Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AWS re:Invent 2016: Use AWS to Secure Your DevOps Pipeline Like a Bank (FIN303 )

2,316 views

Published on

Continuous Delivery can be challenging, especially for enterprises that deal with strict compliance requirements like those in the financial services sector. AWS and Stelligent frequently work together with many large Financial Services Enterprises to help incorporate their capabilities securely on the Cloud. From security of the source code used to trigger builds, to the insertion of strict business controls at run time, and out to the continuous inspection of the running infrastructure to ensure compliance, we are helping to build capabilities that are enabling them to run their business faster and safer on AWS.

In this breakout session we will share some very effective techniques that can be incorporated into your Continuous Delivery capability that bring bank level controls and security while enabling faster deployments. We will be looking at a strong encryption pattern for handling Build Artifacts in a Continuous Delivery Pipeline, a simple process for inspecting CloudFormation to ensure business rules are in compliance prior to AWS api calls, and a runtime inspector with Lambda and AWS Config Rules that can be leveraged to ensure that running infrastructure is always in compliance.

Attendees will benefit from real-world scenarios and code examples of how to incorporate these techniques into their capabilities.

Published in: Technology
  • Be the first to comment

AWS re:Invent 2016: Use AWS to Secure Your DevOps Pipeline Like a Bank (FIN303 )

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DevOps Pipeline Security How to use AWS to secure your DevOps Pipeline like a bank Alan Garver AWS Sr. Professional Services Consultant Chuck Dudley Stelligent Director Financial Services Accounts Jamie Greco Citi Sr. VP Technical Program Management FIN303
  2. 2. What to Expect from the Session • Simple Secure Build Artifact Repository with AWS • Advanced DevOps Pipeline Concepts • Static Code Analysis for Infrastructure as Code • Use AWS Config Rules and AWS Lambda to Monitor Resource Compliance
  3. 3. Technology Challenges in Financial Services Regulatory Requirements Organizational Boundaries DEV OPS Engineering Monolithic Applications
  4. 4. Enable Continuous Delivery on the Cloud Provisioning Monitoring CI / CD Orchestration Tokenization & Encryption • Deploy provisioning tools • Practice to provision & manage all architecture and data components (e.g. operating system ) • Implement automated systems to monitor infrastructure and applications to alert abnormal conditions. • Align disintegrated tools, people, controls and processes • Focus on automated builds, orchestration & deployment capabilities. • Manage overall orchestration governing different actions and phases that make up the deployment pipeline (e.g. code check- in to go-live on cloud) • Consistent way to protect information Establish Cloud platform and enable developers to build and rapidly deploy
  5. 5. Journey to Decouple the Mainframe and ESB
  6. 6. & Control Teams Empower teams to accelerate decision making and delivery Empowering Teams DEDICATED TEAMS  Organize in 2-pizza teams  Map capabilities to service owners with dedicated teams OWNERSHIP  Autonomous teams that can build, test and deploy independently  Decision making authority for service at team level TRANSPARENCY  Inspection and transparency of the team performance, service capability and roadmap  Services are tracked, mapped and managed via the Service Catalog Technical Program Manager
  7. 7. Accelerating Innovation and Product Delivery 4 DELIVER ON STRATS BUILD GLOBAL CLOUD FOUNDATION1 BUILD MICROSERVICES2 EMPOWER TEAMS3  Create operating framework  Establish design patterns for microservices  Build, re-use and extend services  Test driven development  Deploy cloud infrastructure  Establish scale and availability  Enable continuous integration/continuous delivery  Protect Citi information  Build full stack, autonomous agile, scrum teams  Single ownership structure  Empowered development with decentralized functions  Continuous integration / deployment SPEED, COST & QUALI TY IMPROVING
  8. 8. The DevOps Pipeline
  9. 9. Continuous Delivery Pipeline • A secure automated transport mechanism • Moves a resources from point A to point B
  10. 10. Continuous Delivery Pipeline • Transports code from development to production • Tests ensure integrity and validity of the resource • Resources morph from source, to executable, to operational
  11. 11. Continuous Delivery Pipeline • Failures stop the line, and prevent breakages to production • Fast feedback provided to the developer • Customized to your software development lifecycle
  12. 12. AWS CodePipeline • Quickly model and configure release stages • View progress at-a-glance • Use your favorite tools • Integrates with other AWS services
  13. 13. The Build Artifact Repository The Build Artifact Repository Storage of Build Artifacts for later deployment in the pipeline
  14. 14. Why Build Artifact Repository • Build once, deploy many times • Version control • Artifacts available for later deploy events (Scale Up) • Build Server and Deployed Services don’t need to talk to each other
  15. 15. Pipeline Build Artifacts Objects assembled during a build process from code used for testing and convergence down stream in a pipeline Chef Cookbook Code .tar Build Artifact # berks vendor Build # chef-client Deploy Amazon EC2 Instance Running System
  16. 16. Examples of Build Artifacts ruby python chef puppet Amazon Linux chocolatey
  17. 17. Simple Artifact Repository with AWS Build System Amazon EC2 at launch Converging Systems Artifact Repository Amazon S3 Bucket 1 detect commit 2 build mvn package 3 publish s3 put-object 4 launch ec2 run-instances –-user-data retrieve s3 get-object 5
  18. 18. Pipeline Build Artifacts Like a Bank Data Protection Entitlement Integrity AWS KMS AWS IAM sha256sum • Generate Data Keys for client side encryption • Use Server Side Encryption integration with Amazon S3 • Use IAM Roles to grant access to resources • Implement strict resource policies for S3 Buckets and KMS Keys • Validate integrity with sha-sum • Implement sha integrity database
  19. 19. Envelope Encryption with AWS KMS $> aws kms generate-data-key --key-id alias/artifact-demo --key-spec AES_256 --output text --query [Plaintext,CiphertextBlob] $> openssl enc -aes-256-cbc -salt –in source.tar –out encrypted.out -k ${Plaintext} $> tar –czvf artifact.tgz encrypted.out CiphertextBlob.out Source encrypt KMS
  20. 20. Artifact Repository on AWS with encryption Build System Artifact Repository Amazon S3 Bucket detect commit 2 build mvn package 5 launch ec2 run-instances –-user-data 3 encrypt kms generate-data-key enc –k Plaintext Client Side Envelope Encryption Server Side Encryption 4 publish s3 put-object –-sse aws:kms 1
  21. 21. Entitle Access with Resource Policies Artifact Repository Amazon S3 Bucket Artifact Encryption Key AWS KMS Customer Master Key S3 Bucket Policy KMS Key Policy
  22. 22. Entitle Access with Resource Policies Artifact Repository Amazon S3 Bucket Amazon EC2 at launch Converging Systems Artifact Encryption Key AWS KMS Customer Master Key S3 Bucket Policy KMS Key Policy retrieve s3 get-object 1 decrypt kms decrypt 2
  23. 23. Entitle Access with Resource Policies Amazon EC2 at launch Converging Systems IAM Role Instance Profile
  24. 24. Entitle Access with Resource Policies Artifact Repository Amazon S3 Bucket Amazon EC2 at launch Converging Systems Artifact Encryption Key AWS KMS Customer Master Key S3 Bucket Policy KMS Key Policy retrieve s3 get-object 1 decrypt kms decrypt 2 IAM Role Instance Profile
  25. 25. Validate Artifact Integrity $> sha256sum mysource b2f3fb7e84761eac78eb34aaaae2793efb41f23141a31f2c mysource $> tar –czvf artifact.tgz encrypted.out sha256sum.out CiphertextBlob.out CiphtertextBlob KMS Encrypted Source
  26. 26. Validate Artifact Integrity Artifact Repository Amazon S3 Bucket 1 Artifact Encryption Key AWS KMS Customer Master Key 3 Amazon EC2 at launch Converging Systems retrieve & unpack s3 get-object decrypt kms decrypt 2 verify ${envelope_sum} == $(sha256sum) 4 validate authorization dynamodb query $(sha256sum) Authorized Artifacts Amazon DynamoDB Table
  27. 27. Continuous Delivery Pipeline • A secure automated transport mechanism • Moves a resources from point A to point B
  28. 28. Commit Acceptance Capacity Pre-Prod Production The Stelligent Pipeline
  29. 29. GOAL: Fast feedback for developers PIPELINE ACTIONS: 1. Unit Tests 2. Static Code Analysis Commit Acceptance Capacity Pre-Prod Production The Commit Stage
  30. 30. GOAL: Fast feedback for developers Commit Acceptance Capacity Pre-Prod Production The Commit Stage SECURITY TESTS: 1. Security static analysis of application code PIPELINE ACTIONS: 1. Unit Tests 2. Static Code Analysis
  31. 31. GOAL: Fast feedback for developers Commit Acceptance Capacity Pre-Prod Production The Commit Stage SECURITY TESTS: 1. Security static analysis of application code 2. Security static analysis of infrastructure code PIPELINE ACTIONS: 1. Unit Tests 2. Static Code Analysis
  32. 32. Security Static Analysis of CloudFormation • Security static analysis builds a model of templates in order to verify compliance with best practices and organizational standards. • This can be a powerful tool to stop bad things before they happen. • A security organization can define their policy in code and have all development efforts unambiguously verify against that standard without manual intervention.
  33. 33. Static Analysis of CloudFormation with cfn-nag The cfn-nag tool inspects the JSON of a CloudFormation template before convergence to find patterns that may indicate: • Overly permissive IAM policies • Overly permissive security groups • Disabled access logs • Disabled server-side encryption
  34. 34. Demo
  35. 35. GOAL: Comprehensive testing of the application and its infrastructure PIPELINE ACTIONS: 1. Integration Tests 2. Acceptance Tests Commit Acceptance Capacity Pre-Prod Production The Acceptance Stage
  36. 36. GOAL: Comprehensive testing of the application and its infrastructure SECURITY TESTS: 1. Infrastructure Analysis PIPELINE ACTIONS: 1. Integration Tests 2. Acceptance Tests Commit Acceptance Capacity Pre-Prod Production The Acceptance Stage
  37. 37. Testing Infrastructure Changes Problems to solve: • Prevent infrastructure changes that violate company security policies. • Need the ability to codify security rules and get notifications when violations occur. • Ability to execute on-demand compliance testing.
  38. 38. Testing Infrastructure Changes AWS Config solves these problems, but… • Pipeline enablement can be challenging. • Console-centric.
  39. 39. config-rule-status ConfigRuleStatus is an open source tool that enables continuous monitoring and on-demand testing of security compliance for infrastructure through the AWS Config service. How does it solve the problem? • Sets up AWS Config for resource monitoring. • Creates Config Rules and Lambda functions to evaluate security compliance. • Creates a Tester Lambda function that returns aggregated compliance status.
  40. 40. config-rule-status How should it be used? • The bundled CLI provides commands for deploying the tool. • The Tester Lambda function can be invoked with the bundled CLI or the AWS CLI. • Invoke it from a CD pipeline to catch policy violations before they get to production.
  41. 41. Core Technology
  42. 42. config-rule-status On-Demand compliance testing for AWS Resources
  43. 43. Demo
  44. 44. GOAL: Test the system under real world conditions The Capacity Stage Commit Acceptance Capacity Pre-Prod Production PIPELINE ACTIONS: 1. Performance Tests 2. Load Tests
  45. 45. GOAL: Test the system under real world conditions The Capacity Stage Commit Acceptance Capacity Pre-Prod Production PIPELINE ACTIONS: 1. Performance Tests 2. Load Tests SECURITY TESTS: 1. OWASP ZAP Pen Test 2. OpenSCAP Image Testing
  46. 46. GOAL: Go / no-go decision for blue/green deployment PIPELINE ACTIONS: 1. Build Pre-Prod Stack 2. Data Migration 3. Blue/green Deployment Commit Acceptance Capacity Pre-Prod Production The Production Stage
  47. 47. SECURITY ACTIONS: 1. Prevent out-of-band changes 2. Security metrics for feedback loops PIPELINE ACTIONS: 1. Build Pre-Prod Stack 2. Data Migration 3. Blue/green Deployment GOAL: Go / no-go decision for blue/green deployment Commit Acceptance Capacity Pre-Prod Production The Production Stage
  48. 48. Resources stelligent.com/fin303
  49. 49. Thank you!
  50. 50. Remember to complete your evaluations!

×