Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure...

shiro seike
PRO
September 25, 2024
Programming
3
810

AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure CI/CD pipeline using AWS CDK

JAWS-UG CDK支部 #16 ~CDK Conference 2024 Extra~
https://jawsug-cdk.connpass.com/event/328676/

shiro seike
PRO

September 25, 2024
Tweet

More Decks by shiro seike

See All by shiro seike
Amazon Q Developer Proで効率化するAPI開発入門
seike460
PRO
0
120
(再)ひとり技術広報からの脱却 / Re:Breaking away from one-man technical public relations
seike460
PRO
1
140
PHPで作るWebSocketサーバー ~リアクティブなアプリケーションを知るために~ / WebSocket Server in PHP - To know reactive applications
seike460
PRO
2
900
CQRS+ES の力を使って効果を感じる / Feel the effects of using the power of CQRS+ES
seike460
PRO
0
260
AWS reInvent 2024サービスアップデートデモ / AWS reInvent 2024 Service Update Demo
seike460
PRO
0
44
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
620
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
1.2k
実践サーバーレスパフォーマンスチューニング ~その実力に迫る~ / Practical Serverless Performance Tuning ~A Close Look at its Power~
seike460
PRO
2
390
PHPを書く理由、PHPを書いていて良い理由 / Reasons to write PHP and why it is good to write PHP
seike460
PRO
5
680

Other Decks in Programming

See All in Programming
Introduction to kotlinx.rpc
arawn
0
750
CDK開発におけるコーディング規約の運用
yamanashi_ren01
2
240
CI改善もDatadogとともに
taumu
0
190
Boos Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
190
推しメソッドsource_locationのしくみを探る - はじめてRubyのコードを読んでみた
nobu09
2
130
ナレッジイネイブリングにAIを活用してみる ゆるSRE勉強会 #9
nealle
0
140
React 19アップデートのために必要なこと
uhyo
8
1.4k
クリーンアーキテクチャから見る依存の向きの大切さ
shimabox
5
940
新宿駅構内を三人称視点で探索してみる
satoshi7190
2
120
楽しく向き合う例外対応
okutsu
0
580
負債になりにくいCSSをデザイナとつくるには?
fsubal
10
2.6k
XStateを用いた堅牢なReact Components設計~複雑なClient Stateをシンプルに~ @React Tokyo ミートアップ #2
kfurusho
1
970

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Navigating Team Friction
lara
183
15k
Bash Introduction
62gerente
611
210k
How to Ace a Technical Interview
jacobian
276
23k
Site-Speed That Sticks
csswizardry
4
400
Designing for Performance
lara
604
68k
How GitHub (no longer) Works
holman
314
140k
Being A Developer After 40
akosma
89
590k
Docker and Python
trallard
44
3.3k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
Speed Design
sergeychernyshev
27
810
Music & Morning Musume
bryan
46
6.4k

Transcript

  1. ©Fusic Co., Ltd.  1 AWS CDKΛ༻͍ͨ ηΩϡΞͳCI/CDύΠϓϥΠϯͷߏங 2024.09.25 @seike460

    JAWS-UG CDKࢧ෦ #16 ~CDK Conference 2024 Extra~

  2. ©Fusic Co., Ltd. 2 ਗ਼Ո ࢙࿠ @seike460 AWS Community Builder

    Serverless ίϛϡχςΟ Fukuoka.php Fukuoka.go JAWS-UG Fukuoka Serverless Meetup Fukuoka Cloudflare Meetup Fukuoka JP_Stripes Fukuoka ࣗݾ঺հ ͸͡Ίʹ גࣜձࣾFusic ϓϦϯγύϧΤϯδχΞ/ΤόϯδΣϦετ

  3. ©Fusic Co., Ltd. 3 CONTENTS ໨࣍ 1. AWS CDKͱηΩϡϦςΟ 2.

    cdk-nagɺCheckov 3. ࣮ࡍͷಈ࡞ 4. ·ͱΊ

  4. ©Fusic Co., Ltd. 4 AWS CDKͱηΩϡϦςΟ 1

  5. ©Fusic Co., Ltd. 5 AWS CDK AWS CDKɺͱͯ΋ศརͰ͢ΑͶ YAML΍JSONͰͷهड़ʹ୅ΘΓɺPythonɺTypeScript౳ͷ ϓϩάϥϛϯάݴޠΛ࢖ͬͯɺίʔυͰAWSϦιʔεΛఆٛͰ͖·͢ɻ

    →ෳࡶͳΠϯϑϥετϥΫνϟͷઃఆΛ؆୯ʹ͠ɺ ࠶ར༻ੑ΍ՄಡੑΛߴΊΔ͜ͱ͕Ͱ͖ɺ ։ൃऀʹͱͬͯΑΓޮ཰తͳӡ༻͕ՄೳͱͳΓ·͢

  6. ©Fusic Co., Ltd. 6 ෳࡶͳߏ੒ʹ΋ରԠ ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ

  7. ©Fusic Co., Ltd. 7 ෳࡶͳߏ੒ʹ΋ରԠग़དྷΔ͕… ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ ग़དྷΔ͕… ٯʹࠨͷΑ͏ͳڊେͳߏ੒΋ ࡞੒Ͱ͖ͯ͠·͍ɺ ͢΂ͯΛঠѲग़དྷΔ͔͸·ͨผͷ࿩

  8. ©Fusic Co., Ltd. 8 ͢΂ͯΛঠѲͰ͖ͳ͍ͱ… ηΩϡϦςΟϦεΫ಺ࡏͷՄೳੑ ▪S3 όέοτ͕ύϒϦοΫΞΫηεՄೳ ▪IAM ϩʔϧʹա৒ͳݖݶΛ෇༩

    ▪ϓϥΠϕʔτͳLambda ؔ਺͕ ɹVPC ʹ഑ஔ͞Ε͍ͯͳ͍ ▪Secrets Manager γʔΫϨοτ ɹࣗಈϩʔςʔγϣϯ͕ະઃఆ ▪KMS ΩʔϙϦγʔͷա৒ʹڐՄ

  9. ©Fusic Co., Ltd. 9 ਓͷ໨ͰνΣοΫͰ͸ةݥ ૝ఆ͚ͩͰ੍ޚ͢Δͷ͸೉͍͠ ͦ͜ͰCIͰνΣοΫΛߦ͍ɺ ηΩϡϦςΟϦεΫΛ ௿ݮ͢Δํ๏Λߟ͑·͢

  10. ©Fusic Co., Ltd. 10 cdk-nag + Checkov 2

  11. ©Fusic Co., Ltd. 11 cdk-nag CDK Labs at AWSͷϦϙδτϦͰ͋Δ cdk-nag

    AWS CDKͰఆٛ͞ΕͨϦιʔε͕ ηΩϡϦςΟ΍ӡ༻ͷϕετϓϥΫςΟεʹ ै͍ͬͯΔ͔Λݕূ͢ΔͨΊͷϥΠϒϥϦ ▪ϧʔϧϕʔεͷݕূ AWS͕ਪ঑͢ΔηΩϡϦςΟج४΍ ϕετϓϥΫςΟεʹج͍ͮͨϧʔϧηοτ ▪ΧελϚΠζՄೳ ϓϩδΣΫτͷχʔζʹ߹Θͤͯ ϧʔϧΛ௥Ճɾআ֎ɾΧελϚΠζՄೳ ▪CI/CD౷߹ GitHub ActionsͳͲͷCI/CDύΠϓϥΠϯʹ ౷߹ՄೳͰࣗಈతʹίʔυͷ඼࣭ΛνΣοΫ

  12. ©Fusic Co., Ltd. 12 AWSʹΑΔެࣜϒϩά΋ ࢸΕΓ෇ͤ͘Γͳ಺༰ͷެࣜϒϩά΋ - AWSʹΑΔAWS CDK ͱ

    cdk-nag Λ౷߹ͯ͠ɺ IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹ؅ཧɾݕূ͢Δํ๏Λղઆ - ۩ମతͳಋೖखॱ΍ϧʔϧͷΧελϚΠζɺ Τϥʔͷमਖ਼ɾ཈੍ํ๏͕঺հ͞Ε͓ͯΓɺ TypeScriptΛ༻͍࣮ͨ૷ྫ΋ఏڙ - cdk-nag Λ୯ମςετ΍CI/CDͱ࿈ܞ ܧଓతͳηΩϡϦςΟνΣοΫΛ࣮ݱ͢Δํ๏

  13. ©Fusic Co., Ltd. 13 Checkov Checkov͸IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹݕূ͢ΔͨΊͷOSSͷ੩తղੳπʔϧ TerraformɺAWS CloudFormationɺKubernetes YAMLɺ

    ͦͯ͠AWS CDKͳͲͷઃఆϑΝΠϧΛର৅ʹɺ ϕετϓϥΫςΟε΍ηΩϡϦςΟج४ʹ ج͍ͮͨνΣοΫΛ࣮ߦ͠·͢ - ෯޿͍αϙʔτର৅ - IaCπʔϧͷछྨɺΫϥ΢υϓϩόΠμʔʹରԠ - ๛෋ͳϧʔϧηοτ - CISɺNISTɺPCI DSSͳͲͷۀքඪ४ʹج͍ͮͨϧʔϧఏڙ - CI/CD౷߹ - GitHub ActionsɺGitLab CIɺJenkinsͳͲओཁͳCI/CDπʔϧͱ౷߹

  14. ©Fusic Co., Ltd. 14 cdk-nag + Checkov ͜ͷ̎ͭΛ૊Έ߹ΘͤΔ - แׅతͳηΩϡϦςΟΧόϨοδͷ޲্

    - cdk-nag͸AWS CDKಛ༗ͷৄࡉͳηΩϡϦςΟνΣοΫΛఏڙ CheckovʹͯΠϯϑϥશମͷηΩϡϦςΟΛ໢ཏతʹݕূ - ૬ิతͳϧʔϧηοτͷ׆༻ - cdk-nagͱCheckov͸ͦΕͧΕҟͳΔϧʔϧ΍ϕετϓϥΫςΟεΛ࣋ͭͨΊɺ ྆ऀΛซ༻͢Δ͜ͱͰΤϥʔݕग़ͷਫ਼౓͕޲্͠ɺݟམͱ͠Λ๷͙ - ଟ૚తͳCI/CDύΠϓϥΠϯͷڧԽ - ྆πʔϧΛCI/CDύΠϓϥΠϯʹ౷߹͢Δ͜ͱͰɺ CI࣌ʹࣗಈత͔ͭଟ֯తͳηΩϡϦςΟνΣοΫΛ࣮ߦՄೳ

  15. ©Fusic Co., Ltd. 15 ࣮ࡍͷಈ࡞ 3

  16. ©Fusic Co., Ltd. 16 GitHub Actions GitHub Actions npx cdk

    synthΛ࣮ߦ͢Δ͜ͱͰ Cdk-nagͷνΣοΫΛ࣮ߦ͢Δ͜ͱ͕ग़དྷΔ checkovίϚϯυ͸template.yamlΛࢦఆͯ͠ ࣮ߦ͢Δ͜ͱͰtemplate.yamlΛ࣮ߦ͢Δ͜ͱ͕Մೳ

  17. ©Fusic Co., Ltd. 17 cdk-nag cdk-nagͷmoduleΛ cdkͷAspectsʹ৯ΘͤΔ͜ͱͰ ର৅ͷStackͷνΣοΫ͕Մೳ ୯ମςετͱ࣮ͯ͠ߦ͢Δࣄ΋Մ

  18. ©Fusic Co., Ltd. 18 cdk-nagϧʔϧͷ཈੍ NagSuppressionsͷ addResourceSuppressions ʹͯϧʔϧͷ཈੍Λߦ͏IDΛࢦఆ ର৅ϧʔϧΛ཈੍͕Մೳ

  19. ©Fusic Co., Ltd. 19 Checkov ࣮ߦ͢Δ͜ͱͰ ಉ͡Α͏ʹΤϥʔදࣔͱ ݪҼΛදࣔͯ͘͠ΕΔ ΤϥʔʹରԠ͢Δ཈੍΋ .checkov.ymlʹॻ͘͜ͱͰରԠՄೳ

  20. ©Fusic Co., Ltd. 20 ·ͱΊ 4

  21. ©Fusic Co., Ltd. 21 ·ͱΊ CDK͸ͱͯ΋ศརɺศར͔ͩΒͦ͜؅ཧͷരൃ͕ى͜ΔՄೳੑ Point 01 ਓͷ໨ͰνΣοΫ͸ೝ஌ෛՙ͕ߴ͍ɺCIʹͯνΣοΫΛߦ͍ɺCDͷσϓϩΠʹͭͳ͛Δ Point

    02 cdk-nag + CheckovΛར༻͢Δ͜ͱͰ໢ཏతͳνΣοΫ͕Մೳ Point 03 ඞཁͳ಺༰ΛνΣοΫ͞ΕΔ͜ͱ΋͋Δɺͦͷ৔߹͸ϧʔϧͷ཈੍ͰରԠՄೳ Point 04

  22. ©Fusic Co., Ltd. 22 Thank You We are Hiring! https://recruit.fusic.co.jp/

    ͝ਗ਼ௌ͍͖ͨͩ͋Γ͕ͱ͏͍͟͝·ͨ͠