| title | Security |
|---|---|
| description | Security practices and processes for Powertools for AWS Lambda (Python) |
This page describes our security processes and supply chain practices.
!!! info "We continuously check and evolve our practices, therefore it is possible some diagrams may be eventually consistent."
--8<-- "SECURITY.md"
!!! note "Starting from v2.20.0 releases, builds are reproducible{target="_blank"} and signed publicly."
Supply Chain Threats visualized by SLSA
We use SLSA{target="_blank"} to ensure our builds are reproducible and to adhere to supply chain security practices.
Within our releases page, you will notice a new metadata file: multiple.intoto.jsonl. It's metadata to describe where, when, and how our build artifacts were produced - or simply, attestation in SLSA terminology.
For this to be useful, we need a verification tool - SLSA Verifier. SLSA Verifier decodes attestation to confirm the authenticity, identity, and the steps we took in our release pipeline (e.g., inputs, git commit/branch, GitHub org/repo, build SHA256, etc.).
You can do this manually or automated via a shell script. We maintain the latter to ease adoption in CI systems (feel free to modify to your needs).
=== "Manually"
* Download [SLSA Verifier binary](https://github.com/slsa-framework/slsa-verifier#download-the-binary)
* Download the [latest release artifact from PyPi](https://pypi.org/project/aws-lambda-powertools/#files) (either wheel or tar.gz )
* Download `multiple.intoto.jsonl` attestation from the [latest release](https://github.com/aws-powertools/powertools-lambda-python/releases/latest) under _Assets_
!!! note "Next steps assume macOS as the operating system, and release v2.20.0"
You should have the following files in the current directory:
* **SLSA Verifier tool**: `slsa-verifier-darwin-arm64`
* **Powertools Release artifact**: `aws_lambda_powertools-2.20.0-py3-none-any.whl`
* **Powertools attestation**: `multiple.intoto.jsonl`
You can now run SLSA Verifier with the following options:
```bash
./slsa-verifier-darwin-arm64 verify-artifact \
--provenance-path "multiple.intoto.jsonl" \
--source-uri github.com/aws-powertools/powertools-lambda-python \
aws_lambda_powertools-2.20.0-py3-none-any.whl
```
=== "Automated"
```shell title="Verifying a release with verify_provenance.sh script"
bash verify_provenance.sh 2.20.0
```
!!! question "Wait, what does this script do?"
I'm glad you asked! It takes the following actions:
1. **Downloads SLSA Verifier** using the pinned version (_e.g., 2.3.0)
2. **Verifies the integrity** of our newly downloaded SLSA Verifier tool
3. **Downloads attestation** file for the given release version
4. **Downloads `aws-lambda-powertools`** release artifact from PyPi for the given release version
5. **Runs SLSA Verifier against attestation**, GitHub Source, and release binary
6. **Cleanup** by removing downloaded files to keep your current directory tidy
??? info "Expand or [click here](https://github.com/heitorlessa/aws-lambda-powertools-python/blob/refactor/ci-seal/.github/actions/verify-provenance/verify_provenance.sh#L95){target="_blank"} to see the script source code"
```bash title=".github/actions/verify-provenance/verify_provenance.sh"
---8<-- ".github/actions/verify-provenance/verify_provenance.sh"
```
!!! note "We adhere to industry recommendations from the OSSF Scorecard project{target="_blank"}, among others{target="_blank"}."
Since all code changes require a pull request (PR) along with one or more reviewers, we automate quality and security checks before, during, and after a PR is merged to trunk (develop).
This is a snapshot of our automated checks at a glance.
!!! note "We adhere to industry recommendations from the OSSF Scorecard project{target="_blank"}, among others{target="_blank"}."
Releases are triggered by maintainers along with a reviewer - detailed info here{target="_blank"}. In addition to checks that run for every code change, our pipeline requires a manual approval before releasing.
We use a combination of provenance and signed attestation for our builds, source code sealing, SAST scanners, Python specific static code analysis, ephemeral credentials that last a given job step, and more.
This is a snapshot of our automated checks at a glance.
