In today's digital world, security and reliability are paramount for any application, DevSecOps best practices to create a secure and reliable photo-sharing application. We'll use a combination of tools and services, including GitHub Actions, Checkov, Terraform, AWS EKS, and Prowler, to automate the software development and deployment process while ensuring security at every stage.
SourceCode Link: https://github.com/ravindrasinghh/Deploying-a-Bulletproof-Photo-Sharing-App-with-DevSecOps-Terraform-AWS-EKS-and-Chaos-Engineering
What is DevSecOps?
DevSecOps is a security-first approach to software development that emphasizes collaboration between development, security, and operations teams. By integrating security practices throughout the entire development lifecycle, DevSecOps helps to identify and fix vulnerabilities early on, reducing the risk of security breaches.
How the Architecture Works
The architecture we'll be using consists of several key components:
Infrastructure Management with DevSecOps
1. Infrastructure as Code (IaC):
We'll use Terraform to define our infrastructure as code. This means our infrastructure is created and managed using code, making it repeatable and manageable.
2. Version Control and Automation: GitHub as your version control system to store and manage your IaC code.
3. GitHub Actions: GitHub Actions automate our CI/CD pipeline,We'll use GitHub Actions to automate various tasks in our deployment pipeline, including security scanning.
4. Security Scanning in the Pipeline:
Integrate security scanning tools like TFSec and Checkov directly into your GitHub Actions workflows. Tools like TFSec and Checkov act as your quality inspectors
- TFSec: Integrate TFSec within your GitHub Actions workflow to scan your Terraform configurations for security misconfigurations. This helps identify potential security issues within your infrastructure code early in the development process.
- Checkov: Similar to TFSec, Checkov reviews your infrastructure code (like Terraform) and additional configurations for things like Kubernetes. It helps ensure that everything is secure and set up correctly before anything is actually built or deployed.
Code Commit and Build
1. Code Commit: Developers push their code changes to a version control system like GitHub.
2. Code Build Trigger: Upon a push event (or other configured triggers), GitHub Actions initiates the build process.
3. Code Build with Build Spec: The code is fetched from GitHub based on the workflow configuration.
- Build Spec Execution: A build specification file (buildspec.yml) located in the code repository instructs the build process on what to do. This YAML file typically includes steps for installing dependencies, running tests, and building the application.
Application Management with DevSecOps
Code Quality and Security Scanning:
1. Git secrets scanning: This will identify any sensitive information accidentally committed to your code repository.
2. SonarQube: This tool performs static code analysis to detect bugs and vulnerabilities in your code.
3. Hadolint: This tool will scan your Dockerfiles for potential security vulnerabilities and best practice violations.
4. Trivy: This tool scans container images for vulnerabilities before pushing them to Amazon ECR (ECR).
5. Amazon ECR (ECR): Amazon ECR is a container registry that allows you to store and manage your Docker container images securely.
6. Amazon Elastic Container Service (EKS):Amazon EKS is a managed Kubernetes service that allows you to easily deploy and manage containerized applications.
7. Amazon DynamoDB: A NoSQL database service that can be used to store application data alongside EKS.
Security after Deployment:
8. Slack Notifications: Get notified on Slack about successful code builds or failures, allowing for timely intervention if needed.
Amazon Security Services:
1. AWS Key Management Service (KMS):Encrypts your data in DynamoDB at rest and in transit for enhanced security.
AWS Web Application Firewall (WAF): Shields your application from common web attacks.
2. AWS Certificate Manager (ACM): Provides easy issuance and management of SSL/TLS certificates for secure communication.
Amazon Route 53: Manages DNS resolution for your application, directing users to the appropriate resources.
3. Amazon CloudFront: A content delivery network (CDN) that delivers content to users with high performance and low latency.
4. Amazon S3: Provides secure object storage for static content like photos.
5. Amazon Elastic Load Balancer: Distributes incoming traffic across your EKS cluster instances for scalability and high availability.
6. AWS WAF: AWS WAF is a web application firewall that helps to protect your application from common web attacks.
Security after Deployment:
1. Kubescape: This tool is used to scan your Kubernetes clusters for vulnerabilities and misconfigurations to ensure they meet compliance standards.
2. Prowler: Prowler is an open-source tool that helps you continuously monitor your AWS environment for security vulnerabilities and configuration issues.
3. AWS Config, CloudTrail, and Inspector:These AWS services provide continuous security monitoring and auditing of your AWS resources.
Chaos Engineering
AWS FIS to introduce controlled chaos into your infrastructure. This involves simulating failures within your EKS cluster or other AWS resources.
By injecting faults in a controlled manner, you can proactively identify weaknesses in your application's design and infrastructure. This allows you to improve your application's resilience and ability to handle unexpected events in production.
Benefits of the Architecture
1. Improved Security: By integrating security scanning throughout the development pipeline, we can identify and fix vulnerabilities early on in the development process. This helps to reduce the risk of security breaches.
2. Increased Efficiency: Automating tasks in the deployment pipeline with GitHub Actions can save time and effort for development, security, and operations teams.
3. Improved Reliability: Infrastructure as code (IaC) helps to ensure that our infrastructure is provisioned and configured consistently.
4. Better Collaboration: DevSecOps fosters collaboration between development, security, and operations teams by providing a shared understanding of security best practices.
5. Compliance: Tools like Kubescape and Prowler can help ensure your infrastructure meets security and compliance standards.
6. Faster Feedback: Notifications from successful code builds in GitHub Actions can help development teams identify and address issues quickly.
Troubleshooting:
Please remember to run this script; otherwise, your CodeBuild will not authenticate with the Kubernetes cluster, and you will encounter the following error
#!/bin/bash
# Dynamically fetch the AWS Account ID
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
ROLE_NAME="EksCodeBuildKubectlRole"
# Function to check if the IAM role exists
check_role_existence() {
aws iam get-role --role-name $ROLE_NAME > /dev/null 2>&1
echo $?
}
# Set the trust relationship policy JSON correctly
TRUST_POLICY='{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::'"${ACCOUNT_ID}"':root"
},
"Action": "sts:AssumeRole"
}
]
}'
# Create IAM Role if it does not exist
if [ $(check_role_existence) -ne 0 ]; then
echo "Creating IAM role..."
aws iam create-role --role-name $ROLE_NAME --assume-role-policy-document "$TRUST_POLICY"
else
echo "Role already exists, skipping creation..."
fi
# Define inline policy for describing EKS resources
INLINE_POLICY='{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "eks:Describe*",
"Resource": "*"
}
]
}'
# File path for inline policy
POLICY_FILE="/tmp/iam-eks-describe-policy"
echo "$INLINE_POLICY" > $POLICY_FILE
# Attach the policy to the role
aws iam put-role-policy --role-name $ROLE_NAME --policy-name eks-describe --policy-document "file://$POLICY_FILE"
# Prepare the role definition for the aws-auth configmap
ROLE_DEF=" - rolearn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}
username: build
groups:
- system:masters"
# Get current aws-auth configMap data, check for existing role and append if not present
kubectl get configmap aws-auth -n kube-system -o yaml > /tmp/aws-auth-original.yml
if ! grep -q "$ROLE_NAME" /tmp/aws-auth-original.yml; then
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE_DEF\";next}1" > /tmp/aws-auth-patch.yml
kubectl patch configmap aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
else
echo "Role already in aws-auth, no changes made..."
fi
# Verify the updated configMap
kubectl get configmap aws-auth -o yaml -n kube-system
Cost Calculations
- Region: Mumbai
Amazon EKS:
1 Cluster x $0.10 per hour x 730 hours per month = $73.00 USD
Amazon ECR:
100 GB per month x $0.10 = $10.00 USD
EC2 Instances:
1 Instance x $0.111 per hour x 730 hours in a month = $81.03 USD
For 2 Instances = $81.03 x 2 = $162.06 USD
Network Load Balancer (NLB):
1 Load Balancer x $0.0239 per hour x 730 hours in a month = $17.45 USD
If you prefer a video tutorial to help guide you through the setup of deploying a Bulletproof Photo Sharing App with DevSecOps Terraform, AWS, EKS and Chaos Engineering