"ざっくり"話す"AWS IAM"の特権昇格の考え方と対策

lͬ͘͟Γz࿩͢ "84 *".ͷ ಛݖঢ֨ͷߟ͑ํͱରࡦ ϞϒηΩϡϦςΟ ୈճ-5େձ NPC@TFDVSJUZ "[BSB !B@[BSB@O

ࣗݾ঺հ ໊લ"[BSB 5XJUUFS!B@[BSB@O "CPVU ηΩϡϦςΟؔ܎ͷ࢓ࣄΛ͍ͯ͠Δ৽ଔΤϯδχΞͰ͢ ηΩϡϦςΟͱ8FCͱΫϥ΢υ "84 ͕޷͖Ͱ͢ ࠷ۙ͸"84440ͱ$POUSPM5PXFSͱٔΕͯ·ͨ͠ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

༨ஊ ࠓͷؾ࣋ͪ • ؇͘࿩ͦ͏ͱࢥͬͯ-5ʹొ࿥ͨ͠ ࣮͸ࡢ೔·Ͱ๨Εͯͨʜ ͋ͱࢀՃऀଟ͍ʜ • ϏΫϏΫ͍ͯ͠·͢ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

ࠓ೔࿩͢͜ͱ • "84 *". ͬͯͳʹ • "84*".ͷಛݖঢ֨ • ͳΜͱͳ͘Θ͔Δఔ౓ʹ࿩͢ •
͢΂ͯͷݸผࣄྫ͸࿩͞ͳ͍ • ରࡦͲ͏͢ΜͶΜ • ূ੻ͷอશͲ͏͢ΜͶΜ "84*".ͷ࿩ ಛݖঢ֨ͷߟ͑ํ ରࡦ΍ূ੻ͷอશ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

࿩͢಺༰ • कΔଆ΋߈ܸऀ͕͢Δ߈ܸͷݪཧΛ ஌͓ͬͯ͘ͱରࡦ͠΍͍͢ΑͶͱ͍͏ؾ࣋ͪͰॻ͍ͯ·͢ • ରࡦํ๏͸ईͷؔ܎্୹͍Ͱ͕ྃ͢͝ঝΛ • ݸʑͷࣄ৅ʹ͍ͭͯৄ͘͠࿩͢Θ͚Ͱ͸͋Γ·ͤΜ • lͳΜͱͳ͘Θ͔ͬͨzͱ͍͏ͱ͜Ζ·Ͱ࿩͠·͢
• ֤αʔϏεͷৄ͍͠ར༻ํ๏ʹؔͯ͠͸ ެࣜυΩϡϝϯτΛࢀরͯ͠Լ͍͞ • ࠓޙͲ͔͜ͰύϫʔΞοϓ൛Λ࿩͔͢΋͠Ε·ͤΜ͕ ࠓճ͸͕࣌ؒ୹͍ͷͰ zͬ͘͟Γzόʔδϣϯ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

஫ҙࣄ߲ • ߈ܸʹ΋ར༻Ͱ͖Δ࿩Λ͠·͢ • ྙཧ؍Λ࣋ͬͯฉ͍ͯ͘ΕΔͱ͏Ε͍͠Ͱ͢ • ຊ൪؀ڥ΍࣮؀ڥʹ͸঺հͨ͠߈ܸͳͲΛ ڐՄͳ͘ʹ࣮ߦ͠ͳ͍Ͱ͍ͩ͘͞ɻ • ࡞ͬͯͨΒ௕͘ͳͬͯ͠·ͬͨͷͰૣޱ͔΋͠Ε·ͤΜ
!B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

!B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ "84*".ͷ࿩ "84 *".ͷ ಛݖঢ֨ͷߟ͑ํ ରࡦ΍ূ੻ͷอશ

࿩͢͜ͱ • "84*".ͱ͸ • lͬ͘͟ΓzΘ͔Δ "84*". • *". 1PMJDZ •
*".6TFS • *".3PMF • *".(SPVQ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

"84*".ͱ͸ ˞͜ͷεϥΠυͰ͸ "84*".͕ఏڙ͢Δ6TFS΍3PMFΛҰׅΓʹ͢Δࡍʹ l"84*".zͱදه͠·͢ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ "84ެࣜͷ *".ͷ঺հϖʔδ ͜ͷεϥΠυͷొ৔ਓ෺

lͬ͘͟ΓzΘ͔Δ "84*". *".1PMJDZ • *".ͷج൫ • ͜ͷϙϦγʔʹݖݶΛॻ͘ • ར༻Ͱ͖Δ৚݅΍ڋ൱ʹؔͯ͠΋͔͚Δ •
ݖݶʹ l zΛ͚ͭΔͱϫΠϧυΧʔυʹͳΔ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ こいつ ͜Μͳײ͡ʹهड़͢Δ Πϝʔδ

lͬ͘͟ΓzΘ͔Δ "84*". *".6TFS • "84Λ࢝ΊΔͱΈΜͳ࢖͏ • ίϯιʔϧʹ΋$-*ʹ΋ରԠ͍ͯ͠Δ • ࿙ΕΔͱΊΜͲ͍͘͞ •
࿙ΕΔέʔε • ਓҝతϛεͰ࿙Εͯ͠·͏ • ΫϥΠΞϯτϚγϯ͕৵ೖ͞Ε౪·ΕΔ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ こいつ

lͬ͘͟ΓzΘ͔Δ "84*". *".6TFS !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ϙϦγʔΛΞλον΍ޙड़ͷάϧʔϓʹ ௥Ճͯ͠ݖݶΛ෇༩͢Δ *".6TFS͸ΞΫηεʹؔ͢Δ ೝূ৘ใ΋ఏڙ͍ͯ͠·͢

lͬ͘͟ΓzΘ͔Δ "84*". *".3PMF • Ұ࣌తͳೝূ৘ใΛ෇༩ͯ͘͠ΕΔ • ผΞΧ΢ϯτʹ΋෇༩Ͱ͖ΔΑ ΫϩεΞΧ΢ϯτ • αʔϏεʹΞλον͢Δ͜ͱͰ
ͦͷαʔϏε͔Βͷૢ࡞ʹར༻Ͱ͖Δ Ұ࣌తͳೝূ৘ใΛ෷͍ग़͢Α • &$΍-BNCEBɺ$PEF#VJMEͳͲͳͲ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ こいつ

lͬ͘͟ΓzΘ͔Δ "84*". *".6TFS !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ *".6TFSͷΑ͏ʹQPMJDZΛΞλονͯ͠ ݖݶΛ෇༩͢Δ *". 3PMFΛར༻Ͱ͖ΔϦιʔε΍ ΞΧ΢ϯτͳͲʹ৴པؔ܎Λઃఆ͠·͢
&$Ͱ࢖͍͍ͨ࣌͸͜Μͳײ͡ Πϝʔδ

lͬ͘͟ΓzΘ͔Δ "84*". *".(SPVQ • *". 6TFSΛ·ͱΊͯ͘ΕΔ • ͜ΕʹϙϦγʔΛΞλον͢Δͱάϧʔϓʹ ଐ͍ͯ͠Δ*".6TFS͕ΈΜͳڧ͘ͳΔ •
*".6TFS͕૿͑Δͱׂͱ࢖͏ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ こいつら

lͬ͘͟ΓzΘ͔Δ "84*". *".6TFS !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ϢʔβʔΛ௥Ճͯ͠·ͱΊͯ ϙϦγʔΛ෇༩Ͱ͖Δ *".6TFS΍3PMFಉ༷ ϙϦγʔʹΑΔݖݶΛΞλον͢Δ

*".ͷzͬ͘͟Γz·ͱΊ *".1PMJDZ • ݖݶΛهड़͢Δ • 3PMF΍6TFSɺ(SPVQʹΞλονΛͯ͠ݖݶΛ෇༩Ͱ͖Δ *". 6TFS • 6TFSͷར༻͢Δೝূ৘ใͳͲΛఏڙͰ͖Δ
*". 3PMF • αʔϏε΍ผΞΧ΢ϯτʹҰ࣌తͳݖݶΛ෇༩Ͱ͖Δ *". (SPVQ • *".6TFSΛ·ͱΊͯ؅ཧͰ͖Δ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

!B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ "84*".ͷ࿩ ରࡦ΍ূ੻ͷอશ "84*".ͷ ಛݖঢ֨ͷߟ͑ํ

࿩͢͜ͱ • "84*".ʹ͓͚Δಛݖঢ֨ͱ͸ • ߈ܸαΠΫϧͷҰ෦ͱͯ͠ͷಛݖঢ֨ • ख๏ʹ͍ͭͯ • lͬ͘͟Γzख๏Λେผ͢Δͱ •
"84*".ʹ௚઀తͳมߋ΍ૢ࡞Λߦ͏ • طଘͷ΋ͷΛѱ༻͢Δ • FUD !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

"84*".ʹ͓͚Δಛݖঢ֨ͱ͸ • "846TFS΍ 3PMF͕ʹ෇༩͞ΕͨݖݶΛ ΑΓڧྗ·ͨ͸༗༻ͳݖݶʹΞοϓάϨʔυ͢Δߦҝ • ΞοϓάϨʔυͷख๏͸ • ݖݶͷॻ͖׵͑มߋ •
ଞͰར༻͞Ε͍ͯΔผͷೝূ৘ใͷऔಘ • *". 3PMF΍ϙϦγʔͷ͛͢ସ͑ • FUD !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

߈ܸαΠΫϧͷҰ෦ͱͯ͠ͷಛݖঢ֨ • ߈ܸऀ͕ "84Λૂ͏ཧ༝ • ଞਓͷ&$Ϧιʔε࢖͍͍ͨͥ • 3%4ͱ͔ͷ৘ใൈ͖औΓ͍ͨͥ • SPPUݖݶऔͬͯΈ͍ͨͥ
• FUD ʜ • ͱ΋͔͘ѱ༻ͷͨΊʹ ͍ΖΜͳ͜ͱΛͯ͘͠Δ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ೝূ৘ใΛऔಘ ͲͷΑ͏ͳݖݶ͕ ෇༩͞Ε͍ͯΔ͔ ୳ࡧ ಛݖঢ֨ ѱ༻ ͋͘·Ͱ΋ Πϝʔδ

lͬ͘͟Γz ख๏Λେผ͢Δ • "84*". ʹ௚઀తͳมߋ΍ૢ࡞Λߦ͏ • ྫ • *".QPMJDZͷ௚઀తͳมߋ •
*".3PMF΁ͷϙϦγʔΞλον • ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔Βऔಘ • ྫ • -BNCEBͷίʔυΛมߋ͠ɺFOW͔Βೝূ৘ใΛൈ͘ • ϋΠϒϦοτ • ྫ • *". 3PMFΛ৽͘͠࡞Γ &$ʹΞλον • ͦͷଞ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

lͬ͘͟Γz ख๏Λେผ͢Δ • "84*". ʹ௚઀తͳมߋ΍ૢ࡞Λߦ͏ ܰ͘৮Ε·͢ • ྫ • *".QPMJDZͷ௚઀తͳมߋ
• *".3PMF΁ͷϙϦγʔΞλον • ϦιʔεΛܦ༝ͯ͠طଘͷ*".3PMF͔Βऔಘ ͬͪ͜Λ࿩͠·͢ • ྫ • -BNCEBͷίʔυΛมߋ͠ɺFOW͔Βೝূ৘ใΛൈ͘ • ϋΠϒϦοτ • ྫ • *". 3PMFΛ৽͘͠࡞Γ &$ʹΞλον • ͦͷଞ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

"84*". ʹ௚઀తͳมߋ΍ૢ࡞Λߦ͏ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ͲͷΑ͏ͳ΋ͷͷ͜ͱΛࢦ͢ͷ͔ • *".6TFSͷ࡞੒ • طଘͷ*".6TFS͔ΒݤΛ࡞੒ •
*". 1PMJDZͷ࡞੒มߋ • *".3PMFʹ*".1PMJDZͷΞλον ͳͲ ෇༩͞Εͨ "84*".΁ͷݖݶΛར༻͠ ࣗ෼ͷཉ͍ͯ͠ΔݖݶΛऔಘઃఆ͢Δ

ϦιʔεΛܦ༝ͯ͠ طଘͷ*".3PMF͔Βऔಘ ͲͷΑ͏ͳ΋ͷͷ͜ͱΛࢦ͢ͷ͔ • طଘͷ-BNCEBͷίʔυΛมߋ • $MPVE'PSNBUJPOʹ*". 3PMFΛ෇༩ • &$ʹ*".3PMFΛ෇༩
ͳͲ Ϧιʔεʹ෇༩͞ΕΔҰ࣌తͳೝূ৘ใΛ ͳΜΒ͔ͷख๏Ͱऔಘ͠ར༻͢Δ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ 例: Lambdaから取得する場合の⼤体のイメージ

ϦιʔεΛܦ༝ͯ͠ طଘͷ*".3PMF͔Βऔಘ ొ৔͢Δ෺ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ˞ ຊղઆʹ͓͍ͯ߈ܸऀ͸ࣄલʹ*".3PMF໊Λ೺Ѳ͍ͯ͠Δલఏͱ͢Δ

ϦιʔεΛܦ༝ͯ͠ طଘͷ*".3PMF͔Βऔಘ طଘͷϦιʔεΛ࣮ߦ͢Δ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

ϦιʔεΛܦ༝ͯ͠ طଘͷ*".3PMF͔Βऔಘ طଘͷϦιʔεΛߋ৽͢Δ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

ϦιʔεΛܦ༝ͯ͠ طଘͷ*".3PMF͔Βऔಘ ৽نͰϦιʔεΛ্ཱͪ͛3PMFΛड͚౉͢ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

!B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ "84*".ͷ࿩ "84 *".ͷ ಛݖঢ֨ͷߟ͑ํ ରࡦ΍ূ੻ͷอશ

ରࡦ • औಘΛ·ͣ͸્ࢭ͢Δ • HJUTFDSFUͷಋೖͰ HJU΁ͷೝূ৘ใࠞೖΛ๷͙ • ΍ͨΒʹೝূ৘ใΛڞ༗͠ͳ͍૿΍͞ͳ͍ • FUD
• ࠷খݖݶͷݪଇΛकΓ *".ͷϙϦγʔΛ࡞੒ • Θ͔Βͳ͍৔߹͸*"."DDFTT"OBMZ[FSͳͲΛ༻͍Δ • ݖݶ͚ͩͰ͸ͳ͘ར༻Ͱ͖ΔϦιʔεͳͲΛ੍ݶ͢Δ • 4FDVSJUZ)VCΛ༻͍ͯΞΧ΢ϯτͷڴҖ৘ใΛऩू • ΞΧ΢ϯτͰར༻͠ͳ͍ݖݶ͸ 4$1 4FSWJDF$POUSPM1PMJDZ Ͱ੍ݶ͢Δ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

ূ੻ͷऔಘͱอશ ূ੻ͷऔಘ • $MPVE5SBJMͳͲΛ"1*ͷར༻ϩάΛऔಘ • ΞϓϦέʔγϣϯͷϩάͳͲ΋$MPVE 8BUDI-PHTΛ༻͍ͯऔಘ ূ੻ͷอଘ • 4΍ΫϩεΞΧ΢ϯτઌͷ4ʹอଘ
ূ੻ͷอશ • ࡟আͤ͞ͳ͍ͨΊʹ΋ • 4ͷόʔδϣχϯάΛ༗ޮԽ • .'" EFMFUFͷ༗ޮԽ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

!B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ·ͱΊ "84*".ͷ࿩ "84 *".ͷ ಛݖঢ֨ͷߟ͑ํ ରࡦ΍ূڌͷอશ

·ͱΊ ͜ͷ-5Ͱ͸ͬ͘͟Γͱͨ͠ݖݶঢ֨ͷϑϩʔʹ͍ͭͯ৮Ε·ͨ͠ • "84*". ʹ௚઀తͳมߋͳͲʹΑΓѱ༻͢Δ΋ͷ • طଘͷ΋ͷΛѱ༻͢Δ΋ͷ • ೋͭΛ߹ΘͤͨϋΠϒϦοτ "84ͳͲͷΫϥ΢υαʔϏεʹରͯ͠ɺ߈ܸऀ͸ৗʹ໨ΛޫΒͤ
͍ͯ·͢ɻ ར༻ऀͱͯ͠ɺࢲͨͪ͸Ͱ͖ΔݶΓͷରࡦͱূڌΛूΊམͪண͍ͨ Ϋϥ΢υϥΠϑΛա͝͠·͠ΐ͏ɻ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

͓͠·͍ 4QFDJBMUIBOLT*$000/.0/0 IUUQTJDPPPONPOPDPN !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

!B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ ͓·͚ ֶशʹ͍ͭͯ

ֶशؔ࿈ • "84ެࣜυΩϡϝϯτͱᛀΊͬ͜ • ࣮؀ڥͰࢼͯ͠ΈΔ • ࠷ॳ͸ GMBXTDMPVE ͱ͔Ͱ΋͍͍͔΋ •
4FSWFSMFTTपΓͩͱಈ͘ͷগͳ͍ • ҰԠ঺հ • 08"41%74" • 08"414FSWFSMFTT(PBU !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

ֶशؔ࿈ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ

ֶशؔ࿈ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ https://github.com/RhinoSecurityLabs/cloudgoat

ֶशؔ࿈ !B@[BSB@ONPC@TFDVSJUZϞϒηΩϡϦςΟ https://rhinosecuritylabs.com/blog/?category=cloud-security

"ざっくり"話す"AWS IAM"の特権昇格の考え方と対策

"ざっくり"話す"AWS IAM"の特権昇格の考え方と対策

More Decks by a_zara_n

Featured

Transcript