DevSecOps Introduction: Clear Instructions on How to Build a DevSecOps Pipeline in AWS [Part 2]

Written by gourav-das | Published 2021/04/21
Tech Story Tags: devsecops | open-source | devops | aws | security | pipeline | aws-codepipeline | hackernoon-top-story

TLDR DevSecOps Introduction: Clear Instructions on How to Build a DevSec Ops Pipeline in AWS [Part 2] The following series is split into two parts (refer below) with very simple and clear instructions to provision a CI/CD pipeline. Everything is covered from scratch, you won't face any difficulty understanding. The following pre-prod environment will host a sample Java application in an AWS group Autoscaling group. It will be deployed using an AWS CodeCommitency repository & deployed using CloudFormation. The application has been exposed to the internet by an AWS application using an Amazon ALB balancer. Once it is approved, it will go to production for the deployment stage, which requires manual approval.via the TL;DR App
Note: What would you do if you ever got lost? 
Click Here
 to go to the First part of the Series. It's Important To Take Things One Step At A Time. ~GD
Welcome to the second part of the How to Build a DevSecOps Pipeline in AWS. In the second part, I would focus on all the DevSecOps Stages in detail and how to check the test results (artefacts). Before starting, let's do a recap. In Part 1, you have built a DevSecOps CI/CD Pipeline by using AWS native developer tools such as code pipeline, code build & code commit. The entire provisioning was done using a cloudformation stack. 
The following series is split into two parts (refer below) with very simple and clear instructions to provision a CI/CD pipeline adhering to DevSecOps principles in AWS.
Everything is covered from scratch, you won't face any difficulty understanding. In case of any clarification, drop me a note on LinkedIn. Feel free to explore them with ease, skip to the one which is relevant to you.

1. AWS CodePipeline Security Validation Stages:

The Codepipeline Security Validation Stages perform the static code analysis on the committed code whenever a new piece of code added by the developers.
Click here to open the AWS CodePipeline console, change the region if you have run the DevSecOps master template in a different region. Navigate to the required codepipeline to check for the build details & artefacts, you need to click on the Details as shown aboveIt will take you to the respective build status page, you can see something similar like below.
You can navigate through the tabs to check for:
  1. Build Logs: Generated during the code build run as shown below, which is essential to investigate & look for issues if a build failed.
  2. Phase details: Show you the various stages in the build process.
  3. Environmental Variables: Dynamic cfn user input or passed through other pipeline stages.
  4. Reports: Applicable only for SCA-Check and IaC-Check builds, where JUnit artefacts converted into AWS CodeBuild Reports.
  5. Build Details: Stores the Test Results or Artifacts.
1.1 How to check the Build Artefacts or Test Results ?
To check the Test Results or Artifacts, switch to the Build Details tab. You need to scroll a little bit down to see the Artifacts section, as shown below. It contains the hyperlink to the artefacts stored in S3. Click to navigate & download it.
Note: You can check the artefacts only for SAST-Check and DAST-Check [Check Section 2 below]. Always download the latest artefacts after a successful build. 
1.2 How to check the Code Build Reports
To check the Code Build Reports, switch to the Reports tab, as shown below. It contains the hyperlink to the Code Build Reports, click to navigate. In the 
SCA-Check report
, you can check the 3rd party libraries within the project and if they are vulnerable or not. In the 
IaC-Check report
, you can validate whether your Cloudformation templates contain vulnerable resources. 
Note: Applicable only for SCA-Check and IaC-Check builds, where JUnit artefacts converted into AWS CodeBuild Reports. 

2. AWS CodePipeline Pre-Prod Stages:

Once all the above security stages are successful, it will move to the next AWS CodePipeline phase where a pre-prod environment will initialise by creating & executing a cloudformation changeset, you can see something similar like below. The following pre-prod environment will host a sample Java application in an AWS Autoscaling group. It is the same sample application stored in AWS CodeCommit repository & deployed using AWS CloudFormation.
The Application has been exposed to the internet by using an AWS application load balancer. The following AWS ALB URL will be passed to the DAST AWS CodeBuild stage as an environment variable. Dynamic Application Security Testing will be performed on that URL, which will generate a report and flag issues if it finds medium or high vulnerabilities. If the DAST AWS CodeBuild stage is successful, it will move to the prod- approval stage, which requires manual approval.
Once approved, it will go for the production deployment, which is 
out-of-scope for this tutorial
. As I mentioned earlier, readers can explore by themselves where they need to create a replica of the pre-prod environment to host the same sample application to bring up the production environment.

3. Caveats

  • You can find the latest code on GitHub. Request you to go through the Project once.
  • You can also go through all the buildspec.yaml files to understand how AWS CodeBuild is cooking the recipes for various stages. Search for the files within the GitHub project.
  • Once you complete the project demo, kindly follow the Clean Up section in the first part of the tutorial.
  • If you have enabled Security Hub, make sure you disable it. Click here to know the steps.
We have come a long way, kindly Share and help me on my mission to educate and familiarize people in the world of digitization 💪 #This is a Free tutorial and all my upcoming tutorials will be free and accessible from Public forums# Appreciate if you drop me a note on 
LinkedIn
 & share your opinion. Don't worry, I don't bite 👻 so don't shy away 🏃🏻‍♀️ 🏃🏻. Your feedback will help me to come up  with more awesome contents on the internet.
Written by gourav-das | Tech Enthusiast and Clouder. AWS 6x & Azure 2x Certified. & I still watch One piece and spongebob
Published by HackerNoon on 2021/04/21
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy