This guide provides instructions on how to:
- Set up the Beyond Identity (BI) Authenticator to sign and verify with AWS DevOps.
- A Beyond Identity authenticator with GPG key entitlements can sign and verify code on typical DevOps events such as push and pull. This is a powerful way to secure the SDLC process: the event triggers signature validation as part of the CI/CD pipeline.
- A GPG key generated on BI Authenticator can be used to sign many repositories, but a repository can be signed with only one key.
- The email used to sign must be enrolled in the Beyond Identity tenant.
- You can also require any commits to be verified with biometrics to prevent local malware from committing code or developers from bypassing hygiene and security controls.
Secure DevOps is an add-on for Secure Workforce. Contact your Account Representative to add this feature to your environment.
Prerequisites
AWS prerequisites
- A configured source code repository, project, and entitled users to pull, commit, and merge source code.
- (Optional) A configured CI/CD pipeline.
Beyond Identity prerequisites
- A Beyond Identity tenant configured for your organization and the ability to enroll users.
- An integration with your SSO provider. The instructions differ by SSO provider; refer to the integration guides at:
https://support.beyondidentity.com/hc/en-us/sections/6746815209111-Integration-Guides
- Any users who will sign the code must:
  - Have a copy of the Beyond Identity authenticator installed.
  - Have enrolled a passkey with the tenant using the same email that will be used to sign the code.
Note the following:
- A Beyond Identity authenticator with GPG key entitlements can sign and verify code based on typical DevOps events like push, pull, etc. This is a powerful tool to ensure the security of the SDLC process. The event triggers the signature validation process as part of the CI/CD pipeline.
- A GPG key generated on the Beyond Identity Authenticator can be used to sign many repositories, but a repository can be signed with only one key.
Configure Beyond Identity for AWS
This section describes the tasks required to configure the Beyond Identity authenticator for users with SDO enabled.
- Generate a Key management token
- Get an authenticator entitlement to generate GPG keys
- Add groups and users (BI Admin console)
- Generate a GPG Key and set a repository path (Authenticator)
Generate a Key management token
Your Beyond Identity Representative will provide you with a key management token. This token will be used in the CI/CD pipeline as the value of BYNDID_KEY_MGMT_API_TOKEN in later steps.
Get an authenticator entitlement to generate GPG keys
A Beyond Identity SME will enable the following entitlements for your tenant in the Support console so users can begin using their authenticator for commit signing.
- Commit Signing - Enables users to generate GPG keys and configure repository paths. Signs and verifies the author of every commit using the authenticator to prevent unauthorized commits.
- Commit Signing with Biometrics (optional) - Requires users to provide biometrics when signing and verifying commits, to prevent local malware from committing code or developers from bypassing hygiene and security controls.
Add groups and users (BI Admin console)
Once the entitlements are enabled, add groups using the names in this section to generate GPG keys, configure repository paths, and optionally require biometrics for commit signing.
Important: You must use the exact group name provided below for SDO to work.
- Open the Groups page in the Admin console and click Add Group.
- Enter BI_SDO_GPG_Key_Creation for the group name.
Important: You must use BI_SDO_GPG_Key_Creation as the exact name for Commit Signing to work.
- Enter an optional description and click Save Changes.
- Open the newly created group and then click Add Users to add any developers to this group.
- Users added in the steps above will see a GPG Keys link in their authenticator as shown below.
- Continue to the Generate a GPG Key and set a repository (Authenticator) section below for steps the development users will need to follow.
Generate a GPG Key and set a repository path (Authenticator)
- On the Beyond Identity platform authenticator, click the GPG Keys link.
- Click Create GPG key to create and configure GPG keys.
- Ensure the email address matches the email configured to perform Git operations. You can ignore the expiration date.
- Click Create. You should see the key in the Authenticator.
- Set the repository path on the authenticator.
- In the authenticator, click the ellipses to the right of the GPG key and choose Set repository.
- Browse to the local path of the repository root and click Configure.
- Continue to Configure AWS below.
Configure AWS
The components of the AWS DevOps ecosystem used in the Beyond Identity SDO integration are described below.
Component | Use |
AWS CodeCommit | “AWS CodeCommit is a fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.” In this integration, CodeCommit is the code repository. |
AWS CodeBuild | “AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.” In this integration, the CodeBuild project runs buildspec.yml, which invokes the Beyond Identity verification image. |
AWS CodePipeline | “AWS CodePipeline is a continuous integration and continuous delivery service for fast and reliable application and infrastructure updates. CodePipeline builds, tests, and deploys your code every time there is a code change, based on the release process models you define.” The CI/CD pipeline, configured with buildspec.yml. |
- Create an AWS account and add the account to roles with full permissions to CodeCommit, CodeBuild, and CodePipeline.
- Create Git credentials for the IAM user. These credentials are used with Git commands such as git clone, commit, and push.
- Click Create repository to create a code repository with AWS CodeCommit.
- Click Create.
- Add a buildspec.yml at the root of the repository. The buildspec file runs the command /bin/action inside the Beyond Identity Docker image, which performs code-signature verification.
buildspec.yml file contents:
version: 0.2
phases:
  install:
    commands:
      - echo "install"
  pre_build:
    commands:
      - echo "pre build"
  build:
    commands:
      - echo "build"
      - /bin/action
- Create and configure a build project with AWS CodeBuild.
- Specify AWS CodeCommit as the source provider and the repository created earlier as the repository.
- Select the Reference Type as “Branch” and choose “main” as the branch.
- Select Custom Image under “Environment Image”.
- Under “Image registry”, choose Other registry.
- Type byndid/auth-commit-sig:0.4.1-debian as the value for External registry URL. This is the Beyond Identity container image that performs code-signature verification.
- Add an environment variable API_TOKEN whose value is the key management token from Generate a Key management token.
- Under “Buildspec”, choose Use a buildspec file.
- Create a CodePipeline.
- Choose pipeline settings:
- Pipeline name: helloworldpipeline in this example
- New Service Role
- Allow AWS CodePipeline to create a new role
- Artifact store: Default Location
- Encryption Key: Default AWS managed key
- Source provider: AWS CodeCommit
- Repository name: helloworld
- Change Detection options: AWS CodePipeline
- Under “Output artifact format”, choose Full Clone. This choice makes the Git metadata available to the Beyond Identity container.
- At the Deploy stage, choose Skip deploy stage.
- Test Run
- Clone code
- Set repository path on the GPG key in the authenticator
- Make changes to files
- Add
- Commit with signing
- (Optional) If biometrics were enabled for signing, you will be prompted to provide biometric verification to complete the signing.
- Push
- Check the Build history in AWS CodeBuild. You should see the job marked “succeeded”.
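The policy the pipeline enforces (every commit signed, one registered key per repository, signing email enrolled in the tenant) can be stated as a standalone check. The following is an added example written for this guide, not Beyond Identity's /bin/action; it assumes a constructed tab-separated log format and placeholder fingerprints and addresses.

```python
"""Policy check over git log output, written for this guide as a standalone
illustration (it is not Beyond Identity's /bin/action). It enforces what the
guide states: every commit has a good signature, one registered key signs the
repository, and the signing email is enrolled in the tenant.
Assumed input, one commit per tab-separated line, as produced by:
    git log --format='%H%x09%G?%x09%GF%x09%ae' origin/main..HEAD
"""
from dataclasses import dataclass

# git %G? codes: G good, U good with untrusted key, B bad, X/Y expired
# signature/key, R revoked key, E cannot be checked, N no signature.
ACCEPTED_STATUS = {"G", "U"}


@dataclass(frozen=True)
class Finding:
    commit: str
    reason: str


def check_commits(log_text: str, repo_key_fpr: str, enrolled_emails: set) -> list:
    """Return one Finding per violation; an empty list means the build may proceed."""
    enrolled = {e.lower() for e in enrolled_emails}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, fpr, email = line.split("\t")
        if status not in ACCEPTED_STATUS:
            findings.append(Finding(commit, f"signature status {status}"))
            continue  # key and email are meaningless without a verified signature
        if fpr.upper() != repo_key_fpr.upper():
            findings.append(Finding(commit, "signed with a key not registered for this repository"))
        if email.lower() not in enrolled:
            findings.append(Finding(commit, f"author {email} is not enrolled in the tenant"))
    return findings


# Constructed sample data: placeholder hashes, fingerprints and addresses.
REPO_KEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
ENROLLED = {"dev@example.com", "lead@example.com"}
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tG\t" + REPO_KEY_FPR + "\tdev@example.com",     # compliant
    "b" * 40 + "\tN\t\tdev@example.com",                          # unsigned commit
    "c" * 40 + "\tG\t" + "F" * 40 + "\tlead@example.com",         # different key
    "d" * 40 + "\tG\t" + REPO_KEY_FPR + "\tintern@example.com",   # not enrolled
])
```

In a build step, exit non-zero whenever check_commits returns a non-empty list so the job fails before anything is built.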
Appendix
AWS DevOps prerequisites
- Create an account
  - Use the same email account that you will use to sign and verify code.
- Create a repository
  - Sign in with the same email account that you will use to sign and verify code.
  - You should have privileges to clone, modify, and commit changes.
Create an account
Create a repository
- AWS CodeCommit: https://aws.amazon.com/codecommit/
- AWS DevOps: https://aws.amazon.com/devops/