Supply chain security: AWS Signer for build attribution (APS323)

Title: AWS re:Inforce 2024 - Supply chain security: AWS Signer for build attribution (APS323)

Insights:

  • Introduction to AWS Signer: AWS Signer is a fully managed AWS service for code signing container images and Lambda deployment packages, attesting to the source and integrity of those artifacts.
  • Importance of Signing: Signing is crucial for proving the source and integrity of artifacts, ensuring they haven't been tampered with between build and deployment.
  • Security Benefits:
    • Attribution: Ensures artifacts can be traced back to the build process.
    • Defense in Depth: Adds an additional layer of security beyond IAM permissions.
    • Compliance: Meets government regulations and standards like NIST 853 for component authenticity.
  • Integration with AWS Lambda:
    • Simple Architecture: Involves using GitHub Actions for CI, storing artifacts in S3, and a single call to AWS Signer for signing.
    • Code Implementation: Requires creating a signing profile and using AWS Signer to sign artifacts, ensuring they are validated before deployment.
    • Lessons Learned: Implementation is straightforward but requires attention to versioned object references and considerations for sandbox environments.
  • Integration with ECS:
    • More Complex: ECS integration is less straightforward than Lambda, requiring additional steps and tools such as the Notation CLI.
    • Validation Steps: Includes both pre-deployment and post-deployment validation to ensure artifacts are signed and untampered.
    • Lessons Learned: ECR integrates well with signatures, but ECS requires custom logic. Managing signatures and containers can be complex without lifecycle policies.
  • Next Steps: Attendees are encouraged to participate in workshops and review related blogs for hands-on experience and deeper understanding.
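The Lambda integration described above (create a signing profile, sign the S3 artifact, validate the signature at deployment) as an added example, not code from the talk or from AWS. Bucket, key and profile names are constructed placeholders; the request-building functions are pure so they can be checked offline, and only run_pipeline() calls AWS.

```python
"""Sign a Lambda deployment package with AWS Signer and build the Lambda
code-signing config that enforces the signature at deploy time.

Constructed example; bucket, key and profile names are placeholders.
The request builders are pure and run without AWS; run_pipeline() imports
boto3 lazily and is the only part that talks to the service."""
import uuid

LAMBDA_PLATFORM = "AWSLambda-SHA384-ECDSA"  # AWS Signer platform for Lambda packages


def signing_job_request(profile, bucket, key, version_id, dest_prefix="signed/"):
    """Build the StartSigningJob request. Signer signs a specific S3 object
    *version*, so an unversioned reference (the lesson learned in the talk)
    is rejected here instead of failing later in the pipeline."""
    if not version_id:
        raise ValueError("S3 source must be a versioned object reference")
    return {
        "profileName": profile,
        "source": {"s3": {"bucketName": bucket, "key": key, "version": version_id}},
        "destination": {"s3": {"bucketName": bucket, "prefix": dest_prefix}},
        "clientRequestToken": str(uuid.uuid4()),
    }


def code_signing_config_request(profile_version_arn, enforce=True):
    """Build the CreateCodeSigningConfig request: Lambda checks every deployed
    package against the allowed signing-profile version and, with Enforce,
    refuses unsigned or tampered packages rather than only warning."""
    return {
        "Description": "Only packages signed by the CI signing profile",
        "AllowedPublishers": {"SigningProfileVersionArns": [profile_version_arn]},
        "CodeSigningPolicies": {
            "UntrustedArtifactOnDeployment": "Enforce" if enforce else "Warn"
        },
    }


def run_pipeline(profile, bucket, key, version_id):
    """Create the profile, sign the package, wait for the job, and create the
    enforcing code-signing config. Returns the S3 key of the signed object."""
    import boto3  # imported here so the pure builders above run without AWS
    signer = boto3.client("signer")
    prof = signer.put_signing_profile(profileName=profile, platformId=LAMBDA_PLATFORM)
    job = signer.start_signing_job(**signing_job_request(profile, bucket, key, version_id))
    signer.get_waiter("successful_signing_job").wait(jobId=job["jobId"])
    done = signer.describe_signing_job(jobId=job["jobId"])
    boto3.client("lambda").create_code_signing_config(
        **code_signing_config_request(prof["profileVersionArn"]))
    return done["signedObject"]["s3"]["key"]
```

Attach the resulting CodeSigningConfigArn to the function (for example with update_function_code_signing_config) so that deployments of packages outside the signed/ prefix are refused.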

Quotes:

  • "Signing is an industry standard way of proving the source and the integrity of something."
  • "Code signing allows us to say, provably, one, when we deploy, we know that that has not been tampered with and we know its source."
  • "By signing our artifact, we can make it so when we go to deploy, we can validate that signature."
  • "Government regulations is a big driver as well for a company like Cisco."
  • "You could probably implement this in under a day, probably half a day in your build pipeline."
  • "ECR is well integrated with signatures, and it just kind of works. ECS takes some of this custom logic for us to build a full-on solution."

This document provides a comprehensive overview of the key points and insights from the transcript, along with selected quotes that highlight the importance and benefits of using AWS Signer for build attribution and supply chain security.