AWS prescriptive-guidance documentation change
Summary
Updates include clarifying IAM role configurations, adding security scanning tool documentation (Trivy, CodeGuru), expanding security best practices with IAM references, adding CodeCommit deprecation notices, and general documentation refinements.
Security assessment
The changes enhance security documentation by adding details about IAM least-privilege practices, Trivy vulnerability scanning configuration, and CodeGuru Profiler's security issue detection. However, there is no evidence of addressing a specific security vulnerability or incident.
Diff
diff --git a/prescriptive-guidance/latest/patterns/automatically-build-and-deploy-a-java-application-to-amazon-eks-using-a-ci-cd-pipeline.md b/prescriptive-guidance/latest/patterns/automatically-build-and-deploy-a-java-application-to-amazon-eks-using-a-ci-cd-pipeline.md index 90f657743..92b53623b 100644 --- a/prescriptive-guidance/latest/patterns/automatically-build-and-deploy-a-java-application-to-amazon-eks-using-a-ci-cd-pipeline.md +++ b/prescriptive-guidance/latest/patterns/automatically-build-and-deploy-a-java-application-to-amazon-eks-using-a-ci-cd-pipeline.md @@ -13 +13 @@ SummaryPrerequisites and limitationsArchitectureToolsBest practicesEpicsRelated -This pattern describes how to create a continuous integration and continuous delivery (CI/CD) pipeline that automatically builds and deploys a Java application with recommended DevSecOps practices to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on the Amazon Web Services (AWS) Cloud. This pattern uses a greeting application developed with a Spring Boot Java framework and that uses Apache Maven. +This pattern describes how to create a continuous integration and continuous delivery (CI/CD) pipeline that automatically builds and deploys a Java application with recommended DevSecOps practices to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster on the AWS Cloud. This pattern uses a greeting application developed with a Spring Boot Java framework and that uses Apache Maven. @@ -23 +23 @@ You can use this pattern’s approach to build the code for a Java application, - * AWS Command Line Interface (AWS CLI) version 2, installed and configured. For more information about this, see [Installing, updating, and uninstalling the AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) in the AWS CLI documentation. + * AWS Command Line Interface (AWS CLI) version 2, installed and configured. For more information about this, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) in the AWS CLI documentation. @@ -25 +25 @@ You can use this pattern’s approach to build the code for a Java application, - * AWS CLI version 2 must be configured with the same IAM role that creates the Amazon EKS cluster because only that role is authorized to add other IAM roles to the `aws-auth` `ConfigMap`. For information and steps to configure AWS CLI, see [Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) in the AWS CLI documentation. +AWS CLI version 2 must be configured with the same AWS Identity and Access Management (IAM) role that creates the Amazon EKS cluster, because only that role is authorized to add other IAM roles to the `aws-auth` `ConfigMap`. For information and steps to configure AWS CLI, see [Configuring settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) in the AWS CLI documentation. @@ -27 +27 @@ You can use this pattern’s approach to build the code for a Java application, - * AWS Identity and Access Management (IAM) roles and permissions with full access to AWS CloudFormation. For more information about this, see [Controlling access with IAM](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) in the AWS CloudFormation documentation. + * IAM roles and permissions with full access to AWS CloudFormation. For more information about this, see [Controlling access with IAM](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) in the AWS CloudFormation documentation. @@ -29 +29 @@ You can use this pattern’s approach to build the code for a Java application, - * An existing Amazon EKS cluster, with details of the IAM role name and IAM role Amazon Resource Name (ARN) of worker nodes in the EKS cluster. + * An existing Amazon EKS cluster, with details of the IAM role name and the Amazon Resource Name (ARN) of the IAM role for worker nodes in the EKS cluster. @@ -31 +31 @@ You can use this pattern’s approach to build the code for a Java application, - * Kubernetes Cluster Autoscaler, installed and configured in your Amazon EKS cluster. For more information, see [Cluster Autoscaler](https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html) in the Amazon EKS documentation. + * Kubernetes Cluster Autoscaler, installed and configured in your Amazon EKS cluster. For more information, see [Scale cluster compute with Karpenter and Cluster Autoscaler](https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html) in the Amazon EKS documentation. @@ -38 +38 @@ You can use this pattern’s approach to build the code for a Java application, -_Important note_ +###### Important @@ -40 +40 @@ _Important note_ -AWS Security Hub is enabled as part of the AWS CloudFormation templates that are in the code. By default, after Security Hub is enabled, it comes with a 30–day free trial, after which there is a cost associated with this AWS service. For more information about pricing, see [AWS Security Hub pricing](https://aws.amazon.com/security-hub/pricing/). +AWS Security Hub is enabled as part of the AWS CloudFormation templates that are included in the code for this pattern. By default, after Security Hub is enabled, it comes with a 30–day free trial. After the trial, there is a cost associated with this AWS service. For more information about pricing, see [AWS Security Hub pricing](https://aws.amazon.com/security-hub/pricing/). @@ -62,0 +63,2 @@ AWS Security Hub is enabled as part of the AWS CloudFormation templates that are +**Notice** : AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal. [Learn more](https://aws.amazon.com/blogs/devops/how-to-migrate-your-aws-codecommit-repository-to-another-git-provider/). However, this solution will work with any version control system (VCS) Git provider such as GitHub or GitLab with minimal changes. + @@ -67 +69 @@ AWS Security Hub is enabled as part of the AWS CloudFormation templates that are - * Amazon Elastic Container Registry + * Amazon Elastic Container Registry (Amazon ECR) @@ -69 +71 @@ AWS Security Hub is enabled as part of the AWS CloudFormation templates that are - * Amazon Elastic Kubernetes Service + * Amazon EKS @@ -82 +84 @@ AWS Security Hub is enabled as part of the AWS CloudFormation templates that are - + @@ -96 +98 @@ The diagram shows the following workflow: - 6. CodeBuild starts the security scan process in which the Dockerfile and Kubernetes deployment Helm files are scanned using Checkov, and application source code is scanned based on incremental code changes. The application source code scan is performed by the [CodeGuru Reviewer Command Line Interface (CLI) wrapper](https://github.com/aws/aws-codeguru-cli). + 6. AWS CodeBuild starts the security scan process in which the Dockerfile and Kubernetes deployment Helm files are scanned by using Checkov, and application source code is scanned based on incremental code changes. The application source code scan is performed by the [CodeGuru Reviewer Command Line Interface (CLI) wrapper](https://github.com/aws/aws-codeguru-cli). @@ -104 +106 @@ The diagram shows the following workflow: - 10. Email notifications of various phases within the CodePipeline pipeline are sent through Amazon SNS. + 10. Email notifications of sequential phases within the CodePipeline pipeline are sent through Amazon SNS. @@ -110 +112 @@ The diagram shows the following workflow: - 13. The application pod is configured with Amazon CodeGuru Profiler Agent which will send the profiling data of the application (CPU, heap usage, and latency) to Amazon CodeGuru Profiler, which helps developers to understand the behavior of the application. + 13. The application pod is configured with Amazon CodeGuru Profiler agent, which sends the profiling data of the application (CPU, heap usage, and latency) to CodeGuru Profiler, which helps developers understand the behavior of the application. @@ -124,0 +127,2 @@ The diagram shows the following workflow: +**Notice** : AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal. [Learn more](https://aws.amazon.com/blogs/devops/how-to-migrate-your-aws-codecommit-repository-to-another-git-provider/) + @@ -135 +139 @@ The diagram shows the following workflow: - * [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources. For example, AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts. + * [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources, including AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts. @@ -139 +143 @@ The diagram shows the following workflow: - * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices. + * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state on AWS. It also helps you check your AWS environment against security industry standards and best practices. @@ -167 +171 @@ The code for this pattern is available in the GitHub [aws-codepipeline-devsecops - * The principle of least privilege has been followed for IAM entities across all the phases of this solution. If you want to extend the solution with additional AWS services or third-party tools, we recommend following the principle of least privilege. + * This pattern follows [IAM security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) to apply the principle of least privilege for IAM entities across all phases of the solution. If you want to extend the solution with additional AWS services or third-party tools, we recommend that you review the section on [applying least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the IAM documentation. @@ -169 +173 @@ The code for this pattern is available in the GitHub [aws-codepipeline-devsecops - * If you have multiple Java applications, we recommend creating separate CI/CD pipelines for each application. + * If you have multiple Java applications, we recommend that you create separate CI/CD pipelines for each application. @@ -171 +175 @@ The code for this pattern is available in the GitHub [aws-codepipeline-devsecops - * If you have a monolith application, we recommend breaking the application into microservices as much as possible. Microservices are more flexible, they make it easier to deploy applications as containers, and they provide better visibility into the overall build and deployment of the application. + * If you have a monolith application, we recommend that you break the application into microservices where possible. Microservices are more flexible, they make it easier to deploy applications as containers, and they provide better visibility into the overall build and deployment of the application. @@ -188 +192 @@ Create an S3 bucket and upload the code.| - 1. Sign in to the AWS Management Console, open the Amazon S3 console, and then create an S3 bucket in the AWS Region where you plan to deploy this solution. For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the Amazon S3 documentation. + 1. Sign in to the AWS Management Console, open the [Amazon S3 console](https://console.aws.amazon.com/s3/), and then create an S3 bucket in the AWS Region where you plan to deploy this solution. For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the Amazon S3 documentation. @@ -190 +194 @@ Create an S3 bucket and upload the code.| - 3. Navigate to where you cloned the repository. To a create compressed version of the entire code with the .zip extension (`cicdstack.zip`) and validate the .zip file, run the following commands in order. + 3. Navigate to where you cloned the repository. To create a compressed version of the entire code with the .zip extension (`cicdstack.zip`) and validate the .zip file, run the following commands in order. @@ -201 +205 @@ If the `python` command fails and states that Python was not found, use `python3 -| AWS DevOps, DevOps engineer, Cloud administrator, DevOps +| AWS DevOps, Cloud administrator, DevOps engineer @@ -204 +208 @@ Create an AWS CloudFormation stack.| - 1. Open the AWS CloudFormation console and choose **Create stack**. + 1. Open the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/) and choose **Create stack**. @@ -207,5 +211,5 @@ Create an AWS CloudFormation stack.| - * **CodeCommitRepositoryBranchName** : The branch-name where your code will be residing(the default is **main**) - * **CodeCommitRepositoryName** : The name of the CodeCommit repo to be created. - * **CodeCommitRepositoryS3Bucket** : The name of the S3 bucket where you created the code folder - * **CodeCommitRepositoryS3BucketObjKey** : `code/cicdstack.zip` - * **ECRRepositoryName** : The name of the Amazon ECR repo to be created + * `CodeCommitRepositoryBranchName`: The name of the branch where your code will reside (the default is `main`) + * `CodeCommitRepositoryName`: The name of the CodeCommitrepository to create + * `CodeCommitRepositoryS3Bucket`: The name of the S3 bucket where you created the code folder + * `CodeCommitRepositoryS3BucketObjKey`: `code/cicdstack.zip` + * `ECRRepositoryName`: The name of the Amazon ECR repository to create @@ -214 +218 @@ Create an AWS CloudFormation stack.| - 6. Note the names of the CodeCommit and Amazon ECR repositories, which will be required for the Java CI/CD pipeline setup. + 6. Note the names of the CodeCommit and Amazon ECR repositories, which will be required to set up the Java CI/CD pipeline. @@ -216 +220 @@ Create an AWS CloudFormation stack.| -| AWS DevOps, DevOps +| AWS DevOps, DevOps engineer @@ -219,2 +223,2 @@ Validate the CloudFormation stack deployment.| - 1. Under **Stacks** on the CloudFormation console, verify the status of CloudFormation stack that you deployed. The status of the stack should be **CREATE COMPLETE**. - 2. Additionally, from the console, validate that CodeCommit and Amazon ECR have been provisioned and are ready. + 1. Under **Stacks** on the CloudFormation console, verify the status of the CloudFormation stack that you deployed. The status of the stack should be **CREATE COMPLETE**. + 2. From the console, validate that the CloudFormation and Amazon ECR repositories have been provisioned and are ready. @@ -222,2 +226,2 @@ Validate the CloudFormation stack deployment.| -| DevOps engineer -Delete the S3 bucket.| Empty and delete the S3 bucket that you created earlier. For more information, see [Deleting a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-bucket.html) in the Amazon S3 documentation.| AWS DevOps, DevOps +| AWS DevOps, DevOps engineer +Delete the S3 bucket.| Empty and delete the S3 bucket that you created earlier. For more information, see [Deleting a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-bucket.html) in the Amazon S3 documentation.| AWS DevOps, DevOps engineer @@ -244 +248 @@ Configure the Helm charts of your Java application.| -To use a different service (for example, `NodePort`), you can change the parameters. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). +To use a different service (for example, `NodePort`), you can change this parameter. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). @@ -253,0 +258 @@ To use a different service (for example, `NodePort`), you can change the paramet + 4. You can enable different features for the Kubernetes workloads by changing the values in the `values.<ENV>.yaml` file, where `<ENV>` is your development, production, UAT, or QA environment. @@ -255 +260 @@ To use a different service (for example, `NodePort`), you can change the paramet -You can enable different features for the Kubernetes workloads by changing the values in the `values.<ENV>.yaml` file, where `<ENV>` is your development, production, UAT, or QA environment.| DevOps +| DevOps engineer @@ -275 +280 @@ Create the CI/CD pipeline.| - 1. Open the AWS CloudFormation console, and choose **Create stack**. + 1. Open the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/), and choose **Create stack**. @@ -278,9 +283,9 @@ Create the CI/CD pipeline.| - * **CodeBranchName** : Branch name of CodeCommit repo, where your code resides - * **EKSClusterName:** Name of your EKS cluster (not the `EKSCluster` ID) - * **EKSCodeBuildAppName** : Name of the app Helm chart (`aws-proserve-java-greeting`) - * **EKSWorkerNodeRoleARN** : ARN of the Amazon EKS worker nodes IAM role - * **EKSWorkerNodeRoleName** : Name of the IAM role assigned to the Amazon EKS worker nodes - * **EcrDockerRepository** : Name of Amazon ECR repo where the Docker images of your code will be stored - * **EmailRecipient** : Email address where build notifications need to be sent - * **EnvType** : Environment (for example, dev, test, or prod) - * **SourceRepoName** : Name of the CodeCommit repo, where your code resides + * `CodeBranchName`: Branch name of the CodeCommit repository where your code resides + * `EKSClusterName`: Name of your EKS cluster (not the `EKSCluster` ID) + * `EKSCodeBuildAppName`: Name of the app Helm chart (`aws-proserve-java-greeting`) + * `EKSWorkerNodeRoleARN`: ARN of the IAM role assigned to the Amazon EKS worker nodes + * `EKSWorkerNodeRoleName`: Name of the IAM role assigned to the Amazon EKS worker nodes + * `EcrDockerRepository`: Name of the Amazon ECR repository where the Docker images of your code will be stored + * `EmailRecipient`: Email address where build notifications should be sent + * `EnvType`: Environment (for example, dev, test, or prod) + * `SourceRepoName`: Name of the CodeCommit repository where your code resides @@ -288 +293 @@ Create the CI/CD pipeline.| - 5. In the **Review** section, verify the AWS CloudFormation template and stack details, and then choose **Next**. + 5. In the **Review** section, verify the CloudFormation template and stack details, and then choose **Next**. @@ -291 +296 @@ Create the CI/CD pipeline.| - 8. After the stack is created, open the **Outputs** tab of the stack, and then record the ARN value for the `EksCodeBuildkubeRoleARN` output key. This IAM ARN value will be required later for providing the CodeBuild IAM role with permissions to deploy workloads in the Amazon EKS cluster. + 8. After the stack is created, open the **Outputs** tab of the stack, and then record the ARN value for the `EksCodeBuildkubeRoleARN` output key. This IAM ARN value will be required later when you provide permissions for the CodeBuild IAM role to deploy workloads in the Amazon EKS cluster. @@ -299 +304 @@ Turn on Aqua Security integration.| This step is required for uploading the Dock - 1. Open the **AWS Security Hub** console, and navigate to **Integrations**. + 1. Open the [AWS Security Hub console](https://console.aws.amazon.com/securityhub/), and navigate to **Integrations**. @@ -307 +312 @@ Task| Description| Skills required -Allow CodeBuild to run Helm or kubectl commands in the Amazon EKS cluster.| For CodeBuild to be authenticated to use Helm or `kubectl` commands with the EKS cluster, you must add the IAM roles to the `aws-auth` `ConfigMap` _._ In this case, add the ARN of IAM role `EksCodeBuildkubeRoleARN`, which is the IAM role created for the CodeBuild service to access the EKS cluster and deploy workloads on it. This is a one-time activity. +Allow CodeBuild to run Helm or kubectl commands in the Amazon EKS cluster.| For CodeBuild to be authenticated to use Helm or `kubectl` commands with the Amazon EKS cluster, you must add the IAM roles to the `aws-auth` `ConfigMap`. In this case, add the ARN of the IAM role `EksCodeBuildkubeRoleARN`, which is the IAM role created for the CodeBuild service to access the Amazon EKS cluster and deploy workloads on it. This is a one-time activity. @@ -339 +344 @@ For the pipeline to fail when vulnerabilities are reported for the Dockerfile an - 2. Similar to CodeSecurity Scan, the Build stage uses Aqua Security Trivy for identifying HIGH and CRITICAL Docker image vulnerabilities before pushing the application. to Amazon ECR. In this example, we are not making pipeline fail for Docker image vulnerabilities. In the file `buildspec/buildspec.yml`, the `trivy` command includes the flag****`--exit-code`**** with a value****`0`, which is why pipeline doesn’t fail when HIGH or CRITICAL Docker image vulnerabilities are reported. + 2. Similar to CodeSecurity Scan, the Build stage uses Aqua Security Trivy to identify `HIGH` and `CRITICAL` Docker image vulnerabilities before pushing the application to Amazon ECR. @@ -343,2 +348,2 @@ For the pipeline to fail when vulnerabilities are reported for the Dockerfile an -For the pipeline to fail when `HIGH, CRTICAL` vulnerabilities are reported, change the value of `--exit-code` to `1`.Developers or engineers can then fix the vulnerabilities and commit the changes to the CodeCommit source code repository. - 3. Docker image vulnerabilities reported by Aqua Security Trivy are uploaded to **Security Hub**. On the AWS Security Hub console, navigate to **Findings**. Filter the findings with **Record** **State = Active** and **Product = Aqua Security**. This will list the Docker image vulnerabilities in Security Hub. It can take 15 minutes–1 hour for vulnerabilities to appear on Security Hub. +In this example, the pipeline doesn’t fail when Docker image vulnerabilities are reported, because the `trivy` command in the `buildspec/buildspec.yml` file includes the flag****`--exit-code`**** with a value**** of`0`. For the pipeline to fail when `HIGH` and `CRTICAL` vulnerabilities are reported, change the value of `--exit-code` to `1`. Developers or engineers can then fix the vulnerabilities and commit the changes to the CodeCommit source code repository. + 3. Docker image vulnerabilities reported by Aqua Security Trivy are uploaded to Security Hub. On the Security Hub console, navigate to **Findings**. Filter the findings with **Record** **State = Active** and **Product = Aqua Security**. This lists the Docker image vulnerabilities in Security Hub. It can take 15 minutes to an hour for vulnerabilities to appear in Security Hub. @@ -346 +351 @@ For the pipeline to fail when `HIGH, CRTICAL` vulnerabilities are reported, chan -For more information about starting the pipeline by using CodePipeline, see [Start a pipeline in CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-about-starting.html), [Start a pipeline manually](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-rerun-manually.html), and [Start a pipeline on a schedule](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-schedule.html) in the AWS CodePipeline documentation.| DevOps +For more information about starting the pipeline by using CodePipeline, see [Start a pipeline in ](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-about-starting.html)CodePipeline, [Start a pipeline manually](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-rerun-manually.html), and [Start a pipeline on a schedule](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-trigger-source-schedule.html) in the CodePipeline documentation.| DevOps @@ -349 +354 @@ Approve the deployment.| - 1. After the build phase is complete, there is a deployment approval gate. The reviewer or a release manager should inspect the build and, if all requirements are met, approve it. This is the recommended approach for teams that use continuous delivery for application deployment. + 1. After the build phase is complete, there is a deployment approval gate. The reviewer or a release manager should inspect the build, and, if all requirements are met, approve it. This is the recommended approach for teams that use continuous delivery for application deployment. @@ -354 +359 @@ Approve the deployment.| -Validate application profiling.| After the deployment is complete and the application pod is deployed in Amazon EKS, the Amazon CodeGuru Profiler agent configured in the application will try to send profiling data of the application (CPU, heap summary, latency, and bottlenecks) to Amazon CodeGuru Profiler.For the initial deployment of an application, Amazon CodeGuru Profiler takes about 15 minutes to visualize the profiling data.| AWS DevOps +Validate application profiling.| After the deployment is complete and the application pod is deployed in Amazon EKS, the Amazon CodeGuru Profiler agent that is configured in the application will try to send profiling data of the application (CPU, heap summary, latency, and bottlenecks) to CodeGuru Profiler.For the initial deployment of an application, CodeGuru Profiler takes about 15 minutes to visualize the profiling data.| AWS DevOps @@ -360 +365 @@ Validate application profiling.| After the deployment is complete and the applic - * [Scanning images with Trivy in an AWS CodePipeline](https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/) (blog post) + * [Scanning images with Trivy in an AWS CodePipeline](https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/) (AWS blog post) @@ -362 +367 @@ Validate application profiling.| After the deployment is complete and the applic - * [Improving your Java applications using Amazon CodeGuru Profiler](https://aws.amazon.com/blogs/devops/improving-your-java-applications-using-amazon-codeguru-profiler) (blog post) + * [Improving your Java applications using Amazon CodeGuru Profiler](https://aws.amazon.com/blogs/devops/improving-your-java-applications-using-amazon-codeguru-profiler) (AWS blog post) @@ -375 +380,8 @@ Validate application profiling.| After the deployment is complete and the applic -CodeGuru Profiler should not be confused with the AWS X-Ray service in terms of functionality. CodeGuru Profiler is preferred for identifying the most expensive lines of codes, which might cause bottlenecks or security issues, and fix them before they become a potential risk. AWS X-Ray service is for application performance monitoring. + * AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal. [Learn more](https://aws.amazon.com/blogs/devops/how-to-migrate-your-aws-codecommit-repository-to-another-git-provider/). This solution will also work with any version control system (VCS) Git provider such as GitHub or GitLab with minimal changes. + + * CodeGuru Profiler should not be confused with the AWS X-Ray service in terms of functionality. We recommend that you use CodeGuru Profiler to identify the most expensive lines of codes that might cause bottlenecks or security issues, and fix them before they become a potential risk. The X-Ray service is for application performance monitoring. + + * In this pattern, event rules are associated with the default event bus. If needed, you can extend the pattern to use a custom event bus. + + * This pattern uses CodeGuru Reviewer as a static application security testing (SAST) tool for application code. You can also use this pipeline for other tools, such as SonarQube or Checkmarx. You can add the scan setup instructions for any of these tools to `buildspec/buildspec_secscan.yaml` to replace the CodeGuru scan instructions. + @@ -377 +388,0 @@ CodeGuru Profiler should not be confused with the AWS X-Ray service in terms of -In this pattern, event rules are associated with the default event bus. If needed, you can extend the pattern to use a custom event bus. @@ -379 +389,0 @@ In this pattern, event rules are associated with the default event bus. If neede -This pattern uses CodeGuru Reviewer as a static application security testing (SAST) tool for application code. You can also use this pipeline for other tools, such as SonarQube or Checkmarx. The corresponding scan setup instructions of any of these tools can be added in `buildspec/buildspec_secscan.yaml`, replacing the scan instructions of CodeGuru.