踏み台で環境にTeleportする.pdf (Teleporting into environments through a bastion)
Kengo Suzuki
December 05, 2018
Technology
#Teleport #Bastion
Transcript
Teleporting into environments through a bastion (踏み台で環境にTeleportする) 2018/10/31 By @ken5scal
Bastion
- Access control
- Environmental separation
- Separation of duties
- Audit

Outline
- Teleport
- Our architecture
- Deployment
- TSURAMI (pain points)
Teleport
- OSS and CNCF
- Browser-based bastion
- Sessions are shareable
- Bye-bye to SSH

OSS and CNCF
Browser-based (login)
Browser-based (audit)
Sessions are shareable

Bye-bye to SSH
- No local SSH private key required
- Fewer credentials on the local machine
- IdP-federated: SAML and OIDC SSO
- So RBAC can be done on top of the federated identity
- Makes each user identifiable, even behind a shared OS login
OpenSSH is still possible
Our architecture

Emergency bastion
- Accessible from the Internet
- SSH key based
- Krypton: the private key is kept on the smartphone, so there is no local private key :)

Managed as a Terraform module
- Terraform module
- I'm not a big fan of Ansible
- But about to give up: TSURAMI (pain points)
Deployment
- terraform apply
- and…

TSURAMI (pain points)
Manual environment
- Multi-deploy: CodeDeploy
- Multi-envs: Trusted Clusters

RBAC
- Min-privilege with 15 microservices
- 5 different environments
- No centralized AuthZ service
- Distributed, but the same RBAC config everywhere

RBAC solution?
- RBAC -> ABAC?
- JWT-based federation?
- Control plane?
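The slides above describe the pain point (15 microservices, 5 environments, no central AuthZ service, yet the same RBAC everywhere) without showing what the "same config" looks like. The following is an added example, not the speaker's code and not Teleport's own tooling: it generates one least-privilege Teleport role per (service, environment) from a single inventory, keeps production on a separate on-call group (separation of duties), maps IdP groups to those roles through a SAML connector's `attributes_to_roles`, and lints every role for environment wildcards, root logins and over-long prod sessions. The resource shapes follow Teleport's `kind: role` v3 and `kind: saml` v2 documents as published for the 2018 releases; the service names, environments, IdP groups and the 1h/8h session policy are constructed for illustration, and the assumption that `tctl create` accepts the JSON rendering (JSON being valid YAML) should be checked against your version.

```python
"""Generate least-privilege Teleport roles for many environments from one source of truth.

Added example (not the deck author's or Teleport's code). Inventory, group names
and the session-TTL policy are constructed; resource shapes follow the Teleport
v3 role / v2 saml resources and should be verified against your release.
"""
import json
from typing import Dict, List

# constructed inventory: "5 different environments", "15 microservices"
ENVIRONMENTS = ["dev", "qa", "stg", "sandbox", "prod"]
NONPROD = [e for e in ENVIRONMENTS if e != "prod"]
SERVICES = [f"svc-{i:02d}" for i in range(1, 16)]
SERVICE_LOGIN = {svc: "app" for svc in SERVICES}  # assumption: every service runs as `app`

# constructed IdP group -> (services, environments). Prod is reachable only via an
# on-call group, which is the separation-of-duties point from the "Bastion" slide.
GROUPS = {
    "team-payments":   {"services": ["svc-01", "svc-02"], "envs": NONPROD},
    "payments-oncall": {"services": ["svc-01", "svc-02"], "envs": ["prod"]},
    "team-sre":        {"services": ["*"],                "envs": ENVIRONMENTS},
}

# a hand-written "admin" role of the kind the lint is meant to catch (constructed)
LEGACY_ADMIN = {
    "kind": "role", "version": "v3", "metadata": {"name": "legacy-admin"},
    "spec": {"options": {"max_session_ttl": "30h0m0s"},
             "allow": {"logins": ["root"], "node_labels": {"*": "*"}},
             "deny": {}},
}


def session_ttl(env: str) -> str:
    """Assumed policy: prod sessions are capped at 1h, everything else at 8h."""
    return "1h0m0s" if env == "prod" else "8h0m0s"


def role_name(service: str, env: str) -> str:
    return f"sre-{env}" if service == "*" else f"{service}-{env}"


def build_role(service: str, env: str, login: str) -> dict:
    """A role that can only reach nodes labelled env=<env> and service=<service>.

    The env label is never a wildcard, so an sre-dev role cannot touch prod nodes
    even though both clusters load the identical role set ("isolate, for real").
    """
    return {
        "kind": "role",
        "version": "v3",
        "metadata": {"name": role_name(service, env)},
        "spec": {
            "options": {"max_session_ttl": session_ttl(env), "forward_agent": False},
            "allow": {"logins": [login], "node_labels": {"env": env, "service": service}},
            "deny": {"logins": ["root"]},
        },
    }


def all_roles() -> List[dict]:
    """Every role to load into each cluster: 15 service roles + 1 SRE role per env."""
    roles = []
    for env in ENVIRONMENTS:
        roles.extend(build_role(svc, env, SERVICE_LOGIN[svc]) for svc in SERVICES)
        roles.append(build_role("*", env, "ubuntu"))  # assumption: SRE uses `ubuntu`
    return roles


def lint_role(role: dict) -> List[str]:
    """Return policy violations for one role (empty list means it passes)."""
    problems = []
    spec = role["spec"]
    labels = spec["allow"].get("node_labels", {})
    if "*" in labels or labels.get("env", "*") == "*":
        problems.append("not pinned to one environment")
    if "root" in spec["allow"].get("logins", []):
        problems.append("allows root login")
    if labels.get("env") == "prod" and spec["options"].get("max_session_ttl") != session_ttl("prod"):
        problems.append("prod session TTL exceeds policy")
    return problems


def saml_connector(name: str, acs: str) -> dict:
    """Map IdP groups to the generated roles so SSO users land in least privilege."""
    mappings = []
    for group, grant in GROUPS.items():
        roles = [role_name(svc, env) for svc in grant["services"] for env in grant["envs"]]
        mappings.append({"name": "groups", "value": group, "roles": roles})
    return {"kind": "saml", "version": "v2", "metadata": {"name": name},
            "spec": {"acs": acs, "attributes_to_roles": mappings}}


def render(resource: dict) -> str:
    """JSON is valid YAML; assumption: `tctl create -f` accepts this rendering."""
    return json.dumps(resource, indent=2)


if __name__ == "__main__":
    for r in all_roles() + [LEGACY_ADMIN]:
        print(r["metadata"]["name"], lint_role(r) or "ok")
    print(render(saml_connector("okta", "https://teleport.example.com:3080/v1/webapi/saml/acs")))
```

Because every role carries a concrete `env` label, the same 80 role documents can be applied to all five clusters unchanged; what differs per environment is only which nodes carry which labels, which is exactly the "distributed but same config" setup the deck describes.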
Logs
- Hard to read in DynamoDB
- Datadog logs
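The audit trail is the reason for the bastion in the first place ("Audit" on the Bastion slide, "makes users identifiable" on the Teleport slide), but the deck only notes that the DynamoDB export is hard to read. The following is an added example, not the speaker's code and not part of Teleport: it reads JSON audit events, reconstructs each session (which IdP identity logged in, as which OS account, on which node, who joined the shared session, how long it lasted) and flags the things a reviewer wants to see first: logins as an unexpected OS account, sessions with no `session.end`, failed logins, and logins that did not go through the IdP. The event lines are constructed to resemble Teleport's 2018-era `events.log` format (`event`, `time`, `user`, `login`, `sid`, `server_id`, `method`, `success`); the field names are an assumption to verify against your own export before relying on the output.

```python
"""Summarize Teleport audit events: who did what, as whom, where, and with whom.

Added example (not the deck author's or Teleport's code). SAMPLE_EVENTS is
constructed; the field names are assumed from Teleport's JSON audit format.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# constructed sample in the shape of Teleport's JSON audit events
SAMPLE_EVENTS = """\
{"event":"user.login","time":"2018-10-31T09:00:00Z","uid":"u1","user":"alice@example.com","method":"saml","success":true}
{"event":"session.start","time":"2018-10-31T09:00:05Z","uid":"u2","user":"alice@example.com","login":"ubuntu","sid":"s-1","server_id":"node-payment-api-prod","addr.remote":"203.0.113.10:51000"}
{"event":"session.join","time":"2018-10-31T09:02:00Z","uid":"u3","user":"bob@example.com","sid":"s-1","server_id":"node-payment-api-prod"}
{"event":"session.end","time":"2018-10-31T09:15:05Z","uid":"u4","user":"alice@example.com","sid":"s-1","server_id":"node-payment-api-prod"}
{"event":"session.start","time":"2018-10-31T10:00:00Z","uid":"u5","user":"carol@example.com","login":"root","sid":"s-2","server_id":"node-ledger-prod","addr.remote":"198.51.100.7:40000"}
{"event":"user.login","time":"2018-10-31T10:30:00Z","uid":"u6","user":"admin","method":"local","success":true}
{"event":"user.login","time":"2018-10-31T10:31:00Z","uid":"u7","user":"mallory","method":"local","success":false,"error":"bad password"}
"""

# assumption: the only OS accounts our roles are allowed to grant
EXPECTED_LOGINS = {"ubuntu", "app"}


@dataclass
class Session:
    sid: str
    user: str                      # IdP identity (the SSO principal), not the OS account
    login: str                     # OS account the session ran as
    server: str
    started: datetime
    ended: Optional[datetime] = None
    participants: List[str] = field(default_factory=list)  # session.join users

    def duration_minutes(self) -> Optional[float]:
        if self.ended is None:
            return None
        return (self.ended - self.started).total_seconds() / 60


def parse_time(value: str) -> datetime:
    """Teleport writes RFC 3339 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text: str) -> List[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_sessions(events: List[dict]) -> Dict[str, Session]:
    """Stitch session.start / session.join / session.end events into Session records."""
    sessions: Dict[str, Session] = {}
    for ev in events:
        kind, sid = ev.get("event"), ev.get("sid")
        if kind == "session.start":
            sessions[sid] = Session(sid, ev["user"], ev["login"], ev["server_id"], parse_time(ev["time"]))
        elif kind == "session.join" and sid in sessions:
            sessions[sid].participants.append(ev["user"])
        elif kind == "session.end" and sid in sessions:
            sessions[sid].ended = parse_time(ev["time"])
    return sessions


def findings(events: List[dict]) -> List[str]:
    """Things a reviewer should look at first, in the order they were found."""
    out: List[str] = []
    for s in summarize_sessions(events).values():
        if s.login not in EXPECTED_LOGINS:
            out.append(f"{s.sid}: {s.user} ran a session as OS account '{s.login}' on {s.server}")
        if s.ended is None:
            out.append(f"{s.sid}: no session.end (still open, or the export is truncated)")
    for ev in events:
        if ev.get("event") != "user.login":
            continue
        if not ev.get("success", False):
            out.append(f"failed login for {ev['user']} via {ev.get('method')}")
        elif ev.get("method") != "saml":
            out.append(f"{ev['user']} logged in via '{ev.get('method')}', bypassing the IdP")
    return out


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for s in summarize_sessions(evs).values():
        print(s.sid, s.user, "as", s.login, "on", s.server, "joined by", s.participants,
              "duration(min)", s.duration_minutes())
    for line in findings(evs):
        print("FINDING:", line)
```

Note that the shared `ubuntu` login on `s-1` is still attributable to `alice@example.com`, with `bob@example.com` recorded as a joiner, which is the "identifiable user" property the deck contrasts with plain SSH key access.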
Isolate, for real
And More
We are hiring!
Thank you @ken5scal