How to Implement DevSecOps With CodePipeline?

June 3, 2022

Demand for integrating security testing and protection into the software development and deployment lifecycle has grown recently. As much as this requirement is about tooling, it is also about culture and shared responsibility, just like the DevOps philosophy. This seamless integration of security into the delivery process, together with that culture of shared responsibility, has come to be known as DevSecOps.

In this blog, we will demonstrate using the CI/CD pipeline to automate security checks and auditing; for example, failing the pipeline when an instance is launched from a specific (unapproved) AMI. We use the same resources mentioned here.

Services used

  • Two AWS CloudFormation templates
    • One to create a demo pipeline.
    • One to create an EC2 instance.
  • Two Lambda functions
    • One for static code analysis of the CloudFormation template.
    • One for dynamic validation of the deployed stack (the EC2 instance launched).
  • An S3 bucket as the sample code repository.
  • VPCs to deploy the resources. (You can use the default VPC too.)

CodePipeline Stages

The CodePipeline has 4 stages: (Find the source code here.)

  • Commit: In this stage the pipeline fetches the CloudFormation templates from the S3 bucket.
  • Static Code Analysis: This stage passes the CloudFormation template and the pipeline name to the Lambda function called CFNValidateLambda.
  • Test Deployment: This stage performs the test deployment, where the stack creates the resources, and validation is then run against the live stack.
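As an added example (not code from the post or its repository), here is the kind of static check the CFNValidateLambda stage can run on a JSON CloudFormation template before anything is deployed: it walks the Resources section, picks out the resource types that carry an AMI ID (AWS::EC2::Instance, AWS::AutoScaling::LaunchConfiguration and AWS::EC2::LaunchTemplate), resolves a literal ImageId or a Ref to a parameter default, and reports every resource that would launch an unapproved AMI. The AMI deny-list, the resource-type table and the sample template are assumptions constructed for this example.

```python
import json

# Constructed deny-list for the example; the post's Lambda hard-codes its AMI IDs the same way.
UNAPPROVED_AMIS = {'ami-7a11e211', 'ami-08111162', 'ami-0022f774911c1d690'}

# Resource types whose properties carry an AMI ID, and the property path to it.
# LaunchTemplate nests the image under LaunchTemplateData. (Assumed table for the example.)
IMAGE_PATHS = {
    'AWS::EC2::Instance': ('ImageId',),
    'AWS::AutoScaling::LaunchConfiguration': ('ImageId',),
    'AWS::EC2::LaunchTemplate': ('LaunchTemplateData', 'ImageId'),
}


def _lookup(props, path):
    """Follow a key path through nested dicts; None if any key is missing."""
    for key in path:
        if not isinstance(props, dict) or key not in props:
            return None
        props = props[key]
    return props


def resolve_image_id(template, value):
    """Resolve a literal ImageId or a {"Ref": "Param"} pointing at a parameter default.
    Anything else (Fn::FindInMap, SSM dynamic references) is returned as None: unresolvable
    statically, which is exactly why the post keeps a second check on the deployed stack."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and 'Ref' in value:
        param = template.get('Parameters', {}).get(value['Ref'], {})
        return param.get('Default')
    return None


def find_unapproved_amis(template, unapproved=UNAPPROVED_AMIS):
    """Return [(logical_id, image_id)] for every resource that would launch an unapproved AMI."""
    findings = []
    for logical_id, resource in template.get('Resources', {}).items():
        path = IMAGE_PATHS.get(resource.get('Type'))
        if path is None:
            continue
        image_id = resolve_image_id(template, _lookup(resource.get('Properties', {}), path))
        if image_id in unapproved:
            findings.append((logical_id, image_id))
    return findings


def validate_template(template_body):
    """Result shape mirrors the post's Lambda: Result False plus Offenders on a violation."""
    findings = find_unapproved_amis(json.loads(template_body))
    return {'Result': not findings,
            'failReason': 'Found an unapproved AMI' if findings else '',
            'Offenders': findings}


# Constructed sample template (not from the post): one literal unapproved AMI, one reached
# through a parameter default, one approved instance and one resource with no AMI at all.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"BaseAmi": {"Type": "AWS::EC2::Image::Id", "Default": "ami-08111162"}},
    "Resources": {
        "WebServer": {"Type": "AWS::EC2::Instance",
                      "Properties": {"ImageId": "ami-0022f774911c1d690", "InstanceType": "t3.micro"}},
        "AppServer": {"Type": "AWS::EC2::Instance",
                      "Properties": {"ImageId": {"Ref": "BaseAmi"}}},
        "Bastion": {"Type": "AWS::EC2::Instance",
                    "Properties": {"ImageId": "ami-0123456789abcdef0"}},
        "Sg": {"Type": "AWS::EC2::SecurityGroup",
               "Properties": {"GroupDescription": "demo"}},
    },
})

if __name__ == '__main__':
    print(validate_template(SAMPLE_TEMPLATE))
```

The static pass is cheap and catches the obvious case before a single instance is launched, but it only sees what is literally in the template: an ImageId taken from a Mappings table or an SSM dynamic reference comes back as unresolvable. That gap is the reason the pipeline also validates the running test stack in the next stage.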

The Stack Validation Lambda is triggered, and the stack and pipeline names are passed to it from the event parameters. If any violation is detected, the Lambda deletes the stack, stops the pipeline by failing the job, and returns an error message.

The code below checks whether any instance in the stack was launched from one of the listed AMIs and fails the check if so. (Note that this covers a single region and only the AMIs listed here.)

import boto3

def check_unapproved_amis(stack_name='Test-SG'):
    # Placeholder control metadata; the original snippet used these names without defining them.
    scored, control = True, 'UnapprovedAMI'
    description = 'EC2 instances must not be launched from unapproved AMIs'
    unapproved = ('ami-7a11e211', 'ami-08111162', 'ami-0022f774911c1d690')
    result, failReason, offenders = True, '', []

    client = boto3.client('ec2')
    # Select only the instances created by the test stack, via the tag CloudFormation sets on them.
    des_inst = client.describe_instances(Filters=[{'Name': 'tag:aws:cloudformation:stack-name',
                                                   'Values': [stack_name]}])
    # Walk every reservation and every instance, not just the first of each.
    for reservation in des_inst['Reservations']:
        for instance in reservation['Instances']:
            if instance['ImageId'] in unapproved:
                result = False
                failReason = "Found an unapproved AMI"
                offenders.append(instance['InstanceId'])

    return {'Result': result, 'failReason': failReason, 'Offenders': offenders, 'ScoredControl': scored,
            'Description': description, 'ControlId': control}
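The check above only covers the EC2 query; the rest of the Lambda described in the text (read the stack and pipeline names from the CodePipeline job event, delete the stack on a violation, and fail the job so the pipeline stops) is shown here as an added example, not the post's own code. The boto3 clients are injectable so the logic can be run offline with recording stand-ins; the event layout is the one CodePipeline sends to a Lambda invoke action, and the UserParameters JSON keys, the deny-list and the sample describe_instances response are assumptions constructed for the example.

```python
import json

# Constructed deny-list for the example; the post hard-codes its AMI IDs the same way.
UNAPPROVED_AMIS = {'ami-7a11e211', 'ami-08111162', 'ami-0022f774911c1d690'}


def find_offending_instances(describe_response, unapproved=UNAPPROVED_AMIS):
    """Walk every reservation and instance in a describe_instances response."""
    offenders = []
    for reservation in describe_response.get('Reservations', []):
        for instance in reservation.get('Instances', []):
            if instance.get('ImageId') in unapproved:
                offenders.append(instance['InstanceId'])
    return offenders


def lambda_handler(event, context, ec2=None, cfn=None, codepipeline=None):
    """CodePipeline Lambda invoke action. Stack and pipeline names arrive as a JSON string in
    UserParameters (key names assumed). Clients are injectable; inside Lambda boto3 is used."""
    if ec2 is None or cfn is None or codepipeline is None:
        import boto3  # only needed when running for real inside Lambda
        ec2 = ec2 or boto3.client('ec2')
        cfn = cfn or boto3.client('cloudformation')
        codepipeline = codepipeline or boto3.client('codepipeline')

    job = event['CodePipeline.job']
    job_id = job['id']
    params = json.loads(job['data']['actionConfiguration']['configuration']['UserParameters'])
    stack_name, pipeline_name = params['stack_name'], params.get('pipeline_name', '')

    # CloudFormation tags every instance it creates with the stack name; filter on that.
    response = ec2.describe_instances(
        Filters=[{'Name': 'tag:aws:cloudformation:stack-name', 'Values': [stack_name]}])
    offenders = find_offending_instances(response)

    if offenders:
        # Tear the test stack down first so the offending instance does not linger, then fail
        # the job: a failed job is what halts the pipeline execution.
        cfn.delete_stack(StackName=stack_name)
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={'type': 'JobFailed',
                            'message': 'Found an unapproved AMI in stack %s (pipeline %s): %s'
                                       % (stack_name, pipeline_name, ', '.join(offenders))})
        return {'Result': False, 'failReason': 'Found an unapproved AMI', 'Offenders': offenders}

    codepipeline.put_job_success_result(jobId=job_id)
    return {'Result': True, 'failReason': '', 'Offenders': []}


class _Recorder:
    """Stand-in for a boto3 client: records every call and returns a canned response."""
    def __init__(self, response=None):
        self.calls, self.response = [], response

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.response
        return call


# Constructed describe_instances response: two reservations, the second holds a bad AMI.
SAMPLE_DESCRIBE = {'Reservations': [
    {'Instances': [{'InstanceId': 'i-0aaa', 'ImageId': 'ami-0123456789abcdef0'}]},
    {'Instances': [{'InstanceId': 'i-0bbb', 'ImageId': 'ami-7a11e211'}]}]}

# Constructed CodePipeline job event carrying the stack and pipeline names.
SAMPLE_EVENT = {'CodePipeline.job': {'id': 'job-1', 'data': {'actionConfiguration': {
    'configuration': {'UserParameters': json.dumps(
        {'stack_name': 'Test-SG', 'pipeline_name': 'Demo-Pipeline'})}}}}}


def run_sample():
    """Run the handler against the constructed event with recording clients."""
    ec2, cfn, cp = _Recorder(SAMPLE_DESCRIBE), _Recorder(), _Recorder()
    result = lambda_handler(SAMPLE_EVENT, None, ec2=ec2, cfn=cfn, codepipeline=cp)
    return result, [c[0] for c in cfn.calls], [c[0] for c in cp.calls]


if __name__ == '__main__':
    print(run_sample())
```

Two details matter in practice. The Lambda must always answer the job with either put_job_success_result or put_job_failure_result; if it returns without doing so, the action hangs until CodePipeline times it out rather than failing cleanly. And the stack is deleted before the failure is reported, so that a violation never leaves an instance built from the unapproved image running in the test VPC while someone reads the error.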

Next, there is a manual approval action for review purposes; it is optional and can be omitted.

After the above steps are completed, the test stack is deleted.

  • Production Deployment: The steps above ran the security checks against a deployment in a testing VPC, which we call the testing phase. Now we create a change set and execute it in another VPC, which is for production.

Whenever you change the CloudFormation template, upload it to the S3 bucket and click the Release change button. These checks can be expanded, as I did.
