Continuous Delivery can be challenging, especially for enterprises that deal with strict compliance requirements like those in the financial services sector. AWS and Stelligent frequently work together with many large Financial Services Enterprises to help incorporate their capabilities securely on the Cloud. From security of the source code used to trigger builds, to the insertion of strict business controls at run time, and out to the continuous inspection of the running infrastructure to ensure compliance, we are helping to build capabilities that are enabling them to run their business faster and safer on AWS. In this breakout session we will share some very effective techniques that can be incorporated into your Continuous Delivery capability that bring bank level controls and security while enabling faster deployments. We will be looking at a strong encryption pattern for handling Build Artifacts in a Continuous Delivery Pipeline, a simple process for inspecting CloudFormation to ensure business rules are in compliance prior to AWS api calls, and a runtime inspector with Lambda and AWS Config Rules that can be leveraged to ensure that running infrastructure is always in compliance. Attendees will benefit from real-world scenarios and code examples of how to incorporate these techniques into their capabilities.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DevOps Pipeline Security
How to use AWS to secure your DevOps Pipeline like a bank
Alan Garver AWS Sr. Professional Services Consultant
Chuck Dudley Stelligent Director Financial Services Accounts
Jamie Greco Citi Sr. VP Technical Program Management
FIN303

2. What to Expect from the Session
• Simple Secure Build Artifact Repository with AWS
• Advanced DevOps Pipeline Concepts
• Static Code Analysis for Infrastructure as Code
• Use AWS Config Rules and AWS Lambda to Monitor Resource Compliance

3. Technology Challenges in Financial Services
Regulatory
Requirements
Organizational
Boundaries
DEV OPS
Engineering
Monolithic
Applications

5. Enable Continuous Delivery on the Cloud
Provisioning
Monitoring
CI / CD
Orchestration
Tokenization &
Encryption
• Deploy provisioning tools
• Practice to provision & manage all architecture and data
components (e.g. operating system )
• Implement automated systems to monitor infrastructure and
applications to alert abnormal conditions.
• Align disintegrated tools, people, controls and processes
• Focus on automated builds, orchestration & deployment
capabilities.
• Manage overall orchestration governing different actions and
phases that make up the deployment pipeline (e.g. code check-
in to go-live on cloud)
• Consistent way to protect information
Establish Cloud platform and enable developers to build and rapidly deploy

6. Journey to Decouple the Mainframe and ESB

7. & Control Teams
Empower teams to accelerate decision making and delivery
Empowering Teams
DEDICATED
TEAMS
 Organize in 2-pizza teams
 Map capabilities to service owners with
dedicated teams
OWNERSHIP
 Autonomous teams that can build, test and
deploy independently
 Decision making authority for service at team
level
TRANSPARENCY
 Inspection and transparency of the team
performance, service capability and roadmap
 Services are tracked, mapped and managed
via the Service Catalog
Technical
Program
Manager

8. Accelerating Innovation and Product Delivery
4 DELIVER ON STRATS
BUILD GLOBAL
CLOUD FOUNDATION1
BUILD
MICROSERVICES2
EMPOWER
TEAMS3
 Create operating framework
 Establish design patterns for
microservices
 Build, re-use and extend services
 Test driven development
 Deploy cloud infrastructure
 Establish scale and availability
 Enable continuous
integration/continuous delivery
 Protect Citi information
 Build full stack, autonomous agile,
scrum teams
 Single ownership structure
 Empowered development with
decentralized functions
 Continuous integration / deployment
SPEED, COST & QUALI TY
IMPROVING

9. The DevOps Pipeline

10. Continuous Delivery Pipeline
• A secure automated transport mechanism
• Moves a resources from point A to point B

11. Continuous Delivery Pipeline
• Transports code from development to production
• Tests ensure integrity and validity of the resource
• Resources morph from source, to executable, to
operational

12. Continuous Delivery Pipeline
• Failures stop the line, and prevent breakages to
production
• Fast feedback provided to the developer
• Customized to your software development lifecycle

13. AWS CodePipeline
• Quickly model and
configure release stages
• View progress
at-a-glance
• Use your favorite tools
• Integrates with other
AWS services

14. The Build Artifact Repository
The Build Artifact Repository
Storage of Build Artifacts for later deployment in the pipeline

15. Why Build Artifact Repository
• Build once, deploy many times
• Version control
• Artifacts available for later deploy events (Scale Up)
• Build Server and Deployed Services don’t need to talk to
each other

16. Pipeline Build Artifacts
Objects assembled during a build process from code used
for testing and convergence down stream in a pipeline
Chef
Cookbook
Code
.tar
Build
Artifact
# berks vendor
Build
# chef-client
Deploy
Amazon EC2
Instance
Running
System

17. Examples of Build Artifacts
ruby
python
chef
puppet
Amazon Linux
chocolatey

18. Simple Artifact Repository with AWS
Build System
Amazon EC2 at launch
Converging Systems
Artifact Repository
Amazon S3 Bucket
1 detect commit
2
build
mvn package
3 publish
s3 put-object
4 launch
ec2 run-instances
–-user-data
retrieve
s3 get-object
5

19. Pipeline Build Artifacts Like a Bank
Data Protection Entitlement Integrity
AWS KMS AWS IAM sha256sum
• Generate Data Keys for client side encryption
• Use Server Side Encryption integration with Amazon S3
• Use IAM Roles to grant access to resources
• Implement strict resource policies for S3
Buckets and KMS Keys
• Validate integrity with sha-sum
• Implement sha integrity database

20. Envelope Encryption with AWS KMS
$> aws kms generate-data-key
--key-id alias/artifact-demo
--key-spec AES_256 --output text
--query [Plaintext,CiphertextBlob]
$> openssl enc -aes-256-cbc -salt
–in source.tar
–out encrypted.out
-k ${Plaintext}
$> tar –czvf artifact.tgz
encrypted.out
CiphertextBlob.out
Source
encrypt
KMS

21. Artifact Repository on AWS with encryption
Build System
Artifact Repository
Amazon S3 Bucket
detect commit
2
build
mvn package
5 launch
ec2 run-instances
–-user-data
3 encrypt
kms generate-data-key
enc –k Plaintext
Client Side Envelope Encryption
Server Side Encryption
4 publish
s3 put-object
–-sse aws:kms
1

22. Entitle Access with Resource Policies
Artifact Repository
Amazon S3 Bucket
Artifact Encryption Key
AWS KMS Customer Master Key
S3 Bucket Policy KMS Key Policy

23. Entitle Access with Resource Policies
Artifact Repository
Amazon S3 Bucket
Amazon EC2 at launch
Converging Systems
Artifact Encryption Key
AWS KMS Customer Master Key
S3 Bucket Policy KMS Key Policy
retrieve
s3 get-object
1 decrypt
kms decrypt
2

24. Entitle Access with Resource Policies
Amazon EC2 at launch
Converging Systems
IAM Role
Instance Profile

25. Entitle Access with Resource Policies
Artifact Repository
Amazon S3 Bucket
Amazon EC2 at launch
Converging Systems
Artifact Encryption Key
AWS KMS Customer Master Key
S3 Bucket Policy KMS Key Policy
retrieve
s3 get-object
1 decrypt
kms decrypt
2
IAM Role
Instance Profile

26. Validate Artifact Integrity
$> sha256sum mysource
b2f3fb7e84761eac78eb34aaaae2793efb41f23141a31f2c mysource
$> tar –czvf artifact.tgz
encrypted.out
sha256sum.out
CiphertextBlob.out
CiphtertextBlob
KMS
Encrypted
Source

27. Validate Artifact Integrity
Artifact Repository
Amazon S3 Bucket
1
Artifact Encryption Key
AWS KMS Customer Master Key
3
Amazon EC2 at launch
Converging Systems
retrieve & unpack
s3 get-object
decrypt
kms decrypt
2
verify
${envelope_sum} == $(sha256sum)
4 validate authorization
dynamodb query $(sha256sum)
Authorized Artifacts
Amazon DynamoDB Table

29. Continuous Delivery Pipeline
• A secure automated transport mechanism
• Moves a resources from point A to point B

30. Commit Acceptance Capacity Pre-Prod Production
The Stelligent Pipeline

31. GOAL:
Fast feedback for developers
PIPELINE ACTIONS:
1. Unit Tests
2. Static Code Analysis
Commit Acceptance Capacity Pre-Prod Production
The Commit Stage

32. GOAL:
Fast feedback for developers
Commit Acceptance Capacity Pre-Prod Production
The Commit Stage
SECURITY TESTS:
1. Security static analysis
of application code
PIPELINE ACTIONS:
1. Unit Tests
2. Static Code Analysis

33. GOAL:
Fast feedback for developers
Commit Acceptance Capacity Pre-Prod Production
The Commit Stage
SECURITY TESTS:
1. Security static analysis
of application code
2. Security static analysis
of infrastructure code
PIPELINE ACTIONS:
1. Unit Tests
2. Static Code Analysis

34. Security Static Analysis of CloudFormation
• Security static analysis builds a model of templates in
order to verify compliance with best practices and
organizational standards.
• This can be a powerful tool to stop bad things before
they happen.
• A security organization can define their policy in code
and have all development efforts unambiguously verify
against that standard without manual intervention.

35. Static Analysis of CloudFormation with cfn-nag
The cfn-nag tool inspects the JSON of a CloudFormation
template before convergence to find patterns that may
indicate:
• Overly permissive IAM policies
• Overly permissive security groups
• Disabled access logs
• Disabled server-side encryption

36. Demo

37. GOAL:
Comprehensive testing of the application
and its infrastructure
PIPELINE ACTIONS:
1. Integration Tests
2. Acceptance Tests
Commit Acceptance Capacity Pre-Prod Production
The Acceptance Stage

38. GOAL:
Comprehensive testing of the application
and its infrastructure
SECURITY TESTS:
1. Infrastructure Analysis
PIPELINE ACTIONS:
1. Integration Tests
2. Acceptance Tests
Commit Acceptance Capacity Pre-Prod Production
The Acceptance Stage

39. Testing Infrastructure Changes
Problems to solve:
• Prevent infrastructure changes that violate company
security policies.
• Need the ability to codify security rules and get
notifications when violations occur.
• Ability to execute on-demand compliance testing.

40. Testing Infrastructure Changes
AWS Config solves these problems, but…
• Pipeline enablement can be challenging.
• Console-centric.

41. config-rule-status
ConfigRuleStatus is an open source tool that enables continuous
monitoring and on-demand testing of security compliance for infrastructure
through the AWS Config service.
How does it solve the problem?
• Sets up AWS Config for resource monitoring.
• Creates Config Rules and Lambda functions to evaluate security compliance.
• Creates a Tester Lambda function that returns aggregated compliance status.

42. config-rule-status
How should it be used?
• The bundled CLI provides commands for deploying the
tool.
• The Tester Lambda function can be invoked with the
bundled CLI or the AWS CLI.
• Invoke it from a CD pipeline to catch policy violations
before they get to production.

43. Core Technology

44. config-rule-status
On-Demand
compliance testing
for AWS Resources

45. Demo

46. GOAL:
Test the system under real world conditions
The Capacity Stage
Commit Acceptance Capacity Pre-Prod Production
PIPELINE ACTIONS:
1. Performance Tests
2. Load Tests

47. GOAL:
Test the system under real world conditions
The Capacity Stage
Commit Acceptance Capacity Pre-Prod Production
PIPELINE ACTIONS:
1. Performance Tests
2. Load Tests
SECURITY TESTS:
1. OWASP ZAP Pen Test
2. OpenSCAP Image Testing

48. GOAL:
Go / no-go decision for blue/green deployment
PIPELINE ACTIONS:
1. Build Pre-Prod Stack
2. Data Migration
3. Blue/green Deployment
Commit Acceptance Capacity
Pre-Prod Production
The Production Stage

49. SECURITY ACTIONS:
1. Prevent out-of-band changes
2. Security metrics for feedback
loops
PIPELINE ACTIONS:
1. Build Pre-Prod Stack
2. Data Migration
3. Blue/green Deployment
GOAL:
Go / no-go decision for blue/green deployment
Commit Acceptance Capacity
Pre-Prod Production
The Production Stage

50. Resources
stelligent.com/fin303

51. Thank you!

52. Remember to complete
your evaluations!