"DevSecOps 的規模化實踐 講師：Rebeker Choi, Solutions Architect, AWS"

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rebeker Choi
Solutions Architect, Amazon Web Services
Implementing DevSecOps at Scale

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect from the session
What is DevSecOps? Why?
Landing Zone Concept
AWS CI/CD Pipeline
Demo Scenario

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
So, what is DevSecOps?

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
So, what is DevOps?
DevOps is a collaboration between Development and
Operations to improve agility and pace of innovation.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
So, what is DevSecOps?
DevSecOps is expanding the Dev + Ops collaboration to
include Security Automation.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals of DevSecOps
It’s important to have security that is:
• meets pace of innovation
• works at scale in a scalable infrastructure
• is working in less friction manner

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to win at DevSecOps – Automate!
- Automation is effective
- Automation is reliable
- Automation is scalable….

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to win at DevSecOps – team!
Operations Engineering
Application Infrastructure
Security
Security is everyone’s responsibilities!

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps pipeline
developers customers
delivery pipeline
feedback loop
• Address security threats more effectively, in real-time
• Embed security knowledge into DevOps teams so that they can secure the pipelines they design and
automate.
releasetestbuild
plan monitor
Security

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps common use cases
• Enterprise AWS Landing Zone on-boarding
• Centralized account creation
• Centralized VPC setup
• Centralized IAM setup
• Centralized Logging setup
• Centralized Monitoring
• AWS CI/CD Pipeline
• Infrastructure as code deployment
• application deployment
“before” application deployment
“during” application deployment

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing Zone Concept

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing
Zone
What Is A Landing Zone
Multi-Account AWS
Environment Based
on AWS Best Practices
Set of Architecture Patterns
For Shared Core Services
Adaptable Foundation
With Governance
Guardrails
Automation Driven
Versioned Infrastructure

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-account approach
AWS Organization Master
Security Logging
Shared
Services
Developer
Sandbox
Developer Accounts
Core Accounts
Pre-Prod
ProdDev
BU/Project Accounts
Data Center
AWS Organization: Account management
Logging: Centralized logs
Security: AWS Config rules, security tools
Shared services: Directory, DNS, limit
monitoring
Sandbox: Experiments
Dev: Development
Pre-Prod: Staging
Prod: Production
Test

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Landing Zone solution
Multi-
Account
Structure
User Access
NotificationsSecurity
Baseline
AWS
CloudTrail
AWS
Config
AWS Identity and
Access
Management
Cross-Account
Access Amazon VPC
https://aws.amazon.com/answers/aws-landing-zone/

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CI/CD Pipeline

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps is Automated, Continuous & Visible
MonitorTestDeployBuildCode
Cloud
Watch
CloudTrail
Config
Rules
CodeCommit CodeBuild 3rd parties
testing tools for
application
CodeDeploy
CloudFormation
CodePipeline

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MonitorTestDeployBuildCode
Cloud
Watch
CloudTrail
Config
Rules
CodeCommit CodeBuild 3rd parties
testing tools for
application
CodeDeploy
CloudFormation
CodePipeline
DevSecOps is Automated, Continuous & Visible
Scan for secrets
Static code
analysis
Deploy / Register security
components
Test security
meets
standards
Monitor
security
standards

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo Scenario:
Security policy only allows SSH port open to the
approved IP CIDR range (72.21.196.67/32)

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo: DevSecOps for Infrastructure code
AWS CodePipeline
https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
Create Stack
AWS
CloudFormation
DevOps
Code Push
Code Pull Static Code
Analysis
Lambda
Stack
Validation
Lambda
Create ChangeSet
AWS
CloudFormation
Approve
Test Stack
Delete Stack
AWS
CloudFormation
Execute ChangeSet
AWS
CloudFormation
Code analysis Stage Test Deployment Stage Production Deployment Stage
Amazon S3
Commit Stage
1. Commit
infrastructure code
changes to S3
2. Perform code
analysis to identify
vulnerabilities /
error
3. Deploy infrastructure change to test env.
4. Deployment security validation
5. Manual approval
6. Delete change on test env.
7. Deploy
infrastructure
change to
production
environment

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create Stack
AWS
CloudFormation
DevOps
Code Push
Code Pull Static Code
Analysis
Lambda
Stack
Validation
Lambda
Create ChangeSet
AWS
CloudFormation
Approve
Test Stack
Delete Stack
AWS
CloudFormation
Execute ChangeSet
AWS
CloudFormation
Code analysis Stage Test Deployment Stage Production Deployment Stage
Amazon S3
Commit Stage

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
``
Create Stack
AWS
CloudFormation
DevOps
Code Push
Code Pull Static Code
Analysis
Lambda
Stack
Validation
Lambda
Create ChangeSet
AWS
CloudFormation
Approve
Test Stack
Delete Stack
AWS
CloudFormation
Execute ChangeSet
AWS
CloudFormation
Code analysis Stage Test Deployment Stage Production Deployment Stage
Amazon S3
Commit Stage

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevOps team goes back and update the
infrastructure code to only allow SSH port open to
the approved IP CIDR range (72.21.196.67/32)

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
``
Create Stack
AWS
CloudFormation
DevOps
Code Push
Code Pull Static Code
Analysis
Lambda
Stack
Validation
Lambda
Create ChangeSet
AWS
CloudFormation
Approve
Test Stack
Delete Stack
AWS
CloudFormation
Execute ChangeSet
AWS
CloudFormation
Code analysis Stage Test Deployment Stage Production Deployment Stage
Amazon S3
Commit Stage

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MonitorTestDeployBuildCode
Cloud
Watch
CloudTrail
Config
Rules
CodeCommit CodeBuild 3rd parties
testing tools for
application
CodeDeploy
CloudFormation
CodePipeline
DevSecOps is Automated, Continuous & Visible
Monitor
security
standards

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail
• Simplify your compliance audits by automatically recording and storing
activity logs for your AWS accounts
• Provide visibility into your user and resource activity
WhoWhat
Where from
Where to
When

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config
Internal
Controls
Industry best
practice
• Perform configuration management of your AWS deployment against
compliance policies

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudWatch

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key Takeaways
• Automated security measures
• Continuous security measures as infrastructure evolves
• Security events have to be visible

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!