Many Continuous Integration (CI) systems operating within a cloud environment wield root-like privileges. This is primarily because pinpointing the exact permissions needed can often be a complex and sometimes insurmountable task. However, we can take measures to limit who or what has the power to invoke processes within the CI system, as well as compartmentalize our company's infrastructure.
Accounts Isolation
Having separate cloud accounts and SaaS accounts for different environments and products is a basic necessity for both security and reliability. It allows role and credential isolation, and makes it possible to guard access to production and customer-data accounts more tightly, both for compliance and to avoid mistakes.
Limiting Access
Given the above point, we should be able to map each repository's build/deploy steps to a role that corresponds to a specific AWS account.
There are cross-account concerns, but those can be handled with very specific policies.
The ability to access or modify the build should be limited to the repository contributors, a list that should itself be kept short (to mitigate the risk of PRs that expose credentials).
Supply Chain Risk Mitigation
Regularly monitor dependency security, although it's worth noting that many alerts turn out to be false positives in most contexts.
Distinguish between the CI and deployment process contexts, ensuring the latter only deals with already-built artifacts.
Establish separate runtime environments and variables for each step.
Minimize reliance on third-party systems. Trust, after all, can be precarious. A case in point is the Codecov supply chain breach.
Choice and Maintenance of CI Systems
Selecting the right CI system is pivotal. Here are some features that a robust CI system should ideally have:
The ability to sandbox each build process.
Network isolation capabilities for the build server.
Efficient secrets handling.
Support for OpenID Connect (OIDC) authentication, especially when a third-party build server needs to access AWS accounts.
Notably, both GitHub Actions and GitLab CI largely meet these criteria.
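The repository-to-role mapping from "Limiting Access" and the OIDC point above can be enforced in the role's trust policy. The following is an added example, not code from any CI vendor or from this article's author: it builds a trust policy pinned to one repository and branch for GitHub Actions OIDC, and audits a policy for conditions that trust more than that. The account ID, repository name and function names are constructed placeholders.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def trust_policy(account_id, repo, ref="refs/heads/main"):
    """Trust policy: only `repo` at `ref` may assume the role in `account_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": f"repo:{repo}:ref:{ref}",
            }},
        }],
    }

def audit(policy, expected_repo):
    """Return findings for Allow statements that trust more than `expected_repo`."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        claims = {"aud": [], "sub": []}
        # Collect aud/sub values across all condition operators (keys are case-insensitive).
        for operator_block in stmt.get("Condition", {}).values():
            for key, value in operator_block.items():
                for claim in claims:
                    if key.lower() == f"{GITHUB_OIDC}:{claim}":
                        claims[claim] += value if isinstance(value, list) else [value]
        if not claims["aud"]:
            findings.append("missing aud condition")
        if not claims["sub"]:
            findings.append("missing sub condition: any repository can assume this role")
        for sub in claims["sub"]:
            parts = sub.split(":")
            if len(parts) < 3 or parts[0] != "repo" or parts[1] != expected_repo:
                findings.append(f"sub {sub!r} is not pinned to {expected_repo}")
            elif "*" in sub or "?" in sub:
                findings.append(f"sub {sub!r} has a wildcard after the repository name")
    return findings

# Constructed samples: the account ID and repository name are placeholders.
GOOD = trust_policy("111111111111", "example-org/payments")
WEAK = trust_policy("111111111111", "example-org/payments")
WEAK["Statement"][0]["Condition"] = {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}}
```

Running `audit` over every CI-assumable role in each account gives a quick check that a role in the production account is reachable only from the repository and branch it was mapped to.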
Future ideas
Integrate anomaly detection within the system.
Embrace packaging systems designed to counter supply chain attacks.