The software development and deployment lifecycle has recently had more demand concerning integrating security testing and protection. As much as this requirement concerns technological tools, it is also about the culture and shared responsibility, just like the DevOps philosophy. This seamless integration of security and protection, along with culture and shared responsibility, has come to be known as DevSecOps.
In this blog, we will demonstrate using the CI/CD pipeline to automate security operations and auditing, for example, failing the pipeline when an instance is launched with a specific AMI. So, we use the same resources mentioned here.
Services used
- Two AWS CloudFormation
- One to create a Demo Pipeline.
- One to create an EC2 instance.
- 2 Lambda functions
- For static code analysis of the CloudFormation template.
- For dynamic stack validation of the EC2 instance launched.
- S3 bucker as the sample code repository.
- VPCs to deploy the resources. (You can use the default VPC too)
CodePipeline Stages
The CodePipeline has 4 stages: (Find the source code here.)
- Commit: In this stage; the pipeline gets the CloudFormation codes from the S3 bucket.
- Static Code Analysis: This stage passes the CF template and pipeline name to the lambda function called CFNValidateLambda.
- Test Deployment: This stage has the test deployment, where the stack creates various resources, and validation is done.
The Stack Validation Lambda is triggered, and the stack and pipeline names are passed to this lambda function from the event parameters. If any violation is detected, the lambda deletes the stack, stops the pipeline, and returns an error message.
The below code detects if the mentioned AMIs are present and fails if found in the stack: (note that this is for a single region and only AMIs mentioned here.
client = boto3.client(\'ec2\')
response = client.describe_images(Filters=[{\'Name\': \'image-id\',
\'Values\': [\'ami-0022f774911c1d690\']}])
des_inst = client.describe_instances(Filters=[{\'Name\': \'tag:aws:cloudformation:stack-name\', \'Values\': [\'Test-SG\']}])
print(\"dest : %s\" % des_inst)
for image_id in des_inst:
image_id = des_inst[\'Reservations\'][0][\'Instances\'][0][\'ImageId\']
instanceID = des_inst[\'Reservations\'][0][\'Instances\'][0][\'InstanceId\']
if image_id in (\'ami-7a11e211\',\'ami-08111162\',\'ami-0022f774911c1d690\'):
result = False
failReason = \"Found an unapproved AMI\"
offenders.append(str(instanceID))
return {\'Result\': result, \'failReason\': failReason, \'Offenders\': offenders, \'ScoredControl\': scored,
\'Description\': description, \'ControlId\': control}
Next, there is a manual step to approve the step for review purposes, and thus it can be omitted.
After the above steps are completed, the test stack is deleted.
- Production Deployment: In the above steps, a security check has run, which we will call the testing phase in a testing VPC (which is evident from the fact that there was a testing and security check run). Now, we create a change set and execute it in another VPC, which will be for production.
Whenever you make changes to the CloudFormation template, upload them to the S3 bucket and click the Release Change button. One can expand on these checks as I did.
