Building an End-To-End DevSecOps Pipeline: AWS

Services and tools Used in The AWS DevOps Pipeline

This section covers various AWS services and third-party compatible tools you can use when building out your DevOps pipeline. Ranging from CI to CD, security and automation, continuous testing, operational services, and more.

CI/CD Services

The following is a list of CI/CD AWS services that lead to innovation for developers.

• AWS CodeBuild – A fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.
• AWS CodeCommit – A fully managed source control service that hosts secure Git-based repositories.
• AWS CodeDeploy – A fully managed deployment service that automates software deployments to a variety of compute services such as Amazon Elastic Compute Cloud (Amazon EC2), AWS Fargate, AWS Lambda, and your on-premises servers.
• AWS CodePipeline – A fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.
• AWS Lambda – A service that lets you run code without provisioning or managing servers. You pay only for the compute time you consume.
• Amazon Simple Notification Service – Amazon SNS is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.
• Amazon Simple Storage Service – Amazon S3 is storage for the internet. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web.
• AWS Systems Manager Parameter Store – Parameter Store gives you visibility and control of your infrastructure on AWS.

Security & Automation Services

The following are AWS services for continuous logging and monitoring.

• AWS CloudWatch Logs– Allows you to monitor, store, and access your log files from EC2 instances, AWS CloudTrail, Amazon Route 53, and other sources
• AWS CloudWatch Events– Delivers a near-real-time stream of system events that describe changes in AWS resources
• AWS CloudTrail– Enables governance, compliance, operational auditing, and risk auditing of your AWS account.
• AWS Identity and Access Management– Enables you to manage access to AWS services and resources securely. With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
• AWS Key Management Services (KMS) – Services for creating and managing the encryption keys necessary for data protection. These services use validated hardware security modules to ensure the security of your keys.
• AWS Config– Allows you to assess, audit, and evaluate the configurations of your AWS resources.

Continuous Testing Tools

The following are open-source scanning tools that integrated with AWS in the DevOps pipeline.

• OWASP Dependency-Check– A Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
• SonarQube (SAST)– Catches bugs and vulnerabilities in your app, with thousands of automated Static Code Analysis rules.
• PHPStan (SAST)– Focuses on finding errors in your code without running it. It catches whole classes of bugs even before you write tests for the code.
• OWASP Zap (DAST)– Helps you automatically find security vulnerabilities in your web applications while you’re developing and testing your applications.

Operational Services

The following are AWS operations services.

• AWS Security Hub– Gives you a comprehensive view of your security alerts and security posture across your AWS accounts. This post uses Security Hub to aggregate all the vulnerability findings as a single pane of glass.
• AWS CloudFormation– Gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code.
• AWS Systems Manager Parameter Store– Provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
• AWS Elastic Beanstalk– An easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. This post uses Elastic Beanstalk to deploy LAMP stack with WordPress and Amazon Aurora MySQL. Although we use Elastic Beanstalk for this post, you could configure the pipeline to deploy to various other environments on AWS or elsewhere as needed.

Conclusion

All these AWS services work together to create powerful, functional, and scalable pipelines. Nonetheless, achieving a DevSecOps culture can seem distant at first do not give up hope. Good things are soon to come, sometimes all it takes is the right toolset, team, and vision to get the mission accomplished. If your team needs a little boost, our experts can help guide the way and focus your efforts. With options including security training, program assessment and development, and more.

DevOps without security falls short of the target 100% of the time. DevOps with embedded security is the only way to ensure your organization’s Development program reaches full maturity. Also, it lets you take advantage of the expected rewards. Our DevSecOps team has worked with fortune 500 companies to help develop very sophisticated, scalable DevSecOps programs. We take all the difficulty and what ifs out of the equation for you by adding a third-party expert to give you feedback and guidance.