Accelerating DevSecOps on AWS

By : Nikit Swaraj

Accelerating DevSecOps on AWS

By: Nikit Swaraj

Overview of this book

Continuous integration and continuous delivery (CI/CD) has never been simple, but these days the landscape is more bewildering than ever; its terrain riddled with blind alleys and pitfalls that seem almost designed to trap the less-experienced developer. If you’re determined enough to keep your balance on the cutting edge, this book will help you navigate the landscape with ease. This book will guide you through the most modern ways of building CI/CD pipelines with AWS, taking you step-by-step from the basics right through to the most advanced topics in this domain. The book starts by covering the basics of CI/CD with AWS. Once you’re well-versed with tools such as AWS Codestar, Proton, CodeGuru, App Mesh, SecurityHub, and CloudFormation, you’ll focus on chaos engineering, the latest trend in testing the fault tolerance of your system. Next, you’ll explore the advanced concepts of AIOps and DevSecOps, two highly sought-after skill sets for securing and optimizing your CI/CD systems. All along, you’ll cover the full range of AWS CI/CD features, gaining real-world expertise. By the end of this AWS book, you’ll have the confidence you need to create resilient, secure, and performant CI/CD pipelines using the best techniques and technologies that AWS has to offer.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Conventions used

Get in touch

Share Your Thoughts

Section 1:Basic CI/CD and Policy as Code

Free Chapter

Chapter 1: CI/CD Using AWS CodeStar

Technical requirements

Introduction to CI/CD, along with a branching strategy

Creating a project in AWS CodeStar

Creating feature and development branches, as well as an environment

Validating PRs/MRs into the develop branch from the feature branch via CodeBuild and AWS Lambda

Adding a production stage and environment

Summary

Chapter 2: Enforcing Policy as Code on CloudFormation and Terraform

Technical requirements

Implementing policy and governance as code on infrastructure code

Using CloudFormation Guard to enforce compliance rules on CloudFormation templates

Using AWS Service Catalog across teams with access controls and constraints

Integrating Terraform Cloud with GitHub

Running a Terraform template in Terraform Cloud

Writing Sentinel policies to enforce rules on Terraform templates

Summary

Chapter 3: CI/CD Using AWS Proton and an Introduction to AWS CodeGuru

Technical requirements

Introduction to the AWS Proton service

Creating the environment template bundle

Creating the service template bundle

Deploying the containerized application by creating a service instance in Proton

Introduction to Amazon CodeGuru

Integrating CodeGuru with AWS CodeCommit and analyzing the pull request report

Summary

Section 2:Chaos Engineering and EKS Clusters

Chapter 4: Working with AWS EKS and App Mesh

Technical requirements

Deep diving into AWS EKS

Deploying an EKS cluster

Introducing AWS App Mesh

Implementing traffic management

Getting observability using X-Ray

Enabling mTLS authentication between services

Summary

Chapter 5: Securing Private EKS Cluster for Production

Technical requirements

Planning your fully private EKS cluster

Creating your EKS cluster

Deploying add-ons

Enabling the App Mesh sidecar injector

Kubernetes hardening guidance using Kubescape

Policy and governance using OPA Gatekeeper

Deploying a stateful application using Helm

Backup and restore using Velero

Summary

Chapter 6: Chaos Engineering with AWS Fault Injection Simulator

Technical requirements

The concept of, and need for, chaos engineering

Chaos engineering in CI/CD

Experimenting with AWS FIS on multiple EC2 instances with a terminate action

Experimenting with AWS FIS on EC2 instances with a CPU stress action

Experimenting with AWS FIS on RDS with a reboot and failover action

Experimenting with AWS FIS on an EKS cluster worker node

Summary

Section 3:DevSecOps and AIOps

Chapter 7: Infrastructure Security Automation Using Security Hub and Systems Manager

Technical requirements

Introduction to AWS Security Hub

Deny execution of non-compliant images on EKS using AWS Security Hub and ECR

Importing an AWS Config rules evaluation as a finding in Security Hub

Integrating AWS Systems Manager with Security Hub to detect issues, create an incident, and remediate automatically

Summary

Chapter 8: DevSecOps Using AWS Native Services

Technical requirements

Strategy and planning for a CI/CD pipeline

Creating a CodeCommit repository for microservices

Creating PR CodeBuild stages with CodeGuru Reviewer

Creating a development CodePipeline project with image scanning and an EKS cluster

Creating a staging CodePipeline project with mesh deployment and chaos testing with AWS FIS

Creating a production CodePipeline project with canary deployment and its analysis using Grafana

Summary

Chapter 9: DevSecOps Pipeline with AWS Services and Tools Popular Industry-Wide

Technical requirements

DevSecOps in CI/CD and some terminology

Introduction to and concepts of some security tools

Planning for a DevSecOps pipeline

Using a security advisory plugin and a pre-commit hook

Prerequisites for a DevSecOps pipeline

Installation of DAST and RASP tools

Integration with DevOps Guru

Creating a CI/CD pipeline using CloudFormation

Testing and validating SAST, DAST, Chaos Simulation, Deployment, and RASP

Summary

Chapter 10: AIOps with Amazon DevOps Guru and Systems Manager OpsCenter

Technical requirements

AIOps and how it helps in IT operations

AIOps using Amazon DevOps Guru

Enabling DevOps Guru on EKS cluster resources

Injecting a failure and then reviewing the insights

Deploying a serverless application and enabling DevOps Guru

Integrating DevOps Guru with Systems Manager OpsCenter

Injecting a failure and then reviewing the insights

Summary

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Kubernetes hardening guidance using Kubescape

In this section of the chapter, we will learn about the hardening guidance of the EKS cluster using Kubescape. Kubescape is an open source tool, developed by ARMO. Kubescape was developed in line with all of the recommendations and guidance from the NSA and CISA. Kubescape tests whether a Kubernetes cluster is deployed securely according to multiple frameworks: regulatory, customized company policies, and DevSecOps best practices, such as the NSA/CISA and MITRE ATT&CK.

It not only scans Kubernetes clusters, but also YAML files and Helm Charts, and detects misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline. To get the Kubescape recommendations for the EKS cluster, perform the following steps:

Connect to the bastion server and install the binary of kubescape:

$ curl -o kubescape.sh https://raw.githubusercontent.com/armosec/kubescape/master/install.sh
$ vi kubescape.sh 
#### Look for install_dir...

Accelerating DevSecOps on AWS

By : Nikit Swaraj

Accelerating DevSecOps on AWS

By: Nikit Swaraj

Overview of this book

Related Content you might be interested in

Current Title:

Accelerating DevSecOps on AWS

Mastering Elastic Kubernetes Service on AWS

Building and Delivering Microservices on AWS

AWS Automation Cookbook

Kubernetes hardening guidance using Kubescape