cloud professional services
Book A Meeting

May 12, 2022 12:11:47 AM by Yura Vasilevitski

CI/CD AWS way

Cloud Security

CI/CD stands for Continuous Integration / Continuous Deployment. It is a development process aiming to automate software delivery. It allows developers to integrate changes into a central repository, then tests and deploy. In other words, every change made to the code is tested and automatically deployed to the production environment if it passes all tests.

AWS CI/CD Pipeline and its use cases

AWS Code Pipeline is a hassle-free way to automate your application release process on the AWS cloud. You can define your process through visual workflows, and AWS Code Pipeline will execute those for you. This means you only have to define your pipeline once and then run it as many times as required. AWS Code Pipeline offers support for integrating with other services like Amazon EC2, Amazon ECS, and AWS Lambda.

Use Cases for CI/CD Pipeline in AWS

  • Static code analysis
  • Unit tests
  • Functional tests
  • System tests
  • Integration tests
  • UI testing
  • Sanity tests
  • Regression tests

 

Benefits of using AWS CI/CD Workflows

With Continuous Deployment, teams can achieve the following benefits:

No deployment bottlenecks: Once you are ready with your code changes, you can deploy it. There is no waiting for a specific time or day to deploy your code. Deployment can happen at any time during the day. Furthermore, frequent deployments also help increase confidence in the software quality in production, which leads to improved customer satisfaction and loyalty.

Customers get additional value from the software quicker: Continuously delivering small increments of value to customers allows them to provide feedback on what is important for them and increase focus on high-value work. Quicker feedback cycles also reduce rework because issues are discovered earlier in development when they are cheaper to fix.

Less risky releases: Small changes that get gradually integrated into the mainline over time are less likely to cause major problems when they go out with other features than large changes developed separately over long periods before being released.

Implementing CI/CD Pipeline with AWS 

AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy are three separate services that can be deployed within any environment. 

CodePipeline helps in continuous integration and deployment of applications. It supports popular programming languages such as Java, Python, Ruby, Node.js, etc.

CodeBuild is used to build output artifacts of your application on demand when needed by other services such as CodePipeline or Lambda.

CodeCommit is a fully-managed source control service that makes it easy for companies to store and share Git repositories on AWS.

This is how you implement a CI/CD pipeline with these services.

Step 1: Create a new project in the AWS console, e.g., myproject

Step 2: Allocate a resource to the project (AWS CodePipeline)

Step 3: Choose the type of build you want to perform, e.g., Minimal testing or Full deployment

Step 4: Configure build settings for your build configuration, e.g., source control repositories and automated builds (e.g., GitLab)

How to Integrate Security into CI/CD Pipeline In AWS 

Many organizations are now using static code analysis tools like OWASP    to regularly test the code for vulnerabilities. You can easily set up a SAST pipeline using AWS CodeBuild. CodeBuild is an AWS-managed service used to build and test the software. 

If you are using Jenkins, you can use the CodeBuild plugin to trigger the build job within Jenkins. You can use AWS Lambda to trigger the build job when a new push happens to source control for other build tools. Also, please set up pre-commit hooks so that you don’t have to wait until a push happens to trigger the build.

Dynamic Application Security Testing (DAST) is another security test performed in the CI/CD pipeline. The test identifies the potential vulnerabilities by interacting with the applications at runtime. It is also known as grey-box testing. The test can be configured to fail the build if any vulnerability is identified. 

The tools used for DAST in AWS can be either commercial or open-source. Open-source tools like OWASP ZAP have an option to fail builds when a critical severity vulnerability is found, while other tools like Burp Suite require custom scripts to perform this functionality.

Runtime Application Security Testing (RASP) is a new security test that analyzes application behavior in real-time while an application runs in its production environment and detects anomalies from normal behavior that could indicate a security issue. It can also be used to detect and block attacks. 

Some teams use runtime scanners such as Arachni or OWASP ZAP inside their pipelines, while others choose to run security scans as part of their performance tests to ensure that there are no vulnerabilities present during stress testing.

CI/CD best practices in Amazon Web Service

The best practices you can follow are as follows:

  • Continuously verify your infrastructure code to ensure no security flaws are introduced in the system and allow teams to fix them faster than before.
  • Implement a continuous delivery pipeline for your applications using AWS CodePipeline, with AWS CodeBuild for building and testing.
  • Use AWS Lambda functions to run tests by adding them into CodeBuild projects or integrate with third-party tools like Sauce Labs or BlazeMeter to run performance tests on-demand or as part of your pipelines.
  • Set up notifications (e-mail/Slack) between phases so team members can respond quickly when something goes wrong in any pipeline phase.
  • Implementing CI/CD in AWS helps to improve code quality, hasten delivery, reduce human intervention, enhance collaboration and reduce integration errors.

Want to learn more? Book a free consultation call right here 

 

Subscribe today

For weekly special offers and new updates!