Snyk Developer-First Security on the AWS Cloud

Quick Start deployment guide

February 2022
John Smith and Carwin Young, Snyk
Dylan Owen, AWS Integration & Automation team

See the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Quick Start. To comment on the documentation, refer to Feedback.

This Quick Start was created by Snyk in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices.

Overview

This guide provides instructions for deploying Snyk on the AWS Cloud. If you are unfamiliar with AWS Quick Starts, refer to the AWS Quick Start General Information Guide.

This Quick Start is for developers, DevOps, security teams, and others who build, deploy, and maintain serverless applications or container images that use AWS Lambda and Amazon Elastic Container Registry (Amazon ECR).

Costs and licenses

This Quick Start is available to Snyk customers on all pricing plans. If you’re not a Snyk customer, you can register for a free account from Snyk. For information about payment plans (required for the Amazon ECR on AWS Control Tower option), refer to Snyk: Developer Security Platform (Business and Enterprise Tiers).

There is no cost to use this Quick Start, but you will be billed for any AWS resources it deploys. For more information, refer to the AWS Quick Start General Information Guide.

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Snyk environment in the AWS Cloud.

Figure 1. Quick Start architecture for Snyk on AWS

As shown in Figure 1, this Quick Start for Snyk Security provides the following deployment options:

  • AWS Lambda and Amazon ECR full integration with Snyk, including two cross-account AWS Identity and Access Management (IAM) roles, one for each product.

  • AWS Lambda integration with Snyk, including one cross-account IAM role.

  • Amazon ECR integration with Snyk, including one cross-account IAM role.

  • Amazon ECR integration with Snyk with automated configuration, including one cross-account IAM role.

Deployment options

This Quick Start provides four deployment options, listed under Architecture.

The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Snyk settings.

Predeployment steps

Prepare your AWS account

This Quick Start assumes that you already have Amazon ECR repositories or Lambda functions provisioned in your account.

Prepare your Snyk account

Regardless of which Quick Start option you choose, log in to your Snyk account, as shown in Figure 2, and obtain your organization ID.

Figure 2. Snyk Settings page

Automated configuration for Amazon ECR

If you deploy Snyk security using the automated configuration option for Amazon ECR, obtain an API authentication token. The token automates the creation of organizations and ECR integrations within Snyk.

You may use either your personal account token, available through your Snyk account’s settings page, as shown in Figure 3, or a service-account token. Service-account tokens can be generated through the Settings page for your organization within Snyk, as shown in Figure 4. For more information, refer to Service accounts.

An automated integration of Amazon ECR with Snyk requires a paid Snyk subscription.

Figure 3. Snyk account settings page

Figure 4. Snyk organization service account settings

Snyk account access

For the created roles to function, a Snyk account is required. Note that this deployment grants Snyk the ability to assume an IAM role in your account. To continue, use 198361731867 as the account ID for the Snyk AWS account ID parameter.
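Because the deployment trusts an external AWS account, a practitioner will want to confirm after deployment that each created role's trust policy allows only that account to assume it. The following check is an added example, not code from this Quick Start or its templates; it reads a trust policy in the standard IAM policy JSON format, and the sample policy embedded in it is constructed for illustration.

```python
import json
from typing import List, Optional, Union

SNYK_AWS_ACCOUNT_ID = "198361731867"  # Snyk AWS account ID given in this guide

# Constructed sample trust policy (standard IAM policy JSON), shaped like the
# trust a cross-account role for Snyk carries; not taken from the templates.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::198361731867:root"},
    "Action": "sts:AssumeRole"}]})

def _account_from_principal(principal: str) -> Optional[str]:
    """Return the 12-digit account ID in an AWS principal, else None (e.g. '*')."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")  # arn:partition:iam::ACCOUNT:root
    if len(parts) >= 5 and parts[4].isdigit() and len(parts[4]) == 12:
        return parts[4]
    return None

def check_trust_policy(policy: Union[str, dict],
                       expected_account: str = SNYK_AWS_ACCOUNT_ID) -> List[str]:
    """One finding per principal allowed to assume the role that is not the
    expected account; an empty list means trust is limited to that account."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen the trust
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("any principal (*) may assume the role")
            continue
        for ptype, values in principal.items():
            if ptype != "AWS":  # Service/Federated trust is not expected here
                findings.append(f"non-account principal type present: {ptype}")
                continue
            for p in ([values] if isinstance(values, str) else values):
                account = _account_from_principal(p)
                if account is None:
                    findings.append(f"wildcard or unparseable principal: {p}")
                elif account != expected_account:
                    findings.append(f"unexpected account may assume the role: {account}")
    return findings
```

To run it against a deployed role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role` for that role name; any finding means the trust is wider than the Snyk account alone.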

Deployment steps

  1. Sign in to your AWS account, and launch this Quick Start, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template. Deployment takes about 15 minutes to complete.

  2. Ensure that you set the correct AWS Region, and choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you are customizing the Quick Start templates for your own projects, don’t change the default settings for the following Amazon Simple Storage Service (Amazon S3) parameters: Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, refer to the AWS Quick Start Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and that it might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Snyk Developer-First Security deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Snyk integration with Amazon ECR

Deploying the Snyk security Quick Start for Amazon Elastic Container Registry (Amazon ECR) creates an integration for your Snyk organization. After it deploys, you can add repositories for Snyk to scan by following these steps:

  1. Log in to your Snyk account.

  2. Navigate to Projects, choose Add projects, and then choose Amazon ECR.

  3. Select either single or multiple images.

  4. Choose Add selected repositories.

For more information, refer to Amazon ECR: add images to Snyk.

Both integration options connect the deployed Amazon ECR instance to the Snyk organization provided in the Quick Start parameters. Deployment may fail, however, if your chosen Snyk organization has an existing ECR integration or if the authentication token you provide in the parameters has insufficient permissions.

Snyk integration with AWS Lambda

  1. Log in to your Snyk account.

  2. Go to Projects, choose Add projects, and then choose AWS Lambda.

  3. Select the relevant functions.

  4. Choose Add selected functions.

Snyk supports integrating with AWS Lambda for Node.js, Ruby, and Java projects.

For more information, refer to AWS Lambda integration.

Troubleshooting

For common Quick Start issues, refer to the AWS Quick Start General Information Guide and Troubleshooting CloudFormation.

After you successfully deploy a Quick Start, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, refer to the Quick Start Contributor’s Guide. For all other feedback, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. See the License for specific language governing permissions and limitations.