CD platform • Workflow defined
within code repo • Run on GitHub- / self-hosted runner
GitHub Actions workflow • name: Build and sign EIF •
on: [push] • permissions: • contents: read • packages: write • id-token: write • attestations: write • jobs: • build_and_sign_artifact: • runs-on: ubuntu-latest • steps: # ... Build and push artifact • - name: GitHub attest • uses: actions/
[email protected]
Generate and sign provenance
GitHub Actions workflow
SLSA provenance Built by GitHub Actions Source code version Software
build
Where does the software come from? Source Developers Build Package
Consumers Dependencies SLSA
The software need to run somewhere Package Server End-users Deployment
Downloading compromised package Compromised deployment process Unauthorized deployment Unauthorized access Accessing compromised API endpoint
AWS Nitro Enclaves • Isolated virtual machine • Run on
EC2 instances • No admin access • No persistent storage • No external networking
Attestation document 1. Generate by Nitro Enclave at runtime 2.
Present attestation document to client app 3. Client validates the document 4. Client validates enclave fingerprint (PCRs)
Where does the software come from? Source Build Package Fingerprint
(PCRs) Enclave application Attest Enclave End-users Attestation document Verify with attested artifact Verify source code and build process
Demo … by yourself
Demo - How high (or low) is my salary? •
This is a difficult question • I want to know how much you earn • But I don’t want you to know how much I earn
Demo - How high is my salary enclave app •
Only tell you where is your salary ranked • Source code is open • Build process is open • Run on AWS Nitro Enclave • Proved by attestation document • Data encrypted between you and the enclave
Demo - How high is my salary enclave app •
https://github.com/richardfan1126/how-high-is-my-salary-enclave-app • Easy setup (Terraform)
How to find me Richard Fan
[email protected]
20 richardfan1126
richardfan1126
caddi_eng
yoshitakaarakawa
tomokusaba
nwiizo
markunet
codmoninc
tomuro
masatoshi0205
sansan33
taromatsui_cccmkhd
lycorptech_jp
eileencodes
denniskardys
apolaine
axbom
jdejongh
portentint
mfonobong
aleyda
techseoconnect
kimpetersen
tmiket
tammyeverts
![How to find me Richard Fan [email protected] 20 richardfan1126](https://files.speakerdeck.com/presentations/e200c341294247ffabd66288129a973a/slide_19.jpg){kind=link}