Building a DevSecOps Pipeline on AWS (And You Can Too)

I have been working with CI/CD pipelines for a while now, and honestly, most of them just focus on getting code deployed fast. But what about security? That is usually an afterthought. So I decided to build something different—a platform where security checks happen automatically at every step.

Why I Did This

Look, pushing code fast is great until you realize you just deployed a vulnerability to production. I needed something that could:

  • Scan for security issues before deployment
  • Block builds that do not meet security standards
  • Keep an audit trail (because compliance audits are fun, right?)
  • Run without me babysitting it

What is Inside

I built this on AWS using EKS on Fargate. No EC2 instances to patch, which is nice. The whole thing runs on a custom VPC with multi-AZ setup for redundancy.

Here is how it works:

Every time code gets pushed, CodePipeline kicks off. The build stage runs security scans—SBOM generation (Syft), container vulnerability scanning (Trivy/Grype), SAST checks (Semgrep), secrets detection (detect-secrets), and OPA policy validation. If anything fails, the pipeline stops. No exceptions.
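As an added illustration of one of those gates (my example, not code from the repo): a small script a build step could run over Trivy's JSON report, failing the stage on any HIGH or CRITICAL finding. It assumes the report's Results[].Vulnerabilities[] layout, uses a constructed sample with placeholder CVE ids, and the accepted-risk list and unfixed-vulnerability switch are my additions beyond the page's all-or-nothing gate.

```python
import json
import sys

# Constructed sample of a Trivy JSON report (placeholder CVE ids), trimmed to the fields the gate reads.
SAMPLE_REPORT = {"Results": [{
    "Target": "app:1.0 (debian 12.5)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
         "FixedVersion": "", "Severity": "HIGH"},  # no upstream fix yet
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
         "FixedVersion": "2.4", "Severity": "LOW"},
    ],
}]}

BLOCKING = frozenset({"CRITICAL", "HIGH"})  # severities that stop the pipeline

def evaluate(report, blocking=BLOCKING, accepted=frozenset(), ignore_unfixed=False):
    """Return (passed, findings): blocking vulns not on the accepted-risk list."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is null when clean
            if vuln["Severity"] not in blocking:
                continue
            if vuln["VulnerabilityID"] in accepted:
                continue  # documented exception; keep this list short and reviewed
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # mirrors trivy --ignore-unfixed: track it, do not block on it
            findings.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                             "severity": vuln["Severity"], "target": result.get("Target", ""),
                             "fix": vuln.get("FixedVersion") or "none"})
    return (not findings, findings)

def main(argv):
    # Usage: gate.py [trivy-report.json] [ACCEPTED-ID ...]; no file -> constructed sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    passed, findings = evaluate(report, accepted=frozenset(argv[2:]))
    for f in findings:
        print(f"BLOCK {f['severity']} {f['id']} in {f['pkg']} ({f['target']}) fix: {f['fix']}")
    print("gate: PASS" if passed else f"gate: FAIL, {len(findings)} blocking finding(s)")
    return 0 if passed else 1  # non-zero exit fails the build stage, so the pipeline stops

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```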

I intentionally picked open-source tools for the security gates. This keeps costs down and makes the whole setup reproducible without vendor lock-in. You can swap them out for commercial alternatives if you want, but these work great.

For access, I’m using Cognito for auth and WAF sits in front of the ALB to block sketchy traffic. CloudWatch alarms watch for anything weird—security events, performance drops, unexpected costs.

AWS DevSecOps Pipeline Architecture

What I Learned

The automated scans actually caught stuff I missed. SBOM generation showed me I had some old dependencies with known CVEs that I did not even know were there.

Running on Fargate removed a lot of headaches. No patching EC2 instances, no worrying about the control plane. I just focus on securing my containers.

OPA policies are great once you write them. They enforce the same rules on every deployment without me having to remember anything.

Terraform makes this whole thing reproducible. I can destroy everything and rebuild it in 30 minutes flat. No clicking around in the console.

One thing to note: some verification steps need manual commands (like checking EKS addons or testing WAF rules). I kept these manual instead of fully automating them because they are useful for learning. You get to see exactly what is happening at each step. Once you are comfortable, you can script them if you want.

What It Costs

I tested this for a while, then ran terraform destroy to clean up. While it was running, costs were around $200-300/month. That is mostly the EKS control plane, Fargate pods, ALB, and NAT gateways. Not cheap for a demo, but reasonable for a production workload with this much security built in.

Check Out the Code

I put everything on GitHub: https://github.com/sprider/aws-devsecops-demo

The repo has the full deployment guide, architecture diagrams, security configs, and screenshots from when I deployed it. I masked all the sensitive stuff so you can clone it and try it yourself.

Who is This For

This is not a perfect production-ready solution. There are things I would do differently for a real enterprise setup. But if you are trying to understand how to build a secure CI/CD pipeline or want a reference implementation to learn from, this is a solid starting point.

It is useful if you are:

  • Learning AWS security patterns
  • Building a reference pipeline for your team
  • Setting up security automation
  • Prepping for SOC2 or ISO 27001 audits
  • Understanding how security gates fit together

What You Could Add

If you want to extend this setup, here are some ideas worth exploring:

  • Multi-region setup for DR
  • GitOps with ArgoCD
  • GuardDuty integration
  • Spot instances to cut costs
  • Runtime security monitoring with Falco

Clone it, break it, improve it. That is how you learn.

Home | Joseph Velliah