How to set up a relevant and effective DevSecOps stack with AWS

What is DevSecOps?

Above all, DevSecOps is a cultural philosophy: a way of working that builds security into how development and operations teams already deliver, so that operational excellence and structural efficiency are achieved at the same time rather than traded against each other. DevSecOps provides major benefits to organizations:

What is Infrastructure as Code?

In most cases, the cloud removes the need to own infrastructure and to manage it physically. Nevertheless, the infrastructure still exists; it simply adapts to the new methods and requirements of the teams. A migration to the cloud will therefore not make your Ops teams obsolete.

In fact, the rise of Infrastructure as Code (IaC) allows you to better serve every player in your organization’s IT ecosystem. Often at the heart of a DevOps transformation, this approach is not just a convenience but a real necessity: when infrastructure is declared in code, it can be reviewed, versioned, tested and audited like any other code.

In addition to a reorganization to accommodate this paradigm shift, a number of tools and services (often associated with specific DevSecOps practices) are necessary for:

Tools, which are often dismissed as mere conveniences, are now vital to the implementation of DevSecOps in organizations. We therefore need to take some time to explore the various offers on the market and understand how these products work together in your ecosystem.

How do AWS tools meet the requirements of DevSecOps?

Let’s look at the tools offered by AWS for creating a relevant and effective DevSecOps stack.

AWS tools for continuous integration (CI)

Continuous integration involves automating the build, test and deliverable-generation phases for every change pushed to the repository. It gives developers confidence that each change integrates with a sound, tested foundation rather than discovering breakage weeks later.

AWS tools for continuous delivery (CD)

Continuous delivery involves automating the deployment phases up to production, which remains gated behind a manual approval. (When that last step is automated too, the practice is called continuous deployment.)

Which AWS tools can be used for Infrastructure as Code?

Let’s look at a simple example in TypeScript using the AWS CDK. We’ll create a Secrets Manager secret that can only be read by a defined IAM role.

First of all, the CDK provides a Stack class to subclass; our infrastructure is declared inside its constructor. The imports below assume CDK v2 (aws-cdk-lib); CDK v1 used per-service @aws-cdk packages instead:

import { Stack, StackProps } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as sm from 'aws-cdk-lib/aws-secretsmanager';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';

export class InfraStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    // definition of the infrastructure here
  }
}

All the subsequent code blocks will be placed in “definition of the infrastructure here.”

Let’s create the IAM role:

const secretRole = new iam.Role(this, 'MyRole', {
  // Trust policy: only the EC2 service (i.e. instances carrying this role) may assume it.
  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
});

The role is stored in the secretRole variable, which can be used in the rest of the code.
“MyRole” is the construct ID; the CDK derives from it the logical ID you will see in the CloudFormation template (the physical role name is generated unless you set roleName).
“assumedBy” defines the role’s trust policy, i.e. who may assume it, and it is the first place where least privilege applies. The original version of this example used iam.AnyPrincipal(), which lets any AWS identity in any account attempt to assume the role and therefore defeats the goal of a secret that only one defined role can read. Pick the narrowest principal that fits: a ServicePrincipal such as EC2 or Lambda (used here because the bonus section attaches the role to an EC2 instance), a WebIdentityPrincipal or FederatedPrincipal for a federated web identity (Cognito, Google, Facebook, etc.), or an AccountPrincipal / ArnPrincipal for a specific AWS account, user or role. Note that CanonicalUserPrincipal is an S3 canonical user ID, not an IAM user.

Now that we have the role, let’s create the secret:

const websiteAccessPassword = new sm.Secret(this, 'WebsiteAccessPassword', {
  generateSecretString: {
    secretStringTemplate: '{}',
    generateStringKey: 'password',
  },
});

This declares the secret “WebsiteAccessPassword”; when the stack is deployed, Secrets Manager generates a random string as its value, so the password never appears in source code or in the CloudFormation template.
“generateStringKey” names the key, “password”, under which the generated string is stored, and that key is added to the JSON object given by “secretStringTemplate” (here the empty object “{}”; you can put non-secret fields such as a username in the template).
In other words, when we retrieve the secret (for example with the CLI command “aws secretsmanager get-secret-value”), the SecretString field of the response contains a JSON document like this:

{
  "password": "theGeneratedString"
}

Finally, we must give our role permission to read our secret:

websiteAccessPassword.grantRead(secretRole);

grantRead attaches to the role a policy allowing only secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on this secret’s ARN (plus kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key). No other secret, and no write or delete action, is covered, which is exactly the scope we want.

Bonus:

We can attach this role to any compute resource we create. For example, we may wish to read the secret from an EC2 instance that we’ve also created via the CDK (or that we’ve referenced). Now you just have to give it the role “secretRole”:

const ec2Instance = new ec2.Instance(this, 'ec2-instance', { role: secretRole, ... });

The CDK creates the instance profile for you, and code running on the instance obtains the role’s temporary credentials from the instance metadata service, so no long-lived access key has to be written to disk.

To finish with the CDK, a single command suffices to turn our code into a deployed CloudFormation stack: “cdk deploy”. Before deploying, “cdk synth” writes the generated template to cdk.out so it can be inspected, and “cdk diff” shows what will change in the running stack; reviewing that diff is the moment to catch an unexpectedly broad IAM grant.

Like all source code, IaC can be managed with continuous integration and delivery. We can then deploy an entire infrastructure in the same way as we deploy the programs that will run on it, with the same reviews, automated tests and approval gates applied to the infrastructure changes.
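One concrete way to put IaC through CI is to gate the pipeline on the template that “cdk synth” produces. The following is an added example, not code from the original article or from the AWS CDK project: it scans a CloudFormation template for the two things the role/secret example above can get wrong, a role whose trust policy admits any AWS principal (which is what iam.AnyPrincipal() synthesizes to) and a policy that grants more on Secrets Manager than Secret.grantRead() hands out. It generalizes beyond the single pair on this page and checks every role and policy in the template. The embedded template is constructed for the example; it mirrors the shape of CDK output, but its logical IDs and the two “fixed” resources are assumptions rather than real synth output.

```typescript
// Added example (not from the original article or the AWS CDK): a CI gate over a
// CloudFormation template, e.g. the one `cdk synth` writes to cdk.out/<Stack>.template.json.
// Finding 1: an AWS::IAM::Role whose trust policy lets any AWS principal assume it
//            (iam.AnyPrincipal() synthesizes to Principal: {"AWS": "*"}).
// Finding 2: an IAM policy granting more on Secrets Manager than Secret.grantRead()
//            does (GetSecretValue + DescribeSecret), e.g. "secretsmanager:*" or "*".

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource?: unknown;
  Principal?: unknown;
};
type PolicyDocument = { Version?: string; Statement: Statement[] };
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, CfnResource> };
type Finding = { logicalId: string; rule: string; detail: string };

// Exactly the actions Secret.grantRead() grants; any other Secrets Manager action is a finding.
const SECRET_READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"];

function asList(a: string | string[]): string[] {
  return Array.isArray(a) ? a : [a];
}

// "*", {"AWS": "*"} or an AWS list containing "*" all mean "any principal".
function isWildcardPrincipal(p: unknown): boolean {
  if (p === "*") return true;
  if (typeof p === "object" && p !== null) {
    const aws = (p as { AWS?: unknown }).AWS;
    return aws === "*" || (Array.isArray(aws) && aws.indexOf("*") >= 0);
  }
  return false;
}

function checkTrustPolicies(t: Template): Finding[] {
  const out: Finding[] = [];
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type !== "AWS::IAM::Role") continue;
    const doc = r.Properties?.["AssumeRolePolicyDocument"] as PolicyDocument | undefined;
    for (const s of doc?.Statement ?? []) {
      if (s.Effect === "Allow" && isWildcardPrincipal(s.Principal)) {
        out.push({ logicalId: id, rule: "open-trust-policy", detail: "any AWS principal may assume this role" });
      }
    }
  }
  return out;
}

function checkSecretGrants(t: Template): Finding[] {
  const out: Finding[] = [];
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type !== "AWS::IAM::Policy" && r.Type !== "AWS::IAM::ManagedPolicy") continue;
    const doc = r.Properties?.["PolicyDocument"] as PolicyDocument | undefined;
    for (const s of doc?.Statement ?? []) {
      if (s.Effect !== "Allow") continue;
      for (const action of asList(s.Action)) {
        const touchesSecrets = action === "*" || action.toLowerCase().indexOf("secretsmanager:") === 0;
        if (touchesSecrets && SECRET_READ_ACTIONS.indexOf(action) < 0) {
          out.push({ logicalId: id, rule: "secret-beyond-read", detail: "action " + action + " exceeds read access" });
        }
      }
    }
  }
  return out;
}

function scanTemplate(t: Template): Finding[] {
  return checkTrustPolicies(t).concat(checkSecretGrants(t));
}

// Constructed sample (assumed logical IDs): the article's original AnyPrincipal() role beside an
// EC2-only role, and a grantRead()-shaped policy beside an over-broad one.
const assumeRoleDoc = (principal: unknown): PolicyDocument => ({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: principal }],
});
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    MyRoleOpen: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: assumeRoleDoc({ AWS: "*" }) } },
    MyRoleEc2: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: assumeRoleDoc({ Service: "ec2.amazonaws.com" }) } },
    MyRoleReadPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Version: "2012-10-17", Statement: [
      { Effect: "Allow", Action: SECRET_READ_ACTIONS, Resource: { Ref: "WebsiteAccessPassword" } }] } } },
    AdminPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Version: "2012-10-17", Statement: [
      { Effect: "Allow", Action: "secretsmanager:*", Resource: "*" }] } } },
  },
};

// Returns the exit status a pipeline step would use: 0 when clean, 1 when anything is flagged.
function runGate(t: Template): number {
  const findings = scanTemplate(t);
  for (const f of findings) console.log(f.rule + " " + f.logicalId + ": " + f.detail);
  return findings.length === 0 ? 0 : 1;
}

runGate(SAMPLE_TEMPLATE);
```

In a real pipeline, replace SAMPLE_TEMPLATE with JSON.parse of cdk.out/InfraStack.template.json after “cdk synth” and exit with the value runGate returns; the article’s original AnyPrincipal() role fails the gate, the ServicePrincipal version passes. The check deliberately looks only at AWS::IAM::Policy and ManagedPolicy resources, which is where grantRead() puts its statement; inline Policies on a role and resource policies on the secret itself would need the same loop applied to those properties.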

In this first article, we presented the AWS tools for continuous integration, continuous delivery and Infrastructure as Code. These first bricks are the foundation of your AWS infrastructure. However, in order to adhere to the DevSecOps methodology as closely as possible and obtain a consistent stack, additional bricks are required, in particular monitoring and collaboration. These will be covered in subsequent articles. In the meantime, discover our AWS offer here.