DevSecOps実践

Transcript

1. DevSecOps࣮ફ ੴڮ ३ࢤ Finatext Ltd. AWS DevDay Tokyo 2018 11/2

2. ࣗݾ঺հ - ੴڮ ३ࢤ • ࡏֶதʹגࣜձࣾFinatextʹ૑ۀϝϯόʔͱͯ͠δϣΠϯ • גࣜձࣾεϚʔτϓϥεͷBaaSϓϩδΣΫτʹͯϦʔυΤϯδ χΞͱͯࣥ͠ߦγεςϜ౳Λઃܭɾ։ൃ •

   Golang • ͓͢͢ΊͷAWSษڧํ๏ɿ
 SDKͷChangelogΛcheck • ਪ͠αʔϏεɿRoute53 Auto Naming • झຯɿα΢φʢϗʔϜɿα΢φηϯλʔʣ

3. N F E E E A & v h SlM

   Ic IXI l h Sl . 6r l i R yN o / c U I ek dTIg r l c U I ( rv B B C BE 8 sO c a e k dTIg r l p t 1 X T I N AFB .0 4 64 B C 2 C BE ձࣾ঺հ

4. ηΩϡϦςΟͷ೰Έɾ೉͠͞ • Կ΍Ε͹͍͍ͷʁ • Ͳ͜·Ͱ͢Ε͹͍͍ͷʁ • Ͳ͕͜ηΩϡΞͰɺͲ͕͜ηΩϡΞ͡Όͳ͍ͷʁ • ڴҖ͸֎෦Ͱൃੜ͠ɺηΩϡϦςΟ࣮૷ͷݻఆԽ͸ऑମԽ Λҙຯ͢Δ

   → ܧଓతͳੑ࣭Ͱ͋Δ • ࠷ऑͳ෦෼͕ͦͷγεςϜͷηΩϡϦςΟڧ౓

5. DevSecOpsͬͯԿʁ DevOpsͰ։ൃͱӡ༻͕ҰମͱͳͬͯεϐʔυΞοϓ Ͱ΋ηΩϡϦςΟ΋ߟ͑ͳ͍ͱϦϦʔεͰ͖ͳ͍͔Β Security΋Ճ͑ͯߟ͑Α͏ʂ

6. ͰɺҙࣝߴΊΔଞʹԿ͢Ε͹͍͍ͷʁʁ Ͳ͔͜Β࢝ΊΕ͹͍͍ͷʁʁ

7. ηΩϡϦςΟͷࣗಈԽͬͯ Կ͢Ε͹͍͍ͷʁ • GuardDutyʹΑΔΠϯγσϯτϨεϙϯεࣗಈԽ • ΞΫηεϩά͔ΒWAFϧʔϧͷࣗಈߋ৽ • Inspector΍ͦͷଞπʔϧͷಋೖ ͳͲ…

8. Ͱɺ࣍͸Կ͢Ε͹͍͍ͷʁʁ Ͳ͕͜·ͩ੬ऑͳͷʁʁ

9. ຊηογϣϯͷ໨త • ମܥతʹ։ൃϓϩηεʹ͓͚ΔܧଓతͳηΩϡϦςΟΛఆ ٛ͢Δ • ମܥతʹ෼ྨͨ͠ޙʹ੬ऑͳ෦෼ͱࣗಈԽ߲໨Λݕ౼ͯ͠ ͍͘

10. ४උ : : : W : γεςϜͷঢ়ଶू߹ ग़ྗͷू߹ ධՁۭؒ ηΩϡϦςΟͷ஌ࣝɺW

    ⊂

11. ఆٛ: ೖྗ ҎԼΛຬͨࣸ͢૾ x ΛೖྗɺXΛೖྗू߹ͱ͢Δ ఆٛ: ධՁ ҎԼΛຬͨࣸ͢૾ v ΛධՁɺVΛධՁू߹ͱ͢Δ

    X := {x : → × } V := {v : × → }

12. ఆٛ: ༧๷త౷੍ ∀v ∈ V′, ∀x ∈ X′ v(x(S)) ∉

    W ʹରͯ͠ɺ ͕ҎԼΛຬͨ࣌͢ɺ ͸ ʹؔͯ͠༧๷త౷੍Ͱ͋Δͱ͍͏ W, X′ ⊂ X (S, V′) (S, V′) (W, X′)

13. ఆٛ: ൃݟత౷੍ ∀x ∈ X′, ∃v ∈ V′ v(x(S)) ∈

    W ʹରͯ͠ɺ ͕ҎԼΛຬͨ࣌͢ɺ ͸ ʹؔͯ͠ൃݟత౷੍Ͱ͋Δͱ͍͏ W, X′ ⊂ X (S, V′) (S, V′) (W, X′)

14. ఆٛ: ڴҖ W ⊂ ΛηΩϡϦςΟʹؔͯ͠ͷ஌ࣝͱ͢Δ V′ Λ࣮૷ࡁΈͷධՁू߹ͱ͢Δ A = {a|∃v

    ∈ V′, v(a( * )) ∈ W} A ⊂ X ΛڴҖɺ ΛڴҖू߹ͱ͍͏ W* ·ͨ࠷ڧͷηΩϡϦςΟ஌ࣝΛ ͱ͢Δɻ V′ ͕༩͑ΒΕͨͱ͖ɺ ͕ҎԼΛຬͨ࣌͢ɺ ͸े෼Ͱ͋Δͱ͍͏ {a|∃v ∈ V′, v(a( * )) ∈ W*} A A a A

15. ఆٛ: DevSecOps DevSecOpsͱ͸ҎԼͷ̍ͭҎ্Λ׆ಈΛܧଓత։ൃϓϩηεʹ͓͍ͯߦ͏͜ͱΛ͍͏ 1: W → W* ⇒ A →

    A* 2: 3: X′ → X′′ s . t . A ∩ X′ ⊆ A ∩ X′′ X′ → X′′ s . t . A ∩ X′ ⊆ A ∩ X′′ ༧๷త౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ʹγεςϜ ʹมߋΛՃ͑Δ S ൃݟత౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ ʹมߋΛՃ͑Δ (S, V′)

16. X (W, S, V) ͸ॴ༩ A A* ༧๷త౷੍ ൃݟత౷੍

17. X A A* ༧๷త౷੍ ൃݟత౷੍ • ೝࣝͰ͖ΔڴҖू߹ͷे෼ੑ͕ ૿͢ • ޡݕ஌͍ͯͨ͠༧๷త౷੍ͷྖ

    ҬͷҰ෦෼͕ޮՌతͳྖҬͱͳ Δ • ޡݕ஌͍ͯͨ͠ൃݟత౷੍ͷྖ ҬͷҰ෦෼͕ޮՌతͳྖҬͱͳ Δ W → W* ⇒ A → A*

18. ༧๷త౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ʹγεςϜ ʹมߋΛՃ͑Δ S X A A* ༧๷త౷੍ ൃݟత౷੍ • ೝࣝͰ͖ΔڴҖू߹ʹରͯ͠༧

    ๷త౷੍ͷͳ͞ΕΔڞ௨ू߹͕ େ͖͘ͳΔ • ޡݕ஌͍ͯͨ͠༧๷త౷੍ͷྖ ҬͷҰ෦෼͕ޮՌతͳྖҬͱͳ Δ

19. X A A* ༧๷త౷੍ ൃݟత౷੍ • ೝࣝͰ͖ΔڴҖू߹ʹରͯ͠ൃ ݟత౷੍ͷͳ͞ΕΔڞ௨ू߹͕ େ͖͘ͳΔ •

    ޡݕ஌͍ͯͨ͠ൃݟత౷੍ͷྖ ҬͷҰ෦෼͕ݮΔ ൃݟత౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ ʹมߋΛՃ͑Δ (S, V′)

20. ෼ྨͰଊ͑Δ X 3ͭͷཁૉ कΔର৅ X S x L

21. ෼ྨͰଊ͑Δ(ྫ) X ɾ1ͷཁૉ ɾdirective(2) ɾpreventive(2) ɾdetective(3) ɾresponsive(3) ɾID / ΞΫηε

    ɾαʔό ɾωοτϫʔΫ ɾσʔλϕʔε ɾετϨʔδ ɾɾɾ ɾΞϓϦέʔγϣϯ X ɾS ɾL ɾS x L (ൃల) ɾS x T ɾL x T ɾS x L x T ʢࢀߟʣAWS CAF ( https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf )

22. 1ͷཁૉ ֶͿ͔͠ແ͍… ͕ɺମܥతͳ෼ྨΛҙࣝ͠ͳ͕Β΍Δͱޮ཰త͔΋ • Security Bulletins ( https://aws.amazon.com/security/security-bulletins/feed/ ) •

    ηΩϡϦςΟϒϩά • AWS Security Blog ( https://aws.amazon.com/jp/blogs/security/ ) • Google Security Blog ( https://security.googleblog.com/ ) • JPCERTͷRSS ( https://www.jpcert.or.jp/rss/jpcert.rdf ) ͳͲ…

23. 2ͷཁૉ - directive • directive x IDɾΞΫηε؅ཧ • IAMͷ࠷খݖݶ •

    directive x αʔό • ConfigͰSSM Complianceͷ؂ࢹ • directive x ωοτϫʔΫ • portͷ੍ݶ 2ͷཁૉ - preventive • preventive x IDɾΞΫηε • IAM Policyͷ࠷খԽ • ݖݶͷό΢ϯμϦ(IAM Permission Boundary) • preventive x αʔό • ηΩϡϦςΟάϧʔϓͷ࠷খԽ • preventive x ετϨʔδ • ConfigͰS3΁ͷTLSͰͷϦΫΤετʹ੍ ݶ • preventive x ΞϓϦέʔγϣϯ • WAFͷࣗಈߋ৽

24. 3ͷཁૉ - detective • detective x IDɾΞΫηε x S •

    terraformͰͷঢ়ଶ؅ཧͱͷࠩ෼ݕ஌ • detective x IDɾΞΫηε x L • GuardDutyʹΑΔ • detective x IDɾΞΫηε x S x L • rootΞΧ΢ϯτͷMFAແޮԽݕ஌ • detective x αʔό x S • SSM Patch BaselineͰͷύονݕ஌ • detective x σʔλϕʔε x S • ConfigͰ҉߸Խਫ਼ࠪ • detective x ετϨʔδ x L • CloudTrailͷϩάվ᜵ݕ஌ • detective x ΞϓϦέʔγϣϯ x L • ECR - CWE - clairͰͷΠϝʔδ੬ऑੑ ਍அ • ELBΞΫηεϩά͔Βҟৗݕ஌ 3ͷཁૉ - responsive • responsive x IDɾΞΫηε • ΞΫηεΩʔͷϩʔςʔγϣϯ • GuardDuty-CWE-LambdaͰෆਖ਼ϩάΠϯ ରԠ • responsive x αʔό • GuardDuty-CWE-LambdaͰͷෆਖ਼৵ೖ • responsive x ωοτϫʔΫ x S x L • VPCϑϩʔϩάͷແޮԽम෮ • responsive x ετϨʔδ x L • Config - LambdaͰS3ͷpublicΞΫηεͷ म෮ • ConfigͰS3ͷTLSϙϦγʔͷम෮
25. None

26. ͜ͷ͋ͱͷొ৔ਓ෺ Lambda ΧελϜॲཧɾϩδοΫΛ ͍࣋ͪͨ৔߹͸ͱΓ͋͑ͣ͜Ε Config ઃఆมߋΛ؂ࢹͰ͖Δ CloudWatchEvent(CWE) ΠϕϯτɾεέδϡʔϧϕʔεͰ LambdaΛ࣮ߦͰ͖Δ CloudTrail

    AWS APIͷϩάऩू CWE͕ͦͷϩάΛर͑Δ ͱΓ͋͑ͣ༗ޮԽ͠ͱ͘΍ͭ GuardDuty ༷ʑͳϩάΛ෼ੳɾղੳ ෆ৹ͳಈ͖΍ҟৗΛݕ஌ CWE͕ͦͷϩάΛर͑Δ ͱΓ͋͑ͣ༗ޮԽ͠ͱ͘΍ͭ Terraform HashicorpࣾͷOSS ႈ౳ʹঢ়ଶ؅ཧΛ͢Δ

27. directive x αʔό ConfigͰSSM Patch Compliance؂ࢹ EC2 SSM Maintenance Windows

    Config ఆظεΩϟϯ ίϯϓϥΠΞϯε νΣοΫ CWE Lambda

28. directive x IDɾΞΫηε / ωοτϫʔΫ IAMݖݶɺηΩϡϦςΟάϧʔϓͷ࠷খԽ CloudTrail S3 ఆظूܭ IAM

    ্͕ཧ૝͕ͩɺCloudTrailͷϩά͕೉͘͠ɺ IAMͷΞΫηεΞυόΠβʔͰ…(^^; VPC S3 ఆظूܭ Security Group

29. preventive x ΞϓϦέʔγϣϯ WAFͷIPϒϥοΫϦετͷߋ৽ S3 CWE Lambda WAF ఆظ࣮ߦ ۀքڞ༗΍

    ಠࣗͷIPϒϥοΫϦετ ఆظ࣮ߦ Spamhaus DROP List ͳͲ ELB CloudFront

30. detective x ͋ΒΏΔϦιʔεʢಛʹSG΍IAMʣx S terraformͰͷঢ়ଶͷas-is, to-be؅ཧ Terraform stateϑΝΠϧͱͷ ࠩ෼Λݕग़ as-is

    to-be ࠩ෼͕͋Ε͹ apply

31. detective x ετϨʔδ x S CloudTrailͷϩάվ᜵ݕ஌ CWE Lambda ఆظ࣮ߦ CloudTrail

    S3 ϩάϑΝΠϧͷ ੔߹ੑݕূ ෆ੔߹͋Ε͹௨஌

32. detective x ΞϓϦέʔγϣϯ x S ECRͷDockerΠϝʔδͷ੬ऑੑ਍அ ECR CWE Lambda SSM

    EC2 image nameͱtagͰ run command clairͳͲ Πϝʔδ਍அ

33. detective x ΞϓϦέʔγϣϯ x L ELBΞΫηεϩά͔ΒAPIભҠͰͷҟৗݕ஌ ELB S3 ΞΫηεϩά URLϕʔεͷ

    ਪҠߦྻ S3

34. responsive x IDɾΞΫηε؅ཧ x S x T IAM ΞΫηεΩʔͷϩʔςʔγϣϯ CWE

    ఆظ࣮ߦ IAM ৽ΞΫηεΩʔ

35. responsive x αʔό x L GuardDutyʹΑΔEC2ͷҟৗݕ஌ ߈ܸऀ ൃݟ CWE ίϐʔ

    SSM Session Manager

36. responsive x ؂ࢹαʔϏε x S x L CloudTrailແޮԽͷࣗಈम෮ ߈ܸऀ CloudTrail

    ແޮԽ Config CWE ༗ޮԽ

37. ·ͱΊ

38. ηΩϡϦςΟͷࠔ೉ʢ࠶ܝʣ • ηΩϡϦςΟରࡦ͸ܧଓతͰͳ͚Ε͹ͳΒͳ͍ • γεςϜͷڧ౓͸ऑ͍ͱ͜Ζͷਫ४ʹͳΔ • ࢪࡦϕʔεͰߟ͍͑ͯΔͱܧଓੑ΋ࠔ೉ɺDevOps͔Β΋ ဃ཭ɺηΩϡϦςΟڧ౓ʹภΓ ମܥతʹଊ͑ͯ෼ྨ͢Δɻ ޿͘ରࡦΛෑ͍ͯڧ౓ͷภΓΛແ͍ͯ͘͘͠ɻ

39. ΞϓϦέʔγϣϯΤϯδχΞ͕ ։ൃϓϩηεͰҙࣝ͠΍͍͢͜ͱ • Λ͍͔ʹਖ਼͘͠े෼ʹ؍ଌ͢Δ͔ • S͸AWSͷϦιʔεʹݶͬͯݴ͑͹҆৺ • L͸ɺɺɺͦΕ͸ͦΕͰେ͖ͳςʔϚͳͷͰଞʹৡΔ • V

    ͰԿΛͲ͏ධՁ͢Δ͔ • S x L 㲗 W 㲗 V ͷ૬ޓؔ܎͔Βվળ͍ͯ͘͠ • Dev(༧๷త౷੍)ɺOps(ൃݟత౷੍)ΛܧଓੑΛཁٻ͞ΕΔ ηΩϡϦςΟͷಛੑΛ׆͔ͯ͠DevSecOpsͱͯ͠ɺ։ൃ ϓϩηεʹ͓͍ͯ݁߹͠ɺ͜Ε·ͰͷDevOpsͷ݁߹౓΋ ߴΊ͍ͨʂ ,

40. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠