site-logo

JAWS PANKRATION 2024

site-logo
HomeNewsTimetableCfPCommitteePromotionFollow UpPrivacy Policy

Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions

Lv200

Lv200

8/24/2024 04:40 (UTC)

Session Info

Cloud deployments are complex, and securing them is even harder to achieve.

 

When we deploy applications into the cloud, many things can go wrong and break our defense.

What if the software being deployed has malware injected? How can we make sure the API we are connecting is not spoofed by attackers? These problems are even more concerning when it comes to sensitive components like personal information processing.

 

In this session, I’ll demonstrate how we can use AWS Nitro Enclaves and GitHub Actions to implement a Trusted Execution Environment and the software deployment pipeline with software supply chain security baked in, where we can verify every single API call in production, all the way back to its source code.

Richard  Fan

Richard Fan

- AWS Heroes -



Session Category
Security
Identity and compliance


AWS Services
AWS Nitro Enclaves



Session Summary (by Amazon Bedrock)
    Richard Fan, an AWS Security Hero, discusses software supply chain security using AWS Nitro Enclaves and GitHub Actions. He introduces the concept of software supply chain and its vulnerabilities, emphasizing the importance of ensuring software integrity from source code to end-user distribution. The presentation focuses on two main frameworks: 1. SLSA (Supply chain Levels for Software Artifacts): This framework provides guidelines for ensuring software integrity. It uses a "provenance" document, similar to a birth certificate for software, to prove the software's authenticity. GitHub Actions can be used to implement SLSA, creating attestations for software builds. 2. AWS Nitro Enclaves: These are isolated virtual machines within EC2 instances that provide additional security. They generate attestation documents at runtime, which can be used to verify the application's authenticity. Fan demonstrates how to integrate these two frameworks: 1. Use GitHub Actions to build and package the application, including its fingerprint. 2. Create an attestation for the entire package using SLSA. 3. Deploy the application to an AWS Nitro Enclave. 4. The API server presents the Nitro Enclave attestation document to end-users. 5. End-users can verify the application's authenticity by comparing fingerprints and tracing back to the source code. He showcases a practical example of a salary comparison app running in a Nitro Enclave, demonstrating how this setup ensures data privacy and software integrity. The presentation concludes with information on how to access the demo application and contact the speaker for further questions.

©JAWS-UG (AWS User Group - Japan). All rights reserved.