Snyk Developer-First Security on the AWS Cloud
Quick Start deployment guide
John Smith and Carwin Young, Snyk
Dylan Owen, AWS Integration & Automation team
|See the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Quick Start. To comment on the documentation, refer to Feedback.|
This Quick Start was created by Snyk in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices.
This guide provides instructions for deploying Snyk on the AWS Cloud. If you are unfamiliar with AWS Quick Starts, refer to the AWS Quick Start General Information Guide.
This Quick Start is for developers, DevOps, security teams, and others who build, deploy, and maintain serverless applications or container images that use AWS Lambda and Amazon Elastic Container Registry (Amazon ECR).
Costs and licenses
This Quick Start is available to Snyk customers of all pricing plans. If you’re not a Snyk customer, you can register for a free account from Snyk. For information about payment plans (required for Amazon ECR on AWS Control Tower option), refer to Snyk: Developer Security Platform (Business and Enterprise Tiers).
There is no cost to use this Quick Start, but you will be billed for any AWS resources it deploys. For more information, refer to the AWS Quick Start General Information Guide.
Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Snyk environment in the AWS Cloud.
As shown in Figure 1, this Quick Start for Snyk Security provides the following deployment options:
AWS Lambda and Amazon ECR full integration with Snyk, including two cross-account AWS Identity and Access Management (IAM) roles for each product.
AWS Lambda integration with Snyk, including one cross-account IAM role.
Amazon ECR integration with Snyk, including one cross-account IAM role.
Amazon ECR integration with Snyk with automated configuration, including one cross-account IAM role.
This Quick Start provides four deployment options:
Deploy Snyk Security full integration. This option deploys both Amazon ECR and AWS Lambda integrations for Snyk as a single deployment.
Deploy Snyk Security integration with AWS Lambda. This option deploys only the AWS Lambda integration for Snyk.
Deploy Snyk Security integration with Amazon ECR. This option deploys only the Amazon ECR integration for Snyk.
Deploy Snyk Security integration with Amazon ECR and automated Snyk integration. This option deploys the Amazon ECR integration for Snyk. It creates a new organization within a Snyk account that’s preconfigured with an Amazon ECR integration.
The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Snyk settings.
Prepare your AWS account
This Quick Start assumes that you already have Amazon ECR repositories or Lambda functions provisioned in your account.
Prepare your Snyk account
Automated configuration for Amazon ECR
If you deploy Snyk security using the automated configuration option for Amazon ECR, obtain an API authentication token. The token automates the creation of organizations and ECR integrations within Snyk.
You may use either your personal account token, available through your Snyk account’s settings page, as shown in Figure 3, or a service-account token. Service-account tokens can be generated through the Settings page for your organization within Snyk, as shown in Figure 4. For more information, refer to Service accounts.
|An automated integration of Amazon ECR with Snyk requires a paid Snyk subscription.|
Snyk account access
For created roles to function, a Snyk account is required. Note that this deployment grants Snyk the ability to assume an IAM role in your account. To continue, use 198361731867 as the account ID for the Snyk AWS account ID parameter.
Sign in to your AWS account, and launch this Quick Start, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template. Deployment takes about 15 minutes to complete.
Ensure that you set the correct AWS Region, and choose Next.
On the Create stack page, keep the default setting for the template URL, and then choose Next.
On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.
Unless you are customizing the Quick Start templates for your own projects, don’t change the default settings for the following Amazon Simple Storage Service (Amazon S3) parameters: Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, refer to the AWS Quick Start Contributor’s Guide.
On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.
Choose Create stack to deploy the stack.
Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Snyk Developer-First Security deployment is ready.
To view the created resources, choose the Outputs tab.
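Because the deployment's purpose is to let an external account (Snyk, 198361731867) assume a role in yours, the role's trust policy is the resource worth checking once the stack reaches CREATE_COMPLETE. The following script is an added example, not part of the Quick Start or its templates: it audits a trust-policy document of the shape returned by iam:GetRole, using a constructed sample policy, and flags any AssumeRole statement that is open to other principals or that lacks an sts:ExternalId condition (a general AWS recommendation for third-party roles; whether the Quick Start templates set one is not stated in this guide).

```python
"""Audit the trust policy of a cross-account IAM role created for Snyk.

Added example: parses a trust-policy document of the kind returned by
iam:GetRole (AssumeRolePolicyDocument) and reports whether every statement
allowing sts:AssumeRole is limited to the Snyk AWS account and carries an
sts:ExternalId condition (an assumption about good practice, not a statement
about what the Quick Start templates emit).
"""
import json
import re

SNYK_AWS_ACCOUNT_ID = "198361731867"  # value given in the Quick Start guide


def _as_list(value):
    """Normalise IAM's scalar-or-list fields to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account ID from a bare account string or an IAM ARN."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = re.match(r"arn:aws:iam::(\d{12}):", principal)
    return match.group(1) if match else None


def audit_trust_policy(policy_json, expected_account=SNYK_AWS_ACCOUNT_ID):
    """Return a list of findings; an empty list means the policy looks as expected."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("any AWS principal may assume the role")
            continue
        for arn in _as_list(principal.get("AWS")):
            if _account_of(arn) != expected_account:
                findings.append(f"unexpected principal: {arn}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition on AssumeRole")
    return findings


# Constructed sample policy, not the output of the Quick Start's own template.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::198361731867:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})
```

To run it against a deployed role, feed in the AssumeRolePolicyDocument from the role shown on the stack's Outputs tab (for example via `aws iam get-role`); any non-empty result is worth reviewing before adding repositories or functions.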
Snyk integration with Amazon ECR
Deploying the Snyk security Quick Start for Amazon Elastic Container Registry (Amazon ECR) creates an integration for your Snyk organization. After it deploys, you can add repositories for Snyk to scan by following these steps:
Log in to your Snyk account.
Navigate to Projects, choose Add projects, and then choose Amazon ECR.
Select either single or multiple images.
Choose Add selected repositories.
For more information, refer to Amazon ECR: add images to Snyk.
|Both integration options connect the deployed Amazon ECR instance to the Snyk organization provided in the Quick Start parameters. Deployment may fail, however, if your chosen Snyk organization has an existing ECR integration or if the authentication token you provide in the parameters has insufficient permissions.|
Snyk integration with AWS Lambda
Log in to your Snyk account.
Go to Projects, choose Add projects, and then choose AWS Lambda.
Select the relevant functions.
Choose Add selected functions.
|Snyk supports integrating with AWS Lambda for Node.js, Ruby, and Java projects.|
For more information, refer to AWS Lambda integration.
After you successfully deploy a Quick Start, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.
This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. See the License for specific language governing permissions and limitations.