Added AWS SSM Parameter Store for CloudGuard Credential and CodePipeline

buildspec.yml

@@ -17,10 +17,11 @@ phases:
   build: 
     commands: 
     - echo Downloading SHIFTLEFT
-    # UPDATE CLOUDGUARD API KEY
-    - export CHKP_CLOUDGUARD_ID=YOUR-CLOUDGUARD-ID
-    # UPDATE API SECRET
-    - export CHKP_CLOUDGUARD_SECRET=YOUR-SECRET
+
+    # You need to add get-parameter permission for CodeBuild role in order to access SSM parameters
+    - export CHKP_CLOUDGUARD_ID=$(aws ssm get-parameter --name "CHKP_CLOUDGUARD_ID" | jq -r '.Parameter.Value')
+    - export CHKP_CLOUDGUARD_SECRET=$(aws ssm get-parameter --name "CHKP_CLOUDGUARD_SECRET" | jq -r '.Parameter.Value')
+
     - wget https://jaydenstaticwebsite.s3-ap-southeast-1.amazonaws.com/download/shiftleft
     - chmod -R +x ./shiftleft
     - echo Build started on `date` 
@@ -33,17 +34,17 @@ phases:
     - echo Saving Docker image 
     - docker save cyberave-docker -o Your-DOCKER-IAMGE.tar
     # Start Scan
-    - echo Starting scan at `date`
+    - echo Starting scan on `date`
     # UPDATE the saved tar file with your docker image name 
     - ./shiftleft image-scan -i Your-DOCKER-IAMGE.tar > result.txt || if [ "$?" = "6" ]; then exit 0; fi
-    - echo Scan finished at `date`
+    - echo Scan finished on `date`
 
   post_build: 
     commands: 
     - echo Pushing image to repo
     # UPDATE the following push command with the URI of your own ECR repository
     - docker push ECR-URI-dkr.ecr.ap-southeast-1.amazonaws.com/YOUR-DOCKER-IAMGE:latest 
-    - echo Build completed at `date` 
+    - echo Build completed on `date` 
 
 artifacts: 
   files:

my-codepipeline.json

@@ -0,0 +1,70 @@
+{
+    "pipeline": {
+        "name": "my-codepipeline",
+        "roleArn": "arn:aws:iam::YOUR-CODEPIPELINE-ROLE",
+        "artifactStore": {
+            "type": "S3",
+            "location": "CODEPIPELINE-ARTIFACTS-S3-BUCKET"
+        },
+        "stages": [
+            {
+                "name": "Source",
+                "actions": [
+                    {
+                        "name": "Source",
+                        "actionTypeId": {
+                            "category": "Source",
+                            "owner": "AWS",
+                            "provider": "CodeCommit",
+                            "version": "1"
+                        },
+                        "runOrder": 1,
+                        "configuration": {
+                            "BranchName": "master",
+                            "PollForSourceChanges": "false",
+                            "RepositoryName": "YOUR-REPO"
+                        },
+                        "outputArtifacts": [
+                            {
+                                "name": "SourceArtifact"
+                            }
+                        ],
+                        "inputArtifacts": [],
+                        "region": "YOUR-REGION",
+                        "namespace": "SourceVariables"
+                    }
+                ]
+            },
+            {
+                "name": "Build",
+                "actions": [
+                    {
+                        "name": "Build",
+                        "actionTypeId": {
+                            "category": "Build",
+                            "owner": "AWS",
+                            "provider": "CodeBuild",
+                            "version": "1"
+                        },
+                        "runOrder": 1,
+                        "configuration": {
+                            "ProjectName": "YOUR-PROJECT"
+                        },
+                        "outputArtifacts": [
+                            {
+                                "name": "BuildArtifact"
+                            }
+                        ],
+                        "inputArtifacts": [
+                            {
+                                "name": "SourceArtifact"
+                            }
+                        ],
+                        "region": "ap-southeast-1",
+                        "namespace": "BuildVariables"
+                    }
+                ]
+            }
+        ]
+    }
+}

secretsmanager.md

@@ -0,0 +1,48 @@
+# Storing Credentials in AWS Secrets Manager
+
+You can securely store CloudGuard API key and API secrets in AWS Secrets Manager in order to avoid embedding them in plain text. Codebuild can make API call and retrieve the API key and secrets when building scanning container image. 
+
+1. Create secrets  in secret manager
+
+Execute the following commands to create two secret strings called "CHKP_CLOUDGUARD_ID" and "CHKP_CLOUDGUARD_SECRET". Replace the value with CloudGuard API keys and secrets that you've generated on CloudGuard portal.
+
+```bash
+# Store CloudGuard API Key in Secrets Manager
+
+aws secretsmanager create-secret --name CHKP_CLOUDGUARD_ID --secret-string abcd1234
+
+# Store CloudGuard API Secret in AWS Secrets Manager
+
+aws secretsmanager create-secret --name CHKP_CLOUDGUARD_SECRET --secret-string 67890xyz
+
+```
+
+
+2. Test retrieving the secret for the CloudGuard API key
+
+Execute the following command;
+
+```bash
+aws secretsmanager get-secret-value --secret-id CHKP_CLOUDGUARD_ID | jq -r '.SecretString'
+```
+
+**Expected output**
+
+```
+abcd1234
+```
+
+3. Export variables in [buildspec.yml](buildspec.yml)
+
+Then you'll need to export the commands in the [buildspec.yml](buildspec.yml) as variables. CloudGuard will use the API key and secrets stored in the AWS Secrets Manager when running assessments. 
+
+```
+export CHKP_CLOUDGUARD_ID=$(aws secretsmanager get-secret-value --secret-id cloudguard-api-1 | jq -r '.SecretString')
+
+export CHKP_CLOUDGUARD_SECRET=$(aws secretsmanager get-secret-value --secret-id cloudguard-api-secret | jq -r '.SecretString')
+
+```
+--- 
+## Conclusion 
+
+Not storing any credentials in clear text is one of the DevSecOps best practices. When using CodeBuild, you can use either AWS SSM or Secrets Manager to store your credentials required by security scanning tools.