
Practical DevSecOps (DevSecOps実践)

atsushi-ishibashi

November 02, 2018


Transcript

  1. Self-introduction - Atsushi Ishibashi
  • Joined Finatext Inc. as a founding member while still a student
  • Lead engineer on Smartplus Inc.'s BaaS project, designing and developing the order execution system and related components
  • Golang
  • Recommended way to study AWS: check the SDK changelogs
  • Favorite service: Route53 Auto Naming
  • Hobby: sauna (home sauna: Sauna Center)
  2. Company introduction (the slide body did not survive transcript extraction)
  3. Definition: preventive control
  For W and X′ ⊂ X, when (S, V′) satisfies the following, (S, V′) is said to be a preventive control with respect to (W, X′):
  ∀v ∈ V′, ∀x ∈ X′: v(x(S)) ∉ W
  4. Definition: detective control
  For W and X′ ⊂ X, when (S, V′) satisfies the following, (S, V′) is said to be a detective control with respect to (W, X′):
  ∀x ∈ X′, ∃v ∈ V′: v(x(S)) ∈ W
  5. Definition: threat
  Let W ⊂ (set not recovered from the transcript) be the knowledge we have about security, and let V′ be the set of evaluators that have already been implemented.
  A = {a | ∃v ∈ V′, v(a(*)) ∈ W}, A ⊂ X. Each a ∈ A is called a threat, and A the threat set.
  Further, let W* be the strongest security knowledge. Given V′, A is said to be sufficient when it satisfies the following condition against {a | ∃v ∈ V′, v(a(*)) ∈ W*} (the relation between A and this set is not recoverable from the transcript).
  6. Definition: DevSecOps
  DevSecOps means carrying out one or more of the following activities within a continuous development process:
  1: W → W* ⇒ A → A*
  2: With respect to preventive control, change the system S so that: X′ → X′′ s.t. A ∩ X′ ⊆ A ∩ X′′
  3: With respect to detective control, change (S, V′) so that: X′ → X′′ s.t. A ∩ X′ ⊆ A ∩ X′′
  7. W → W* ⇒ A → A*
  (Venn diagram over X showing A, A*, and the regions covered by preventive control and by detective control)
  • The sufficiency of the recognizable threat set increases
  • Part of the region where preventive control had been misdetecting becomes an effective region
  • Part of the region where detective control had been misdetecting becomes an effective region
  8. With respect to preventive control, change the system S so that the following holds
  (Venn diagram over X showing A, A*, and the regions covered by preventive control and by detective control)
  • The intersection of the recognizable threat set with the region under preventive control grows
  • Part of the region where preventive control had been misdetecting becomes an effective region
  9. With respect to detective control, change (S, V′) so that the following holds
  (Venn diagram over X showing A, A*, and the regions covered by preventive control and by detective control)
  • The intersection of the recognizable threat set with the region under detective control grows
  • Part of the region where detective control had been misdetecting shrinks
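The definitions on slides 3 to 9 are compact enough to execute. The following is an added example, not code from the deck: it models S as a dict of resource settings, X as functions that map a state to a new state, V′ as evaluator functions (standing in for Config rules or GuardDuty findings) and W as the set of observations the operator recognises as a threat, then checks the three DevSecOps activities on a constructed two-resource system. All resource names, actions and evaluators are invented for illustration.

```python
# Added example (not from the slides): executable model of the deck's
# definitions. S is a system state, X a set of actions with x(S) the state
# after the action, V' a set of implemented evaluators, W the observations
# the operator knows to be a threat. All sample resources are constructed.
from typing import Callable, Dict, Iterable, Set

State = Dict[str, str]
Action = Callable[[State], State]
Evaluator = Callable[[State], str]


def is_preventive_control(S: State, X_prime: Dict[str, Action],
                          V_prime: Dict[str, Evaluator], W: Set[str]) -> bool:
    """Slide 3: for all v in V' and all x in X', v(x(S)) is not in W."""
    return all(v(x(S)) not in W
               for x in X_prime.values() for v in V_prime.values())


def is_detective_control(S: State, X_prime: Dict[str, Action],
                         V_prime: Dict[str, Evaluator], W: Set[str]) -> bool:
    """Slide 4: for every x in X', some v in V' observes x(S) inside W."""
    return all(any(v(x(S)) in W for v in V_prime.values())
               for x in X_prime.values())


def threat_set(X: Dict[str, Action], V_prime: Dict[str, Evaluator],
               W: Set[str], states: Iterable[State]) -> Set[str]:
    """Slide 5: A = {a | exists v in V', v(a(*)) in W}; '*' ranges over the
    sample states given. Returns the names of the threatening actions."""
    states = list(states)
    return {name for name, a in X.items()
            if any(v(a(S)) in W for S in states for v in V_prime.values())}


# --- constructed sample system: one S3 bucket plus one CloudTrail trail ----
def make_public(S: State) -> State:
    """Try to set a public ACL; an active public-access block makes it a no-op."""
    if S["s3_block_public"] == "on":
        return dict(S)
    return {**S, "s3_acl": "public"}


def disable_cloudtrail(S: State) -> State:
    return {**S, "cloudtrail": "off"}


X_ALL: Dict[str, Action] = {"make_public": make_public,
                            "disable_cloudtrail": disable_cloudtrail}


def v_s3(S: State) -> str:          # stands in for a Config rule on the bucket
    return "s3_public" if S["s3_acl"] == "public" else "s3_ok"


def v_trail(S: State) -> str:       # stands in for a rule on the trail
    return "cloudtrail_off" if S["cloudtrail"] == "off" else "cloudtrail_ok"


W_KNOWN: Set[str] = {"s3_public"}                     # W: what we know today
W_STAR: Set[str] = {"s3_public", "cloudtrail_off"}    # W*: stronger knowledge

S0: State = {"s3_acl": "private", "s3_block_public": "off", "cloudtrail": "on"}
S1: State = {**S0, "s3_block_public": "on"}           # activity 2: change S
V1: Dict[str, Evaluator] = {"v_s3": v_s3}
V2: Dict[str, Evaluator] = {"v_s3": v_s3, "v_trail": v_trail}  # activity 3


def demo() -> Dict[str, object]:
    only_public = {"make_public": make_public}
    return {
        # activity 1: W -> W* enlarges the threat set A -> A*
        "A": threat_set(X_ALL, V2, W_KNOWN, [S0]),
        "A_star": threat_set(X_ALL, V2, W_STAR, [S0]),
        # activity 2: S0 is not preventive against make_public, S1 is
        "prev_S0": is_preventive_control(S0, only_public, V2, W_STAR),
        "prev_S1": is_preventive_control(S1, only_public, V2, W_STAR),
        # activity 3: with only v_s3, disabling CloudTrail goes unobserved
        "det_V1": is_detective_control(S0, X_ALL, V1, W_STAR),
        "det_V2": is_detective_control(S0, X_ALL, V2, W_STAR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the three activities separately: enlarging W adds disable_cloudtrail to the threat set, changing S (turning the public-access block on) makes the pair a preventive control against make_public, and adding the trail evaluator to V′ is what turns the pair into a detective control over both actions.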
  10. Capturing X with a classification (example)
  By activity:
  • the element of activity 1
  • directive (activity 2)
  • preventive (activity 2)
  • detective (activity 3)
  • responsive (activity 3)
  By target:
  • ID / access
  • server
  • network
  • database
  • storage
  • ...
  • application
  By what is observed (also over X):
  • S
  • L
  • S x L
  (extended)
  • S x T
  • L x T
  • S x L x T
  (Reference) AWS CAF ( https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf )
  11. The element of activity 1: there is nothing for it but to keep learning... but it may be more efficient to do so with a systematic classification in mind
  • Security Bulletins ( https://aws.amazon.com/security/security-bulletins/feed/ )
  • Security blogs
    • AWS Security Blog ( https://aws.amazon.com/jp/blogs/security/ )
    • Google Security Blog ( https://security.googleblog.com/ )
  • JPCERT's RSS feed ( https://www.jpcert.or.jp/rss/jpcert.rdf )
  and so on...
  12. The element of activity 2 - directive
  • directive x ID / access management
    • least privilege in IAM
  • directive x server
    • monitoring SSM Compliance with Config
  • directive x network
    • restricting ports
  The element of activity 2 - preventive
  • preventive x ID / access
    • minimizing IAM policies
    • permission boundaries (IAM Permission Boundary)
  • preventive x server
    • minimizing security groups
  • preventive x storage
    • restricting requests to S3 to TLS, with Config
  • preventive x application
    • automatic WAF updates
  13. The element of activity 3 - detective
  • detective x ID / access x S
    • detecting drift from the state managed in terraform
  • detective x ID / access x L
    • via GuardDuty
  • detective x ID / access x S x L
    • detecting MFA being disabled on the root account
  • detective x server x S
    • detecting missing patches with SSM Patch Baseline
  • detective x database x S
    • auditing encryption with Config
  • detective x storage x L
    • detecting tampering with CloudTrail logs
  • detective x application x L
    • image vulnerability scanning with ECR - CWE - clair
    • anomaly detection from ELB access logs
  The element of activity 3 - responsive
  • responsive x ID / access
    • rotating access keys
    • responding to unauthorized logins with GuardDuty - CWE - Lambda
  • responsive x server
    • responding to intrusions with GuardDuty - CWE - Lambda
  • responsive x network x S x L
    • remediating VPC flow logs that were disabled
  • responsive x storage x L
    • remediating public access on S3 with Config - Lambda
    • remediating S3 TLS policies with Config
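The two "responsive x storage" items (public access on S3, S3 TLS policy) share one shape: a Config rule flips to NON_COMPLIANT, CloudWatch Events forwards the compliance-change event, and a Lambda puts the bucket back into the intended state. The handler below is an added example, not the deck's or AWS's code. It follows the field names of the CloudWatch Events "Config Rules Compliance Change" event; the two rule names are assumed names an account owner would have given the managed rules, and the S3 client is passed in so the logic can be run offline against the included FakeS3 stand-in. The bucket names and policy documents are constructed.

```python
# Added example (not from the slides): Lambda handler for the
# Config -> CWE -> Lambda remediation of S3 public access and TLS-only policy.
import json
from typing import Any, Dict, Optional

PUBLIC_ACCESS_RULE = "s3-bucket-public-read-prohibited"   # assumed rule name
TLS_ONLY_RULE = "s3-bucket-ssl-requests-only"             # assumed rule name

BLOCK_ALL_PUBLIC = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def tls_deny_statement(bucket: str) -> Dict[str, Any]:
    """Bucket-policy statement denying any request that did not use TLS."""
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


def policy_enforces_tls(policy: Dict[str, Any]) -> bool:
    """True if some Deny statement keys on aws:SecureTransport == false."""
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        flag = str(cond.get("aws:SecureTransport", "")).lower()
        if st.get("Effect") == "Deny" and flag == "false":
            return True
    return False


def with_tls_enforced(policy: Optional[Dict[str, Any]], bucket: str) -> Dict[str, Any]:
    """Return a copy of the policy with the TLS deny statement added if missing."""
    if policy is None:
        doc: Dict[str, Any] = {"Version": "2012-10-17", "Statement": []}
    else:
        doc = json.loads(json.dumps(policy))  # deep copy, leave caller's dict alone
    if not policy_enforces_tls(doc):
        doc.setdefault("Statement", []).append(tls_deny_statement(bucket))
    return doc


def parse_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Extract rule name and bucket; ignore compliant results and non-buckets."""
    d = event.get("detail", {})
    if d.get("resourceType") != "AWS::S3::Bucket":
        return None
    if d.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return {"rule": d.get("configRuleName", ""), "bucket": d.get("resourceId", "")}


def remediate(event: Dict[str, Any], s3) -> str:
    """Apply the fix matching the rule in the event; returns what was done."""
    finding = parse_event(event)
    if finding is None:
        return "ignored"
    bucket = finding["bucket"]
    if finding["rule"] == PUBLIC_ACCESS_RULE:
        s3.put_public_access_block(Bucket=bucket,
                                   PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC)
        return f"blocked public access on {bucket}"
    if finding["rule"] == TLS_ONLY_RULE:
        try:
            current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
        except Exception as exc:  # botocore ClientError carries the S3 error code
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "NoSuchBucketPolicy":
                raise
            current = None
        s3.put_bucket_policy(Bucket=bucket,
                             Policy=json.dumps(with_tls_enforced(current, bucket)))
        return f"enforced TLS-only policy on {bucket}"
    return f"no remediation for rule {finding['rule']}"


class FakeS3:
    """Offline stand-in for the boto3 S3 client (only what remediate() calls)."""
    def __init__(self, policy: Optional[Dict[str, Any]] = None):
        self.policy, self.calls = policy, []

    def put_public_access_block(self, **kw):
        self.calls.append(("put_public_access_block", kw))

    def get_bucket_policy(self, **kw):
        if self.policy is None:
            err = Exception("NoSuchBucketPolicy")
            err.response = {"Error": {"Code": "NoSuchBucketPolicy"}}
            raise err
        return {"Policy": json.dumps(self.policy)}

    def put_bucket_policy(self, **kw):
        self.calls.append(("put_bucket_policy", kw))
        self.policy = json.loads(kw["Policy"])


def sample_event(rule: str, bucket: str, compliance: str = "NON_COMPLIANT") -> Dict[str, Any]:
    """Constructed compliance-change event in the CloudWatch Events shape."""
    return {"detail": {"resourceType": "AWS::S3::Bucket", "resourceId": bucket,
                       "configRuleName": rule,
                       "newEvaluationResult": {"complianceType": compliance}}}


def handler(event, context):
    """Real Lambda entry point; boto3 is imported lazily so the rest runs offline."""
    import boto3
    return remediate(event, boto3.client("s3"))
```

The Lambda role needs only s3:PutBucketPublicAccessBlock, s3:GetBucketPolicy and s3:PutBucketPolicy on the buckets it manages; keeping with_tls_enforced idempotent matters because Config re-evaluates after every change and the handler will see the same bucket more than once.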
  14. The cast for what follows
  Lambda: when you want custom processing or logic, reach for this first
  Config: can monitor configuration changes
  CloudWatchEvent (CWE): can run Lambda on an event or schedule basis
  CloudTrail: collects AWS API logs; CWE can pick those logs up; the one you enable first thing
  GuardDuty: analyses various logs and detects suspicious activity and anomalies; CWE can pick those findings up; the one you enable first thing
  Terraform: Hashicorp's OSS; manages state idempotently
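The "responding to unauthorized logins with GuardDuty - CWE - Lambda" item on slide 13 maps onto the cast above as: GuardDuty emits a finding, CWE matches it and invokes Lambda, Lambda contains the damage. The handler below is an added example, not the deck's or AWS's code. It reads the finding from the CloudWatch Events GuardDuty Finding event (type, severity, resource.accessKeyDetails), and for findings about an IAM user's access key that reach an assumed severity threshold it sets that key to Inactive, a reversible step that stops the key without deleting it. Root and assumed-role principals are reported rather than acted on, because an IAM update_access_key call does not apply to them. The IAM client is injected so the decision logic runs offline against the FakeIAM stand-in; the key id and user name in the sample are constructed.

```python
# Added example (not from the slides): GuardDuty -> CWE -> Lambda responder
# that deactivates an IAM user's access key named in a finding.
from typing import Any, Dict, List, Optional

DEFAULT_MIN_SEVERITY = 4.0   # assumed threshold: GuardDuty "medium" and above


def plan_response(finding: Dict[str, Any],
                  min_severity: float = DEFAULT_MIN_SEVERITY) -> Dict[str, Any]:
    """Decide what to do with one finding (the event's 'detail' object).

    Returns a dict with an 'action' of 'deactivate_key', 'manual' or 'skip'
    plus the details needed to carry it out or to explain the decision.
    """
    severity = float(finding.get("severity", 0))
    ftype = finding.get("type", "")
    res = finding.get("resource", {})
    if res.get("resourceType") != "AccessKey":
        return {"action": "skip", "reason": f"resource type {res.get('resourceType')}"}
    if severity < min_severity:
        return {"action": "skip", "reason": f"severity {severity} below {min_severity}"}
    key = res.get("accessKeyDetails", {})
    user_type, user, key_id = key.get("userType"), key.get("userName"), key.get("accessKeyId")
    if user_type != "IAMUser" or not user or not key_id:
        # Root credentials and assumed-role sessions cannot be fixed via IAM keys.
        return {"action": "manual", "reason": f"{user_type} principal in {ftype}",
                "user": user, "key_id": key_id}
    return {"action": "deactivate_key", "user": user, "key_id": key_id, "type": ftype}


def respond(event: Dict[str, Any], iam,
            min_severity: float = DEFAULT_MIN_SEVERITY) -> Dict[str, Any]:
    """Carry out the planned response; returns the plan plus what was done."""
    plan = plan_response(event.get("detail", {}), min_severity)
    if plan["action"] == "deactivate_key":
        # Inactive, not deleted: the owner can still audit and rotate the key.
        iam.update_access_key(UserName=plan["user"], AccessKeyId=plan["key_id"],
                              Status="Inactive")
        plan["done"] = True
    else:
        plan["done"] = False
    return plan


class FakeIAM:
    """Offline stand-in for the boto3 IAM client (only what respond() calls)."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def update_access_key(self, **kw) -> None:
        self.calls.append(kw)


def sample_finding(severity: float, user_type: str = "IAMUser",
                   ftype: str = "UnauthorizedAccess:IAMUser/MaliciousIPCaller") -> Dict[str, Any]:
    """Constructed GuardDuty finding event in the CloudWatch Events shape."""
    return {"detail": {"type": ftype, "severity": severity,
                       "resource": {"resourceType": "AccessKey",
                                    "accessKeyDetails": {
                                        "accessKeyId": "AKIAEXAMPLEKEY000001",  # constructed
                                        "userName": "alice",                     # constructed
                                        "userType": user_type}}}}


def handler(event, context):
    """Real Lambda entry point; boto3 imported lazily so the rest runs offline."""
    import boto3
    return respond(event, boto3.client("iam"))


if __name__ == "__main__":
    print(respond(sample_finding(5.0), FakeIAM()))
    print(respond(sample_finding(2.0), FakeIAM()))
    print(respond(sample_finding(8.0, user_type="Root"), FakeIAM()))
```

Because CWE can also match on the finding type, the same rule pattern can be narrowed to the UnauthorizedAccess:IAMUser/* family so that EC2-instance findings never reach this function; the resourceType check above is the in-code backstop for that.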
  15. directive x server: monitoring SSM Patch Compliance with Config
  (Diagram) EC2 → SSM Maintenance Windows → Config (periodic scan, compliance check) → CWE → Lambda
  16. directive x ID / access / network: minimizing IAM permissions and security groups
  (Diagram) CloudTrail → S3 → periodic aggregation → IAM
  The above is the ideal, but CloudTrail logs are hard to work with, so in practice it is IAM Access Advisor... (^^;
  (Diagram) VPC → S3 → periodic aggregation → Security Group
  17. preventive x application: updating the WAF IP blacklist
  (Diagram) S3 → CWE → Lambda → WAF, run on a schedule; sources are industry-shared or in-house IP blacklists, the Spamhaus DROP List, etc.; the WAF sits in front of ELB / CloudFront
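The scheduled Lambda in the S3 → CWE → Lambda → WAF flow has two jobs the diagram hides: parsing the list format, and fitting it to what the WAF IP set accepts. The code below is an added example, not the deck's or Spamhaus's, written against the classic AWS WAF API that the ELB / CloudFront deployment on this slide used in 2018 (get_change_token, get_ip_set, update_ip_set). That API only accepts IPv4 descriptors with /8, /16, /24 or /32 prefixes, so a DROP entry such as a /20 has to be expanded into /24s; the example also diffs the desired set against the current one so each run only inserts and deletes what changed. The DROP-format sample is constructed from documentation address ranges, and the batch size is an assumption, not a documented limit.

```python
# Added example (not from the slides): build classic-WAF IP set updates from
# a Spamhaus-DROP-style list. Sample data is constructed (TEST-NET ranges).
import ipaddress
from typing import Dict, Iterable, List, Set

WAF_IPV4_PREFIXES = (8, 16, 24, 32)   # the only IPv4 sizes classic WAF accepts
BATCH_SIZE = 500                      # assumed per-call batch size

SAMPLE_DROP_TEXT = """\
; Spamhaus DROP List (constructed sample, not the real list)
; Last-Modified: Fri, 02 Nov 2018 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/30 ; SBL000002
"""


def parse_drop_list(text: str) -> List[ipaddress.IPv4Network]:
    """DROP format: one 'CIDR ; SBL-id' per line, ';' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if isinstance(net, ipaddress.IPv4Network):   # classic WAF IPv4 set only
            nets.append(net)
    return nets


def to_waf_cidrs(net: ipaddress.IPv4Network) -> List[str]:
    """Cover net with the smallest accepted prefix that is not shorter than it."""
    if net.prefixlen in WAF_IPV4_PREFIXES:
        return [str(net)]
    target = min(p for p in WAF_IPV4_PREFIXES if p >= net.prefixlen)
    return [str(sub) for sub in net.subnets(new_prefix=target)]


def desired_cidrs(nets: Iterable[ipaddress.IPv4Network]) -> Set[str]:
    return {cidr for net in nets for cidr in to_waf_cidrs(net)}


def plan_updates(desired: Set[str], current: Set[str]) -> List[Dict]:
    """UpdateIPSet 'Updates' entries: INSERT what is missing, DELETE what is stale."""
    updates = []
    for cidr in sorted(desired - current):
        updates.append({"Action": "INSERT",
                        "IPSetDescriptor": {"Type": "IPV4", "Value": cidr}})
    for cidr in sorted(current - desired):
        updates.append({"Action": "DELETE",
                        "IPSetDescriptor": {"Type": "IPV4", "Value": cidr}})
    return updates


def sync_ip_set(waf, ip_set_id: str, desired: Set[str]) -> int:
    """Push the diff to WAF in batches; returns the number of updates applied."""
    ip_set = waf.get_ip_set(IPSetId=ip_set_id)["IPSet"]
    current = {d["Value"] for d in ip_set["IPSetDescriptors"] if d["Type"] == "IPV4"}
    updates = plan_updates(desired, current)
    for start in range(0, len(updates), BATCH_SIZE):
        token = waf.get_change_token()["ChangeToken"]   # each update needs a fresh token
        waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token,
                          Updates=updates[start:start + BATCH_SIZE])
    return len(updates)


def handler(event, context):
    """Scheduled Lambda entry point: list object in S3 -> WAF IP set.
    Bucket, key and IPSetId are placeholders to be supplied by the deployment."""
    import boto3
    body = boto3.client("s3").get_object(Bucket="BLOCKLIST_BUCKET",
                                         Key="drop.txt")["Body"].read().decode()
    desired = desired_cidrs(parse_drop_list(body))
    return sync_ip_set(boto3.client("waf"), "IPSET_ID_PLACEHOLDER", desired)


if __name__ == "__main__":
    wanted = desired_cidrs(parse_drop_list(SAMPLE_DROP_TEXT))
    for u in plan_updates(wanted, {"192.0.2.0/24", "203.0.113.0/24"}):
        print(u["Action"], u["IPSetDescriptor"]["Value"])
```

Expanding a short prefix multiplies descriptors quickly (a /8 entry is fine as one descriptor, but a /9 becomes two /16s and a /17 becomes 128 /24s), so it is worth logging the descriptor count against the IP set's quota before applying, and keeping the DELETE step so entries removed upstream do not linger.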
  18. detective x application x S: vulnerability scanning of Docker images in ECR
  (Diagram) ECR → CWE → Lambda → SSM → EC2: run command with the image name and tag; image scanning with clair etc.
  19. Things an application engineer can readily keep in mind during the development process
  • How to observe (symbol not recovered from the transcript) correctly and sufficiently
  • For S, as long as we restrict ourselves to AWS resources, we are fine
  • L... is a large topic in its own right, so I leave it to others
  • What to evaluate with V, and how
  • Improve through the mutual relationships S x L ⇔ W ⇔ V
  • Taking advantage of the fact that security demands continuity, combine Dev (preventive control) and Ops (detective control) in the development process as DevSecOps, and raise the coupling of today's DevOps as well!