Snyk Developer-First Security on the AWS Cloud

Quick Start Reference Deployment

QS

December 2020
Jay Yeras, Snyk
Dylan Owen, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Snyk in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This guide provides instructions for deploying the Snyk Quick Start reference architecture on the AWS Cloud.

Snyk finds and fixes vulnerabilities in applications that use open-source, serverless, and container solutions. Snyk’s seamless integration into the developer workflow, with continuous monitoring of applications in production, empowers developers to continue to release fast, while ensuring secure code.

This Quick Start is for developers, DevOps, security teams, and other roles within an organization that build, deploy, and maintain serverless applications or container images that use AWS Lambda and Amazon Elastic Container Registry (Amazon ECR).

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Snyk Developer-First Security on AWS

About Snyk

Snyk empowers software-driven businesses to develop fast and stay secure. Snyk offers several products to secure your applications:

  • Snyk Open Source: Enables developers to find and automatically fix open-source vulnerabilities.

  • Snyk Container: Find and fix vulnerabilities in container images and Kubernetes applications.

  • Snyk Infrastructure as Code: Find and fix insecure configurations in Infrastructure as Code (IaC) tools and Kubernetes code.

  • Snyk Intel Vulnerability DB Access: Expose comprehensive and actionable open-source and container vulnerability data.

  • Snyk License Compliance Management: Identify, monitor, and manage open-source license usage across your projects.

Snyk Container and Amazon ECR

Snyk integrates with Amazon ECR to help you import projects and monitor containers for vulnerabilities. Snyk tests your imported projects for known security vulnerabilities at a frequency that you control. Integration with Amazon ECR is available for all pricing plans. For more information, see Snyk Container.

Snyk Open Source and AWS Lambda

Snyk integrates with AWS Lambda to help you monitor your deployed AWS Lambda resources. With this integration, you can scan Lambda functions deployed to your AWS account and start managing the security of your code by identifying vulnerabilities and getting fix advice.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

This Quick Start is available to Snyk customers of all pricing plans. If you are not currently a Snyk customer, you can register for a free account on the Snyk login page. For information on payment plans, see the Snyk AWS Marketplace page.

Architecture

This Quick Start establishes cross-account access and enables Snyk integrations with AWS Lambda and Amazon ECR.

Architecture
Figure 1. Quick Start architecture for Snyk on AWS

As shown in Figure 1, the Quick Start for Snyk Security sets up the following three deployment options:

  • AWS Lambda and Amazon ECR full integration with Snyk, including two cross-account AWS Identity and Access Management (IAM) roles for each product.

  • AWS Lambda integration with Snyk, including one cross-account IAM role.

  • Amazon ECR integration with Snyk, including one cross-account IAM role.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start also assumes that you are familiar with AWS CloudFormation, IAM, Amazon Elastic Container Registry, and AWS Lambda.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

ECR

0

Lambda

0

Supported AWS Regions

For any Quick Start to work in a Region other than its default Region, all the services it deploys must be supported in that Region. You can launch a Quick Start in any Region and see if it works. If you get an error such as “Unrecognized resource type,” the Quick Start is not supported in that Region.

For an up-to-date list of AWS Regions and the AWS services they support, see AWS Regional Services.

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides three deployment options:

  • Deploy Snyk Security full integration. This option enables both Amazon ECR and AWS Lambda integrations for Snyk as a single deployment.

  • Deploy Snyk Security integration with AWS Lambda. This option enables only the AWS Lambda integration for Snyk.

  • Deploy Snyk Security integration with Amazon ECR. This option enables only the Amazon ECR integration for Snyk.

The Quick Start provides separate templates for these options.

Prepare your AWS account

This Quick Start assumes that you already have Amazon ECR repositories and/or Lambda functions provisioned in your account.

Prepare your Snyk account

Snyk Organization ID
Figure 2. Snyk Settings page

As shown in the Figure 2, log in to your Snyk account and obtain your Organization ID.

Snyk Account Access

The Snyk AWS Account is required to assume a role in your account in order to function. Please be aware that this deployment grants Snyk the ability to assume an IAM role in your account. In order to continue, please use 198361731867 as the account ID for the Snyk AWS Account ID parameter

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Sign in to your Snyk account

This Quick Start requires a registered Snyk account with any plan: Free, Standard, Pro, or Enterprise. To purchase Standard or Pro plans through the AWS Marketplace, do the following steps:

  1. Sign in to your AWS account.

  2. Open the Snyk Developer-First Security page in AWS Marketplace, and then choose Continue to Subscribe.

  3. Review the terms and conditions for software usage, and then choose Accept Terms.
    A confirmation page loads, and an email confirmation is sent to the account owner. For detailed subscription instructions, see the AWS Marketplace documentation.

  4. When the subscription process is complete, close the AWS Marketplace without further action.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

Each deployment takes about 15 minutes to complete.

  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see Deployment options earlier in this guide.

Deploy Snyk Security full integration on AWS

View template

Deploy Snyk Security with Amazon ECR

View template

Deploy Snyk Security with AWS Lambda

View template

  1. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where the network infrastructure for Snyk is built. The template is launched in the us-east-1 Region by default.

  1. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  2. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  3. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  4. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  5. Choose Create stack to deploy the stack.

  6. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Snyk deployment is ready.

  7. To view the created resources, see the values displayed in the Outputs tab for the stack.

Test the deployment

Snyk integration with Amazon ECR

  1. Log in to your Snyk account.

  2. Go to Projects, select Add projects, and then select Amazon ECR.

  3. Select single or multiple images.

  4. Select Add selected repositories.

Snyk integration with AWS Lambda

  1. Log in to your Snyk account.

  2. Go to Projects, select Add projects, and then select AWS Lambda.

  3. Select the relevant functions.

  4. Select Add selected functions.

Snyk currently supports integration with AWS Lambda for Node, Ruby, and Java projects.

For more information, see AWS Lambda integration.

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas.

Q. Where can I find additional resources?

A. See the following resources:

Snyk documentation

Other Quick Start reference deployments

Troubleshooting

For Snyk-specific troubleshooting, see the Snyk Knowledge Center.

For troubleshooting AWS CloudFormation stacks, see Troubleshooting AWS CloudFormation.

Customer responsibility

After you successfully deploy this Quick Start, confirm that your resources and services are updated and configured — including any required patches — to meet your security and other needs. For more information, see the AWS Shared Responsibility Model.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Snyk integration for AWS services

Table 1. Snyk
Parameter label (name) Default value Description

Snyk organization ID (SnykExternalId)

Requires input

Locate the organization ID by logging in to https://app.snyk.io and navigating to Settings.

Snyk AWS Account ID (SnykAWSAccountNumber)

Requires input

Snyk’s AWS Account ID which assumes a role in your account. Please see the deployment guide 'Technical requirements

Table 2. AWS Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)

aws-quickstart

Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.

Quick Start S3 bucket Region (QSS3BucketRegion)

us-east-1

AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.

Quick Start S3 key prefix (QSS3KeyPrefix)

quickstart-snyk-security/

S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.

Snyk integration for AWS Lambda

Table 3. Snyk
Parameter label (name) Default value Description

Snyk organization ID (SnykExternalId)

Requires input

Locate the organization ID by logging in to https://app.snyk.io and navigating to Settings.

Snyk AWS Account ID (SnykAWSAccountNumber)

Requires input

Snyk’s AWS Account ID which assumes a role in your account. Please see the deployment guide 'Technical requirements

Snyk Account Access' for this Account ID

Lambda Resource ARN (LambdaResourceARN)

*

Snyk integration for Amazon ECR

Table 4. Snyk
Parameter label (name) Default value Description

Snyk organization ID (SnykExternalId)

Requires input

Locate the organization ID by logging in to https://app.snyk.io and navigating to Settings.

Snyk AWS Account ID (SnykAWSAccountNumber)

Requires input

Snyk’s AWS Account ID which assumes a role in your account. Please see the deployment guide 'Technical requirements

Snyk Account Access' for this Account ID

ECR Resource ARN (ECRResourceARN)

*

Snyk integration for Amazon ECR

Table 5. Snyk
Parameter label (name) Default value Description

Snyk Group ID to associate with new Org (SnykGroupId)

Requires input

Locate the Group ID by logging in to https://app.snyk.io and navigating to Settings.

Snyk Org ID from which to copy permissions (SnykParentOrgId)

Requires input

Locate the Organization ID by logging in to https://app.snyk.io and navigating to Settings. This Organization will act as the permissions template for the Organization generated by this template.

Snyk API authentication token, preferably a service account token (SnykAuthToken)

Requires input

Locate your account’s API token by logging in to https://app.snyk.io and navigating to Account Settings. It is recommended that you use a Service Account token instead of your personal API Token.

Snyk AWS Account ID (SnykAWSAccountNumber)

Requires input

Snyk’s AWS Account ID which assumes a role in your account. Please see the deployment guide 'Technical requirements

Snyk Account Access' for this Account ID

ECR Resource ARN (ECRResourceARN)

*

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.