November 02, 2018

DevSecOps in Practice

atsushi-ishibashi

2. About me - Atsushi Ishibashi (石橋 淳志)
• Joined Finatext, Inc. as a founding member while still at university
• Lead engineer on the BaaS project at Smartplus, Inc., designing and building the execution system and related systems
• Golang
• Recommended way to study AWS: check the SDK changelogs
• Favourite service: Route53 Auto Naming
• Hobby: sauna (home sauna: Sauna Center)
4. The pain and difficulty of security
• What should we even do?
• How far do we need to go?
• Which parts are secure, and which are not?
• Threats arise outside the system, so freezing a security implementation means it weakens over time
  → security is a continuous property
• The weakest part defines the security strength of the whole system

11. Definition: input. A map x satisfying the following is called an input, and X is the input set. Definition: evaluation. A map v satisfying the following is called an evaluation, and V is the evaluation set.

X := {x : → × } V := {v : × → }
12. Definition: preventive control. For W, X′ ⊂ X, when (S, V′) satisfies the following, (S, V′) is said to be a preventive control with respect to (W, X′):

∀v ∈ V′, ∀x ∈ X′: v(x(S)) ∉ W
13. Definition: detective control. For W, X′ ⊂ X, when (S, V′) satisfies the following, (S, V′) is said to be a detective control with respect to (W, X′):

∀x ∈ X′, ∃v ∈ V′: v(x(S)) ∈ W
14. Definition: threat. Let W ⊂ … be our knowledge about security, and let V′ be the set of evaluations actually implemented. Define

A = {a | ∃v ∈ V′, v(a( * )) ∈ W}, A ⊂ X

Each a ∈ A is called a threat, and A is called the threat set. Let W* be the strongest possible security knowledge. Given V′, A is said to be sufficient when it satisfies the following:

{a | ∃v ∈ V′, v(a( * )) ∈ W*} … A
15. Definition: DevSecOps. DevSecOps means carrying out one or more of the following activities within a continuous development process:

1: W → W* ⇒ A → A*
2: For preventive control, change the system S so that X′ → X′′ s.t. A ∩ X′ ⊆ A ∩ X′′
3: For detective control, change (S, V′) so that X′ → X′′ s.t. A ∩ X′ ⊆ A ∩ X′′

17. W → W* ⇒ A → A* (Venn diagram over X showing A, A*, the preventive-control region and the detective-control region)
• The recognized threat set becomes more sufficient
• Part of the preventive-control region that used to be a false positive becomes an effective region
• Part of the detective-control region that used to be a false positive becomes an effective region
18. For preventive control, change the system S so that the following holds (Venn diagram over X showing A, A*, the preventive-control region and the detective-control region)
• The intersection of the recognized threat set with the region under preventive control grows
• Part of the preventive-control region that used to be a false positive becomes an effective region
19. For detective control, change (S, V′) so that the following holds (Venn diagram over X showing A, A*, the preventive-control region and the detective-control region)
• The intersection of the recognized threat set with the region under detective control grows
• Part of the detective-control region that used to be a false positive shrinks
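The definitions of slides 11 to 15 and the actions of slides 17 to 19, carried through on a constructed three-input state as an added worked example (not code from the deck or its author). The deny list standing in for a permission boundary, the finding labels, and reading the sufficiency relation the transcript lost as "⊆" are my assumptions.

```python
from typing import Any, Callable, Dict, Set, Tuple

State = Dict[str, Any]
Input = Callable[[State], Tuple[State, str]]   # x : S -> S x L (new state, log line); v : S x L -> label

# Constructed inputs. The "deny" entry of the state stands in for a permission
# boundary / SCP (assumption): a denied input leaves the state untouched.
def open_ssh(s: State) -> Tuple[State, str]:
    if "sg:edit" in s["deny"]:
        return s, "AuthorizeSecurityGroupIngress denied"
    return {**s, "sg_ingress": s["sg_ingress"] | {"0.0.0.0/0:22"}}, "AuthorizeSecurityGroupIngress ok"

def make_bucket_public(s: State) -> Tuple[State, str]:
    if "s3:public" in s["deny"]:
        return s, "PutBucketAcl denied"
    return {**s, "bucket_public": True}, "PutBucketAcl ok"
def disable_root_mfa(s: State) -> Tuple[State, str]:
    return {**s, "root_mfa": False}, "DeactivateMFADevice ok"

# Constructed evaluations (the implemented set V'); each returns a finding label or "ok".
def v_sg(sl: Tuple[State, str]) -> str:
    return "ssh-open" if "0.0.0.0/0:22" in sl[0]["sg_ingress"] else "ok"
def v_s3(sl: Tuple[State, str]) -> str:
    return "s3-public" if sl[0]["bucket_public"] else "ok"
def v_mfa(sl: Tuple[State, str]) -> str:
    return "root-no-mfa" if not sl[0]["root_mfa"] else "ok"

def preventive(S, V, W, X) -> bool:      # slide 12: for all v in V', x in X': v(x(S)) not in W
    return all(v(x(S)) not in W for v in V for x in X)
def detective(S, V, W, X) -> bool:       # slide 13: for all x in X' some v in V' has v(x(S)) in W
    return all(any(v(x(S)) in W for v in V) for x in X)
def threats(S, V, W, X) -> Set[Input]:   # slide 14: A = {a | exists v in V' with v(a(S)) in W}
    return {a for a in X if any(v(a(S)) in W for v in V)}
def sufficient(A, S, V, W_star, X) -> bool:   # slide 14; the lost relation is read as "subset of"
    return threats(S, V, W_star, X) <= A

def demo() -> Dict[str, Any]:
    X = {open_ssh, make_bucket_public, disable_root_mfa}
    S0 = {"deny": set(), "sg_ingress": set(), "bucket_public": False, "root_mfa": True}
    V = {v_sg, v_s3, v_mfa}                    # implemented evaluations V'
    W = {"ssh-open", "s3-public"}              # current security knowledge
    W_star = W | {"root-no-mfa"}               # strongest knowledge W*
    A = threats(S0, V, W, X)                   # only 2 of the 3 inputs are recognised as threats
    A_star = threats(S0, V, W_star, X)         # action 1: W -> W*  =>  A -> A*
    S1 = {**S0, "deny": {"sg:edit", "s3:public"}}   # action 2: change S so two threats are blocked
    return {"A_with_W": len(A), "sufficient_with_W": sufficient(A, S0, V, W_star, X),
            "A_with_Wstar": len(A_star), "sufficient_with_Wstar": sufficient(A_star, S0, V, W_star, X),
            "detective_S0": detective(S0, V, W_star, A_star),
            "preventive_S0": preventive(S0, V, W_star, {open_ssh, make_bucket_public}),
            "preventive_S1": preventive(S1, V, W_star, {open_ssh, make_bucket_public})}
```

Note that once an input is prevented on S1 it no longer produces a finding, so the detective predicate of slide 13 stops holding for it unless a log-side evaluation treats the denied attempt itself as a member of W.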

21. Seen through a classification (example)
・1-axis elements: directive (2), preventive (2), detective (3), responsive (3)
・ID / access, server, network, database, storage, ..., application
・X: S, L, S x L; (extended) S x T, L x T, S x L x T
（Reference）AWS CAF ( https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf )

23. 2-axis combinations - directive
• directive x ID/access management
  • IAM least privilege
• directive x server
  • Monitor SSM Compliance with Config
• directive x network
  • Restrict ports
2-axis combinations - preventive
• preventive x ID/access
  • Minimize IAM policies
  • Permission boundaries (IAM Permission Boundary)
• preventive x server
  • Minimize security groups
• preventive x storage
  • Use Config to restrict requests to S3 to TLS only
• preventive x application
  • Automatic WAF updates
24. 3-axis combinations - detective
• detective x ID/access x S
  • Detect drift from the state managed in terraform
• detective x ID/access x L
  • Via GuardDuty
• detective x ID/access x S x L
  • Detect MFA being disabled on the root account
• detective x server x S
  • Detect missing patches with SSM Patch Baseline
• detective x database x S
  • Audit encryption with Config
• detective x storage x L
  • Detect tampering with CloudTrail logs
• detective x application x L
  • Image vulnerability scanning with ECR - CWE - clair
  • Anomaly detection from ELB access logs
3-axis combinations - responsive
• responsive x ID/access
  • Access key rotation
  • Respond to unauthorized logins with GuardDuty - CWE - Lambda
• responsive x server
  • Respond to intrusions with GuardDuty - CWE - Lambda
• responsive x network x S x L
  • Repair disabled VPC flow logs
• responsive x storage x L
  • Repair public access on S3 with Config - Lambda
  • Repair the S3 TLS policy with Config
26. The cast for the rest of the talk
Lambda: the first thing to reach for whenever you want custom processing or logic
Config: can monitor configuration changes
CloudWatchEvent (CWE): can run Lambda on an event or schedule basis
CloudTrail: collects AWS API logs; CWE can pick those logs up; just enable it
GuardDuty: analyzes and parses various logs, detects suspicious behaviour and anomalies; CWE can pick its findings up; just enable it
Terraform: Hashicorp OSS; manages state idempotently
27. directive x server: monitoring SSM Patch Compliance with Config
(Diagram) EC2 → SSM Maintenance Windows → Config: periodic scan, compliance check → CWE → Lambda
28. directive x ID/access / network: minimizing IAM permissions and security groups
(Diagram) CloudTrail → S3 → periodic aggregation → IAM; VPC → S3 → periodic aggregation → Security Group
The above is the ideal, but CloudTrail logs are hard to work with, so in practice it is IAM Access Advisor… (^^;
29. preventive x application: updating the WAF IP blacklist
(Diagram) S3 → CWE → Lambda → WAF, run periodically; sources are industry-shared or in-house IP blacklists, fetched periodically, e.g. the Spamhaus DROP List; the WAF fronts ELB and CloudFront
30. detective x any resource (especially SG and IAM) x S: managing as-is versus to-be state with terraform
(Diagram) Detect the diff against the Terraform state file: as-is versus to-be; if there is a diff, apply
31. detective x storage x S: detecting tampering with CloudTrail logs
(Diagram) CWE → Lambda, run periodically; CloudTrail → S3; verify the integrity of the log files; notify if any inconsistency is found
32. detective x application x S: vulnerability scanning of Docker images in ECR
(Diagram) ECR → CWE → Lambda → SSM → EC2: run command with the image name and tag; scan the image with clair or similar; transition matrix → S3
34. responsive x ID/access management x S x T: IAM access key rotation
(Diagram) CWE, run periodically → IAM → new access key
35. responsive x server x L: detecting EC2 anomalies with GuardDuty
(Diagram) attacker → EC2; GuardDuty detects → CWE → copy → SSM Session Manager
36. responsive x monitoring service x S x L: automatic remediation when CloudTrail is disabled
(Diagram) attacker → CloudTrail: disabled; Config → CWE → re-enabled

39. What application engineers can readily keep in mind during the development process
• How to observe … correctly and sufficiently
• S, as long as we restrict it to AWS resources, is under control
• L is... a big topic in its own right, so I leave it to others
• What to evaluate with V, and how
• Improve by working from the mutual relationships S x L ⇔ W ⇔ V
• Dev (preventive control) and Ops (detective control): exploit the fact that security demands continuity, unify them in the development process as DevSecOps, and raise the coupling of existing DevOps as well!