From Code to Cloud: A Practical Guide to Building a Secure DevSecOps Pipeline on AWS

The Backstory

In the world of technology, continuous learning is key. To put modern DevSecOps principles into practice, I decided to build a complete, end-to-end project from scratch. The goal was to create a real-world example of a secure software development lifecycle.

This article documents each step of that journey, from a simple idea to a fully secured, containerised application running in AWS, complete with a CI/CD pipeline and runtime protection.

Phase 1: The Idea - AI-Powered Application Scaffolding

Every project starts with an idea. My goal was a simple "Cyber Airways" flight check-in application. To get from zero to one quickly, I turned to modern AI-powered development tools. Using a detailed prompt, I was able to "vibe-code" a professional-looking frontend with React and Tailwind CSS in a fraction of the time it would take manually. This accelerated the process, allowing me to focus on the core of the project: the security.

Phase 2: Shifting Left - Security Starts in the Code

Before writing a single line of infrastructure code, I started with security. The "Shift-Left" philosophy is about finding and fixing vulnerabilities as early as possible. I configured the project's GitHub repository to be my first line of defence.

• Dependabot: I enabled Dependabot to continuously scan my third-party dependencies (package.json) for known CVEs.
• SAST: I also established a process for Static Application Security Testing to analyse my own source code for potential flaws.

This proactive approach ensures that security isn't an afterthought; it's the foundation..

Phase 3: Repeatable Infrastructure with Terraform

With the application defined, it was time to build its home in the cloud. I used Terraform to define all my AWS infrastructure as code (IaC). This approach provides repeatability, version control, and eliminates the human error associated with manual configuration. The key resources defined were:

• VPC and Networking: A secure, isolated Virtual Private Cloud to provide a resilient and controlled network environment.
• Amazon ECR Repository: A private container registry to securely store my Docker images. A key security feature was built directly into the code: I configured the ECR repository to automatically scan any image on push.

Phase 4: Containerisation & Real-World Vulnerability Testing

Next, I packaged the application into a Docker container. A container's security is only as strong as its foundation. To test my security setup, I made a crucial decision: I intentionally used an older, out-of-date base image (node:16-alpine). This is a common scenario and was the perfect way to prove that my downstream security controls were working as expected.

Phase 5: The CI/CD Engine - A Multi-Stage Security Gate

The heart of the project is the CI/CD pipeline, built with GitHub Actions. On every git push, it acts as a comprehensive, automated security checkpoint:

1. IaC Scan: It first runs tfsec to ensure the Terraform code is free from security misconfigurations.
2. Build: It builds the application into a Docker image.
3. Container Scan: It then uses Trivy to scan the newly built image for OS and dependency vulnerabilities. The pipeline is configured to fail if any High or Critical severity issues are found, preventing the insecure image from ever being pushed.
4. Push: Only if all scans pass, it pushes the image to our secure ECR repository.

Phase 6: Deployment, Detection, and Defence

With a secure artifact in our registry, the final phase was deployment and runtime protection.

• Automated Deployment: I chose AWS App Runner, a managed service that automatically deploys any new image pushed by our pipeline. This simplifies operations without sacrificing security.
• Vulnerability Detection: As a defence-in-depth measure, the ECR "scan on push" feature successfully identified the vulnerabilities in our intentionally outdated image, including 1 Critical and 4 High-severity CVEs. These findings are fed to AWS Security Hub for central tracking.
• Runtime Defence: The final layer of security was a Web Application Firewall (WAF). I configured an AWS WAF with AWS-managed rule sets to provide immediate protection against the OWASP Top 10, blocking common attacks like SQL injection and XSS.

Conclusion

This project was a fantastic learning experience, covering the full DevSecOps lifecycle from code to cloud. It demonstrates a multi-layered security approach where automated checks and secure defaults are built in at every stage. By embracing tools like Terraform, GitHub Actions (tfsec, Trivy), and AWS's managed security services, we can build robust, resilient, and secure applications.