stelligent / aws-devsecops-workshop Goto Github PK

Configure CFN Nag to target all *.json and all *.template files instead of specific templates.

https://github.com/stelligent/aws-devsecops-workshop/blob/master/pipeline/tasks/security-test.rake#L14

Move to ruby/python from gulp/serverless.js?

the admin user dir has moved to a randomly numbered directory in a recent release.

instance userdata must now discover and pass this directory, or create a symlink, in ansible bootstrapping:
ln -sfv /var/lib/jenkins/users/admin_8253647996753921952 /var/lib/jenkins/users/admin

Remove CFNDSL and it's rake tasks. All CFN templates should be raw AWS JSON.

parameterize github_owner and github_branch

Plugins are downloaded at boot via cfn-init and failures can arise do to plugin versions.
Need to ensure we are pinning them and/or investigate current pipeline plugin failure.

currently running -nohup via userdata

Currently outgoing tcp/80 and tcp/443 open to world, due to installation package download.

Installation artifacts should be vetted and stored on s3 via pipeline, and retrieved from there via cloudinit and instance profile.

Currently passing a bash script via userdata and should move to cloudinit modules, given the complexity of boot script.

exempt S3 bucket from CFN control.

use latest amazon linux ami ami-a4c7edb2

lockdown port 80 on deployment server to jenkins secgroup and trusted cidr.

world_cidr is not needed and should be removed.

this will be more important when moving from default nginx page to custom chat app #4

currently only scans jenkins template. should scan all cfn.

pull out config and inspector stuff to higher level account/vpc configuration template

this new template could then be used on all new accounts to configure configservice, cloudtrail, vpcflowlogs, cloudwatch alarms, and logging buckets.

these global services and existing roles would then be assumed/consumed by this devsecops stack (global stack outputs queried), as opposed to creating on every run.