diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 25c0e19..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,39 +0,0 @@
-# IntelliJ
-.idea/
-out/
-
-# Gradle and Maven with auto-import
-# When using Gradle or Maven with auto-import, you should exclude module files,
-# since they will be recreated, and may cause churn.
-auto-import.
-*.iml
-*.ipr
-
-# CMake
-cmake-build-*/
-
-# File-based project format
-*.iws
-
-# mpeltonen/sbt-idea plugin
-.idea_modules/
-
-# JIRA plugin
-atlassian-ide-plugin.xml
-
-# Crashlytics plugin (for Android Studio and IntelliJ)
-com_crashlytics_export_strings.xml
-crashlytics.properties
-crashlytics-build.properties
-fabric.properties
-
-# Mac OS X
-.DS_Store
-
-# Taskcat
-.taskcat_overrides.yml
-taskcat_outputs/
-.taskcat/
-
-# Node
-node_modules/
\ No newline at end of file
diff --git a/docs/deployment_guide/images/architecture_diagram.png b/docs/deployment_guide/images/architecture_diagram.png
deleted file mode 100644
index 769bf7f..0000000
Binary files a/docs/deployment_guide/images/architecture_diagram.png and /dev/null differ
diff --git a/docs/deployment_guide/images/aws-configuration.png b/docs/deployment_guide/images/aws-configuration.png
new file mode 100644
index 0000000..c945d68
Binary files /dev/null and b/docs/deployment_guide/images/aws-configuration.png differ
diff --git a/docs/deployment_guide/images/aws-quickstart-deployment-graphic.png b/docs/deployment_guide/images/aws-quickstart-deployment-graphic.png
deleted file mode 100644
index 8efde67..0000000
Binary files a/docs/deployment_guide/images/aws-quickstart-deployment-graphic.png and /dev/null differ
diff --git a/docs/deployment_guide/images/aws-quickstart-migration-graphic.png b/docs/deployment_guide/images/aws-quickstart-migration-graphic.png
deleted file mode 100644
index 8efde67..0000000
Binary files a/docs/deployment_guide/images/aws-quickstart-migration-graphic.png and /dev/null differ
diff --git a/docs/deployment_guide/images/aws-quickstart-operational-graphic.png b/docs/deployment_guide/images/aws-quickstart-operational-graphic.png
deleted file mode 100644
index 8efde67..0000000
Binary files a/docs/deployment_guide/images/aws-quickstart-operational-graphic.png and /dev/null differ
diff --git a/docs/deployment_guide/images/cfn-outputs.png b/docs/deployment_guide/images/cfn-outputs.png
new file mode 100644
index 0000000..5b1ba83
Binary files /dev/null and b/docs/deployment_guide/images/cfn-outputs.png differ
diff --git a/docs/deployment_guide/images/ecr-configuration.png b/docs/deployment_guide/images/ecr-configuration.png
new file mode 100644
index 0000000..02d0d94
Binary files /dev/null and b/docs/deployment_guide/images/ecr-configuration.png differ
diff --git a/docs/deployment_guide/images/snyk-aws-account-id.png b/docs/deployment_guide/images/snyk-aws-account-id.png
deleted file mode 100644
index da41880..0000000
Binary files a/docs/deployment_guide/images/snyk-aws-account-id.png and /dev/null differ
diff --git a/docs/deployment_guide/images/snyk-lambda-account-id.png b/docs/deployment_guide/images/snyk-lambda-account-id.png
deleted file mode 100644
index c0b0d60..0000000
Binary files a/docs/deployment_guide/images/snyk-lambda-account-id.png and /dev/null differ
diff --git a/docs/deployment_guide/images/snyk-security-architecture-diagram.png b/docs/deployment_guide/images/snyk-security-architecture-diagram.png
index a2aaad8..f146c78 100644
Binary files a/docs/deployment_guide/images/snyk-security-architecture-diagram.png and b/docs/deployment_guide/images/snyk-security-architecture-diagram.png differ
diff --git a/docs/deployment_guide/images/snyk-security-architecture-diagram.pptx b/docs/deployment_guide/images/snyk-security-architecture-diagram.pptx
index eba93e7..3dcd1a3 100644
Binary files a/docs/deployment_guide/images/snyk-security-architecture-diagram.pptx and b/docs/deployment_guide/images/snyk-security-architecture-diagram.pptx differ
diff --git a/docs/deployment_guide/images/snyk_api_token_settings.png b/docs/deployment_guide/images/snyk_api_token_settings.png
index f577b21..14340c3 100644
Binary files a/docs/deployment_guide/images/snyk_api_token_settings.png and b/docs/deployment_guide/images/snyk_api_token_settings.png differ
diff --git a/docs/deployment_guide/images/snyk_org_id_settings.png b/docs/deployment_guide/images/snyk_org_id_settings.png
index ab9e613..d392394 100644
Binary files a/docs/deployment_guide/images/snyk_org_id_settings.png and b/docs/deployment_guide/images/snyk_org_id_settings.png differ
diff --git a/docs/deployment_guide/images/snyk_service_account_settings.png b/docs/deployment_guide/images/snyk_service_account_settings.png
index 7261027..500f359 100644
Binary files a/docs/deployment_guide/images/snyk_service_account_settings.png and b/docs/deployment_guide/images/snyk_service_account_settings.png differ
diff --git a/docs/deployment_guide/partner_editable/_settings.adoc b/docs/deployment_guide/partner_editable/_settings.adoc
index dd21ac0..27663dc 100644
--- a/docs/deployment_guide/partner_editable/_settings.adoc
+++ b/docs/deployment_guide/partner_editable/_settings.adoc
@@ -3,12 +3,10 @@
 :partner-product-name: Snyk Developer-First Security
 :partner-product-short-name: Snyk
 :partner-company-name: Snyk
-:doc-month: February
-:doc-year: 2022
-:partner-contributors: John Smith and Carwin Young, {partner-company-name}
-//:other-contributors: Akua Mansa, Trek10
-//:aws-contributors: Carwin Young, {partner-company-name}
+:doc-month: May
+:doc-year: 2023
+:partner-contributors: Jay Yeras, John Smith, Carwin Young, David Schott, {partner-company-name}
 :aws-ia-contributors: Dylan Owen, AWS Integration & Automation team
-:deployment_time: 15 minutes
+:deployment_time: 5 minutes
 :default_deployment_region: us-east-1
-//:private_repo:
+
diff --git a/docs/deployment_guide/partner_editable/architecture.adoc b/docs/deployment_guide/partner_editable/architecture.adoc
index 8c13486..1e69429 100644
--- a/docs/deployment_guide/partner_editable/architecture.adoc
+++ b/docs/deployment_guide/partner_editable/architecture.adoc
@@ -1,18 +1,16 @@
 :xrefstyle: short
-Deploying this Quick Start for a new virtual private cloud (VPC) with
-default parameters builds the following {partner-product-short-name} environment in the
-AWS Cloud.
+The following resources may be created in your AWS account depending on how you configure and deploy this Partner Solution.
-// Replace this example diagram with your own. Follow our wiki guidelines: https://w.amazon.com/bin/view/AWS_Quick_Starts/Process_for_PSAs/#HPrepareyourarchitecturediagram. Upload your source PowerPoint file to the GitHub {deployment name}/docs/images/ directory in this repo.
+// Replace this example diagram with your own. Follow our wiki guidelines: https://w.amazon.com/bin/view/AWS_Quick_Starts/Process_for_PSAs/#HPrepareyourarchitecturediagram. Upload your source PowerPoint file to the GitHub {deployment name}/docs/images/ directory in this repo.
 [#architecture1]
-.Quick Start architecture for {partner-product-short-name} on AWS
+.Partner Solution architecture for {partner-product-short-name} on AWS
 image::../docs/deployment_guide/images/snyk-security-architecture-diagram.png[Architecture]
-As shown in <>, this Quick Start for {partner-product-short-name} Security provides the following deployment options:
+As shown in <>, this Partner Solution for {partner-product-short-name} provides the following deployment options:
-* AWS Lambda and Amazon ECR full integration with {partner-product-short-name}, including two cross-account AWS Identity and Access Management (IAM) roles for each product.
-* AWS Lambda integration with {partner-product-short-name}, including one cross-account IAM role.
-* Amazon ECR integration with {partner-product-short-name}, including one cross-account IAM role.
-* Amazon ECR integration with {partner-product-short-name} with automated configuration, including one cross-account IAM role.
+* Snyk Cloud and Snyk Container integration in a single deployment with Amazon Elastic Container Registry (Amazon ECR) and cross-account AWS Identity and Access Management (IAM) roles.
+* A Snyk Cloud-only integration option with cross-account IAM role for Snyk Container.
+* A Snyk Container-only integration option with Amazon ECR and cross-account IAM role for Snyk Container.
+* A Snyk Container-only integration option with Amazon ECR, a cross-account IAM role for Snyk Container, and AWS Lambda. This deployment option uses Lambda to create and configure a new organization in Snyk's system.
diff --git a/docs/deployment_guide/partner_editable/deployment_options.adoc b/docs/deployment_guide/partner_editable/deployment_options.adoc
index 3122a61..2e69485 100644
--- a/docs/deployment_guide/partner_editable/deployment_options.adoc
+++ b/docs/deployment_guide/partner_editable/deployment_options.adoc
@@ -1,10 +1,10 @@
 // Edit this placeholder text to accurately describe your architecture.
-This Quick Start provides four deployment options:
+This Partner Solution provides four deployment options:
-* https://fwd.aws/E4m9w?[Deploy {partner-product-short-name} Security full integration^]. This option deploys both Amazon ECR and AWS Lambda integrations for {partner-product-short-name} as a single deployment.
-* https://fwd.aws/8rKEy?[Deploy {partner-product-short-name} Security integration with AWS Lambda^]. This option deploys only the AWS Lambda integration for {partner-product-short-name}.
-* https://fwd.aws/Nx5kQ?[Deploy {partner-product-short-name} Security integration with Amazon ECR^]. This option deploys only the Amazon ECR integration for {partner-product-short-name}.
-* https://fwd.aws/9P7vj?[Deploy {partner-product-short-name} Security integration with Amazon ECR and automated Snyk integration^]. This option deploys the Amazon ECR integration for {partner-product-short-name}. It creates a new organization within a Snyk account that's preconfigured with an Amazon ECR integration.
+* https://fwd.aws/E4m9w?[Deploy Snyk full integration^]. This option deploys both Snyk Container and Snyk Cloud integrations as a single deployment.
+* https://fwd.aws/eAv97?[Deploy Snyk Cloud integration^]. This option deploys only the Snyk Cloud integration.
+* https://fwd.aws/A9jbM?[Deploy Snyk Container integration^]. This option deploys only the Snyk Container integration.
+* https://fwd.aws/eeAky?[Deploy Snyk Container integration with automatic installation^]. This option deploys the Snyk Container integration and creates a new Snyk organization that's preconfigured with an Amazon ECR integration.
-The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and {partner-product-short-name} settings.
+The Partner Solution provides separate AWS CloudFormation templates for each of these options.
diff --git a/docs/deployment_guide/partner_editable/licenses.adoc b/docs/deployment_guide/partner_editable/licenses.adoc
index 0145960..c113047 100644
--- a/docs/deployment_guide/partner_editable/licenses.adoc
+++ b/docs/deployment_guide/partner_editable/licenses.adoc
@@ -1,5 +1,7 @@
 // Include details about any licenses and how to sign up. Provide links as appropriate.
-This Quick Start is available to Snyk customers of all pricing plans. If you're not a Snyk customer, you can register for a free account from https://app.snyk.io/login?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Snyk^]. For information about payment plans (required for Amazon ECR on AWS Control Tower option), refer to https://aws.amazon.com/marketplace/pp/prodview-nw2naibu6b2ks?sr=0-1&ref_=beagle&applicationId=AWSMPContessa[Snyk: Developer Security Platform (Business and Enterprise Tiers)^].
+The Snyk Container portion of this Partner Solution is available to Snyk customers of all pricing plans, including the free plan. If you're not a Snyk customer, you can create a free account on the https://app.snyk.io/login?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Snyk^] web page.
-There is no cost to use this Quick Start, but you will be billed for any AWS resources it deploys. For more information, refer to the https://fwd.aws/rA69w?[AWS Quick Start General Information Guide^].
+Other portions of this Partner Solution, such as Snyk Cloud integration and the automated configuration template for Amazon ECR, require a paid plan. For information about payment plans, refer to https://aws.amazon.com/marketplace/pp/prodview-nw2naibu6b2ks?sr=0-1&ref_=beagle&applicationId=AWSMPContessa[Snyk: Developer Security Platform (Team and Enterprise Tiers)^].
+
+There is no cost to use this Partner Solution, but you will be billed for any AWS resources it deploys. For more information, refer to the https://fwd.aws/rA69w?[AWS Partner Solution General Information Guide^].
diff --git a/docs/deployment_guide/partner_editable/overview.adoc b/docs/deployment_guide/partner_editable/overview.adoc
index 78aebab..157cb54 100644
--- a/docs/deployment_guide/partner_editable/overview.adoc
+++ b/docs/deployment_guide/partner_editable/overview.adoc
@@ -1,7 +1,7 @@
-This guide provides instructions for deploying {partner-product-short-name} on the AWS Cloud. If you are unfamiliar with AWS Quick Starts, refer to the https://fwd.aws/rA69w?[AWS Quick Start General Information Guide^].
+This guide provides instructions for deploying {partner-product-short-name} integration resources in the AWS Cloud. If you are unfamiliar with AWS Partner Solutions, refer to the https://fwd.aws/rA69w?[AWS Partner Solution General Information Guide^].
-// This deployment guide covers the steps necessary to deploy the Quick Start. For more advanced information on the product, troubleshooting, or additional functionality, refer to the https://{quickstart-github-org}.github.io/{quickstart-project-name}/operational/index.html[Operational guide].
+// This deployment guide covers the steps necessary to deploy the Partner Solution. For more advanced information on the product, troubleshooting, or additional functionality, refer to the https://{quickstart-github-org}.github.io/{quickstart-project-name}/operational/index.html[Operational guide].
-// For information on using this Quick Start for migrations, refer to the https://{quickstart-github-org}.github.io/{quickstart-project-name}/migration/index.html[Migration guide].
+// For information on using this Partner Solution for migrations, refer to the https://{quickstart-github-org}.github.io/{quickstart-project-name}/migration/index.html[Migration guide].
-This Quick Start is for developers, DevOps, security teams, and others who build, deploy, and maintain serverless applications or container images that use AWS Lambda and Amazon Elastic Container Registry (Amazon ECR).
\ No newline at end of file
+This Partner Solution is for developers, DevOps, security teams, and others who want to quickly integrate the https://snyk.io/product/container-vulnerability-management?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Snyk Container^] and https://snyk.io/product/snyk-cloud?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Snyk Cloud^] products with their AWS environment.
diff --git a/docs/deployment_guide/partner_editable/post_deployment.adoc b/docs/deployment_guide/partner_editable/post_deployment.adoc
index f735529..cb311a2 100644
--- a/docs/deployment_guide/partner_editable/post_deployment.adoc
+++ b/docs/deployment_guide/partner_editable/post_deployment.adoc
@@ -1,27 +1,53 @@
 //Include any postdeployment steps here, such as steps necessary to test that the deployment was successful. If there are no postdeployment steps leave this file empty.
+:xrefstyle: short
-== Postdeployment steps
+== Post-deployment steps
-=== Snyk integration with Amazon ECR
-Deploying the Snyk security Quick Start for Amazon Elastic Container Registry (Amazon ECR) creates
-an integration for your Snyk organization. After it deploys, you can
-add repositories for Snyk to scan by following these steps:
+=== Check CloudFormation outputs
+
+In the AWS CloudFormation console, navigate to the *Outputs* tab on the root stack that you deployed, as shown in <>. You will copy and paste these values into the Snyk UI in subsequent steps.
+
+[#cfn-outputs]
+.CloudFormation Outputs tab
+image::../docs/deployment_guide/images/cfn-outputs.png[CloudFormation Outputs tab,width=100%,height=100%]
+
+=== Snyk Contaner integration
+
+==== Configure the integration in Snyk
+
+NOTE: If you used the *Snyk Container integration with automatic installation* option to deploy Snyk Container integration with Amazon ECR, you can ignore this section.
+
+In the Snyk UI, navigate to your organization's *Integrations* page, then click on *ECR* in the *Container registries* section. Copy the values from the CloudFormation outputs into the Snyk UI as shown in <>.
+
+[#ecr-configuration]
+.ECR configuration
+image::../docs/deployment_guide/images/ecr-configuration.png[ECR configuration,width=100%,height=100%]
+
+==== Import your container images into Snyk
+
+After installing Snyk Container integration with Amazon ECR, import your container images into Snyk.
 . Log in to your Snyk account.
 . Navigate to *Projects*, choose *Add projects*, and then choose *Amazon ECR*.
 . Select either single or multiple images.
-. Choose *Add selected repositories*.
+. Choose *Add selected images*.
-For more information, refer to https://support.snyk.io/hc/en-us/articles/360003947077-Amazon-Elastic-Container-Registry-ECR-add-images-to-Snyk[Amazon ECR: add images to Snyk^].
+For more information, refer to https://docs.snyk.io/scan-containers?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Scan Containers^].
-NOTE: Both integration options connect the deployed Amazon ECR instance to the Snyk organization provided in the Quick Start parameters. Deployment may fail, however, if your chosen Snyk organization has an existing ECR integration or if the authentication token you provide in the parameters has insufficient permissions.
+=== Snyk Cloud integration
-=== Snyk integration with AWS Lambda
-. Log in to your Snyk account.
-. Navigate to *Projects*, choose *Add projects*, and then choose *AWS Lambda*.
-. Select the relevant functions.
-. Choose *Add selected functions*.
+==== Configure the integration in Snyk
+
+. In the Snyk UI, navigate to your organization's *Integrations* page.
+. In the *Cloud platforms* section, choose *AWS*.
+. Copy the values from the CloudFormation outputs to the AWS configuration user interface, as shown in <>.
+
+[#aws-configuration]
+.AWS configuration
+image::../docs/deployment_guide/images/aws-configuration.png[ECR configuration,width=100%,height=100%]
+
+==== Scan your AWS Cloud environment with Snyk
-NOTE: Snyk supports integrating with AWS Lambda for Node.js, Ruby, and Java projects.
+After you install Snyk Cloud integration and Snyk scans your AWS environment, it may take several minutes for scan results to appear. In your Snyk organization, choose *Cloud* to view the scan results.
-For more information, refer to https://support.snyk.io/hc/en-us/articles/360004002418-AWS-Lambda-integration[AWS Lambda integration^].
\ No newline at end of file
+For more information, refer to https://docs.snyk.io/scan-cloud-deployment/snyk-cloud?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Snyk Cloud^].
diff --git a/docs/deployment_guide/partner_editable/pre_deployment.adoc b/docs/deployment_guide/partner_editable/pre_deployment.adoc
index 7581499..ab4b968 100644
--- a/docs/deployment_guide/partner_editable/pre_deployment.adoc
+++ b/docs/deployment_guide/partner_editable/pre_deployment.adoc
@@ -1,25 +1,29 @@
 //Include any predeployment steps here, such as signing up for a Marketplace AMI or making any changes to a Partner account. If there are none leave this file empty.
-== Predeployment steps
-
+== Pre-deployment steps
 === Prepare your AWS account
-This Quick Start assumes that you already have Amazon ECR repositories or Lambda functions provisioned in your account.
+This Partner Solution assumes that you already have at least one Amazon Elastic Container Registry (ECR) as well as other AWS resources deployed in your account.
 === Prepare your {partner-company-name} account
-:xrefstyle: short
-Regardless of which Quick Start option you choose, log in to your https://app.snyk.io/[Snyk account^], as shown in <>, and obtain your organization ID.
-[#settings1]
-.Snyk Settings page
-image::../docs/deployment_guide/images/snyk_org_id_settings.png[Snyk Organization ID,width=100%,height=100%]
+During deployment, you must enter your Snyk organization ID. To find your Snyk organization ID, refer to https://docs.snyk.io/scan-application-code/snyk-code/cli-for-snyk-code/before-you-start-set-the-organization-for-the-cli-tests/finding-the-snyk-id-and-internal-name-of-an-organization[Finding the Snyk ID and internal name of an Organization^].
+
+=== Snyk AWS account numbers
+
+During deployment, enter the folllowing values for the *Snyk Container AWS account number* and *Snyk Cloud AWS account number* parameters. These parameters are required to enable the deployed IAM roles to function.
-=== Automated configuration for Amazon ECR
-If you deploy Snyk security using the automated configuration option for Amazon ECR, obtain an API authentication token. The token automates the creation of organizations and ECR integrations within Snyk.
+* Snyk Container AWS account number: `198361731867`
+* Snyk Cloud AWS account number: `370134896156`
-You may use either your personal account token, available through your Snyk account's settings page, as shown in <>, or a service-account token. Service-account tokens can be generated through the **Settings** page for your organization within Snyk, as shown in <>. For more information, refer to https://docs.snyk.io/features/integrations/managing-integrations/service-accounts[Service accounts^].
+WARNING: This deployment enables Snyk to assume an IAM role in your AWS account.
-NOTE: An automated integration of Amazon ECR with Snyk requires a paid Snyk subscription.
+=== [Optional] Automatic installation for Amazon ECR
+To deploy the automatic installation option for Amazon ECR, obtain an API authentication token. AWS Lambda and the Snyk API are used to automate the creation of organizations and ECR integrations within Snyk.
+
+You may use either your personal account token, available through your Snyk account's settings page, as shown in <>, or a service account token. Service account tokens can be generated through the **Settings** page for your organization within Snyk, as shown in <>. For more information, refer to https://docs.snyk.io/snyk-admin/service-accounts?utm_campaign=Snyk-Security-QS&utm_medium=Partner&utm_source=AWS[Service accounts^].
+
+NOTE: Automatic installation requires a paid Snyk subscription to use the Snyk API.
 [#settings2]
 .Snyk account settings page
@@ -27,16 +31,4 @@ image::../docs/deployment_guide/images/snyk_api_token_settings.png[Snyk account
 [#settings3]
 .Snyk organization service account settings
-image::../docs/deployment_guide/images/snyk_service_account_settings.png[Snyk Service Account settings,width=100%,height=100%]
-
-
-=== Snyk account access
-
-For IAM roles to function, you must connect your Snyk account to your AWS Lambda account. Enter your Snyk ID for the *Snyk AWS account ID* parameter, as shown in <>.
-
-
-WARNING: This deployment enables Snyk to assume an IAM role in your account.
-
-[#snyk-aws-account-id]
-.Snyk account ID for AWS Lambda
-image::../docs/deployment_guide/images/snyk-lambda-account-id.png[Snyk account ID for AWS Lambda,width=60%,height=60%]
+image::../docs/deployment_guide/images/snyk_service_account_settings.png[Snyk service account settings,width=100%,height=100%]
diff --git a/docs/deployment_guide/partner_editable/troubleshooting.adoc b/docs/deployment_guide/partner_editable/troubleshooting.adoc
index 824d8aa..7072977 100644
--- a/docs/deployment_guide/partner_editable/troubleshooting.adoc
+++ b/docs/deployment_guide/partner_editable/troubleshooting.adoc
@@ -1,3 +1,3 @@
 //Add any unique troubleshooting steps here.
-For common Quick Start issues, refer to the https://fwd.aws/rA69w?[AWS Quick Start General Information Guide^] and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html[Troubleshooting CloudFormation^].
+For common Partner Solution issues, refer to the https://fwd.aws/rA69w?[AWS Partner Solution General Information Guide^] and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html[Troubleshooting CloudFormation^].