DevSecOps in Practice (DevSecOps実践)

atsushi-ishibashi

November 02, 2018

Transcript

  1. DevSecOps in Practice (DevSecOps実践), Atsushi Ishibashi, Finatext Ltd., AWS DevDay Tokyo 2018 11/2

  2. ࣗݾ঺հ - ੴڮ ३ࢤ • ࡏֶதʹגࣜձࣾFinatextʹ૑ۀϝϯόʔͱͯ͠δϣΠϯ • גࣜձࣾεϚʔτϓϥεͷBaaSϓϩδΣΫτʹͯϦʔυΤϯδ χΞͱͯࣥ͠ߦγεςϜ౳Λઃܭɾ։ൃ •

    Golang • ͓͢͢ΊͷAWSษڧํ๏ɿ
 SDKͷChangelogΛcheck • ਪ͠αʔϏεɿRoute53 Auto Naming • झຯɿα΢φʢϗʔϜɿα΢φηϯλʔʣ
  3. Company introduction (会社紹介)
  4. ηΩϡϦςΟͷ೰Έɾ೉͠͞ • Կ΍Ε͹͍͍ͷʁ • Ͳ͜·Ͱ͢Ε͹͍͍ͷʁ • Ͳ͕͜ηΩϡΞͰɺͲ͕͜ηΩϡΞ͡Όͳ͍ͷʁ • ڴҖ͸֎෦Ͱൃੜ͠ɺηΩϡϦςΟ࣮૷ͷݻఆԽ͸ऑମԽ Λҙຯ͢Δ

    → ܧଓతͳੑ࣭Ͱ͋Δ • ࠷ऑͳ෦෼͕ͦͷγεςϜͷηΩϡϦςΟڧ౓
  5. DevSecOpsͬͯԿʁ DevOpsͰ։ൃͱӡ༻͕ҰମͱͳͬͯεϐʔυΞοϓ Ͱ΋ηΩϡϦςΟ΋ߟ͑ͳ͍ͱϦϦʔεͰ͖ͳ͍͔Β Security΋Ճ͑ͯߟ͑Α͏ʂ

  6. ͰɺҙࣝߴΊΔଞʹԿ͢Ε͹͍͍ͷʁʁ Ͳ͔͜Β࢝ΊΕ͹͍͍ͷʁʁ

  7. ηΩϡϦςΟͷࣗಈԽͬͯ Կ͢Ε͹͍͍ͷʁ • GuardDutyʹΑΔΠϯγσϯτϨεϙϯεࣗಈԽ • ΞΫηεϩά͔ΒWAFϧʔϧͷࣗಈߋ৽ • Inspector΍ͦͷଞπʔϧͷಋೖ ͳͲ…

  8. Ͱɺ࣍͸Կ͢Ε͹͍͍ͷʁʁ Ͳ͕͜·ͩ੬ऑͳͷʁʁ

  9. ຊηογϣϯͷ໨త • ମܥతʹ։ൃϓϩηεʹ͓͚ΔܧଓతͳηΩϡϦςΟΛఆ ٛ͢Δ • ମܥతʹ෼ྨͨ͠ޙʹ੬ऑͳ෦෼ͱࣗಈԽ߲໨Λݕ౼ͯ͠ ͍͘

  10. ४උ : : : W : γεςϜͷঢ়ଶू߹ ग़ྗͷू߹ ධՁۭؒ ηΩϡϦςΟͷ஌ࣝɺW

  11. ఆٛ: ೖྗ ҎԼΛຬͨࣸ͢૾ x ΛೖྗɺXΛೖྗू߹ͱ͢Δ ఆٛ: ධՁ ҎԼΛຬͨࣸ͢૾ v ΛධՁɺVΛධՁू߹ͱ͢Δ

    X := {x : → × } V := {v : × → }
  12. ఆٛ: ༧๷త౷੍ ∀v ∈ V′, ∀x ∈ X′ v(x(S)) ∉

    W ʹରͯ͠ɺ ͕ҎԼΛຬͨ࣌͢ɺ ͸ ʹؔͯ͠༧๷త౷੍Ͱ͋Δͱ͍͏ W, X′ ⊂ X (S, V′) (S, V′) (W, X′)
  13. ఆٛ: ൃݟత౷੍ ∀x ∈ X′, ∃v ∈ V′ v(x(S)) ∈

    W ʹରͯ͠ɺ ͕ҎԼΛຬͨ࣌͢ɺ ͸ ʹؔͯ͠ൃݟత౷੍Ͱ͋Δͱ͍͏ W, X′ ⊂ X (S, V′) (S, V′) (W, X′)
  14. ఆٛ: ڴҖ W ⊂ ΛηΩϡϦςΟʹؔͯ͠ͷ஌ࣝͱ͢Δ V′ Λ࣮૷ࡁΈͷධՁू߹ͱ͢Δ A = {a|∃v

    ∈ V′, v(a( * )) ∈ W} A ⊂ X ΛڴҖɺ ΛڴҖू߹ͱ͍͏ W* ·ͨ࠷ڧͷηΩϡϦςΟ஌ࣝΛ ͱ͢Δɻ V′ ͕༩͑ΒΕͨͱ͖ɺ ͕ҎԼΛຬͨ࣌͢ɺ ͸े෼Ͱ͋Δͱ͍͏ {a|∃v ∈ V′, v(a( * )) ∈ W*} A A a A
  15. ఆٛ: DevSecOps DevSecOpsͱ͸ҎԼͷ̍ͭҎ্Λ׆ಈΛܧଓత։ൃϓϩηεʹ͓͍ͯߦ͏͜ͱΛ͍͏ 1: W → W* ⇒ A →

    A* 2: 3: X′ → X′′ s . t . A ∩ X′ ⊆ A ∩ X′′ X′ → X′′ s . t . A ∩ X′ ⊆ A ∩ X′′ ༧๷త౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ʹγεςϜ ʹมߋΛՃ͑Δ S ൃݟత౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ ʹมߋΛՃ͑Δ (S, V′)
  16. X (W, S, V) ͸ॴ༩ A A* ༧๷త౷੍ ൃݟత౷੍

  17. X A A* ༧๷త౷੍ ൃݟత౷੍ • ೝࣝͰ͖ΔڴҖू߹ͷे෼ੑ͕ ૿͢ • ޡݕ஌͍ͯͨ͠༧๷త౷੍ͷྖ

    ҬͷҰ෦෼͕ޮՌతͳྖҬͱͳ Δ • ޡݕ஌͍ͯͨ͠ൃݟత౷੍ͷྖ ҬͷҰ෦෼͕ޮՌతͳྖҬͱͳ Δ W → W* ⇒ A → A*
  18. ༧๷త౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ʹγεςϜ ʹมߋΛՃ͑Δ S X A A* ༧๷త౷੍ ൃݟత౷੍ • ೝࣝͰ͖ΔڴҖू߹ʹରͯ͠༧

    ๷త౷੍ͷͳ͞ΕΔڞ௨ू߹͕ େ͖͘ͳΔ • ޡݕ஌͍ͯͨ͠༧๷త౷੍ͷྖ ҬͷҰ෦෼͕ޮՌతͳྖҬͱͳ Δ
  19. X A A* ༧๷త౷੍ ൃݟత౷੍ • ೝࣝͰ͖ΔڴҖू߹ʹରͯ͠ൃ ݟత౷੍ͷͳ͞ΕΔڞ௨ू߹͕ େ͖͘ͳΔ •

    ޡݕ஌͍ͯͨ͠ൃݟత౷੍ͷྖ ҬͷҰ෦෼͕ݮΔ ൃݟత౷੍ʹؔͯ͠ɺҎԼΛຬͨ͢Α͏ ʹมߋΛՃ͑Δ (S, V′)
  20. ෼ྨͰଊ͑Δ X 3ͭͷཁૉ कΔର৅ X S x L

  21. ෼ྨͰଊ͑Δ(ྫ) X ɾ1ͷཁૉ ɾdirective(2) ɾpreventive(2) ɾdetective(3) ɾresponsive(3) ɾID / ΞΫηε

    ɾαʔό ɾωοτϫʔΫ ɾσʔλϕʔε ɾετϨʔδ ɾɾɾ ɾΞϓϦέʔγϣϯ X ɾS ɾL ɾS x L (ൃల) ɾS x T ɾL x T ɾS x L x T ʢࢀߟʣAWS CAF ( https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf )
  22. 1ͷཁૉ ֶͿ͔͠ແ͍… ͕ɺମܥతͳ෼ྨΛҙࣝ͠ͳ͕Β΍Δͱޮ཰త͔΋ • Security Bulletins ( https://aws.amazon.com/security/security-bulletins/feed/ ) •

    ηΩϡϦςΟϒϩά • AWS Security Blog ( https://aws.amazon.com/jp/blogs/security/ ) • Google Security Blog ( https://security.googleblog.com/ ) • JPCERTͷRSS ( https://www.jpcert.or.jp/rss/jpcert.rdf ) ͳͲ…
  23. 2ͷཁૉ - directive • directive x IDɾΞΫηε؅ཧ • IAMͷ࠷খݖݶ •

    directive x αʔό • ConfigͰSSM Complianceͷ؂ࢹ • directive x ωοτϫʔΫ • portͷ੍ݶ 2ͷཁૉ - preventive • preventive x IDɾΞΫηε • IAM Policyͷ࠷খԽ • ݖݶͷό΢ϯμϦ(IAM Permission Boundary) • preventive x αʔό • ηΩϡϦςΟάϧʔϓͷ࠷খԽ • preventive x ετϨʔδ • ConfigͰS3΁ͷTLSͰͷϦΫΤετʹ੍ ݶ • preventive x ΞϓϦέʔγϣϯ • WAFͷࣗಈߋ৽
  24. 3ͷཁૉ - detective • detective x IDɾΞΫηε x S •

    terraformͰͷঢ়ଶ؅ཧͱͷࠩ෼ݕ஌ • detective x IDɾΞΫηε x L • GuardDutyʹΑΔ • detective x IDɾΞΫηε x S x L • rootΞΧ΢ϯτͷMFAແޮԽݕ஌ • detective x αʔό x S • SSM Patch BaselineͰͷύονݕ஌ • detective x σʔλϕʔε x S • ConfigͰ҉߸Խਫ਼ࠪ • detective x ετϨʔδ x L • CloudTrailͷϩάվ᜵ݕ஌ • detective x ΞϓϦέʔγϣϯ x L • ECR - CWE - clairͰͷΠϝʔδ੬ऑੑ ਍அ • ELBΞΫηεϩά͔Βҟৗݕ஌ 3ͷཁૉ - responsive • responsive x IDɾΞΫηε • ΞΫηεΩʔͷϩʔςʔγϣϯ • GuardDuty-CWE-LambdaͰෆਖ਼ϩάΠϯ ରԠ • responsive x αʔό • GuardDuty-CWE-LambdaͰͷෆਖ਼৵ೖ • responsive x ωοτϫʔΫ x S x L • VPCϑϩʔϩάͷແޮԽम෮ • responsive x ετϨʔδ x L • Config - LambdaͰS3ͷpublicΞΫηεͷ म෮ • ConfigͰS3ͷTLSϙϦγʔͷम෮
  26. ͜ͷ͋ͱͷొ৔ਓ෺ Lambda ΧελϜॲཧɾϩδοΫΛ ͍࣋ͪͨ৔߹͸ͱΓ͋͑ͣ͜Ε Config ઃఆมߋΛ؂ࢹͰ͖Δ CloudWatchEvent(CWE) ΠϕϯτɾεέδϡʔϧϕʔεͰ LambdaΛ࣮ߦͰ͖Δ CloudTrail

    AWS APIͷϩάऩू CWE͕ͦͷϩάΛर͑Δ ͱΓ͋͑ͣ༗ޮԽ͠ͱ͘΍ͭ GuardDuty ༷ʑͳϩάΛ෼ੳɾղੳ ෆ৹ͳಈ͖΍ҟৗΛݕ஌ CWE͕ͦͷϩάΛर͑Δ ͱΓ͋͑ͣ༗ޮԽ͠ͱ͘΍ͭ Terraform HashicorpࣾͷOSS ႈ౳ʹঢ়ଶ؅ཧΛ͢Δ
  27. directive x αʔό ConfigͰSSM Patch Compliance؂ࢹ EC2 SSM Maintenance Windows

    Config ఆظεΩϟϯ ίϯϓϥΠΞϯε νΣοΫ CWE Lambda
  28. directive x IDɾΞΫηε / ωοτϫʔΫ IAMݖݶɺηΩϡϦςΟάϧʔϓͷ࠷খԽ CloudTrail S3 ఆظूܭ IAM

    ্͕ཧ૝͕ͩɺCloudTrailͷϩά͕೉͘͠ɺ IAMͷΞΫηεΞυόΠβʔͰ…(^^; VPC S3 ఆظूܭ Security Group
  29. preventive x ΞϓϦέʔγϣϯ WAFͷIPϒϥοΫϦετͷߋ৽ S3 CWE Lambda WAF ఆظ࣮ߦ ۀքڞ༗΍

    ಠࣗͷIPϒϥοΫϦετ ఆظ࣮ߦ Spamhaus DROP List ͳͲ ELB CloudFront
  30. detective x ͋ΒΏΔϦιʔεʢಛʹSG΍IAMʣx S terraformͰͷঢ়ଶͷas-is, to-be؅ཧ Terraform stateϑΝΠϧͱͷ ࠩ෼Λݕग़ as-is

    to-be ࠩ෼͕͋Ε͹ apply
  31. detective x ετϨʔδ x S CloudTrailͷϩάվ᜵ݕ஌ CWE Lambda ఆظ࣮ߦ CloudTrail

    S3 ϩάϑΝΠϧͷ ੔߹ੑݕূ ෆ੔߹͋Ε͹௨஌
  32. detective x ΞϓϦέʔγϣϯ x S ECRͷDockerΠϝʔδͷ੬ऑੑ਍அ ECR CWE Lambda SSM

    EC2 image nameͱtagͰ run command clairͳͲ Πϝʔδ਍அ
  33. detective x ΞϓϦέʔγϣϯ x L ELBΞΫηεϩά͔ΒAPIભҠͰͷҟৗݕ஌ ELB S3 ΞΫηεϩά URLϕʔεͷ

    ਪҠߦྻ S3
  34. responsive x IDɾΞΫηε؅ཧ x S x T IAM ΞΫηεΩʔͷϩʔςʔγϣϯ CWE

    ఆظ࣮ߦ IAM ৽ΞΫηεΩʔ
  35. responsive x αʔό x L GuardDutyʹΑΔEC2ͷҟৗݕ஌ ߈ܸऀ ൃݟ CWE ίϐʔ

    SSM Session Manager
  36. responsive x ؂ࢹαʔϏε x S x L CloudTrailແޮԽͷࣗಈम෮ ߈ܸऀ CloudTrail

    ແޮԽ Config CWE ༗ޮԽ
  37. ·ͱΊ

  38. ηΩϡϦςΟͷࠔ೉ʢ࠶ܝʣ • ηΩϡϦςΟରࡦ͸ܧଓతͰͳ͚Ε͹ͳΒͳ͍ • γεςϜͷڧ౓͸ऑ͍ͱ͜Ζͷਫ४ʹͳΔ • ࢪࡦϕʔεͰߟ͍͑ͯΔͱܧଓੑ΋ࠔ೉ɺDevOps͔Β΋ ဃ཭ɺηΩϡϦςΟڧ౓ʹภΓ ମܥతʹଊ͑ͯ෼ྨ͢Δɻ ޿͘ରࡦΛෑ͍ͯڧ౓ͷภΓΛແ͍ͯ͘͘͠ɻ

  39. ΞϓϦέʔγϣϯΤϯδχΞ͕ ։ൃϓϩηεͰҙࣝ͠΍͍͢͜ͱ • Λ͍͔ʹਖ਼͘͠े෼ʹ؍ଌ͢Δ͔ • S͸AWSͷϦιʔεʹݶͬͯݴ͑͹҆৺ • L͸ɺɺɺͦΕ͸ͦΕͰେ͖ͳςʔϚͳͷͰଞʹৡΔ • V

    ͰԿΛͲ͏ධՁ͢Δ͔ • S x L 㲗 W 㲗 V ͷ૬ޓؔ܎͔Βվળ͍ͯ͘͠ • Dev(༧๷త౷੍)ɺOps(ൃݟత౷੍)ΛܧଓੑΛཁٻ͞ΕΔ ηΩϡϦςΟͷಛੑΛ׆͔ͯ͠DevSecOpsͱͯ͠ɺ։ൃ ϓϩηεʹ͓͍ͯ݁߹͠ɺ͜Ε·ͰͷDevOpsͷ݁߹౓΋ ߴΊ͍ͨʂ ,
  40. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠