DevSecOps on AWS: A Practical Guide

What Is DevSecOps? 

DevSecOps integrates security practices within the DevOps processes, aiming to incorporate security at every stage of the software development lifecycle. This philosophy acknowledges that security cannot be isolated as a separate function. Rather, it should be embedded into the early stages of development, carried through deployment, and maintained into the operations phase. Automation in DevSecOps enhances the ability to identify and rectify security issues as early as possible, thus reducing vulnerabilities and costs associated with them.

By fostering a culture of shared responsibility, DevSecOps emphasizes collaboration between development, security, and operations teams. This collaboration helps to streamline security processes without hampering agility or speed. Continuous assessment and real-time threat mitigation become achievable through automation tools that integrate into the workflow.

How Does AWS Support DevSecOps Transformations?

AWS offers a range of services and tools designed to facilitate DevSecOps practices. By leveraging the cloud provider’s infrastructure, organizations can integrate security into their continuous integration and continuous delivery (CI/CD) pipelines.

Amazon Inspector: Automated Vulnerability Management

Amazon Inspector is a critical tool in DevSecOps for automated and continuous vulnerability management. It provides assessments across AWS resources and applications, promptly identifying potential security issues. By integrating seamlessly with CI/CD tools, Inspector can scan new changes in code repositories to ensure that vulnerabilities do not go unnoticed before deployment. Users benefit from real-time alerts and easy-to-understand reports that help address issues quickly, reducing security risks at various stages of the application lifecycle.

The service supports compliance checks and integrates with other AWS security products, creating a comprehensive security posture for cloud-native applications. It eliminates manual processes by enabling continuous monitoring, ensuring a proactive approach to vulnerability management. This approach is especially beneficial for organizations operating at scale, where automated security assessments are crucial for maintaining security standards consistently without increasing operational overhead.

AWS CodeCommit: Manage Source Control

AWS CodeCommit is a managed source control service that helps in managing source code securely. It enables teams to make incremental changes to applications, streamlining code management and deployment processes within a DevSecOps framework. With its integration capabilities with other AWS services, CodeCommit facilitates automated testing and deployment of code changes, allowing teams to maintain version control without compromising on security or speed.

Security features within CodeCommit, such as repository encryption and access control permissions, ensure that only authorized users can make changes. This feature minimizes unauthorized access risks and improves code integrity throughout development. CodeCommit also supports seamless integration with CI/CD pipelines, enabling automated build and deployment processes that incorporate real-time security scans, ensuring that security checks are not bypassed during rapid iteration cycles.

Note: CodeCommit is no longer available for new AWS customers.

AWS Secrets Manager: Rotate, Manage, and Retrieve Secrets

AWS Secrets Manager plays a vital role in safely storing and managing sensitive information like database credentials and API keys. It offers the functionality to automate the rotation of secrets, reducing the risks associated with leaked or outdated credentials. Secrets Manager seamlessly integrates with AWS services and third-party applications, ensuring secure management of critical application secrets throughout their lifecycle.

By using Secrets Manager, organizations can enforce stringent access controls and audit capabilities, thereby maintaining compliance with security policies. The service simplifies secret distribution by allowing applications to access secrets when needed without hardcoding them in the application repository. This approach not only secures sensitive information but also supports best practices in secret management in a rapidly changing application environment.

Dan Garfield
VP of Open Source, Octopus Deploy
Dan is a seasoned leader in the tech industry with a strong focus on open source initiatives. Currently serving as VP of Open Source at Octopus Deploy, contributing as an Argo maintainer, co-creator of Open GitOps, and leveraging extensive experience as a co-founder of Codefresh, now part of Octopus Deploy.

TIPS FROM THE EXPERT

In my experience, here are tips that can help you better implement DevSecOps practices on AWS:

  1. Leverage AWS Organizations for Centralized Security: Use AWS Organizations to manage security baselines across multiple accounts. This allows you to enforce consistent security policies using Service Control Policies (SCPs) and helps ensure that no AWS account is exempt from security configurations, such as enabling CloudTrail and GuardDuty.
  2. Adopt Pre-Commit Hooks for Early Security Feedback: Integrate security checks into your developer workflows with pre-commit hooks. Tools like pre-commit can be configured to run linting, SAST scans, or secret detection locally before code is pushed to AWS CodeCommit, catching issues even earlier than CI/CD pipeline stages.
  3. Enable Automated Remediation with AWS Systems Manager: Automate incident response by using AWS Systems Manager Automation documents. For example, if a vulnerability is detected by Amazon Inspector, use a predefined automation runbook to patch the affected instance or revoke exposed credentials without manual intervention.
  4. Utilize AWS Control Tower for Governance at Scale: AWS Control Tower can help streamline DevSecOps initiatives by providing a secure, compliant multi-account setup. It integrates with AWS Security Hub, AWS Config, and other services to enforce guardrails, reducing the risk of non-compliance from the start.
  5. Monitor API Usage with AWS WAF and Shield: Use AWS WAF and AWS Shield to protect your APIs against common web exploits like SQL injection and DDoS attacks. Integrate these services with your CI/CD pipeline by deploying API security configurations alongside the application code, ensuring consistent API security across deployments.

Example: Building an End-to-End DevSecOps CI/CD Pipeline on AWS 

This section is based on an AWS reference architecture for DevSecOps, published in 2021. Below is an overview of the key components involved and the main steps that outline how this pipeline operates.

Source: AWS

Key components of the pipeline:

  1. AWS CodeCommit: CodeCommit serves as the source control service, where developers store and manage code changes. It triggers the pipeline when new code is committed.
  2. AWS CodePipeline: CodePipeline orchestrates the entire CI/CD process by automating the flow from code commits to deployment. It manages the stages of the pipeline and ensures that each step is executed in sequence.
  3. AWS CodeBuild: CodeBuild is responsible for compiling source code, running tests, and packaging the application. It integrates with security tools to perform static code analysis and vulnerability scans during the build process.
  4. AWS CodeDeploy: CodeDeploy handles the deployment of the application to staging and production environments, ensuring smooth rollouts without manual intervention.
  5. Amazon Simple Storage Service (S3): S3 stores artifacts generated during the build process, including packaged applications, scan reports, and logs.
  6. AWS Lambda: Lambda functions are used to automate responses to security findings, such as parsing vulnerability scan results and posting them to AWS Security Hub.
  7. AWS Security Hub: Security Hub consolidates all security findings from different stages of the pipeline, giving teams a unified view of vulnerabilities and security risks.
  8. AWS CloudWatch: CloudWatch monitors the state of the pipeline and triggers alerts when specific events occur, such as build failures or security findings.
  9. AWS Systems Manager Parameter Store: Parameter Store securely manages sensitive data such as API keys, tokens, and passwords used throughout the pipeline.

Main steps of the pipeline:

  1. Source code commit and pipeline trigger: The process begins when a developer commits code to an AWS CodeCommit repository. This triggers a CloudWatch event, which activates AWS CodePipeline to start the automated workflow.
  2. Building and testing with CodeBuild: In the build stage, CodeBuild compiles the source code and runs unit tests. It packages the application and stores the output in an S3 bucket. During this phase, CodeBuild retrieves sensitive credentials from Parameter Store to authenticate and initiate security scanning tools.
  3. Static security scanning: As part of the build process, CodeBuild integrates with open-source security tools such as OWASP Dependency-Check for analyzing third-party libraries for known vulnerabilities (Software Composition Analysis or SCA) and SonarQube or PHPStan for checking the source code for security issues (Static Application Security Testing or SAST).
  4. Reporting vulnerabilities: If vulnerabilities are found, a Lambda function processes the results and sends them to AWS Security Hub. This ensures that the development team is immediately alerted to security risks, which are also logged for later review in S3.
  5. Deployment to staging environment: After the build passes all tests and security scans, CodeDeploy automatically deploys the application to a staging environment in AWS Elastic Beanstalk. This environment simulates production for further testing and validation.
  6. Dynamic Application Security Testing (DAST): In the staging environment, a security scan using ZAP is performed to identify vulnerabilities in the running application. This phase focuses on detecting security issues in the live environment that may not have been caught by static analysis.
  7. Approval and deployment to production: Once the DAST scan is completed, the pipeline pauses for manual approval. After approval, CodeDeploy deploys the application to the production environment, ensuring a secure and efficient rollout.
  8. Monitoring and notifications: Throughout the pipeline, AWS CloudWatch and SNS send notifications to relevant teams when significant events occur, such as a build completion or security findings. AWS CloudTrail logs every API call in the pipeline for audit and compliance purposes.
  9. Continuous auditing and governance: AWS Config checks the pipeline for compliance with security best practices, such as ensuring that sensitive credentials are not stored in plaintext. This helps maintain a strong security posture across the entire CI/CD process.

Best Practices for Adopting DevSecOps on AWS

1. Automate Security Testing Across All Pipeline Stages 

Automating security testing ensures that vulnerabilities are caught as early as possible without introducing manual bottlenecks. By integrating static code analysis (SAST), dynamic testing (DAST), and dependency checks directly into the pipeline, teams can enforce consistent security standards across every stage. 

A layered testing approach, including unit tests, integration tests, and live environment scans, reduces the risk of unaddressed vulnerabilities slipping into production. To avoid pitfalls, ensure the security tests are fast and non-disruptive. Excessive testing durations can delay feedback loops, frustrating developers and undermining adoption. 

2. Enforce Principle of Least Privilege

Implementing the principle of least privilege minimizes the potential damage from compromised credentials or misconfigurations. Each system, application, and individual should only have access to resources essential to their role or function. Use granular permission sets for roles and services to tightly control access.

Frequently audit permission assignments to ensure they match evolving requirements. Overly permissive configurations often arise from attempts to resolve access issues quickly. Avoid assigning blanket permissions, as they can be exploited by attackers or inadvertently misused. Regularly review and adjust permissions, ensuring access is revoked when no longer needed.

3. Integrate Secrets Management at Every Stage 

Proper secrets management prevents sensitive data, such as API keys, passwords, or certificates, from being exposed in code repositories or logs. Centralize secrets storage in a secure, encrypted environment, and ensure applications access them dynamically at runtime. Automate secret rotations to reduce risks from compromised or outdated credentials.

Ensure secrets are never hardcoded or shared manually between team members. Educate teams about the risks of storing secrets in plaintext or including them in version control systems. Regularly audit access to secrets, and enforce thorough monitoring to detect unauthorized access attempts.

4. Regularly Review and Rotate Access Controls and Keys 

Frequent review and rotation of access controls and keys ensure that potential exposures do not persist indefinitely. Regularly scheduled key rotations reduce the risk of unauthorized access due to leaked or compromised credentials. Adopt a lifecycle management approach where keys and access credentials are continuously evaluated and updated.

Maintain a comprehensive inventory of all active keys and access permissions, including third-party integrations. Use automated tools to rotate keys and update dependencies dynamically, minimizing disruptions. Avoid manual key rotations, as these can introduce errors or operational delays.

5. Implement Continuous Monitoring and Incident Response Automation 

Continuous monitoring helps detect anomalies and security incidents in real time. Automate the analysis of logs, metrics, and network traffic to identify potential threats, such as unauthorized access attempts or unusual activity patterns. Pair monitoring with automated incident response workflows to contain and remediate issues quickly.

Ensure monitoring solutions are well-calibrated to reduce false positives and negatives. A deluge of false alarms can lead to complacency, while insufficient detection thresholds can miss critical threats. Continuously refine incident response playbooks and train teams to address edge cases.

6. Centralize Logging and Auditing for Compliance 

Centralizing logs across pipeline components provides a unified view of operations and security events, making it easier to identify anomalies and maintain compliance. Collect logs from source control, build tools, deployment systems, and runtime environments. Implement access controls to ensure log integrity and prevent tampering.

Design the logging strategy to focus on actionable insights rather than overwhelming teams with excessive data. Use standard formats for logs to simplify parsing and analysis. Regularly review logs for completeness and adjust configurations to capture evolving security and compliance requirements.

7. Conduct Regular Threat Modeling for Pipeline Components 

Threat modeling helps identify vulnerabilities and risks within the CI/CD pipeline. Map out pipeline components and workflows to uncover potential attack vectors, such as unsecured APIs, dependency vulnerabilities, or insider threats. Update the model frequently to reflect changes in the pipeline architecture.

Involve cross-functional teams, including developers, security experts, and operations staff, in threat modeling exercises. Ensure that identified threats are not only documented but also addressed through actionable steps. Avoid relying solely on theoretical models; validate assumptions with practical security tests and penetration simulations.

Related content: Read our guide to DevSecOps tools

CI/CD Security with Codefresh

Codefresh can help with CI/CD security in a number of ways

  1. It provides out of the box integrations for several code scanning tools
  2. It supports running security analysis tools before, during and after each deployment
  3. It will work with any software supply security solution to monitor and assess risks in any part of the software lifecycle
  4. It includes a built-in facility for storing secrets but also integrates with popular secret solutions (such as Hashicorp Vault or the secret facilities of major cloud providers)
  5. It allows organizations to run pipelines and deploy application with a zero trust model where confidential information never leaves the customer premises

Most importantly because GitOps is the central paradigm behind all aspects of the Codefresh platform, with Codefresh organizations get auditing and tracing facilities out of the box using standard Git tools. Every action in Codefresh (even from the UI) is backed by a Git commit. Simply looking at Git history provides an audit log for everything that happened in the platform.

Ready to Get Started?

Deploy more and fail less with Codefresh and Argo