AWS CodeBuild, Amazon Inspector, and SBOM for Enhanced Container Image Security

Overview

Containerization has become a cornerstone in modern software development, offering flexibility and scalability. AWS CodeBuild, a fully managed build service, empowers developers to build and test container images in a consistent and secure environment. As security concerns rise, integrating tools like Amazon Inspector and generating Software Bill of Materials (SBOM) for container images becomes imperative. In this blog post, we’ll explore the significance of scanning container images for vulnerabilities and how AWS services contribute to a secure container development pipeline.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Introduction

As organizations increasingly adopt containerized applications, ensuring the security of container images becomes paramount. Containers often encapsulate critical components of applications, making them potential targets for attackers. Vulnerabilities within container images can lead to security breaches, data leaks, and service disruptions. Hence, it is crucial to incorporate security checks into the container build process to identify and mitigate vulnerabilities proactively.

AWS CodeBuild and Amazon Inspector Integration

AWS CodeBuild provides a scalable and fully managed environment for building, testing, and packaging applications. Amazon Inspector, on the other hand, offers automated security assessment services to identify vulnerabilities within your applications. By combining these services, developers can create an enhanced security layer within their CI/CD pipelines.

Prerequisites

Before diving into the integration, ensure the following prerequisites are met:

CodeBuild Role Permissions: Grant the AWS CodeBuild role sufficient permissions to access Amazon ECR and read files from the Amazon S3 bucket where the SBOM generator resides. This ensures a seamless flow of data between services.
Amazon Linux 2 OS for AWS CodeBuild: Choose Amazon Linux 2 as the operating system for AWS CodeBuild. It provides a secure and lightweight environment suitable for building container images.

Buildspec.yml Configuration

The provided buildspec.yml file showcases the integration of AWS CodeBuild, Amazon Inspector, and SBOM generation. Let’s break down the key sections:

Install Phase: Specifies the runtime version for Java Corretto 17 and sets up necessary tools.
Pre-Build Phase: Logs into Amazon ECR, copies the SBOM generator from Amazon S3, and prepares the environment.
Build Phase: Builds the Docker image, tags it, generates an SBOM using Inspector, and checks for vulnerabilities. The build fails if vulnerabilities are detected.
Post-Build Phase: Completes the build process by pushing the Docker image to Amazon ECR.

version: 0.2

phases:
  install:
    runtime-versions:
      java: corretto17

  pre_build:
    commands:
      - echo Logging in to Amazon ECR.....
      - aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin <ACCOUNT_ID>.dkr.ecr.ap-south-1.amazonaws.com
      - REPOSITORY_URI=<ACCOUNT_ID>.dkr.ecr.ap-south-1.amazonaws.com/<ECR_REPO_NAME>
      - IMAGE_NAME=amazoncorretto
      - IMAGE_TAG=17.0.9
      - NEW_IMAGE=amazoncorretto-17.0.9-hardened
      - SERVICE_NAME=amazoncorretto-17.0.9-hardened
      - aws s3 cp s3://inspector-bucket/inspector-sbomgen.zip inspector-sbomgen.zip #path to the zip file in s3
      - unzip inspector-sbomgen.zip
      - chmod +x inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen
      - inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen --version
      - pip install --upgrade awscli

  build:
    commands:
      - docker build -t $NEW_IMAGE -f Dockerfile .
      - docker tag $NEW_IMAGE:latest $REPOSITORY_URI:$NEW_IMAGE
      - inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen container --image $REPOSITORY_URI:$IMAGE_TAG -o $SERVICE_NAME_sbom_report.json
      - aws inspector-scan scan-sbom --sbom file://$SERVICE_NAME_sbom_report.json --endpoint "https://inspector-scan.ap-south-1.amazonaws.com" --region ap-south-1 --output-format INSPECTOR --output json 2>&1 | tee $SERVICE_NAME-inspector-report-$CODEBUILD_BUILD_NUMBER.json
      - |
        if grep -E -i '(high|critical|low|medium)' $SERVICE_NAME-inspector-report-$CODEBUILD_BUILD_NUMBER.json; then
        echo "Build failed due to vulnerabilities."
        exit 1
        fi
      - echo "Build passed without vulnerabilities."
      - echo Pushing the Docker images...
      - docker push $REPOSITORY_URI:$NEW_IMAGE
      
  post_build:
    commands:
      - echo "Build completed successfully."

version: 0.2

phases:

install:

runtime-versions:

java: corretto17

pre_build:

commands:

- echo Logging in to Amazon ECR.....

- aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin <ACCOUNT_ID>.dkr.ecr.ap-south-1.amazonaws.com

- REPOSITORY_URI=<ACCOUNT_ID>.dkr.ecr.ap-south-1.amazonaws.com/<ECR_REPO_NAME>

- IMAGE_NAME=amazoncorretto

- IMAGE_TAG=17.0.9

- NEW_IMAGE=amazoncorretto-17.0.9-hardened

- SERVICE_NAME=amazoncorretto-17.0.9-hardened

- aws s3 cp s3://inspector-bucket/inspector-sbomgen.zip inspector-sbomgen.zip #path to the zip file in s3

- unzip inspector-sbomgen.zip

- chmod +x inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen

- inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen --version

- pip install --upgrade awscli

build:

commands:

- docker build -t $NEW_IMAGE -f Dockerfile .

- docker tag $NEW_IMAGE:latest $REPOSITORY_URI:$NEW_IMAGE

- inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen container --image $REPOSITORY_URI:$IMAGE_TAG -o $SERVICE_NAME_sbom_report.json

- aws inspector-scan scan-sbom --sbom file://$SERVICE_NAME_sbom_report.json --endpoint "https://inspector-scan.ap-south-1.amazonaws.com" --region ap-south-1 --output-format INSPECTOR --output json 2>&1 | tee $SERVICE_NAME-inspector-report-$CODEBUILD_BUILD_NUMBER.json

- |

if grep -E -i '(high|critical|low|medium)' $SERVICE_NAME-inspector-report-$CODEBUILD_BUILD_NUMBER.json; then

echo "Build failed due to vulnerabilities."

exit 1

- echo "Build passed without vulnerabilities."

- echo Pushing the Docker images...

- docker push $REPOSITORY_URI:$NEW_IMAGE

post_build:

commands:

- echo "Build completed successfully."

Conclusion

Ensuring the security of container images is a shared responsibility between developers and the tools they leverage. AWS CodeBuild, Amazon Inspector, and SBOM generation collectively contribute to building and deploying secure containerized applications.

By integrating vulnerability scanning into the CI/CD pipeline, organizations can confidently deploy container images, knowing they adhere to stringent security standards. This approach not only enhances the overall security posture but also fosters a culture of proactive security within development teams.

In conclusion, as organizations navigate the complex landscape of container security, AWS services offer a robust foundation for creating secure and resilient containerized applications. Embracing these practices ensures that your container images are not just efficient and scalable but also meet the highest standards of security.

Drop a query if you have any questions regarding AWS CodeBuild, Amazon Inspector, or SBOM and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. Why use Amazon Inspector for vulnerability scanning?

ANS: – Amazon Inspector automates the process of identifying security vulnerabilities and deviations from best practices. It provides actionable findings with prioritized steps for remediation, enhancing the overall security posture of containerized applications.

2. How does SBOM contribute to container security?

ANS: – SBOM provides a detailed inventory of software components within a container image. This transparency enables organizations to track dependencies, identify outdated libraries, and respond quickly to security vulnerabilities. Integrating SBOM with Amazon Inspector enhances the precision of vulnerability assessments.

3. What if vulnerabilities are found during the build process?

ANS: – The build process is designed to fail if high, critical, medium, or low severity vulnerabilities are detected. This proactive approach ensures that only secure container images are pushed to the Amazon ECR repository.

WRITTEN BY Deepak S

Deepak S is a Senior Research Associate at CloudThat, specializing in AWS services. He is passionate about exploring new technologies in cloud and is also an automobile enthusiast.