Let’s say you are deploying an application to an EC2 instance. You want to ensure that your infrastructure is secure before deployment. AWS Inspector can scan the EC2 environment for vulnerabilities, missing patches or insecure configurations.
By integrating AWS Inspector into Jenkins, the pipeline will run automated security scans each time a new build is made. If AWS Inspector detects security vulnerabilities, the deployment will be halted, ensuring that insecure code or configurations never reach production.
GOAL
Automate security testing using AWS Inspector during your Jenkins pipeline. After code builds, Jenkins will trigger AWS Inspector to scan the environment for vulnerabilities before deployment.
I. Set Up Jenkins
Ensure you have the following plugins installed in Jenkins:
- Git (for version control integration)
- Pipeline (to write pipelines as code)
- AWS CLI (to interact with AWS services)
- AWS Credentials (to securely store access keys)
II. Configure AWS Inspector
If you haven't configured AWS Inspector yet, follow these steps:
Step 1
Set up the necessary AWSInspectorRole
role using IAM. This role must have permissions to create and manage findings and initiate security scans, for example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"inspector:StartAssessmentRun",
"inspector:ListFindings",
"inspector:DescribeFindings",
"inspector:ListAssessmentRuns"
],
"Resource": "*"
}
]
}
Step 2
Create an Assessment Target to specify which resources you want to evaluate in AWS Inspector. Choose Create assessment target and provide a name and select the resources (for example EC2 instances).
After creating the target, create an Assessment Template. Configure the Assessment Template in AWS Inspector to define what type of scans will run (like network, operating system).
Ensure the AWS Inspector has permissions to access your resources (EC2). You can attach a policy similar to the one above to the role assigned to AWS Inspector.
III. Set Up Jenkins Pipeline
Here’s an example Jenkins pipeline that integrates AWS Inspector to trigger a security scan:
pipeline {
agent any
environment {
AWS_ACCESS_KEY_ID = credentials('aws-access-key') // Store AWS credentials securely in Jenkins
AWS_SECRET_ACCESS_KEY = credentials('aws-secret-key')
REGION = 'us-east-1' // Change to your region
INSPECTOR_TEMPLATE_ARN = 'arn:aws:inspector:us-east-1:123456789012:template/0-ABCD1234'
}
stages {
stage('Clone Repository') {
steps {
git 'https://github.com/your-repo/your-project'
}
}
stage('Build') {
steps {
sh 'npm install' // Example build step for a Node.js project
}
}
stage('Run AWS Inspector') {
steps {
script {
// Trigger AWS Inspector assessment run
sh """
aws inspector start-assessment-run \
--assessment-template-arn $INSPECTOR_TEMPLATE_ARN \
--region $REGION
"""
}
}
}
stage('Check Assessment Findings') {
steps {
script {
// Wait a bit for AWS Inspector to finish
sleep(time: 300, unit: 'SECONDS')
// Fetch findings from AWS Inspector
def findings = sh(script: """
aws inspector list-findings \
--assessment-run-arns $INSPECTOR_TEMPLATE_ARN \
--region $REGION
""", returnStdout: true).trim()
// Check if findings were detected
if (findings) {
echo "Security issues detected: $findings"
currentBuild.result = 'UNSTABLE'
} else {
echo "No security issues detected!"
}
}
}
}
stage('Deploy') {
when {
expression {
return currentBuild.result != 'UNSTABLE'
}
}
steps {
sh 'npm run deploy' // Example deployment step
}
}
}
post {
always {
cleanWs() // Cleanup workspace after run
}
}
}
Pipeline Stages
1. Clone Repository: Pulls the source code from a Git repository.
2. Build: Compiles or prepares the project for deployment (e.g., npm install, mvn package).
3. Run AWS Inspector: Starts an AWS Inspector assessment run. It uses the ARN of an existing assessment template.
4. Check Assessment Findings: After some time (around 5 minutes), the pipeline checks for any findings from AWS Inspector. If issues are found, it marks the build as unstable and stops the deployment.
5. Deploy: If no security vulnerabilities are detected, the pipeline proceeds to the deployment stage.
IV. Integrate AWS Credentials in Jenkins
In Jenkins, go to Manage Jenkins → Manage Credentials. Add your AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
as credentials.
Use these to securely interact with AWS services from the Jenkins pipeline.
V. Trigger the Pipeline
Save the pipeline configuration and lick on Build Now to run the pipeline. Monitor the logs to see each stage's progress and check the output of the AWS Inspector findings.
VI. Monitor and Review Findings
After the AWS Inspector stage runs, you can review the findings in the AWS Management Console under Amazon Inspector.
Top comments (0)