How to implement DevSecOps on AWS for Startups
Agenda
- Intro
- About the FigLeaf project
- Why security matters for us
- DevSecOps
- Our pipeline (what we did and what we plan to do)
- Conclusions
Amazon Web Services User Group Kiev
Intro
Aleksandr Maklakov, CIO at ZEO Alliance: 14 years in IT, MBA, ISO 27001 Internal Auditor, AWS Certified Solutions Architect - Associate
Valentin Nastenko, Sr. System Administrator at FigLeaf: 20 years in IT as developer and system administrator
About this project
https://figleafapp.com
Why security matters for us
DevSecOps
Key principles for DevSecOps
- Everyone in the software development life cycle is responsible for security
- Shift left
- Continuous Security
- Automate everything
AWS Shared responsibility model
What we did and our plans
- Organizational: Policies, Multi-Account approach, Access management, Incident Management, Sec Culture
- Code development and deployment: Packer, Terraform, Ansible, SonarQube, PVS-Studio, Mage, AWS SSM, AWS WAF
- Operation monitoring: AWS Inspector, AWS Config, AWS GuardDuty, Nessus, Clair
What we did
Immutable Infrastructure
You wouldn't repair a Lego piece. Just grab a new one.
Packer, Terraform, Ansible, Docker, AWS Lambda
AWS Multiple Account Security Strategy
- Consolidated Billing – This is probably the number one use case for anyone doing multiple accounts
- Audit Purposes (PCI, HIPAA) – The Production environment has restricted access, which helps during any official audit. While most companies do not think of this upfront, this is possibly the most important reason to go towards a separate PRODUCTION-only account (and a top-level Organization to manage it)
- Control over AWS Services – using Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts
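As an added example of the SCP bullet above (not code from the talk), the block below builds a guardrail SCP for a production OU and evaluates its Deny logic offline, so a team can check what the policy blocks before attaching it with the Organizations API. The statement contents, the approved-region list, and the request contexts are constructed for illustration; SCPs never grant permissions, they only cap what IAM in the member accounts can allow.

```python
"""Service Control Policy guardrail for a production OU, with an offline
evaluator for the Deny logic. Added example; the policy content and the
region list are constructed for illustration, not taken from the talk."""
import fnmatch
import json

# Constructed SCP. Every statement is a Deny because SCPs only filter.
PRODUCTION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Nobody in the member account, root included, may switch off
            # the audit trail or the threat detector.
            "Sid": "ProtectAuditServices",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",
            ],
            "Resource": "*",
        },
        {
            # Pin workloads to approved regions. Global services (IAM, STS,
            # Organizations, Support) are exempted via NotAction because
            # their requests are not region-scoped.
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
                }
            },
        },
    ],
}


def scp_document() -> str:
    """JSON text for `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps(PRODUCTION_GUARDRAIL_SCP, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action: str, patterns) -> bool:
    # IAM action names match case-insensitively and support '*' globs.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the string operators this example uses; an empty condition
    block holds trivially."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not supported by this example")
    return True


def scp_denies(policy: dict, action: str, context: dict):
    """Return the Sid of the first Deny statement that blocks `action` under
    `context` (request condition keys), or None if the SCP does not block it.
    Whether the call is ultimately allowed still depends on IAM in the account."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            hit = _action_matches(action, stmt["Action"])
        else:  # NotAction: the statement applies to every action NOT listed
            hit = not _action_matches(action, stmt["NotAction"])
        if hit and _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(scp_document())
    for act, region in [("cloudtrail:StopLogging", "eu-central-1"),
                        ("ec2:RunInstances", "us-east-1"),
                        ("ec2:RunInstances", "eu-central-1")]:
        print(act, region, "->", scp_denies(PRODUCTION_GUARDRAIL_SCP, act,
                                            {"aws:RequestedRegion": region}))
```

The evaluator only models the Deny side of SCP evaluation; in a real account a call also needs an explicit Allow from IAM, and the region pin relies on `aws:RequestedRegion`, which is why the global services are carved out with NotAction.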
AWS-Vault
Securely store and access credentials for AWS. AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the aws cli tools, and is aware of your profiles and configuration in ~/.aws/config.
Supported keystores: macOS Keychain, KWallet, freedesktop.org Secret Service, encrypted file
https://github.com/99designs/aws-vault
Continuous Code Quality
- Overall health of your project
- Quality gate
- Identify code vulnerability
- Code Smells
- Bugs
- Code Duplication
- Code Coverage
- Security
SonarQube
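An added example of the "quality gate" bullet (not code from the talk or from SonarQube): a CI step that reads the project's quality-gate status from SonarQube's `api/qualitygates/project_status` endpoint and fails the build when the gate is in ERROR, printing which conditions (new vulnerabilities, security rating, coverage) tripped it. The server URL, project key, token handling and the sample response are constructed; only the response shape follows the API.

```python
"""Break a CI build on the SonarQube quality gate. Added example, not from
the talk or the SonarQube project; the sample API response is constructed."""
import base64
import json
import sys
import urllib.request

# Constructed copy of what GET /api/qualitygates/project_status returns.
SAMPLE_PROJECT_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "86.2"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "2"},
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "4"},
        ],
    }
}

RATING_LETTERS = {"1": "A", "2": "B", "3": "C", "4": "D", "5": "E"}


def fetch_project_status(server: str, project_key: str, token: str) -> dict:
    """Call the real API (not exercised offline). A SonarQube token is sent
    as the Basic-auth username with an empty password."""
    url = f"{server.rstrip('/')}/api/qualitygates/project_status?projectKey={project_key}"
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _describe(cond: dict) -> str:
    key = cond["metricKey"]
    actual, threshold = cond["actualValue"], cond["errorThreshold"]
    if key.endswith("_rating"):  # ratings are 1..5 in the API, A..E in the UI
        actual = RATING_LETTERS.get(actual, actual)
        threshold = RATING_LETTERS.get(threshold, threshold)
    op = {"GT": "worse than (>)", "LT": "worse than (<)"}.get(cond["comparator"], cond["comparator"])
    return f"{key}: {actual} is {op} threshold {threshold}"


def failed_conditions(project_status: dict) -> list:
    """Human-readable line for every condition the gate flagged as ERROR."""
    conds = project_status["projectStatus"].get("conditions", [])
    return [_describe(c) for c in conds if c["status"] == "ERROR"]


def gate_passed(project_status: dict) -> bool:
    # Anything other than OK (ERROR, or NONE when no gate is attached) fails
    # the build: the point of the pipeline is that findings cannot be skipped.
    return project_status["projectStatus"]["status"] == "OK"


if __name__ == "__main__":
    status = SAMPLE_PROJECT_STATUS  # in CI: fetch_project_status(url, key, token)
    for line in failed_conditions(status):
        print("quality gate:", line)
    sys.exit(0 if gate_passed(status) else 1)
```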
Mage: Make/rake-like build tool
Why? Makefiles are hard to read and hard to write, mostly because makefiles are essentially fancy bash scripts with significant white space and additional make-related syntax.
- Parallelism
- Dependencies
- Namespaces
- Compiling a static binary
https://magefile.org
Scanning Docker Images for Vulnerabilities
Clair ingests many vulnerability data sources, such as Debian Security Bug Tracker, Ubuntu CVE Tracker, and Red Hat Security Data. Since Clair consumes so many CVE databases, its auditing is comprehensive.
Clair's feature set is flexible. It lets you add your own drivers for additional behaviors. Also, making separate API calls to audit specific container images is a sleek, machine-driven alternative to scouring through massive report logs.
https://coreos.com/clair/docs/latest/
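An added example of the "separate API calls" approach described above (not code from the talk or the Clair project): it builds the body for Clair's v1 `POST /v1/layers` call, and turns the `GET /v1/layers/{name}?features&vulnerabilities` report into a ship/no-ship decision using Clair's severity ordering, listing which blocking findings already have an upstream fix. The Clair URL, layer name, package versions and CVE identifiers are constructed placeholders; only the request and response shapes follow the v1 API.

```python
"""Ask Clair which vulnerabilities it found in an image layer and decide
whether the build may ship. Added example, not from the talk or the Clair
project; URLs, layer names, versions and CVE ids are constructed placeholders."""
import json
import urllib.request

CLAIR_URL = "http://clair.internal:6060"  # constructed

# Clair v1 orders severities this way; anything at or above fail_at blocks.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def layer_submission(name: str, blob_url: str, parent: str = "", format_: str = "Docker") -> dict:
    """Body for POST /v1/layers: one call per layer, parents submitted first."""
    layer = {"Name": name, "Path": blob_url, "Format": format_}
    if parent:
        layer["ParentName"] = parent
    return {"Layer": layer}


def fetch_layer_report(layer_name: str) -> dict:
    """GET /v1/layers/{name}?features&vulnerabilities (not exercised offline)."""
    url = f"{CLAIR_URL}/v1/layers/{layer_name}?features&vulnerabilities"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed report in the shape Clair v1 returns for an image's top layer.
SAMPLE_REPORT = {
    "Layer": {
        "Name": "sha256:placeholder-top-layer",
        "NamespaceName": "debian:9",
        "Features": [
            {"Name": "openssl", "Version": "1.1.0f-3", "NamespaceName": "debian:9",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.1.0f-4"},
                 {"Name": "CVE-0000-0002", "Severity": "Low", "FixedBy": ""},
             ]},
            {"Name": "bash", "Version": "4.4-5", "NamespaceName": "debian:9",
             "Vulnerabilities": [
                 {"Name": "CVE-0000-0003", "Severity": "Medium", "FixedBy": ""},
             ]},
            {"Name": "coreutils", "Version": "8.26-3", "NamespaceName": "debian:9"},
        ],
    }
}


def severity_rank(severity: str) -> int:
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def triage(report: dict, fail_at: str = "High") -> dict:
    """Flatten the per-feature lists into findings, split them into blocking
    (at or above fail_at) and the rest, and note which have an upstream fix."""
    blocking, other = [], []
    for feature in report["Layer"].get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            finding = {
                "cve": vuln["Name"],
                "package": f"{feature['Name']} {feature['Version']}",
                "severity": vuln.get("Severity", "Unknown"),
                "fixed_by": vuln.get("FixedBy", ""),
            }
            bucket = blocking if severity_rank(finding["severity"]) >= severity_rank(fail_at) else other
            bucket.append(finding)
    return {
        "ship": not blocking,
        "blocking": blocking,
        "other": other,
        "fixable": [f["cve"] for f in blocking + other if f["fixed_by"]],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)  # in CI: triage(fetch_layer_report(top_layer))
    for f in result["blocking"]:
        print(f"BLOCK {f['cve']} {f['severity']} in {f['package']} fix: {f['fixed_by'] or 'none yet'}")
    print("ship:", result["ship"])
```

Querying the top layer is enough because Clair reports inherited features from the parent layers there; the `fixable` list is what you hand back to the image owner, since a finding with no upstream fix cannot be closed by rebuilding.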
Update problem
sudo yum update-minimal --security --bugfix && sudo reboot
https://docs.aws.amazon.com/en_us/systems-manager/latest/userguide/patch-manager-how-it-works-installation.html
AWS SSM: the next generation of SSH
- Audit by default with CloudTrail: all commands are recorded
- Ability to run commands on instances without opening any TCP ports
- Users and authorisation are managed via IAM
- Commands can target multiple instances
- Natural integration with AWS SSM Parameter Store
- You don't need to know which IP your EC2 instance has; you can use an EC2 tag filter instead
- No longer requires a Bastion Host
- Every command output can be saved to S3
- Easily integrates with an additional security tool like AWS Inspector (the agent can be installed in one click)
- Using an AWS CloudWatch Events rule you can invoke specific commands in response to any AWS event
- The AWS SSM agent can be installed on-premises as well as in any other cloud provider, in order to unify your access control strategy
- AWS SSM is PCI compliant and lets you quickly achieve the PCI standard with low effort
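An added example tying the "Update problem" command to the SSM slides (not code from the talk or AWS): it sends the slide's `yum update-minimal --security --bugfix` to every instance carrying a tag via SSM Run Command, with output to S3 and a rollout limit, and polls the invocations until they finish. The tag, bucket and instance ids are constructed, and a fake client with the same two methods lets it run offline; pass a real `boto3.client("ssm")` in production.

```python
"""Run the talk's patch command on every instance with a given tag through
SSM Run Command instead of SSH, and collect per-instance results. Added
example, not from the talk or AWS; tag, bucket, instance ids and the fake
client are constructed. boto3 is needed only for a real run."""
import time

# The slide's command, followed by a reboot. Exiting with code 194 is how a
# Run Command script asks the agent to reboot the instance and then report
# success; a plain `sudo reboot` would cut the invocation off mid-command.
PATCH_COMMANDS = [
    "sudo yum update-minimal --security --bugfix || exit 1",
    "exit 194",
]

# Invocation statuses that mean "still going" in list_command_invocations.
PENDING = {"Pending", "InProgress", "Delayed", "Cancelling"}


def patch_by_tag(ssm, tag_key, tag_values, output_bucket, commands=PATCH_COMMANDS,
                 poll_seconds=5, max_polls=120, sleep=time.sleep):
    """Send one command to every instance whose tag_key is in tag_values and
    wait for each invocation to finish. Returns {instance_id: status}."""
    resp = ssm.send_command(
        Targets=[{"Key": f"tag:{tag_key}", "Values": list(tag_values)}],  # no IPs needed
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": list(commands)},
        Comment="security patching",
        OutputS3BucketName=output_bucket,      # full stdout/stderr lands here
        OutputS3KeyPrefix="run-command/patching",
        MaxConcurrency="25%",                  # roll through the fleet gradually
        MaxErrors="1",                         # stop dispatching after one failure
    )
    command_id = resp["Command"]["CommandId"]
    for _ in range(max_polls):
        invocations = ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]
        statuses = {inv["InstanceId"]: inv["Status"] for inv in invocations}
        if statuses and not (set(statuses.values()) & PENDING):
            return statuses
        sleep(poll_seconds)
    raise TimeoutError(f"command {command_id} still running after {max_polls} polls")


def summarize(statuses):
    failed = sorted(i for i, s in statuses.items() if s != "Success")
    return {"ok": not failed, "patched": len(statuses) - len(failed), "failed": failed}


class _FakeSSM:
    """Constructed stand-in so the example runs offline; it replays the
    statuses a real client would return across two polls."""
    def __init__(self):
        self.sent = None
        self._pages = [
            [{"InstanceId": "i-0aaa", "Status": "InProgress"}, {"InstanceId": "i-0bbb", "Status": "Pending"}],
            [{"InstanceId": "i-0aaa", "Status": "Success"}, {"InstanceId": "i-0bbb", "Status": "Failed"}],
        ]

    def send_command(self, **kwargs):
        self.sent = kwargs
        return {"Command": {"CommandId": "constructed-command-id"}}

    def list_command_invocations(self, **kwargs):
        page = self._pages.pop(0) if len(self._pages) > 1 else self._pages[0]
        return {"CommandInvocations": page}


def demo():
    fake = _FakeSSM()
    statuses = patch_by_tag(fake, "Environment", ["prod"], "constructed-bucket", sleep=lambda s: None)
    return fake.sent, summarize(statuses)


if __name__ == "__main__":
    # Real use: import boto3; patch_by_tag(boto3.client("ssm"), "Environment", ["prod"], "my-bucket")
    sent, summary = demo()
    print(sent["Targets"], summary)
```

Every `send_command` call is itself a CloudTrail event, which is the "audit by default" bullet in practice: who patched what, when, and with which document is recorded without any agent-side logging.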
Secrets management with EC2 Systems Manager Parameter Store
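An added example for the Parameter Store slide (not code from the talk or AWS): secrets are written as `SecureString` parameters under a per-environment path, read back with decryption through the paginated `get_parameters_by_path` call, and a least-privilege IAM statement scopes a workload to its own path. The path, KMS key alias, account id and values are constructed, and a fake client stands in for `boto3.client("ssm")` so it runs offline.

```python
"""Store and read application secrets in SSM Parameter Store as SecureString
parameters under a hierarchical path. Added example, not from the talk or
AWS; the path, key alias, account id and fake client are constructed."""


def put_secret(ssm, name, value, kms_key="alias/constructed-app-key"):
    """Write (or rotate) one secret; the value is encrypted with the given CMK."""
    return ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                             KeyId=kms_key, Overwrite=True)


def load_secrets(ssm, path):
    """Fetch every parameter below `path` (decrypting SecureStrings) and
    return {short_name: value}. Follows the NextToken pagination of the API."""
    if not path.endswith("/"):
        path += "/"
    secrets, kwargs = {}, {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            secrets[p["Name"][len(path):]] = p["Value"]
        token = resp.get("NextToken")
        if not token:
            return secrets
        kwargs["NextToken"] = token


def iam_read_policy(account_id, region, path):
    """Least-privilege statement for a workload that only reads its own path.
    kms:Decrypt on the key is granted separately, on the key policy."""
    arn = f"arn:aws:ssm:{region}:{account_id}:parameter{path.rstrip('/')}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParametersByPath", "ssm:GetParameter"],
         "Resource": arn}]}


class _FakeSSM:
    """Constructed stand-in that answers in two pages, as a real client may."""
    def __init__(self):
        self.written = {}

    def put_parameter(self, **kw):
        self.written[kw["Name"]] = kw
        return {"Version": 1}

    def get_parameters_by_path(self, **kw):
        if "NextToken" not in kw:
            return {"Parameters": [{"Name": "/figleaf/prod/db/password", "Value": "constructed-pw"}],
                    "NextToken": "page2"}
        return {"Parameters": [{"Name": "/figleaf/prod/api/key", "Value": "constructed-key"}]}


def demo():
    fake = _FakeSSM()
    put_secret(fake, "/figleaf/prod/db/password", "constructed-pw")
    return fake.written["/figleaf/prod/db/password"]["Type"], load_secrets(fake, "/figleaf/prod")


if __name__ == "__main__":
    # Real use: import boto3; load_secrets(boto3.client("ssm"), "/figleaf/prod")
    print(demo())
    print(iam_read_policy("123456789012", "eu-central-1", "/figleaf/prod/"))
```

Keeping staging and production under different paths (and different KMS keys) is what makes the IAM scoping meaningful: the production instance role can be granted `/figleaf/prod/*` and nothing else.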
Amazon Inspector
Amazon GuardDuty
https://github.com/miztiik/Serverless-GuardDuty-Findings-to-SNS
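An added example in the spirit of the linked repository, but not its code: a Lambda handler that receives GuardDuty findings from a CloudWatch Events rule, drops anything below a severity floor, and publishes a readable subject and message to an SNS topic. The SNS call is injected so the logic runs offline; the topic ARN environment variable, account id, instance id and the sample event (including its severity value) are constructed.

```python
"""Lambda handler forwarding GuardDuty findings to SNS, filtered by severity.
Added example, not the linked repository's code; the sample event, account
and instance ids are constructed."""
import os


def severity_label(score: float) -> str:
    # GuardDuty's documented bands: 1.0-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High.
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def describe_resource(resource: dict) -> str:
    kind = resource.get("resourceType", "Unknown")
    if kind == "Instance":
        return "EC2 " + resource.get("instanceDetails", {}).get("instanceId", "?")
    if kind == "AccessKey":
        d = resource.get("accessKeyDetails", {})
        return f"{d.get('userType', '?')} {d.get('userName', '?')}"
    return kind


def format_finding(detail: dict) -> dict:
    """Subject/Message pair for SNS, built from the `detail` of a finding event."""
    sev = float(detail.get("severity", 0))
    subject = f"[GuardDuty {severity_label(sev)}] {detail.get('type', 'Unknown')}"[:100]  # SNS limit
    message = "\n".join([
        f"Account:  {detail.get('accountId', '?')}  Region: {detail.get('region', '?')}",
        f"Resource: {describe_resource(detail.get('resource', {}))}",
        f"Severity: {sev} ({severity_label(sev)})  Count: {detail.get('service', {}).get('count', 1)}",
        f"Title:    {detail.get('title', '')}",
        f"Details:  {detail.get('description', '')}",
        f"Finding:  {detail.get('id', '?')}",
    ])
    return {"Subject": subject, "Message": message}


def handle_event(event: dict, publish, min_severity: float = 4.0) -> int:
    """Core logic with the SNS call injected so it can be tested offline.
    Returns the number of notifications sent (0 or 1)."""
    if event.get("detail-type") != "GuardDuty Finding":
        return 0
    detail = event["detail"]
    if float(detail.get("severity", 0)) < min_severity:
        return 0  # Low findings stay in the console instead of paging anyone
    publish(**format_finding(detail))
    return 1


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; kept off the offline path
    topic_arn = os.environ["TOPIC_ARN"]  # constructed variable name
    sns = boto3.client("sns")
    return handle_event(event, lambda **msg: sns.publish(TopicArn=topic_arn, **msg),
                        float(os.environ.get("MIN_SEVERITY", "4.0")))


# Constructed event in the shape CloudWatch Events delivers for a finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "constructed-finding-id",
        "accountId": "123456789012",
        "region": "eu-central-1",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,  # constructed value
        "title": "constructed title",
        "description": "constructed description",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0constructed"}},
        "service": {"count": 12},
    },
}


def demo():
    sent = []
    n = handle_event(SAMPLE_EVENT, lambda **m: sent.append(m))
    return n, sent


if __name__ == "__main__":
    print(demo())
```

The rule that feeds this function matches `source: aws.guardduty` and `detail-type: GuardDuty Finding`; doing the severity cut in code rather than in the rule pattern keeps one rule per account and lets the threshold be tuned per environment through `MIN_SEVERITY`.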
AWS WAF
Plans
- AWS Config
- Pentest
- OWASP & PCI DSS
- Security Incident Response
Recap
- Key principles for DevSecOps
- Free tools to automate: SonarQube, Ansible, Clair, Mage
- AWS tools: GuardDuty, Inspector, Systems Manager, WAF
Conclusion
- DevSecOps is not so scary
- Security can be flexible and comfortable
- Life without SSH (on Linux) is possible
The End