SEC11-BP07: Regularly assess security properties of the pipelines

Apply the same rigor to your deployment pipelines that you apply to your applications. Regularly assess the security properties of your build and deployment pipelines, including the security of the pipeline infrastructure, integrity of the pipeline stages, and access controls.

Implementation guidance

Pipeline security assessment is critical for maintaining the integrity of your entire software delivery process. By regularly evaluating your pipeline security properties, you ensure that your deployment infrastructure remains secure, compliant, and resistant to supply chain attacks.

Key steps for implementing this best practice:

1. Establish pipeline security assessment framework:
   • Define security assessment criteria and standards
   • Create pipeline security baselines and benchmarks
   • Implement automated security scanning for pipeline infrastructure
   • Establish regular assessment schedules and procedures
   • Create security metrics and KPIs for pipeline evaluation
2. Assess pipeline infrastructure security:
   • Evaluate compute environment security configurations
   • Review network security and access controls
   • Assess storage and artifact security measures
   • Validate encryption and key management practices
   • Review logging and monitoring configurations
3. Validate pipeline stage integrity:
   • Assess source code management security
   • Review build environment isolation and security
   • Validate testing and scanning stage effectiveness
   • Evaluate deployment stage security controls
   • Assess approval and governance mechanisms
4. Review access controls and permissions:
   • Audit user and service account permissions
   • Validate role-based access control implementation
   • Review authentication and authorization mechanisms
   • Assess secrets management and rotation practices
   • Evaluate audit logging and monitoring coverage
5. Implement continuous security monitoring:
   • Set up real-time security monitoring for pipelines
   • Configure alerting for security violations
   • Implement anomaly detection for pipeline activities
   • Create security dashboards and reporting
   • Establish incident response procedures for pipeline security
6. Conduct regular security reviews and audits:
   • Perform periodic comprehensive security assessments
   • Conduct penetration testing of pipeline infrastructure
   • Review compliance with security standards and regulations
   • Assess third-party integrations and dependencies
   • Create remediation plans for identified security gaps

Implementation examples

Example 1: Automated pipeline security assessment framework

Code snippet hidden for website display

Example 2: Pipeline security monitoring and alerting system

Code snippet hidden for website display

Example 3: Terraform configuration for pipeline security assessment infrastructure

Code snippet hidden for website display

Example 4: Pipeline security compliance checker script

Code snippet hidden for website display

AWS services to consider

AWS CodePipeline

Continuous delivery service that provides the pipeline infrastructure to assess. Understanding pipeline configuration is essential for security evaluation.

AWS CodeBuild

Build service that executes within pipelines. Security assessment must evaluate build environment configurations, permissions, and isolation.

AWS CloudTrail

Audit logging service that tracks API calls and user activities. Essential for monitoring pipeline access and detecting suspicious activities.

Amazon CloudWatch

Monitoring and observability service for tracking pipeline metrics, logs, and setting up alerts for security events.

AWS Lambda

Serverless compute service for running automated security assessments and monitoring functions without managing infrastructure.

Amazon DynamoDB

NoSQL database service for storing assessment results, monitoring data, and maintaining historical security metrics.

Amazon SNS

Messaging service for sending security alerts and notifications when pipeline security issues are detected.

AWS Config

Configuration management service for tracking changes to pipeline resources and ensuring compliance with security policies.

Benefits of regularly assessing security properties of pipelines

• Proactive threat detection: Identifies security vulnerabilities before they can be exploited
• Compliance assurance: Ensures pipelines meet security standards and regulatory requirements
• Risk mitigation: Reduces the likelihood of supply chain attacks and security breaches
• Continuous improvement: Enables ongoing enhancement of pipeline security posture
• Audit readiness: Provides comprehensive documentation for security audits and reviews
• Incident prevention: Prevents security incidents through early detection and remediation
• Cost optimization: Reduces potential costs associated with security breaches and downtime
• Stakeholder confidence: Demonstrates commitment to security best practices to customers and partners

Related resources

Related Resources

• AWS Well-Architected Framework - Regularly assess security properties of the pipelines
• AWS CodePipeline Security
• AWS CodeBuild Security
• Validating AWS CodePipeline pipeline configuration using AWS Config Rules
• How to monitor and visualize failed SSH access attempts to Amazon EC2 Linux instances
• Evaluating Resources with AWS Config Rules