Richard Fan
August 25, 2024
JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Presented at JAWS Pankration 2024
Transcript
Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions
Richard Fan
AWS Security Hero

Where does the software come from?
(Diagram: Source, Developers, Build, Package, Consumers, Dependencies)

How can things go wrong?
(Diagram: Source, Developers, Build, Package, Consumers, Dependencies)
• Unauthorized code change
• Compromised repository
• Build from compromised source code
• Compromised build process
• Using compromised dependency
• Modified package
• Compromised package store
• Downloading compromised package

What is SLSA
• Supply-chain Levels for Software Artifacts
• Framework for software integrity
• Build trust between software producer and consumer
• Different levels of security assurance

SLSA Provenance
Birth certificate of the software
(Diagram: Software)

Achieving SLSA on GitHub Actions

What is GitHub Actions
• CI/CD platform
• Workflow defined within code repo
• Run on GitHub- / self-hosted runner

GitHub Actions workflow

    name: Build and sign EIF
    on: [push]
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    jobs:
      build_and_sign_artifact:
        runs-on: ubuntu-latest
        steps:
          # ... Build and push artifact
          - name: GitHub attest
            uses: actions/[email protected]

Generate and sign provenance

GitHub Actions workflow
(Diagram: SLSA provenance, Built by GitHub Actions, Source code version, Software build)

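A consumer-side check of the three facts this provenance records (built by, source code version, software build), as an added example that is not from the talk or the speaker's repository. It assumes the statement's signature has already been verified and uses the SLSA v1 provenance field layout; the builder ID, repository, commit and artifact bytes are constructed placeholders.

```python
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"

def check_provenance(stmt, artifact, builder_id, repo_uri, commit):
    """Return reasons to reject the artifact; [] means provenance matches.

    stmt is an in-toto statement (dict) whose signature was verified already.
    """
    if stmt.get("predicateType") != SLSA_V1:
        return ["not SLSA v1 provenance"]
    problems = []
    # "Software build": the downloaded bytes must be a subject of the statement.
    sha256 = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject") or []
    if sha256 not in [s.get("digest", {}).get("sha256") for s in subjects]:
        problems.append("artifact digest not covered")
    predicate = stmt.get("predicate") or {}
    # "Built by": accept only the builder this consumer trusts.
    if predicate.get("runDetails", {}).get("builder", {}).get("id") != builder_id:
        problems.append("unexpected builder")
    # "Source code version": expected repository at the expected commit.
    # The "@" stops a look-alike repository name from matching the prefix.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies") or []
    commits = [d.get("digest", {}).get("gitCommit") for d in deps
               if d.get("uri", "").startswith(repo_uri + "@")]
    if commit not in commits:
        problems.append("unexpected source version")
    return problems

# --- Constructed sample (placeholder builder, repository and commit) ---
ARTIFACT = b"constructed enclave image bytes"
BUILDER = "https://builder.example/github-actions"
REPO = "git+https://github.com/example-org/example-app"
COMMIT = "0" * 39 + "1"
STATEMENT = {
    "predicateType": SLSA_V1,
    "subject": [{"name": "app.eif",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [
            {"uri": REPO + "@refs/heads/main", "digest": {"gitCommit": COMMIT}}]},
        "runDetails": {"builder": {"id": BUILDER}},
    },
}

if __name__ == "__main__":
    print(check_provenance(STATEMENT, ARTIFACT, BUILDER, REPO, COMMIT))
```
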
Where does the software come from?
(Diagram: Source, Developers, Build, Package, Consumers, Dependencies, SLSA)

The software needs to run somewhere
(Diagram: Package, Server, End-users, Deployment)
• Downloading compromised package
• Compromised deployment process
• Unauthorized deployment
• Unauthorized access
• Accessing compromised API endpoint

AWS Nitro Enclaves
• Isolated virtual machine
• Run on EC2 instances
• No admin access
• No persistent storage
• No external networking

Attestation document
1. Generated by Nitro Enclave at runtime
2. Present attestation document to client app
3. Client validates the document
4. Client validates enclave fingerprint (PCRs)

Where does the software come from?
(Diagram: Source, Build, Package, Fingerprint (PCRs), Enclave application, Attest, Enclave, End-users, Attestation document, Verify with attested artifact, Verify source code and build process)

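Step 4 of the attestation flow, and the "Verify with attested artifact" link in the diagram above, sketched as an added example (not code from the talk or the demo repository). It assumes the document's signature and certificate chain were already validated in step 3, that the client sent a nonce with its request, and that expected PCR values were published with the attested build; all sample values are constructed.

```python
import hashlib
import hmac

PCR_LEN = 48  # Nitro Enclaves PCRs are SHA-384 digests (48 bytes)

def check_enclave_identity(doc, expected_pcrs, nonce):
    """Return failure reasons; [] means the enclave matches the build.

    doc           -- attestation payload decoded from CBOR, only after its
                     signature and certificate chain were validated (step 3)
    expected_pcrs -- {index: hex digest} published with the attested build
    nonce         -- bytes this client put in its attestation request
    """
    if not expected_pcrs:
        return ["no expected PCRs supplied"]  # fail closed
    failures = []
    if not hmac.compare_digest(doc.get("nonce") or b"", nonce):
        failures.append("nonce mismatch")  # stale or replayed document
    pcrs = doc.get("pcrs") or {}
    for index in sorted(expected_pcrs):
        expected = bytes.fromhex(expected_pcrs[index])
        actual = pcrs.get(index)
        if actual is None or len(actual) != PCR_LEN:
            failures.append(f"PCR{index} missing or malformed")
        elif actual == bytes(PCR_LEN):
            # Enclaves started in debug mode report all-zero PCRs.
            failures.append(f"PCR{index} all zeros (debug mode)")
        elif not hmac.compare_digest(actual, expected):
            failures.append(f"PCR{index} mismatch")
    return failures

# --- Constructed sample data (not real enclave measurements) ---
def sample_pcr(label):
    return hashlib.sha384(label.encode()).digest()

NONCE = b"constructed-client-nonce"
EXPECTED = {i: sample_pcr(f"build-pcr{i}").hex() for i in (0, 1, 2)}
GOOD_DOC = {"nonce": NONCE,
            "pcrs": {i: sample_pcr(f"build-pcr{i}") for i in (0, 1, 2)}}
DEBUG_DOC = dict(GOOD_DOC, pcrs={i: bytes(PCR_LEN) for i in (0, 1, 2)})
OTHER_BUILD = dict(GOOD_DOC, pcrs={**GOOD_DOC["pcrs"], 2: sample_pcr("other-app")})
REPLAYED = dict(GOOD_DOC, nonce=b"older-nonce")

if __name__ == "__main__":
    for name, doc in [("good", GOOD_DOC), ("debug", DEBUG_DOC),
                      ("other build", OTHER_BUILD), ("replayed", REPLAYED)]:
        print(name, check_enclave_identity(doc, EXPECTED, NONCE))
```
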
Demo … by yourself

Demo - How high (or low) is my salary?
• This is a difficult question
• I want to know how much you earn
• But I don’t want you to know how much I earn

Demo - How high is my salary enclave app
• Only tells you where your salary ranks
• Source code is open
• Build process is open
• Runs on AWS Nitro Enclaves
• Proved by attestation document
• Data encrypted between you and the enclave

Demo - How high is my salary enclave app
• https://github.com/richardfan1126/how-high-is-my-salary-enclave-app
• Easy setup (Terraform)

How to find me
Richard Fan
[email protected]
20 richardfan1126