Login
February 20, 2024Overview
Containerization has become a cornerstone in modern software development, offering flexibility and scalability. AWS CodeBuild, a fully managed build service, empowers developers to build and test container images in a consistent and secure environment. As security concerns rise, integrating tools like Amazon Inspector and generating Software Bill of Materials (SBOM) for container images becomes imperative. In this blog post, we’ll explore the significance of scanning container images for vulnerabilities and how AWS services contribute to a secure container development pipeline.
Introduction
As organizations increasingly adopt containerized applications, ensuring the security of container images becomes paramount. Containers often encapsulate critical components of applications, making them potential targets for attackers. Vulnerabilities within container images can lead to security breaches, data leaks, and service disruptions. Hence, it is crucial to incorporate security checks into the container build process to identify and mitigate vulnerabilities proactively.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
AWS CodeBuild and Amazon Inspector Integration
AWS CodeBuild provides a scalable and fully managed environment for building, testing, and packaging applications. Amazon Inspector, on the other hand, offers automated security assessment services to identify vulnerabilities within your applications. By combining these services, developers can create an enhanced security layer within their CI/CD pipelines.
Prerequisites
Before diving into the integration, ensure the following prerequisites are met:
- CodeBuild Role Permissions: Grant the AWS CodeBuild role sufficient permissions to access Amazon ECR and read files from the Amazon S3 bucket where the SBOM generator resides. This ensures a seamless flow of data between services.
- Amazon Linux 2 OS for AWS CodeBuild: Choose Amazon Linux 2 as the operating system for AWS CodeBuild. It provides a secure and lightweight environment suitable for building container images.
Buildspec.yml Configuration
The provided buildspec.yml file showcases the integration of AWS CodeBuild, Amazon Inspector, and SBOM generation. Let’s break down the key sections:
- Install Phase: Specifies the runtime version for Java Corretto 17 and sets up necessary tools.
- Pre-Build Phase: Logs into Amazon ECR, copies the SBOM generator from Amazon S3, and prepares the environment.
- Build Phase: Builds the Docker image, tags it, generates an SBOM using Inspector, and checks for vulnerabilities. The build fails if vulnerabilities are detected.
- Post-Build Phase: Completes the build process by pushing the Docker image to Amazon ECR.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
version: 0.2 phases: install: runtime-versions: java: corretto17 pre_build: commands: - echo Logging in to Amazon ECR..... - aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin <ACCOUNT_ID>.dkr.ecr.ap-south-1.amazonaws.com - REPOSITORY_URI=<ACCOUNT_ID>.dkr.ecr.ap-south-1.amazonaws.com/<ECR_REPO_NAME> - IMAGE_NAME=amazoncorretto - IMAGE_TAG=17.0.9 - NEW_IMAGE=amazoncorretto-17.0.9-hardened - SERVICE_NAME=amazoncorretto-17.0.9-hardened - aws s3 cp s3://inspector-bucket/inspector-sbomgen.zip inspector-sbomgen.zip #path to the zip file in s3 - unzip inspector-sbomgen.zip - chmod +x inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen - inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen --version - pip install --upgrade awscli build: commands: - docker build -t $NEW_IMAGE -f Dockerfile . - docker tag $NEW_IMAGE:latest $REPOSITORY_URI:$NEW_IMAGE - inspector-sbomgen-1.0.0/linux/amd64/inspector-sbomgen container --image $REPOSITORY_URI:$IMAGE_TAG -o $SERVICE_NAME_sbom_report.json - aws inspector-scan scan-sbom --sbom file://$SERVICE_NAME_sbom_report.json --endpoint "https://inspector-scan.ap-south-1.amazonaws.com" --region ap-south-1 --output-format INSPECTOR --output json 2>&1 | tee $SERVICE_NAME-inspector-report-$CODEBUILD_BUILD_NUMBER.json - | if grep -E -i '(high|critical|low|medium)' $SERVICE_NAME-inspector-report-$CODEBUILD_BUILD_NUMBER.json; then echo "Build failed due to vulnerabilities." exit 1 fi - echo "Build passed without vulnerabilities." - echo Pushing the Docker images... - docker push $REPOSITORY_URI:$NEW_IMAGE post_build: commands: - echo "Build completed successfully." |
Conclusion
By integrating vulnerability scanning into the CI/CD pipeline, organizations can confidently deploy container images, knowing they adhere to stringent security standards. This approach not only enhances the overall security posture but also fosters a culture of proactive security within development teams.
In conclusion, as organizations navigate the complex landscape of container security, AWS services offer a robust foundation for creating secure and resilient containerized applications. Embracing these practices ensures that your container images are not just efficient and scalable but also meet the highest standards of security.
Drop a query if you have any questions regarding AWS CodeBuild, Amazon Inspector, or SBOM and we will get back to you quickly.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
FAQs
1. Why use Amazon Inspector for vulnerability scanning?
ANS: – Amazon Inspector automates the process of identifying security vulnerabilities and deviations from best practices. It provides actionable findings with prioritized steps for remediation, enhancing the overall security posture of containerized applications.
2. How does SBOM contribute to container security?
ANS: – SBOM provides a detailed inventory of software components within a container image. This transparency enables organizations to track dependencies, identify outdated libraries, and respond quickly to security vulnerabilities. Integrating SBOM with Amazon Inspector enhances the precision of vulnerability assessments.
3. What if vulnerabilities are found during the build process?
ANS: – The build process is designed to fail if high, critical, medium, or low severity vulnerabilities are detected. This proactive approach ensures that only secure container images are pushed to the Amazon ECR repository.
WRITTEN BY Deepak S
Deepak S works as a Research Intern at CloudThat. His expertise lies in AWS's services. Deepak is good at haunting new technologies and automobile enthusiasts.
PREV
Comments