Slide 1
Slide 1 text
Everyone!
Are you doing?
Proposal of using Amazon Macie in Bastion
At S-JAWS # 8
2018.02.23
Slide 2
Slide 2 text
ΈΜͳʂ!
ͬͯΔ͔͍?
౿Έ ڥʹ͓͚ΔAmazon Macie׆༻ͷఏҊ
S-JAWS # 8 ʹͯ
2018.02.23
Slide 3
Slide 3 text
Who Am I !?ʢ͓લ୭Αʁʣ
• Hirokazu YoshidaˏCloud Native Inc.
Security Engineer
• Community
- Security-JAWS
- Deep Security User Group
• Favorite AWS Service
https://qiita.com/fnifni
Slide 4
Slide 4 text
ͱ͍͏Θ͚Ͱ
ຊ
Slide 5
Slide 5 text
౿Έͱฉ͍ͯ
ԿΛ࿈͠·͔͢ʁ
Slide 6
Slide 6 text
౿Έαʔό࡞ͬͯ
ͱݴΘΕͯ
ςϯγϣϯ্͕Γ·͔͢ʁ
Slide 7
Slide 7 text
Ͱ
Slide 8
Slide 8 text
ཁ࠹αʔό࡞ͬͯ
ͱݴΘΕͨΒʁ
Slide 9
Slide 9 text
Motivation of Bastion server
• ୭͕ϩάΠϯͰ͖Δ͔ʢೝূ/ೝՄʣ
• ڥͷ།Ұͷ௨Γಓʢ৴པ͢Δܦ࿏ʣ
• Ϣʔβʔͷߦಈهσʔλ͕௨ա
ʢࠪϙΠϯτʣ
Slide 10
Slide 10 text
ͬͱݴ͏ͱ
Slide 11
Slide 11 text
Really scary Bastion server
• ੑѱઆʹཱͭͱɺ
ΠϯλϥΫςΟϒͳϩάΠϯૢ࡞ΞϯηΩϡΞ
• ۀޮʢϏδωεͷʣʹ݁͢ΔͨΊɺ
ηΩϡϦςΟͱརศੑ͕ৗʹఱṝʹྔΒΕΔ
• ϏδωεͱηΩϡϦςΟͷલઢج
Slide 12
Slide 12 text
ଧ伴ϩάͷऔಘ/ੳ
ෆՄආ
Slide 13
Slide 13 text
ίϯϓϥΠΞϯεͰ
ఆΊΒΕͯΔ͠ɺऔͬͯΔΑ
Կ͔͋Ε͑Δ͠ɻ
Slide 14
Slide 14 text
ͦΜͳϞνϕʔγϣϯͰ
ྑ͔ͬͨΜ͚ͩͬʁ
Slide 15
Slide 15 text
https://www.cisecurity.org/controls/
Slide 16
Slide 16 text
20 CIS Controls is Կ
• NIST SP800-53 (࿈ใγεςϜ ͓Αͼ
࿈৫ͷͨΊͷ ηΩϡϦςΟཧࡦͱϓϥ
Πόγʔཧࡦ) Λ࣮͢Δ্ͰॏཁͱͳΔ20
ͷηΩϡϦςΟίϯτϩʔϧΛ·ͱΊͨจॻ
Slide 17
Slide 17 text
6. Maintenance, Monitoring,
and Analysis of Audit Logs
• ݕग़ɺཧղɺ·ͨ߈ܸ͔Βͷճ෮ʹཱͭ
Մೳੑͷ͋ΔΠϕϯτͷࠪϩάΛऩूɺ
ཧɺ͓Αͼੳ
• ଟ͘ͷ৫ͰɺίϯϓϥΠΞϯεͷతͰ
ࠪهΛอ͍࣋ͯ͠·͕͢ɺࠪϩάΛ΄
ͱΜͲࢀর͠ͳ͍ͨΊɺγεςϜ͕৵͞Ε
͍ͯΔ͔Ͳ͏͔Θ͔Γ·ͤΜɻ
Slide 18
Slide 18 text
13. Data Protection
• ओʹ҉߸ԽͱDLPʹ͍ͭͯͷهࡌ
• DLPίϯτϩʔϧϙϦγʔʹج͍͓ͮͯ
Γɺػີσʔλͷྨɺاۀશମͷσʔλͷ
ݕग़ɺ੍ޚͷ࣮ࢪɺϙϦγʔͷ४ڌΛอূ͢
ΔͨΊͷϨϙʔτ࡞ͱࠪͳͲؚ͕·Ε·
͢ɻ
Slide 19
Slide 19 text
ͭ·Γ
• ଧ伴ϩάΛऩूͯ͠ɺࠪ͠ͳ͍ͳΒҙຯ͕
ͳ͍
• ϙϦγʔʹج͍ͮͨػີσʔλͷྨͳͯ͘͠ɺ
ػີσʔλΞΫηε͢Δӡ༻ʹؾ͘͜ͱ͢
ΒͰ͖ͳ͍
Slide 20
Slide 20 text
ੳ is grep …?
Slide 21
Slide 21 text
What is Amazon Macie?
• ػցֶशʹͯS3ͷػີσʔλΛࣗಈతʹݕ
ग़ɺྨɺอޢ͢ΔηΩϡϦςΟαʔϏε
• ݸਓใ (PII) తࡒ࢈ͳͲͷػີσʔλ͕ೝ
ࣝ͞ΕΔɻ
• όʔδχΞͱΦϨΰϯͰར༻Մೳ
https://docs.aws.amazon.com/ja_jp/macie/latest/userguide/what-is-macie.html
Slide 22
Slide 22 text
ඦฉҰݟʹ͔ͣ͠
Slide 23
Slide 23 text
ATTENTION !
• ઃఆखॱ؆୯͗͢ΔͷͰհ͠·ͤΜɻ
AWSϒϩάͰྲྀΕΛ֬ೝ͍ͯͩ͘͠͞ɻ
https://aws.amazon.com/jp/blogs/news/launch-amazon-macie-securing-your-s3-buckets/
• CloudTrailྑ͍ײ͡ʹධՁͯ͘͠Ε·͕͢ɺ
ࠓճհ͠·ͤΜɻ
ઃఆ͢Δͱ͙͢ʹݟΕΔͷͰɺମײ͍ͯͩ͘͠͞
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
case1: logs/linux_syslog
Slide 26
Slide 26 text
No content
Slide 27
Slide 27 text
case2: PII Priority / moderate
Slide 28
Slide 28 text
No content
Slide 29
Slide 29 text
No content
Slide 30
Slide 30 text
ΞϥʔτʂϨϙʔτʂͷલʹ
ڥͷบੑ࣭ΛΖ͏ʂ
Slide 31
Slide 31 text
མͱ݀͠ͷڞ༗
Slide 32
Slide 32 text
Pitfall
• MacieͷධՁλΠϛϯάɺόέοτઃఆ࣌ͱ
s3ΦϒδΣΫτ͕Put͞Εͨ࣌
• Macie͕͏αʔϏεϩʔϧɺ
CloudFormationͰఏڙ͞Ε͍ͯΔ
ελοΫΛޡͬͯফ͢ͱ
෮ؼ·ͰͷؒʹPut͞ΕͨObjectධՁ͞Εͳ͍
Slide 33
Slide 33 text
Α͋͘Δޡղ
Slide 34
Slide 34 text
MacieͬͯS3όέοτΛ
ධՁ͢ΔΜͰ͠ΐʁ
S3ใ࿙͍͕͑৺
Slide 35
Slide 35 text
Cause is
a misconfiguration of S3
• WWE Leaks 3 Million Emails
https://mackeepersecurity.com/post/world-wrestling-entertainment-leaks-3-
million-emails
• Dow Jones customer data exposed in cloud error
http://thehill.com/policy/cybersecurity/342333-dow-jones-customer-data-exposed-
in-cloud-error
• VerizonՃೖऀ1400ສਓͷݸਓใɺۀҕୗઌ͕
ʮແඋঢ়ଶʯͰΫϥυʹอଘ
http://www.itmedia.co.jp/enterprise/articles/1707/13/news055.html
Slide 36
Slide 36 text
Α͋͘Δ৺
Slide 37
Slide 37 text
AWS MacieͰ
ػີใಡΈऔΒͤͯ
େৎͳͷʁ
Slide 38
Slide 38 text
Third Party Authentication
~See AWS Artifact~
• ISO 27001:2013 Certification
• ISO 27017:2015 Certification
• ISO 27018:2014 Certification
• ISO 9001:2015 Certification
• PCIDSSv3.2
• SoC1/2ݸผʹௐͯͶΜ(ཁผ్ใೖྗ)
Slide 39
Slide 39 text
·ͱΊ
• ᘳͳͷͳ͍ɻ
͔֬Β͠͞ΛੵΈॏͶΔ͜ͱɻ
• ਓྗͰͷఆٛʹϛεݶք͕͋Δɻ
ੵۃతʹػցͷྗʹཔΓͭͭڍಈΛ؍ͯ͠ɺ
ΧόʔͰ͖ͳ͍ͱ͜ΖผͷͷͰϑΥϩʔ
• νϟϨϯδ͢Δ͜ͱɻ
ͬͯΈͯॳΊͯؾ͘͜ͱ͕͋Δ(ص্ݕ౼͘)
Slide 40
Slide 40 text
͏Ұ͍·͢
Slide 41
Slide 41 text
ΈΜͳʂ
ͬͯΔ͔͍ʁ