Capabilities of an internal developer platform
The internal developer platform should provide the following capabilities.
| Capability | Recommended service or tool |
|---|---|
| Templating to ensure the delivery of a packaged and functional set of tools | Amazon CodeCatalyst blueprints |
| Code repository for collaboration between developers and storage of golden path templates | GitHub |
| Configuration repository as a canonical data store for application configuration | AWS AppConfig or AWS Systems Manager Parameter Store |
| Artifact registries that preserve a signed, accessible, and traceable list of packaged components | Amazon Elastic Container Registry (Amazon ECR) or AWS CodeArtifact |
| Secret management to provide secure long-term storage for sensitive data | AWS Secrets Manager |
| Cryptographic signing and validation of artifacts to allow for verification of the consistency and integrity of the data they contain | AWS Signer |
| Developer portal as a software catalog of all components, systems, and domains | Backstage |
| Identity and access management to authenticate and authorize in a well-defined manner | AWS IAM Identity Center or Amazon Cognito |
| Infrastructure as code (IaC) tool to set up infrastructure resources for the application | AWS CloudFormation or the AWS Cloud Development Kit (AWS CDK) |
| Continuous delivery for both infrastructure and application deployment | AWS CodePipeline or Amazon CodeCatalyst |
| Workflow orchestration to prepare resources for delivery | Amazon CodeCatalyst |
| Service discovery for dynamic lookup of service details | AWS Cloud Map or Amazon VPC Lattice |
| Observability that provides workload monitoring, logging, tracing, and alerting | Amazon CloudWatch, AWS X-Ray, Amazon Managed Service for Prometheus, or Amazon Managed Grafana |
| Compute platform that hosts the platform capabilities and its integration points | Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS) |
Although this is not a comprehensive list of all the capabilities that the internal developer platform can provide, these are the essential capabilities to support the developer experience from development to production. These capabilities can be automated by creating a golden path that the developers use. For more information about these capabilities, see Technology Capabilities.
As mentioned previously, golden paths for infrastructure and workload deployment should be aligned with your organization's security standards. The following table describes the security capabilities that golden paths should provide.
| Golden path type | Security capability | Recommended tool |
|---|---|---|
| Infrastructure deployment | Linting | cfn-lint |
| Infrastructure deployment | Security checks | cfn-nag |
| Infrastructure deployment | Policy checks | AWS CloudFormation Guard |
| Workload deployment | Software composition analysis (SCA) and static application security testing (SAST) | Anchore |
| Workload deployment | Artifact registries | Continuous image scanning in Amazon ECR |
| Workload deployment | Secrets scanning | git-secrets |
| Workload deployment | Dynamic application security testing (DAST) | Zed Attack Proxy (ZAP) |
| Workload deployment | Runtime application self-protection (RASP) | Sysdig Falco |
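The "Policy checks" row above is the one place in the infrastructure golden path where an organization's own security standard is expressed as code. The following rules file is an added example written for this page; it is not part of the guidance or of the AWS CloudFormation Guard project, and the specific requirements it encodes (default bucket encryption, public access blocked, RDS storage encryption) are constructed illustrations of the kind of standard a platform team would enforce, not rules mandated by the page.

```guard
# Constructed example rules for AWS CloudFormation Guard (not from the page).
# Each rule is skipped when the template contains no matching resource, and
# the <<...>> message explains the failure to the developer running the path.

let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Every bucket must declare a default server-side encryption algorithm.
rule s3_bucket_default_encryption when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*] {
        ServerSideEncryptionByDefault.SSEAlgorithm in ['AES256', 'aws:kms']
            <<S3 buckets must enable SSE-S3 or SSE-KMS default encryption>>
    }
}

# Every bucket must block all four forms of public access.
rule s3_bucket_blocks_public_access when %s3_buckets !empty {
    %s3_buckets.Properties.PublicAccessBlockConfiguration {
        BlockPublicAcls == true
        BlockPublicPolicy == true
        IgnorePublicAcls == true
        RestrictPublicBuckets == true
            <<S3 buckets must set all PublicAccessBlockConfiguration flags to true>>
    }
}

let rds_instances = Resources.*[ Type == 'AWS::RDS::DBInstance' ]

# Database storage must be encrypted at rest.
rule rds_storage_encrypted when %rds_instances !empty {
    %rds_instances.Properties.StorageEncrypted == true
        <<RDS DB instances must set StorageEncrypted to true>>
}
```

In the golden path this file sits next to cfn-lint and cfn-nag as a blocking stage: a command of the form `cfn-guard validate --data template.yaml --rules platform.guard` returns a non-zero exit status when any rule fails, so the pipeline stops before the template reaches AWS CloudFormation. Keeping the rules in the platform's code repository lets the security team version them like any other golden path template.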