Project Overview: AWS Inspector in Jenkins Pipeline

uendi_hoxha

Uendi Hoxha

Posted on October 4, 2024

Project Overview: AWS Inspector in Jenkins Pipeline

Let’s say you are deploying an application to an EC2 instance. You want to ensure that your infrastructure is secure before deployment. AWS Inspector can scan the EC2 environment for vulnerabilities, missing patches or insecure configurations.

By integrating AWS Inspector into Jenkins, the pipeline will run automated security scans each time a new build is made. If AWS Inspector detects security vulnerabilities, the deployment will be halted, ensuring that insecure code or configurations never reach production.

GOAL

Automate security testing using AWS Inspector during your Jenkins pipeline. After code builds, Jenkins will trigger AWS Inspector to scan the environment for vulnerabilities before deployment.


I. Set Up Jenkins

Ensure you have the following plugins installed in Jenkins:

  • Git (for version control integration)
  • Pipeline (to write pipelines as code)
  • AWS CLI (to interact with AWS services)
  • AWS Credentials (to securely store access keys)

II. Configure AWS Inspector

If you haven't configured AWS Inspector yet, follow these steps:

Step 1
Set up the necessary AWSInspectorRole role using IAM. This role must have permissions to create and manage findings and initiate security scans, for example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "inspector:StartAssessmentRun",
        "inspector:ListFindings",
        "inspector:DescribeFindings",
        "inspector:ListAssessmentRuns"
      ],
      "Resource": "*"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Step 2
Create an Assessment Target to specify which resources you want to evaluate in AWS Inspector. Choose Create assessment target and provide a name and select the resources (for example EC2 instances).
After creating the target, create an Assessment Template. Configure the Assessment Template in AWS Inspector to define what type of scans will run (like network, operating system).

Ensure the AWS Inspector has permissions to access your resources (EC2). You can attach a policy similar to the one above to the role assigned to AWS Inspector.

III. Set Up Jenkins Pipeline

Here’s an example Jenkins pipeline that integrates AWS Inspector to trigger a security scan:

pipeline {
    agent any

    environment {
        AWS_ACCESS_KEY_ID = credentials('aws-access-key')   // Store AWS credentials securely in Jenkins
        AWS_SECRET_ACCESS_KEY = credentials('aws-secret-key')
        REGION = 'us-east-1'  // Change to your region
        INSPECTOR_TEMPLATE_ARN = 'arn:aws:inspector:us-east-1:123456789012:template/0-ABCD1234'
    }

    stages {
        stage('Clone Repository') {
            steps {
                git 'https://github.com/your-repo/your-project'
            }
        }

        stage('Build') {
            steps {
                sh 'npm install'  // Example build step for a Node.js project
            }
        }

        stage('Run AWS Inspector') {
            steps {
                script {
                    // Trigger AWS Inspector assessment run
                    sh """
                    aws inspector start-assessment-run \
                        --assessment-template-arn $INSPECTOR_TEMPLATE_ARN \
                        --region $REGION
                    """
                }
            }
        }

        stage('Check Assessment Findings') {
            steps {
                script {
                    // Wait a bit for AWS Inspector to finish
                    sleep(time: 300, unit: 'SECONDS')

                    // Fetch findings from AWS Inspector
                    def findings = sh(script: """
                        aws inspector list-findings \
                        --assessment-run-arns $INSPECTOR_TEMPLATE_ARN \
                        --region $REGION
                    """, returnStdout: true).trim()

                    // Check if findings were detected
                    if (findings) {
                        echo "Security issues detected: $findings"
                        currentBuild.result = 'UNSTABLE'
                    } else {
                        echo "No security issues detected!"
                    }
                }
            }
        }

        stage('Deploy') {
            when {
                expression {
                    return currentBuild.result != 'UNSTABLE'
                }
            }
            steps {
                sh 'npm run deploy'  // Example deployment step
            }
        }
    }

    post {
        always {
            cleanWs()  // Cleanup workspace after run
        }
    }
}
Enter fullscreen mode Exit fullscreen mode

Pipeline Stages

1. Clone Repository: Pulls the source code from a Git repository.
2. Build: Compiles or prepares the project for deployment (e.g., npm install, mvn package).
3. Run AWS Inspector: Starts an AWS Inspector assessment run. It uses the ARN of an existing assessment template.
4. Check Assessment Findings: After some time (around 5 minutes), the pipeline checks for any findings from AWS Inspector. If issues are found, it marks the build as unstable and stops the deployment.
5. Deploy: If no security vulnerabilities are detected, the pipeline proceeds to the deployment stage.

IV. Integrate AWS Credentials in Jenkins

In Jenkins, go to Manage Jenkins → Manage Credentials. Add your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as credentials.
Use these to securely interact with AWS services from the Jenkins pipeline.

V. Trigger the Pipeline

Save the pipeline configuration and lick on Build Now to run the pipeline. Monitor the logs to see each stage's progress and check the output of the AWS Inspector findings.

VI. Monitor and Review Findings

After the AWS Inspector stage runs, you can review the findings in the AWS Management Console under Amazon Inspector.

💖 💪 🙅 🚩
uendi_hoxha
Uendi Hoxha

Posted on October 4, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related