Accelerating DevSecOps on AWS

By: Nikit Swaraj

Overview of this book

Continuous integration and continuous delivery (CI/CD) has never been simple, but these days the landscape is more bewildering than ever; its terrain is riddled with blind alleys and pitfalls that seem almost designed to trap the less-experienced developer. If you're determined enough to keep your balance on the cutting edge, this book will help you navigate the landscape with ease. It guides you through the most modern ways of building CI/CD pipelines with AWS, taking you step by step from the basics right through to the most advanced topics in this domain. The book starts by covering the basics of CI/CD with AWS. Once you're well-versed with tools such as AWS CodeStar, Proton, CodeGuru, App Mesh, Security Hub, and CloudFormation, you'll focus on chaos engineering, the latest trend in testing the fault tolerance of your system. Next, you'll explore the advanced concepts of AIOps and DevSecOps, two highly sought-after skill sets for securing and optimizing your CI/CD systems. All along, you'll cover the full range of AWS CI/CD features, gaining real-world expertise. By the end of this AWS book, you'll have the confidence you need to create resilient, secure, and performant CI/CD pipelines using the best techniques and technologies that AWS has to offer.
Table of Contents (15 chapters)

Section 1: Basic CI/CD and Policy as Code (starts at Chapter 1)
Section 2: Chaos Engineering and EKS Clusters (starts at Chapter 5)
Section 3: DevSecOps and AIOps (starts at Chapter 9)

What this book covers

Chapter 1, CI/CD Using AWS CodeStar, introduces the basic concepts of CI/CD and branching strategies. You will then create a basic pipeline using AWS CodeStar and enhance it by adding multiple stages, environments, and branching strategies. Doing this will cover the whole AWS developer toolchain, including CodeCommit, CodeBuild, CloudFormation, and CodePipeline.

Chapter 2, Enforcing Policy as Code on CloudFormation and Terraform, walks through the concept of policy as code, its importance for security and compliance, and the stage of CI/CD at which infrastructure definitions can be checked. You will use CloudFormation Guard to apply policies to an AWS CloudFormation template. After that, you will learn how to use AWS Service Catalog across multiple teams. You will also do a hands-on implementation on Terraform Cloud, with policy enforcement using HashiCorp Sentinel.

Chapter 3, CI/CD Using AWS Proton and an Introduction to AWS CodeGuru, introduces the new AWS Proton service and how it helps both developers and DevOps/infrastructure engineers with their software delivery work. You will learn the basic building blocks of the Proton service, create an environment template to spin up multiple infrastructure environments, and create service templates to deploy service instances into those environments. This chapter also walks you through the code review process and how to find vulnerabilities or leaked secrets using AWS CodeGuru.

Chapter 4, Working with AWS EKS and App Mesh, guides you through the architecture and implementation of an AWS EKS cluster. It explains why the AWS App Mesh service mesh is needed and covers implementing features such as traffic routing, mutual TLS authentication, and tracing with the X-Ray service.

Chapter 5, Securing Private EKS Cluster for Production, contains an implementation guide for setting up a production-grade, secure, private EKS cluster. It covers almost all of the important implementations on EKS, such as IAM Roles for Service Accounts (IRSA), Cluster Autoscaler, the EBS CSI driver, App Mesh, hardening using Kubescape, policy and governance using OPA Gatekeeper, and backup and restore of a stateful application using Velero.

Chapter 6, Chaos Engineering with AWS Fault Injection Simulator, covers the concept of chaos engineering and when it is needed. It walks through the principles of chaos engineering and gives insights into where it fits in CI/CD. You will learn how to perform chaos simulations using AWS FIS on an EC2 instance, a Relational Database Service (RDS) instance, and an EKS node.

Chapter 7, Infrastructure Security Automation Using Security Hub and Systems Manager, includes some important solutions for automating infrastructure security using AWS Security Hub and Systems Manager. The solutions include allowing only compliant images from ECR to run on an EKS cluster, surfacing AWS Config rule evaluations as insights in Security Hub, and integrating Systems Manager with Security Hub to detect an issue, create an incident, and remediate it automatically.

Chapter 8, DevSecOps Using AWS Native Services, walks you step by step through creating a DevSecOps CI/CD pipeline with a branching strategy, using AWS native security services such as CodeGuru Reviewer and ECR image scanning. It combines the developer toolchain, App Mesh, and Fault Injection Simulator. It also covers canary deployment of microservices and analysis using Prometheus and Grafana.

Chapter 9, DevSecOps Pipeline with AWS Services and Tools Popular Industry-Wide, walks you through planning and creating a pipeline. It shows how to implement security at every stage of software delivery, starting from the moment you write code. It covers the Snyk Security Advisory plugin in an IDE, git-secrets for scanning sensitive data such as keys and passwords, SAST using Snyk, DAST using OWASP ZAP, RASP using Falco, chaos simulation using AWS FIS, and AIOps using Amazon DevOps Guru. It also includes operational activities such as viewing the security posture and vulnerability findings in AWS Security Hub.

Chapter 10, AIOps with Amazon DevOps Guru and Systems Manager OpsCenter, introduces foundational artificial intelligence and machine learning concepts. It covers what AIOps is, why we need it, and how it applies to IT operations. You will learn about the AWS AIOps tool DevOps Guru and implement two use cases: identifying anomalies in CPU, memory, and networking within an EKS cluster, and analyzing failure insights and remediation in a serverless application.