department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

[Security - Controls Effort] SBOM for AMIs #82862

Open hgbarreto opened 1 month ago

hgbarreto commented 1 month ago

Description

To meet and mature in the ID.AM-1 and ID.AM-2 security controls, Infrastructure Services would like to create the same SBOM GHA workflow logic utilized for the container images. Leverage the already created logic of GHA Task -> S3 Bucket -> AWS Glue -> Athena for our Amazon Machine Image (AMI) builds. Note: the same JSON formatting will be required.

Resources

Acceptance Criteria

Refinement Guidance - Check the following before working on this issue:

Efe-Oddball commented 1 week ago

Working on implementing Trivy and then SBOM on the AMI workflows. Should begin testing this afternoon.

Efe-Oddball commented 1 week ago

Trivy worked well. Working on implementing SBOM using the existing SBOM workflow. I have to make some updates on the SBOM workflow, considering that the workflow was built with the assumption that the image is being pushed to ECR, which is not the case for the AMIs. Making adjustments so the SBOM is created and pushed to S3 regardless of ECR usage.

Efe-Oddball commented 6 days ago

Updating the ticket points to a 5, as it involves updating the shared SBOM workflow to accommodate AMI builds before referencing the SBOM workflow within the AMI workflow.

Efe-Oddball commented 4 days ago

I am having some issues with Trivy functionality for the AMI scanning that I am trying to work around. The Trivy scan was showing complete, but I noticed it was not actually scanning the correct AMI because the AMI_ID was not being properly extracted after being built. I found that out, modified the code and confirmed that we were extracting the correct AMI_ID, but the Trivy scan is refusing to scan the AMI. I am currently troubleshooting to figure out the reason for that. I have created a separate shared SBOM workflow for the AMI with a slightly different setup from the Docker image SBOM workflow.

Efe-Oddball commented 4 days ago

Once I am done with the workflows, I will have to update the Terraform to include crawlers for the AMI SBOM. Unfortunately, this ticket will have to be carried over to the next sprint.

Efe-Oddball commented 2 days ago

I have gotten a breakthrough with Trivy and CycloneDX for security and SBOM functioning. I will update the other workflows and Terraform code, then push out the PR.
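As an added example (not code from this issue or the va.gov-team repository), the shell step below covers the two points raised in the thread: the AMI_ID extraction that silently let Trivy report "complete" against the wrong image, and producing CycloneDX JSON for S3 in the same format the container SBOM pipeline already feeds to Glue and Athena. It assumes the AMI build writes a Packer-style manifest.json whose artifact_id is "region:ami-..." and that an SBOM_BUCKET variable names the existing S3 bucket; both are assumptions, not details from the issue.

```shell
#!/usr/bin/env bash
# Added example for an AMI SBOM workflow step. Assumptions (not from the issue):
#  - the AMI build writes a Packer-style manifest.json with artifact_id "region:ami-...";
#  - SBOM_BUCKET holds the name of the S3 bucket the Glue crawler already reads.
set -eu

# Pull the AMI ID of the most recent build out of the manifest and refuse to
# continue unless it looks like a real AMI ID. This is the check that turns
# "scan reported complete against the wrong image" into a hard failure.
extract_ami_id() {
  local manifest="$1" id
  id=$(grep -o '"artifact_id": *"[^"]*"' "$manifest" | tail -n 1 \
       | sed -E 's/.*:(ami-[0-9a-f]+)"$/\1/')
  if ! printf '%s' "$id" | grep -Eq '^ami-[0-9a-f]{8,17}$'; then
    echo "refusing to scan: no valid AMI ID in $manifest (got '$id')" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# Scan the AMI itself (not a container image) with Trivy's vm subcommand and
# emit CycloneDX JSON so the object landing in S3 has the same shape as the
# container SBOMs the Glue/Athena side already understands.
scan_ami_sbom() {
  local ami_id="$1" out="$2"
  trivy vm "ami:${ami_id}" --format cyclonedx --output "$out"
  aws s3 cp "$out" "s3://${SBOM_BUCKET}/ami/${ami_id}.cdx.json"
}

# Only run the pipeline when a manifest path is supplied, e.g. in the GHA step:
#   AMI_MANIFEST=manifest.json SBOM_BUCKET=<bucket> ./ami_sbom.sh
if [ -n "${AMI_MANIFEST:-}" ]; then
  ami_id=$(extract_ami_id "$AMI_MANIFEST")
  scan_ami_sbom "$ami_id" "sbom-${ami_id}.cdx.json"
fi
```

Because extract_ami_id returns non-zero on a missing or malformed ID and the script runs under set -e, the workflow step fails before Trivy is ever invoked instead of scanning nothing and reporting success.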