DevOps -> DevSecOps: Building Security in to your DevOps Pipeline
Transcript of the slide deck

Page 1
DevOps -> DevSecOps
Building Security in to your DevOps Pipeline
Page 2
Eric Johnson | Эрик Джонсон
• AWS Senior Developer Advocate - Serverless
• AWS Certified
  • Solutions Architect
  • SysOps Administrator
  • Developer
• Father of Five
• Musician | Drummer
• Avid Diet Dr. Pepper Drinker
• Lover of Pizza
@edjgeek
Page 3
Definitions
Getting Everyone on the Same Page
Page 4
DevOps
Development Operations
Refers to a set of practices that emphasize the collaboration and communication of both software developers and information technology (IT) professionals while automating the process of software delivery and infrastructure changes. It aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.
Page 5
DevSecOps
Wrapping the DevOps process with security best practices
Page 6
DevOps Examples
Things We See In The Wild
Page 7
Deploying to Instances
• Deploying code to EC2 Instances
• Deploying to on premise instances
Page 8
Deploying to Containers
• Amazon ECS
• Amazon EKS
Page 9
Deploying to Serverless
• API Gateway
• Lambda
• DynamoDB
• SQS
• SNS
Page 10
The “DevOps” Part
• CodePipeline
• CodeBuild
• CodeCommit
• CloudFormation
• ECR
• OpsWorks
Page 11
The Security Reality
Not “If” but “When”
Page 12
“Everything fails all of the time”
Werner Vogels – VP & CTO, AWS
Page 13
“What If” Guy
Page 14
Solid Security is Like Onions
It Has Layers
Page 15
DevOps Layers of Security
Building the Walls
Page 16
The Account
Diagram: Beta, Staging, Production; AWS CloudFormation, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy
Page 17
The Account
Diagram: Beta, Staging, Production
Page 18
The Account
Diagram: Beta, Staging, Production, Master
Page 19
The User
Root User
• Supports MFA
• Dashboard Access
• Programmatic Access
• Full Account Access
• CANNOT be locked out
IAM User
• Supports MFA
• Dashboard Access
• Programmatic Access
• Fine Grained Access
• CAN be locked out
Page 20
The Root User: Best Practices
• Use a recoverable email address
• Remove programmatic access
• Enable MFA
• Store in a VERY secure place
• Do not use
• LOCK IT UP!!
Page 21
The IAM User: Best Practices
• Enable MFA
• Grant Least Privileges
• Disable Unused Users
• Employ User Groups
• Employ Managed Policies
• Use Groups to Assign Permissions
• Configure a Strong Password Policy
• Rotate Credentials Often
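The root-user and IAM-user practices on the two slides above can be checked mechanically from the IAM credential report, which has one row per user plus a `<root_account>` row. The script below is an added example, not code from the slides or from AWS: it reads the report in its real CSV layout (only a subset of the columns is used here), and the four sample rows, the 90-day thresholds and the fixed clock are constructed assumptions. In practice the CSV text comes from `boto3.client("iam").get_credential_report()["Content"]`.

```python
"""Audit an IAM credential report against the root-user and IAM-user
practices on the slides: root has MFA and no access keys and is not in
day-to-day use; console users have MFA; unused users are disabled; access
keys are rotated.  Added example, not from the slides.  Uses the real
credential-report column names but only a subset; sample rows, thresholds
and clock are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=90)      # assumed "unused user" threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Constructed sample in the credential-report CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T10:00:00+00:00,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-28T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,2023-11-01T08:00:00+00:00,false,true,2022-01-15T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-06-01T00:00:00+00:00,false,no_information,false,true,2024-05-01T00:00:00+00:00,false,N/A
"""


def parse_time(value):
    """Report timestamps are ISO 8601; N/A / no_information / not_supported mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_row(row, now=NOW):
    """Return the list of practice violations for one report row."""
    findings = []
    user = row["user"]
    if user == "<root_account>":
        if row["mfa_active"] != "true":
            findings.append("root: MFA not enabled")
        if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
            findings.append("root: programmatic access keys still active")
        last_used = parse_time(row["password_last_used"])
        if last_used and now - last_used < MAX_IDLE:
            findings.append(f"root: used within the last {MAX_IDLE.days} days")
        return findings
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append(f"{user}: console password without MFA")
    last_used = parse_time(row["password_last_used"])
    if row["password_enabled"] == "true" and last_used and now - last_used > MAX_IDLE:
        findings.append(f"{user}: console password unused for more than {MAX_IDLE.days} days")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append(f"{user}: access key {n} older than {MAX_KEY_AGE.days} days")
    return findings


def audit_report(csv_text, now=NOW):
    """Return {user: [finding, ...]} for every row that violates a practice."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_row(row, now)
        if findings:
            results[row["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in audit_report(SAMPLE_REPORT).items():
        for finding in findings:
            print(finding)
```

Users that only hold access keys (like `deploy-bot`) are not flagged for missing MFA, since MFA applies to console sign-in; their keys are checked for age instead.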
Page 22
The Role & Policies
Roles
• An IAM entity that defines a set of permissions
• Can contain one or more policies
• Is assumable by trusted entities such as IAM Users or AWS Services
Policies
• Policies define permissions for an action
• Multiple types of policies
  • Identity
  • Resource
  • Access Control List (ACL)
Page 23
The Role & Policies: Best Practices
• Break up policies by resource
• Use AWS Defined Policies When Possible
• Grant Least Privilege
• Use Policy Conditions for Extra Security
Diagram: a Role containing two Policies
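To make the four practices above concrete, here is an added example (not from the slides or AWS) that lints IAM policy documents: it flags wildcard actions and resources, statements that mix several services instead of being broken up by resource, and statements with no Condition. Both policy documents are constructed; the bucket name and the `aws:SecureTransport` condition key are illustrative (the key is a real IAM global condition key).

```python
"""Lint IAM policy documents against the slide's practices: least
privilege (no wildcard actions or resources), one resource/service per
policy, and conditions for extra security.  Added example, not from the
slides; both policy documents are constructed."""
import json

# Constructed: the kind of policy that "just works" because it grants everything.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed: the same deployment job, scoped to one bucket prefix, with a
# condition that refuses requests over unencrypted transport.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-artifacts/releases/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def lint_statement(stmt, index):
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements only take permissions away
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"statement {index}: wildcard action {action!r}")
    for res in resources:
        if res == "*":
            findings.append(f"statement {index}: wildcard resource '*'")
    services = {a.split(":")[0] for a in actions if a != "*"}
    if len(services) > 1:
        findings.append(f"statement {index}: mixes services {sorted(services)}; split by resource")
    if "Condition" not in stmt:
        findings.append(f"statement {index}: no Condition; consider restricting (MFA, source VPC, transport)")
    return findings


def lint_policy(policy):
    """Return the list of findings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        findings.extend(lint_statement(stmt, i))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(doc, indent=2))
        print("findings:", lint_policy(doc) or "none")
```

The "no Condition" finding is deliberately a nudge rather than a hard failure; which condition fits (MFA present, source VPC, encrypted transport) depends on the resource the policy is for.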
Page 24
Secrets
Keeping Secrets… Secret
Page 25
Common Patterns for Secrets: Hard Coded Values
• Stored in code repo
• Stored on server
• Stored on developers’ machines
• Shared with other developers
• Maximum “blast radius”
• Available at rest and in transit
Page 26
Common Patterns for Secrets: Environmental Variables
• Where to store?
• Management nightmare
• Smaller blast radius
• Becomes problematic in managed services
• Passing in as parameters
• Exposed on dashboard
Page 27
Common Patterns for Secrets: External Central Config Files
• Where to store?
• Smaller blast radius
• Hand rolled fetch and implementation
• Can add latency depending on location
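The first of the three patterns above, secrets hard-coded and committed to the repo, is the one a pipeline can catch before it ships. The scanner below is an added example, not from the slides: a pre-commit or CodeBuild gate that fails the build when source contains an AWS access key ID, a quoted credential assignment, or a long high-entropy string literal. The sample source is constructed; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID used in AWS documentation, and the entropy cut-off is an assumption to tune on your own code base.

```python
"""Build gate that refuses source containing hard-coded secrets, the first
pattern on the slides ("stored in code repo", "maximum blast radius").
Added example, not from the slides; the sample source is constructed and
the key ID in it is the AWS documentation placeholder."""
import math
import re

RULES = [
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # password/secret/token/api_key assigned a quoted literal (not an env lookup).
    ("credential-assignment", re.compile(
        r"(?i)(password|passwd|secret|token|api_key)\w*\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
]
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off


def shannon_entropy(s):
    """Bits per character of the string; random keys score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text):
    """Return [(line_number, rule_name, offending_line)] for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out secrets deserve review but not a build failure here
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name, stripped))
                break
        else:
            for literal in QUOTED.findall(line):
                if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                    hits.append((lineno, "high-entropy-string", stripped))
                    break
    return hits


# Constructed sample; line 5 is the acceptable pattern (read from the environment),
# the other three are what the gate should stop.
SAMPLE_SOURCE = '''import os
DB_HOST = "db.internal.example"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
api_token = os.environ["API_TOKEN"]
SIGNING_KEY = "c2VjcmV0LXNpZ25pbmcta2V5LW1hdGVyaWFsLTEyMzQ1Njc4OTA="
'''


def gate(text):
    """CI entry point: True when the build may proceed."""
    return not scan_source(text)


if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {line}")
    raise SystemExit(0 if gate(SAMPLE_SOURCE) else 1)
```

Run it as a build step that exits non-zero on any hit; the env-var lookup on line 5 passes, which is the point: the code may name the secret, it just must not contain it.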
Page 28
Best Practices for Secrets: AWS Secrets Manager
• Rotates Secrets Safely on Supported Services
  • RDS
  • Other Select Databases*
• Secure and Audit Secrets Centrally
• Manage Access with Fine-Grained Permissions
• Provides Code Examples!!
• Can store non-rotated strings as well
• Encryption and Decryption managed for you
• Minimal blast radius
• Accessible through CloudFormation*
Page 29
Best Practices for Secrets: AWS Secrets Manager
1. User inserts secrets to AWS Secrets Manager
2. AWS Secrets Manager creates an AWS Lambda to manage rotation
3. Lambda rotates password in AWS Secrets Manager and the Amazon RDS Instance
4. User adds code to get secrets
5. Code calls AWS Secrets Manager to get secret DB User and Password
6. Code uses obtained credentials to query RDS database.
Diagram: AWS Secrets Manager, AWS Lambda, Amazon RDS and Amazon EC2, with the steps above numbered 1 to 6
Page 30
Best Practices for Secrets: Amazon SSM Parameter Store
1. User inserts secrets to Amazon EC2 Systems Manager Parameter Store
2. User adds code to get secrets
3. Code calls AWS Secrets Manager to get secret DB User and Password
4. Code uses obtained credentials to query RDS database.
Diagram: Parameter Store, Amazon RDS and Amazon EC2, with the steps above numbered 1 to 4
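Steps 4 to 6 of the Secrets Manager flow and steps 2 to 4 of the Parameter Store flow are the same piece of application code: fetch the credential at run time, then connect with it. The code below is an added example, not AWS's or the speaker's: it reads an RDS-style JSON secret (username/password/host/port/dbname, a subset of the real RDS secret layout) from either backend using the real boto3 call shapes `get_secret_value(SecretId=...)` and `get_parameter(Name=..., WithDecryption=True)`, and caches it with a short TTL so a rotated password is picked up without hammering the API. The in-memory clients, secret values and TTL are constructed stand-ins so the file runs offline; in production pass `boto3.client("secretsmanager")` or `boto3.client("ssm")` instead. For the Parameter Store flow the example assumes the value is read back from Parameter Store, where step 1 put it.

```python
"""Fetch database credentials at run time instead of baking them into
code, environment variables or config files, following the Secrets
Manager and Parameter Store flows on the slides.  Added example, not
AWS's or the speaker's code.  The boto3 call shapes are real; the fake
clients, sample values and TTL are constructed."""
import json
import time


class SecretsManagerSource:
    """Reads an RDS-style secret: a JSON string with username/password/host/port/dbname."""
    def __init__(self, client, secret_id):
        self.client, self.secret_id = client, secret_id

    def fetch(self):
        resp = self.client.get_secret_value(SecretId=self.secret_id)  # boto3 signature
        return json.loads(resp["SecretString"])


class ParameterStoreSource:
    """Reads a SecureString parameter holding the same JSON document."""
    def __init__(self, client, name):
        self.client, self.name = client, name

    def fetch(self):
        resp = self.client.get_parameter(Name=self.name, WithDecryption=True)  # boto3 signature
        return json.loads(resp["Parameter"]["Value"])


class CachedCredentials:
    """Cache the document for ttl seconds: not every DB connect hits the API,
    yet a rotated password is picked up promptly.  On an authentication
    failure call invalidate() and fetch again."""
    def __init__(self, source, ttl=300, clock=time.monotonic):
        self.source, self.ttl, self.clock = source, ttl, clock
        self._value, self._expires = None, 0.0

    def get(self):
        now = self.clock()
        if self._value is None or now >= self._expires:
            self._value = self.source.fetch()
            self._expires = now + self.ttl
        return self._value

    def invalidate(self):
        self._value = None


# Constructed stand-ins for boto3 clients; they count calls so the cache is observable.
class FakeSecretsManager:
    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}


class FakeSSM:
    def __init__(self, value):
        self.value, self.calls = value, 0

    def get_parameter(self, Name, WithDecryption):
        self.calls += 1
        return {"Parameter": {"Name": Name, "Value": self.value}}


SAMPLE_SECRET = json.dumps({"username": "app", "password": "placeholder-not-a-real-password",
                            "host": "db.example.internal", "port": 5432, "dbname": "orders"})


def connection_string(creds):
    """Build a DSN from the fetched document; the password never lives in code or env."""
    return f"postgresql://{creds['username']}:{creds['password']}@{creds['host']}:{creds['port']}/{creds['dbname']}"


def demo_rotation():
    """Show that a rotated secret is used once the TTL expires.
    Returns (dsn_before, dsn_after, api_calls)."""
    fake = FakeSecretsManager(SAMPLE_SECRET)
    clock = [0.0]
    cache = CachedCredentials(SecretsManagerSource(fake, "prod/orders/db"), ttl=300, clock=lambda: clock[0])
    before = connection_string(cache.get())
    cache.get()  # served from cache, no API call
    fake.secret_string = json.dumps({**json.loads(SAMPLE_SECRET), "password": "rotated-placeholder"})
    clock[0] = 301.0  # TTL elapsed
    after = connection_string(cache.get())
    return before, after, fake.calls


if __name__ == "__main__":
    print(demo_rotation())
```

The instance or function that runs this needs only IAM permission to read that one secret or parameter (and to use its KMS key), which is the "fine-grained permissions" and "minimal blast radius" points from the Secrets Manager slide.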
Page 31
Best Practices for Secrets: Don’t Use Them – Use IAM Access When Possible
• Allow users to connect to RDS databases with an IAM Role instead of database credentials
• Apply IAM Roles to EC2 instances to allow permission to other services
• Allow authenticated users to assume roles using Cognito Federated Identities
• Provide fine-grained, row level access to DynamoDB tables through assumed roles
Page 32
Automation
Automate all the things
Page 33
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
- Bill Gates
Page 34
Why Automation: Humans = Security Risk
• Reproducible Processes
• Predictable Outcomes
• Minimize the Blast Radius
• Removing Human Error
• Reduce Wasted Man Hours
Page 35
Not Automated
Diagram: developers commit to GIT; build, test and deploy are manual hand-offs to Bob the Builder, Tammy the Tester and Debbie the Deployer
Page 36
Automating Integration & Deployment
Continuous Integration and Continuous Delivery
Diagram: source (AWS CodeCommit, GitHub, Bitbucket) -> AWS CodePipeline -> AWS CodeBuild -> AWS CodeDeploy / AWS CloudFormation -> Amazon ECR -> Amazon ECS, EKS, Fargate; EC2 Instance
Page 37
Automating Configuration: Building and Maintaining Consistency
• AWS CloudFormation
• AWS Systems Manager
• AWS OpsWorks
• AWS Service Catalog
Page 38
Automating Monitoring: Watching & Reacting
• Amazon CloudWatch
• AWS CloudTrail
• AWS Config
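"Watching & reacting" on CloudTrail means rules over the records it writes. The detector below is an added example, not from the slides or AWS: three rules that tie back to earlier slides (root-account activity, which the root-user slide says should never happen; console sign-in without MFA; and changes to the trail itself). The field names used (`userIdentity.type`, `eventName`, `eventSource`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are real CloudTrail record fields; the five sample records are constructed. In production the same functions would sit in a Lambda fed by the trail's S3 bucket or CloudWatch Logs.

```python
"""Detection rules over CloudTrail records for the monitoring layer on the
slide: root-account activity, console sign-in without MFA, and attempts
to switch logging off.  Added example, not from the slides; field names
are real CloudTrail fields, the sample records are constructed."""
import json

# Constructed sample: a slice of a CloudTrail log file's "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-06-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-06-01T09:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-06-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/session"},
     "sourceIPAddress": "10.0.1.5"},
]})


def rule_root_activity(ev):
    """The root-user slide says 'do not use'; any root API call is worth an alert."""
    if ev.get("userIdentity", {}).get("type") == "Root":
        return "root account used: " + ev["eventName"]


def rule_console_login_no_mfa(ev):
    """Successful console sign-in where MFA was not used."""
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console login without MFA: " + ev["userIdentity"].get("userName", "?")


TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_trail_tampering(ev):
    """Changes to the trail itself blind the monitoring layer."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in TRAIL_TAMPERING:
        who = ev["userIdentity"].get("userName", ev["userIdentity"].get("type", "?"))
        return "trail changed: " + ev["eventName"] + " by " + who


RULES = (rule_root_activity, rule_console_login_no_mfa, rule_trail_tampering)


def detect(log_text, rules=RULES):
    """Return [(eventTime, sourceIPAddress, message)] for every rule that fires."""
    alerts = []
    for ev in json.loads(log_text)["Records"]:
        for rule in rules:
            msg = rule(ev)
            if msg:
                alerts.append((ev["eventTime"], ev.get("sourceIPAddress", "?"), msg))
    return alerts


if __name__ == "__main__":
    for when, ip, msg in detect(SAMPLE_LOG):
        print(when, ip, msg)
```

Each rule returns a message or `None`, so adding a rule is adding one function; the alert tuple keeps the time and source address so the reacting side (a CloudWatch alarm, a ticket, a Lambda that disables the key) has what it needs.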
Page 39
Ask Me
I will be answering questions in the Ask Me section
Page 40
Thank You! Благодарю вас! (Russian for “Thank you!”)
Eric Johnson @edjgeek