Extending an AWS Governance Pipeline with a New Control

Table of Contents

1. Challenge

   Verify AWS resources were deployed and locally clone the repository files

   Verify AWS resources were deployed and locally clone the repository files

   • Clone and download the repository files for the lab from https://github.com/pluralsight-cloud/Path-Proactive-Security-in-Your-AWS-CI-CD-Pipeline/tree/main
   • Verify the pre-existing resources were deployed in AWS with the lab folder (see the Additional Resources' Directory Tree):
     • Amazon S3 bucket (Starts with governance-lab-artifacts-)
     • AWS CodePipeline pipeline (governance-pipeline)
       • The pipeline contains Source, GovernanceLint, GovernanceGuard, and Deploy stages to start.
     • CloudFormation stack is deployed (governance-lab-deploy).
2. Challenge

   Create the new CodeBuild buildspec file

   You will now create the new required buildspec file for the upcoming GovernanceSecrets CodePipeline stage and respective CodeBuild project.

   • Edit the configuration/buildspec-secrets.yml file to be used with the new CodeBuild project containing the following phases:
     • install: Install TruffleHog following instructions here > https://github.com/trufflesecurity/trufflehog#using-installation-script
     • pre_build: Confirm TruffleHog was installed by checking the version.
     • build: Scan all contents within the artifacts files for hardcoded secrets.
       • Hint: You need to specify a specific flag when scanning to cause the error output.

   Important: You can find all TruffleHog documentation and instruction at the following GitHub page: https://github.com/trufflesecurity/trufflehog

3. Challenge

   Create the new CodeBuild project

   With the buildspec file ready to go, you can now create the CodeBuild project that will use it.

   • Within CodeBuild, clone the existing governance-guard project:
     • Name: governance-secrets
     • Source > Source 1 - Primary: AWS CodePipeline
     • Use a buildspec file: configuration/buildspec-secrets.yml
     • Service role permissions - Existing service role: ARN containing governance-codebuild-role
4. Challenge

   Create the new CodePipeline stage

   Now you can create the code pipeline stage to reference the recently created CodeBuild project for your secrets scanning.

   • Edit the existing governance-pipeline within AWS CodePipeline
   • Add a new stage between the GovernanceLint and GovernanceGuard stages
     • Name: GovernanceSecrets
   • Add a new stage action
     • Action name: GovernanceSecretsAction
     • Action provider: Build > AWS CodeBuild
     • Region: United States (N. Virginia)
     • Input artifacts: GovernanceLintOutputs
     • Project name: governance-secrets
     • Output artifacts: GovernanceSecretsOutputs

   Then, you need to edit the GovernanceGuard stage's DeployAction

   • Input artifacts: GovernanceSecretsOutputs
5. Challenge

   Update the template and test the AWS CodePipeline pipeline

   With all of the pieces in place, you can now move on to testing your pipeline.

   • Generate a new set of IAM access keys for your current user.
   • Add your newly created access keys to the following within your infra/template.yml file:
     • OUR_AWS_ACCESS_KEY_ID
     • OUR_AWS_SECRET_ACCESS_KEY
   • Create the new artifacts.zip file containing the required directories:
     • infra/
     • configuration/
     • cfn-guard/
   • Upload the artifacts.zip file to the Amazon S3 artifacts bucket in your account.
   • Wait for the pipeline to fail at the GovernanceSecrets stage