book

Accelerating DevSecOps on AWS

by Nikit Swaraj

April 2022

Intermediate to advanced

520 pages

10h 19m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesConventions usedGet in touchShare Your Thoughts
Technical requirementsIntroduction to CI/CD, along with a branching strategyCICDBranching strategy (Gitflow)Creating a project in AWS CodeStarIntroduction to AWS CodeStarGetting readyCreating feature and development branches, as well as an environmentCreating feature and develop branchesCreating a development environment and pipelineValidating PRs/MRs into the develop branch from the feature branch via CodeBuild and AWS LambdaAdding a production stage and environmentModifying the pipelineSummary
Technical requirementsImplementing policy and governance as code on infrastructure code Policy as codeWhy use policy as code?Policy as code in CI/CDUsing CloudFormation Guard to enforce compliance rules on CloudFormation templatesCloudFormation GuardInstallationTemplate validationWriting CloudFormation Guard rulesUsing AWS Service Catalog across teams with access controls and constraintsAWS Service CatalogIntegrating Terraform Cloud with GitHubTerraform CloudVCS-driven workflow (GitHub)Running a Terraform template in Terraform CloudWriting Sentinel policies to enforce rules on Terraform templatesHashiCorp SentinelSummary
Technical requirementsIntroduction to the AWS Proton serviceWhat is AWS Proton?Creating the environment template bundleWriting an environment templateCreating the service template bundleWriting the service templateDeploying the containerized application by creating a service instance in ProtonCreating a source connection (GitHub)Deploying the application by creating a service instanceIntroduction to Amazon CodeGuruIntegrating CodeGuru with AWS CodeCommit and analyzing the pull request reportSummary
Technical requirementsDeep diving into AWS EKSKubernetes componentsDeploying an EKS clusterIntroducing AWS App MeshAre microservices any good?AWS App MeshDeploying an application (Product Catalog) on EKSImplementing traffic managementInstalling the App Mesh controller Getting observability using X-Ray Enabling mTLS authentication between servicesSummary
Technical requirementsPlanning your fully private EKS clusterCreating your EKS cluster VPC, subnet, and endpoint creationBastion serverCreating a clusterVerifying the cluster accessDeploying add-onsCreating copies of container images in ECRIAM roles for service accountsCluster AutoscalerThe Amazon EBS CSI driverEnabling the App Mesh sidecar injectorKubernetes hardening guidance using KubescapePolicy and governance using OPA GatekeeperDeploying a stateful application using HelmBackup and restore using VeleroHow does Velero work?Summary
Technical requirementsThe concept of, and need for, chaos engineering Principles of chaos engineeringAWS FISChaos engineering in CI/CDExperimenting with AWS FIS on multiple EC2 instances with a terminate actionExperimenting with AWS FIS on EC2 instances with a CPU stress actionExperimenting with AWS FIS on RDS with a reboot and failover actionExperimenting with AWS FIS on an EKS cluster worker nodeSummary

Technical requirementsIntroduction to AWS Security HubDeny execution of non-compliant images on EKS using AWS Security Hub and ECRImporting an AWS Config rules evaluation as a finding in Security HubIntegrating AWS Systems Manager with Security Hub to detect issues, create an incident, and remediate automaticallySummary
Technical requirementsStrategy and planning for a CI/CD pipelineMonorepos versus polyreposFeature branchDevelop branchStaging branchMaster branchCreating a CodeCommit repository for microservicesCreating PR CodeBuild stages with CodeGuru ReviewerCreating a development CodePipeline project with image scanning and an EKS clusterCreating a staging CodePipeline project with mesh deployment and chaos testing with AWS FISCreating a production CodePipeline project with canary deployment and its analysis using GrafanaCanary deployment using FlaggerUpdating a new version of the serviceSummary
Technical requirementsDevSecOps in CI/CD and some terminologyWhy DevSecOps?Introduction to and concepts of some security toolsSnyk – Security advisory for source code vulnerabilities in real timeTalisman – Pre-commit secrets checkAnchore inline scanning and ECR scanning – SCA and SASTOpen Web Application Security Project-Zed Attack Proxy (OWASP ZAP) – DASTFalco – RASPPlanning for a DevSecOps pipelineUsing a security advisory plugin and a pre-commit hookPrerequisites for a DevSecOps pipelineInstallation of DAST and RASP toolsInstalling OWASP ZAPInstalling FalcoIntegration with DevOps GuruCreating a CI/CD pipeline using CloudFormationTesting and validating SAST, DAST, Chaos Simulation, Deployment, and RASPSummary
Technical requirementsAIOps and how it helps in IT operationsAIOps using Amazon DevOps GuruEnabling DevOps Guru on EKS cluster resourcesInjecting a failure and then reviewing the insightsDeploying a serverless application and enabling DevOps GuruIntegrating DevOps Guru with Systems Manager OpsCenterInjecting a failure and then reviewing the insightsSummary
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from Accelerating DevSecOps on AWS

Chapter 5: Securing Private EKS Cluster for Production

This chapter will walk you through all the planning you require to create a production-grade private EKS cluster. It will cover most of the necessary topics, such as the Container Network Interface (Virtual Private Cloud CNI), network policy, logging, security, and observability for EKS clusters. It includes the implementation of a service mesh, and some must-have add-ons, such as Cluster Autoscaler, IAM Role for Service Accounts (IRSA), and the Elastic Block Store-Container Storage Interface (EBS-CSI) driver. We will verify whether Kubernetes is deployed securely using kubescape and kube-bench. We will apply policy and governance using Open Policy Agent (OPA) Gatekeeper. After that, we ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Continuous Security on AWS (The DevSecOps on AWS Series)

Publisher Resources

ISBN: 9781803248608Supplemental Content

Accelerating DevSecOps on AWS

by Nikit Swaraj

Chapter 5: Securing Private EKS Cluster for Production

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Continuous Security on AWS (The DevSecOps on AWS Series)

Mastering AWS CloudFormation

DevSecOps in Kubernetes

Practical GitOps: Infrastructure Management Using Terraform, AWS, and GitHub Actions

Publisher Resources

Chapter 5: Securing Private EKS Cluster for Production

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Continuous Security on AWS (The DevSecOps on AWS Series)

Mastering AWS CloudFormation

DevSecOps in Kubernetes

Practical GitOps: Infrastructure Management Using Terraform, AWS, and GitHub Actions

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.