Continuous AWS Cloud Security with Trusted Delivery
Deployment frequency and lead time for changes measure how well an elite organization delivers software on demand to its users while keeping change failure rate and time to recovery low. As more teams adopt this way of working, the decentralized nature of cloud infrastructure has widened the attack surface, raising security issues and concerns that many companies grapple with.
Building and deploying trusted containerized artifacts, image generation pipelines, and secured CI/CD pipelines are all instrumental in fortifying the software development lifecycle. Using the AWS cloud and Weave GitOps, teams have a wide range of options to reduce the effort and complexity of maintaining continuous security and compliance. One method we introduce is Trusted application delivery. It allows organizations to express security and compliance guardrails as code, so that flawed configurations are blocked before they reach production.
AWS and Weaveworks collaborated to write this whitepaper: “Trusted Application Delivery: Continuous AWS Cloud Security with Weave GitOps.” In this blog, we introduce some of the concepts that the whitepaper discusses in depth and encourage you to download it to learn more.
Introducing Policy as Code and Trusted Delivery
Policy-driven deployment and management is one of the top DevOps and security pain points in 2022. Adding Policy as Code (Open Policy Agent, “OPA”, with policies written in the Rego language) enforces security checks before deployment, complemented by runtime drift detection and automatic remediation through GitOps. Together, these DevOps security tools create trusted application delivery: fully policy-driven deployment and operations automation that blocks non-compliant changes before they cause inconsistent application behaviour or downtime.
Security testing is often left until the end of the development cycle, where it can bring a deployment to a halt or, worse, let a flaw through to production. Automated security checks and guardrails prevent those delays and enforce governance and compliance while maintaining a high deployment frequency. When security policies are part of the GitOps pipeline, DevOps teams can take a radically declarative approach: every change is evaluated against the same policies in every environment, ensuring continuous compliance and reliability and minimizing configuration inconsistencies and human error.
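As an added illustration of what such a pre-deployment guardrail looks like (example code written for this post, not a policy from the Weave Policy Library, which has its own policy format), the following plain OPA policy rejects Kubernetes workloads that run privileged, use an image that is not pinned by digest, pull from outside the organisation's ECR registry, or omit resource limits. The package name, the rule names, and the registry account and region are assumptions; the sample Deployments are constructed so that `opa test` can run the file on its own.

```rego
package trusted_delivery.kubernetes

import rego.v1

# Trusted registry (assumed account ID and region, for illustration only).
allowed_registry := "123456789012.dkr.ecr.us-east-1.amazonaws.com/"

# Containers of a bare Pod, or of a workload that embeds a pod template
# (Deployment, StatefulSet, DaemonSet, Job).
containers contains c if {
    input.kind == "Pod"
    c := input.spec.containers[_]
}

containers contains c if {
    input.kind != "Pod"
    c := input.spec.template.spec.containers[_]
}

# Rule 1: a privileged container effectively owns the node.
deny contains msg if {
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# Rule 2: pin images by digest so the artifact that passed CI is the one
# that runs; a mutable tag such as :latest can be repointed after the scan.
deny contains msg if {
    c := containers[_]
    not contains(c.image, "@sha256:")
    msg := sprintf("container %q image %q is not pinned by digest", [c.name, c.image])
}

# Rule 3: only images from the trusted registry.
deny contains msg if {
    c := containers[_]
    not startswith(c.image, allowed_registry)
    msg := sprintf("container %q image %q is not from %s", [c.name, c.image, allowed_registry])
}

# Rule 4: CPU and memory limits, so a compromised or runaway pod cannot
# starve its neighbours.
deny contains msg if {
    c := containers[_]
    some resource in ["cpu", "memory"]
    not c.resources.limits[resource]
    msg := sprintf("container %q has no %s limit", [c.name, resource])
}

# Constructed sample inputs (not real manifests) so `opa test` runs this
# file stand-alone: the first violates all four rules, the second none.
bad_deployment := {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "api",
    "image": "nginx:latest",
    "securityContext": {"privileged": true}
}]}}}}

good_deployment := {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "api",
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api@sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}
}]}}}}

# Five messages: privileged, no digest, untrusted registry, no cpu, no memory.
test_bad_deployment_denied if {
    count(deny) == 5 with input as bad_deployment
}

test_good_deployment_allowed if {
    count(deny) == 0 with input as good_deployment
}
```

Run `opa test policy.rego` to execute the two embedded tests. In a pipeline, the same file gates a rendered manifest with `opa eval -i deployment.json -d policy.rego --fail-defined 'count(data.trusted_delivery.kubernetes.deny) > 0'`, which exits non-zero whenever at least one `deny` message is produced, so the job fails before anything is applied to the cluster.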
CI/CD Cloud Security Fundamentals
Running in the cloud does not make an application inherently secure. AWS has gone to great lengths to educate its users on the areas in which it provides security guarantees and the areas that organizations deploying workloads on the cloud must handle themselves. The “Shared Responsibility Model” is AWS’s framework for understanding, through an easy-to-follow concept, where security responsibilities lie between the cloud provider and the customer: AWS is responsible for security of the cloud (the underlying infrastructure), and the customer is responsible for security in the cloud (workloads, data, identities and configuration).
In an effort to let security move at the speed of software development, the industry has also shifted security left, using automation, guardrails and frameworks that reduce the complexity of addressing security concerns early. Although usually used as a single term, CI/CD comprises two stages with markedly different objectives.
- Continuous Integration is about building artifacts that have gone through a thorough process, so that they can be reliably trusted at runtime.
- Continuous delivery and deployment, on the other hand, guarantee that only those trusted artifacts land in any environment, and that they are made available to users with no negative impact on their experience or on the reliability of the service.
Continuous AWS Cloud Security
Like their virtual machine counterparts, container images can contain binaries and application libraries with known vulnerabilities, or become vulnerable over time as new CVEs are published against packages they already contain. An essential safeguard is to scan images regularly with an image scanner, not only once at build time. Images stored in Amazon ECR (Elastic Container Registry) can be scanned automatically on push or manually on demand; with ECR basic scanning, manual scans of a given image are limited to one per 24 hours. Basic scanning currently uses the CVE database from Clair, an open-source image scanning project; ECR enhanced scanning, which uses Amazon Inspector, rescans images continuously as new CVEs are published. Scan results only improve security if the pipeline acts on them, for example by refusing to promote an image that has unresolved critical or high findings.
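As an added example of turning a scan result into a pipeline gate (written for this post, not code from AWS or Weaveworks), the following OPA policy evaluates the JSON returned by `aws ecr describe-image-scan-findings` for ECR basic scanning and fails closed when the scan has not completed or when any finding at or above the blocking severity remains. The package name, the severity threshold, the risk-acceptance list and the finding names are assumptions; the sample responses are constructed, with placeholder names rather than real CVE identifiers, so that `opa test` can run the file offline.

```rego
package trusted_delivery.ecr

import rego.v1

# Severities that block promotion (assumption: CRITICAL and HIGH block,
# anything lower is reported elsewhere).
blocking_severities := {"CRITICAL", "HIGH"}

# Findings a risk owner has explicitly accepted (constructed placeholder
# name; in practice each entry carries a ticket reference and expiry).
accepted_findings := {"FINDING-EXAMPLE-ACCEPTED"}

# Fail closed: a scan that is FAILED, IN_PROGRESS, or missing must not pass.
deny contains msg if {
    status := object.get(input, ["imageScanStatus", "status"], "MISSING")
    status != "COMPLETE"
    msg := sprintf("image scan status is %q, not COMPLETE", [status])
}

# One message per blocking finding that has not been risk-accepted.
deny contains msg if {
    f := input.imageScanFindings.findings[_]
    f.severity in blocking_severities
    not accepted_findings[f.name]
    msg := sprintf("%s (%s) in %s", [f.name, f.severity, package_of(f)])
}

# Basic-scanning findings carry package details as a list of key/value
# attributes; flatten them so the message names the affected package.
package_of(f) := sprintf("%s %s", [attrs.package_name, attrs.package_version]) if {
    attrs := {a.key: a.value | a := f.attributes[_]}
    attrs.package_name
    attrs.package_version
} else := "unknown package"

# Constructed sample responses (not real scan output) for `opa test`.
completed_scan := {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 2, "MEDIUM": 1},
        "findings": [
            {"name": "FINDING-EXAMPLE-1", "severity": "HIGH", "attributes": [
                {"key": "package_name", "value": "libexample"},
                {"key": "package_version", "value": "1.0.0"}
            ]},
            {"name": "FINDING-EXAMPLE-ACCEPTED", "severity": "HIGH", "attributes": []},
            {"name": "FINDING-EXAMPLE-2", "severity": "MEDIUM", "attributes": []}
        ]
    }
}

in_progress_scan := {"imageScanStatus": {"status": "IN_PROGRESS"}}

# Only the unaccepted HIGH finding blocks; the MEDIUM one does not.
test_high_finding_blocks if {
    deny["FINDING-EXAMPLE-1 (HIGH) in libexample 1.0.0"] with input as completed_scan
    count(deny) == 1 with input as completed_scan
}

test_incomplete_scan_blocks if {
    count(deny) == 1 with input as in_progress_scan
}
```

A pipeline step would capture the scan with `aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageDigest=<digest> > scan.json` and then run `opa eval -i scan.json -d ecr_gate.rego --fail-defined 'count(data.trusted_delivery.ecr.deny) > 0'`, failing the job when any message is produced. Two caveats a practitioner should keep in mind: the gate should also check the scan's age, since a basic scan is only as current as the last time it ran, and ECR enhanced scanning returns findings under a different key (`enhancedFindings`), so the input path above applies to basic scanning only.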
In this whitepaper, we explore how to use existing AWS capabilities, paired with the power of Weave GitOps Enterprise, towards preventing security breaches and strengthening security posture throughout your CI/CD pipelines and runtime infrastructure, while building and delivering cloud-native solutions at DevOps speed. The whitepaper covers various topics, including:
- CI/CD security strategies and tools
- Building artifacts that can be trusted in AWS
- How to securely store and access trusted images in ECR
- EKS runtime security
- Using a policy engine (Weave GitOps Enterprise) for continuous security and compliance
About Weave GitOps
Weave GitOps enables trusted application delivery through the Weave Policy Engine and the Weave Policy Library, a catalog of 100+ OPA-based policies that DevOps and Platform teams can embed into their software development lifecycle. It also makes it easy to deploy and manage Kubernetes clusters and applications at scale, helping keep your AWS workloads secure. The Weave Policy Library policies are written for OPA (Open Policy Agent) and are mapped to standards such as NIST, CIS, PCI DSS, MITRE ATT&CK, GDPR, and more.
To learn more about continuous AWS cloud security with Weave GitOps, download the whitepaper now.