Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure...

shiro seike
PRO
September 25, 2024
Programming
3
850

AWS CDKを用いたセキュアなCI/CDパイプラインの構築 / Build a secure CI/CD pipeline using AWS CDK

JAWS-UG CDK支部 #16 ~CDK Conference 2024 Extra~
https://jawsug-cdk.connpass.com/event/328676/

shiro seike
PRO

September 25, 2024
Tweet

More Decks by shiro seike

See All by shiro seike
OpenTelemetryを活用したObservability入門 / Introduction to Observability with OpenTelemetry
seike460
PRO
1
450
Amazon Q Developer Proで効率化するAPI開発入門
seike460
PRO
0
170
(再)ひとり技術広報からの脱却 / Re:Breaking away from one-man technical public relations
seike460
PRO
1
190
PHPで作るWebSocketサーバー ~リアクティブなアプリケーションを知るために~ / WebSocket Server in PHP - To know reactive applications
seike460
PRO
2
1k
CQRS+ES の力を使って効果を感じる / Feel the effects of using the power of CQRS+ES
seike460
PRO
0
280
AWS reInvent 2024サービスアップデートデモ / AWS reInvent 2024 Service Update Demo
seike460
PRO
0
56
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
660
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
1.3k
実践サーバーレスパフォーマンスチューニング ~その実力に迫る~ / Practical Serverless Performance Tuning ~A Close Look at its Power~
seike460
PRO
2
420

Other Decks in Programming

See All in Programming
RuboCop: Modularity and AST Insights
koic
1
200
AI Agents with JavaScript
slobodan
0
220
The Weight of Data: Rethinking Cloud-Native Systems for the Age of AI
hollycummins
0
270
Vibe Codingをせずに Clineを使っている
watany
17
6.2k
SEAL - Dive into the sea of search engines - Symfony Live Berlin 2025
alexanderschranz
1
130
Exit 8 for SwiftUI
ojun9
0
110
技術選定を未来に繋いで活用していく
sakito
3
110
Lambda(Python)の リファクタリングが好きなんです
komakichi
3
160
Code smarter, not harder - How AI Coding Tools Boost Your Productivity | Webinar 2025
danielsogl
0
120
AIコードエディタの基盤となるLLMのFlutter性能評価
alquist4121
0
210
Qiita Bash
mercury_dev0517
1
190
Java 24まとめ / Java 24 summary
kishida
3
500

Featured

See All Featured
How to Ace a Technical Interview
jacobian
276
23k
Automating Front-end Workflow
addyosmani
1369
200k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
650
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.4k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.3k
BBQ
matthewcrist
88
9.6k
Side Projects
sachag
452
42k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
119
51k
Designing for Performance
lara
607
69k

Transcript

  1. ©Fusic Co., Ltd.  1 AWS CDKΛ༻͍ͨ ηΩϡΞͳCI/CDύΠϓϥΠϯͷߏங 2024.09.25 @seike460

    JAWS-UG CDKࢧ෦ #16 ~CDK Conference 2024 Extra~

  2. ©Fusic Co., Ltd. 2 ਗ਼Ո ࢙࿠ @seike460 AWS Community Builder

    Serverless ίϛϡχςΟ Fukuoka.php Fukuoka.go JAWS-UG Fukuoka Serverless Meetup Fukuoka Cloudflare Meetup Fukuoka JP_Stripes Fukuoka ࣗݾ঺հ ͸͡Ίʹ גࣜձࣾFusic ϓϦϯγύϧΤϯδχΞ/ΤόϯδΣϦετ

  3. ©Fusic Co., Ltd. 3 CONTENTS ໨࣍ 1. AWS CDKͱηΩϡϦςΟ 2.

    cdk-nagɺCheckov 3. ࣮ࡍͷಈ࡞ 4. ·ͱΊ

  4. ©Fusic Co., Ltd. 4 AWS CDKͱηΩϡϦςΟ 1

  5. ©Fusic Co., Ltd. 5 AWS CDK AWS CDKɺͱͯ΋ศརͰ͢ΑͶ YAML΍JSONͰͷهड़ʹ୅ΘΓɺPythonɺTypeScript౳ͷ ϓϩάϥϛϯάݴޠΛ࢖ͬͯɺίʔυͰAWSϦιʔεΛఆٛͰ͖·͢ɻ

    →ෳࡶͳΠϯϑϥετϥΫνϟͷઃఆΛ؆୯ʹ͠ɺ ࠶ར༻ੑ΍ՄಡੑΛߴΊΔ͜ͱ͕Ͱ͖ɺ ։ൃऀʹͱͬͯΑΓޮ཰తͳӡ༻͕ՄೳͱͳΓ·͢

  6. ©Fusic Co., Ltd. 6 ෳࡶͳߏ੒ʹ΋ରԠ ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ

  7. ©Fusic Co., Ltd. 7 ෳࡶͳߏ੒ʹ΋ରԠग़དྷΔ͕… ෳࡶͳߏ੒ΛϓϩάϥϛϯάͰ੍ޚ ग़དྷΔ͕… ٯʹࠨͷΑ͏ͳڊେͳߏ੒΋ ࡞੒Ͱ͖ͯ͠·͍ɺ ͢΂ͯΛঠѲग़དྷΔ͔͸·ͨผͷ࿩

  8. ©Fusic Co., Ltd. 8 ͢΂ͯΛঠѲͰ͖ͳ͍ͱ… ηΩϡϦςΟϦεΫ಺ࡏͷՄೳੑ ▪S3 όέοτ͕ύϒϦοΫΞΫηεՄೳ ▪IAM ϩʔϧʹա৒ͳݖݶΛ෇༩

    ▪ϓϥΠϕʔτͳLambda ؔ਺͕ ɹVPC ʹ഑ஔ͞Ε͍ͯͳ͍ ▪Secrets Manager γʔΫϨοτ ɹࣗಈϩʔςʔγϣϯ͕ະઃఆ ▪KMS ΩʔϙϦγʔͷա৒ʹڐՄ

  9. ©Fusic Co., Ltd. 9 ਓͷ໨ͰνΣοΫͰ͸ةݥ ૝ఆ͚ͩͰ੍ޚ͢Δͷ͸೉͍͠ ͦ͜ͰCIͰνΣοΫΛߦ͍ɺ ηΩϡϦςΟϦεΫΛ ௿ݮ͢Δํ๏Λߟ͑·͢

  10. ©Fusic Co., Ltd. 10 cdk-nag + Checkov 2

  11. ©Fusic Co., Ltd. 11 cdk-nag CDK Labs at AWSͷϦϙδτϦͰ͋Δ cdk-nag

    AWS CDKͰఆٛ͞ΕͨϦιʔε͕ ηΩϡϦςΟ΍ӡ༻ͷϕετϓϥΫςΟεʹ ै͍ͬͯΔ͔Λݕূ͢ΔͨΊͷϥΠϒϥϦ ▪ϧʔϧϕʔεͷݕূ AWS͕ਪ঑͢ΔηΩϡϦςΟج४΍ ϕετϓϥΫςΟεʹج͍ͮͨϧʔϧηοτ ▪ΧελϚΠζՄೳ ϓϩδΣΫτͷχʔζʹ߹Θͤͯ ϧʔϧΛ௥Ճɾআ֎ɾΧελϚΠζՄೳ ▪CI/CD౷߹ GitHub ActionsͳͲͷCI/CDύΠϓϥΠϯʹ ౷߹ՄೳͰࣗಈతʹίʔυͷ඼࣭ΛνΣοΫ

  12. ©Fusic Co., Ltd. 12 AWSʹΑΔެࣜϒϩά΋ ࢸΕΓ෇ͤ͘Γͳ಺༰ͷެࣜϒϩά΋ - AWSʹΑΔAWS CDK ͱ

    cdk-nag Λ౷߹ͯ͠ɺ IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹ؅ཧɾݕূ͢Δํ๏Λղઆ - ۩ମతͳಋೖखॱ΍ϧʔϧͷΧελϚΠζɺ Τϥʔͷमਖ਼ɾ཈੍ํ๏͕঺հ͞Ε͓ͯΓɺ TypeScriptΛ༻͍࣮ͨ૷ྫ΋ఏڙ - cdk-nag Λ୯ମςετ΍CI/CDͱ࿈ܞ ܧଓతͳηΩϡϦςΟνΣοΫΛ࣮ݱ͢Δํ๏

  13. ©Fusic Co., Ltd. 13 Checkov Checkov͸IaCͷηΩϡϦςΟͱίϯϓϥΠΞϯεΛ ࣗಈతʹݕূ͢ΔͨΊͷOSSͷ੩తղੳπʔϧ TerraformɺAWS CloudFormationɺKubernetes YAMLɺ

    ͦͯ͠AWS CDKͳͲͷઃఆϑΝΠϧΛର৅ʹɺ ϕετϓϥΫςΟε΍ηΩϡϦςΟج४ʹ ج͍ͮͨνΣοΫΛ࣮ߦ͠·͢ - ෯޿͍αϙʔτର৅ - IaCπʔϧͷछྨɺΫϥ΢υϓϩόΠμʔʹରԠ - ๛෋ͳϧʔϧηοτ - CISɺNISTɺPCI DSSͳͲͷۀքඪ४ʹج͍ͮͨϧʔϧఏڙ - CI/CD౷߹ - GitHub ActionsɺGitLab CIɺJenkinsͳͲओཁͳCI/CDπʔϧͱ౷߹

  14. ©Fusic Co., Ltd. 14 cdk-nag + Checkov ͜ͷ̎ͭΛ૊Έ߹ΘͤΔ - แׅతͳηΩϡϦςΟΧόϨοδͷ޲্

    - cdk-nag͸AWS CDKಛ༗ͷৄࡉͳηΩϡϦςΟνΣοΫΛఏڙ CheckovʹͯΠϯϑϥશମͷηΩϡϦςΟΛ໢ཏతʹݕূ - ૬ิతͳϧʔϧηοτͷ׆༻ - cdk-nagͱCheckov͸ͦΕͧΕҟͳΔϧʔϧ΍ϕετϓϥΫςΟεΛ࣋ͭͨΊɺ ྆ऀΛซ༻͢Δ͜ͱͰΤϥʔݕग़ͷਫ਼౓͕޲্͠ɺݟམͱ͠Λ๷͙ - ଟ૚తͳCI/CDύΠϓϥΠϯͷڧԽ - ྆πʔϧΛCI/CDύΠϓϥΠϯʹ౷߹͢Δ͜ͱͰɺ CI࣌ʹࣗಈత͔ͭଟ֯తͳηΩϡϦςΟνΣοΫΛ࣮ߦՄೳ

  15. ©Fusic Co., Ltd. 15 ࣮ࡍͷಈ࡞ 3

  16. ©Fusic Co., Ltd. 16 GitHub Actions GitHub Actions npx cdk

    synthΛ࣮ߦ͢Δ͜ͱͰ Cdk-nagͷνΣοΫΛ࣮ߦ͢Δ͜ͱ͕ग़དྷΔ checkovίϚϯυ͸template.yamlΛࢦఆͯ͠ ࣮ߦ͢Δ͜ͱͰtemplate.yamlΛ࣮ߦ͢Δ͜ͱ͕Մೳ

  17. ©Fusic Co., Ltd. 17 cdk-nag cdk-nagͷmoduleΛ cdkͷAspectsʹ৯ΘͤΔ͜ͱͰ ର৅ͷStackͷνΣοΫ͕Մೳ ୯ମςετͱ࣮ͯ͠ߦ͢Δࣄ΋Մ

  18. ©Fusic Co., Ltd. 18 cdk-nagϧʔϧͷ཈੍ NagSuppressionsͷ addResourceSuppressions ʹͯϧʔϧͷ཈੍Λߦ͏IDΛࢦఆ ର৅ϧʔϧΛ཈੍͕Մೳ

  19. ©Fusic Co., Ltd. 19 Checkov ࣮ߦ͢Δ͜ͱͰ ಉ͡Α͏ʹΤϥʔදࣔͱ ݪҼΛදࣔͯ͘͠ΕΔ ΤϥʔʹରԠ͢Δ཈੍΋ .checkov.ymlʹॻ͘͜ͱͰରԠՄೳ

  20. ©Fusic Co., Ltd. 20 ·ͱΊ 4

  21. ©Fusic Co., Ltd. 21 ·ͱΊ CDK͸ͱͯ΋ศརɺศར͔ͩΒͦ͜؅ཧͷരൃ͕ى͜ΔՄೳੑ Point 01 ਓͷ໨ͰνΣοΫ͸ೝ஌ෛՙ͕ߴ͍ɺCIʹͯνΣοΫΛߦ͍ɺCDͷσϓϩΠʹͭͳ͛Δ Point

    02 cdk-nag + CheckovΛར༻͢Δ͜ͱͰ໢ཏతͳνΣοΫ͕Մೳ Point 03 ඞཁͳ಺༰ΛνΣοΫ͞ΕΔ͜ͱ΋͋Δɺͦͷ৔߹͸ϧʔϧͷ཈੍ͰରԠՄೳ Point 04

  22. ©Fusic Co., Ltd. 22 Thank You We are Hiring! https://recruit.fusic.co.jp/

    ͝ਗ਼ௌ͍͖ͨͩ͋Γ͕ͱ͏͍͟͝·ͨ͠