AWS上のセキュリティ対策をどういう順序でやっていけばいいか

Transcript

1. جௐߨԋ 

2. ࣗݾ঺հ
    ӓాɹՂ༞
   ɾΫϥεϝιουגࣜձࣾ
   ɾ"84ࣄۀຊ෦
   ɹιϦϡʔγϣϯΞʔΩςΫτ
   ɹɹηΩϡϦςΟνʔϜ
   ɾ4FDVSJUZ+"84ӡӦ
   ɾ޷͖ͳαʔϏε
   

   ɹ"84
   8"'Ϛωʔδυϧʔϧ AWS WAF

3. ΞδΣϯμ
    w ηΩϡϦςΟରࡦͬͯେมͰ͢ΑͶ
   w "84্Ͱ࠷௿ݶ΍ͬͨ΄͏͕͍͍͜ͱ
   w ηΩϡϦςΟରࡦͷݕ౼ॱং

4. ΋͏Ұ౓Ͱ͕͢
    ηΩϡϦςΟରࡦͬͯେมͰ͢ΑͶ

5. "84ͷ੹೚ڞ༗Ϟσϧ
    "84Ͱ͸ΦϯϓϨϛεΑΓ΋ߟ͑ΔྖҬ͸ݶఆత
   ͓٬༷੹೚ྖҬ΋·͍ͩͬͺ͍͋Γ·͕͢ɺ͓͜͜ख఻͍Ͱ͖·͢ ͓ ख ఻ ͍ Ͱ

   ͖ · ͢

6. ͓ख఻͍Ͱ͖Δ͜ͱ
    ·ͣ͸ηΩϡϦςΟରࡦશମ͔Β

7. ηΩϡϦςΟରࡦ͕େมͳཁҼͷҰͭ
    ଟ਺ͷηΩϡϦςΟରࡦ αʔϏεɾιϦϡʔγϣϯ

8. ू໿ ηΩϡϦςΟରࡦ੡඼ɾαʔϏεϚοϓ
    ੬ऑੑରࡦ ෆਖ਼ϓϩάϥϜରࡦ ੬ऑੑ਍அ ੬ऑੑ(ύον)؅ཧ ๷ޚ ηΩϡϦςΟϩά؂ࢹ

   มߋ؂ࢹ ɾ IDS/IPS ΞϯνϚϧ΢ΣΞ ݕ஌ ίϯϓϥΠΞϯεɾ Ψόφϯε ϩΪϯάɾ෼ੳ ίϯςφ ؂ࢹ Inspector SSM Shield WAF GuardDuty Macie Security Hub CloudWatch CloudWatch Config CloudTrail Config Trusted Advisor Well-Arch SSM

9. ͜Ε͸͋͘·ͰҰྫͰ͢
    w ओʹ"84पΓ΍ฐࣾऔѻͷαʔϏεɾιϦϡʔγϣ ϯͷҰ෦Ͱ͢
   w ΋ͪΖΜଞʹ΋୔ࢁ͋Γ·͢
   w ͦΕ͸΋͏͢΂ͯʹ͍ͭͯߟ͑Δͷ͸େมͰ͢ΑͶ

10. ࣮ࡍʹͲͷରࡦ͕ඞཁͰ͠ΐ͏͔ʁ
     Ұྫ: ߈ܸϑϩʔ͔Βߟ͑ͯΈΔ

11. ߈ܸϑϩʔͷҰྫ 8FCΞϓϦέʔγϣϯ
     Ϛϧ΢ΣΞײછ BotԽ ίΠϯϚΠχϯά SQLΠϯδΣΫγϣϯ (CWEܥ) ৘ใࡡऔ

    (ύεϫʔυ / ΫϨδοτΧʔυ৘ใ) Wordpressͷ੬ऑੑ (CVEܥ) ߈ܸऀ w ྫ͑͹42-ΠϯδΣΫγϣϯ͔ΒΫϨδοτΧʔυ৘ใ͕࿙Ӯ͢Δ
    w ྫ͑͹8PSEQSFTTͷ੬ऑੑ͔ΒίΠϯϚΠφʔ͕࢓ࠐ·ΕΔ

12. ϋογϡԽ ඇอ࣋Խ ݕ஌ ϩΪϯά ෆਖ਼ϓϩάϥϜରࡦ ߈ܸϑϩʔ΁ͷରࡦҰྫ
     ੬ऑੑରࡦ ੬ऑੑ਍அ

    Ϛϧ΢ΣΞײછ BotԽ ίΠϯϚΠχϯά SQLΠϯδΣΫγϣϯ (CWEܥ) ৘ใࡡऔ (ύεϫʔυ / ΫϨδοτΧʔυ৘ใ) Wordpressͷ੬ऑੑ (CVEܥ) ߈ܸऀ ੬ऑੑ਍அ / ੬ऑੑ(ύον)؅ཧ WAF

13. ߟ͑ͳ͍ͱ͍͚ͳ͍͜ͱ
     w ੬ऑੑରࡦ
    w ෆਖ਼ϓϩάϥϜରࡦ
    w ϩΪϯά΍ݕ஌
    w

    ͦΕͧΕͲΕ͘Β͍ɺͲΜͳॱংͰɺ۩ମతʹԿΛ ࢖ͬͯ΍͍͚ͬͯ͹͍͍͔
    w Ұॹʹߟ͑Δ͓ख఻͍Ͱ͖·͢

14. 
     AWS্Ͱ࠷௿ݶ΍ͬͨ΄͏͕͍͍͜ͱ

15. "84αʔϏεͰඞਢͳ߲໨
     w *".ͷ؅ཧ
    w 4FDVSJUZ(SPVQΛద੾ʹߜΔ
    w $MPVE5SBJM
    
    "84
    $POpH༗ޮԽ
    w

    (VBSE%VUZઃఆ
    
    4/4௨஌

16. (VBSE%VUZ͸શΞΧ΢ϯτશϦʔδϣϯ༗ޮԽඞਢ
     w (VBSE%VUZ͸"84্Ͱར༻Ͱ͖ΔڴҖݕ஌αʔϏε
    w ೥ͷSF*OWFOUͰϦϦʔε
    w $MPVE5SBJM΍71$ϑϩʔϩάɾ%/4ϩάΛػցֶशͰ෼ੳͯ͠ڴҖΛݕ஌
    w

    ༗ޮԽ͢Δ͚ͩͰ༷ʑͳҟৗΛݕ஌
    w ίΠϯϚΠχϯά
    w ϒϧʔτϑΥʔε
    w ීஈͱҧ͏৔ॴ͔ΒͷΞΫηε
    w $$αʔό΁ͷ௨৴
    w ΦϯϓϨϛε΍ࣗલͰ΍Ζ͏ͱࢥ͏ͱ݁ߏߴΊͷ੡඼͕ඞཁͳରࡦ͕֨҆ Ͱɺ௒͓खܰʹ࣮ࢪՄೳ

17. (VBSE%VUZͷίεύ
     w ྉۚ
    w $MPVE5SBJM
    
    64%  
    Πϕϯτ
    w

    71$ϑϩʔϩάͱ%/4ϩά෼ੳ
    
    64%(#
    w ͜Ε͚ͩͩͱϩά͕ͲΕ͘Β͍ग़Δ͔Θ͔Βͳ͍ͷͰ Θ͔Γ΍͘͢͠·ͨ͠

18. (VBSE%VUZར༻අ࣮੷
     ฐࣾॴ͓࣋٬༷ΞΧ΢ϯτͷ 85%Ҏ্͸ར༻අશମͷ1%ҎԼʹऩ·Δ 95%Ҏ্͕2%ҎԼʹऩ·Δ ※ۃ୺ʹར༻අ͕௿͍΋ͷΛআ͘ɾҰ࣌ظͷ࣮੷

19. (VBSE%VUZͷτϥΠΞϧ
     w (VBSE%VUZ͸೔ؒແྉͰར༻Ͱ͖࣮ͯࡍͷඅ༻ ΋֬ೝͰ͖ΔͷͰ·ͣ͸༗ޮԽʂ

20. ͋ΘͤͯಡΈ͍ͨ
     ҰൃͰ(VBSE%VUZΛશϦʔδϣϯ༗ޮԽͯ͠௨஌ઃ ఆ͢ΔςϯϓϨʔτ࡞ͬͨ
    IUUQTEFWDMBTTNFUIPEKQDMPVEBXTTFUHVBSEEVUZBMMSFHJPO
    ·ͣ͸Ұൃ༗ޮԽʂ

21. ͋ΘͤͯಡΈ͍ͨ
     "84͝ར༻։࢝࣌ʹ࠷௿ݶ͓͓͖͍͑ͯͨ͞ͷ͜ͱ IUUQTXXXTMJEFTIBSFOFU"NB[PO8FC4FSWJDFT+BQBO EBZXJUIBNB[POXFCTFSWJDFTBXT

22. 
     ηΩϡϦςΟରࡦͷݕ౼ॱং

23. ηΩϡϦςΟରࡦͷݕ౼ॱং 8FCαΠτͷྫ
     w ඞਢݕ౼ࣄ߲
    w ෆਖ਼ϓϩάϥϜରࡦ
    w ੬ऑੑରࡦ
    

    w ؂ࢹɾϩΪϯά
    w Φϓγϣϯ
    w ϩά෼ੳ
    w ίϯϓϥΠΞϯεɾΨόφϯε
    w ˞͋͘·ͰҰྫͰ͢

24. ෆਖ਼ϓϩάϥϜରࡦ
     w 04ϨΠϠʔҎ্͸͓٬༷੹೚ൣғ Ͱɺಛʹαʔό಺෦ͷରࡦ͸αʔυ ύʔςΟ੡඼͕ඞਢ
    w 8FCαΠτͰ͸Πϯλʔωοτʹ৮ ΕΔαʔό͸߈ܸΛ࠷ॳʹड͚Δ෦

    ෼ͷͨΊରࡦඞਢ
    w ฐࣾͷఏҊͱͯ͠͸04಺Ͱෳ਺ϨΠ ϠʔͷػೳΛ࣋ͭ%FFQ4FDVSJUZ͕ ਪ঑ "84ͱͷ਌࿨ੑ͕ߴ͍ ෆਖ਼ϓϩάϥϜରࡦ ηΩϡϦςΟϩά؂ࢹ มߋ؂ࢹ ɾ IDS/IPS ΞϯνϚϧ΢ΣΞ

25. ੬ऑੑରࡦ
     w ੬ऑੑ؅ཧ͸͢΂ͯͷαʔόͰඞਢ
    w 44.୯ମͰ΋Ͱ͖ͳ͘ͳ͍͕ɺύο νద༻ͷΈͷར༻͕޲͍͍ͯΔ
    w ੬ऑੑͷνΣοΫ͸'VUVSF7VMT͔'

    4FDVSF
    3"%"3͕͍͍
    w εΩϟϯͱ੬ऑੑ؅ཧɺνέοτػೳ ͕͋Γ"1*࿈ܞͰ$*$%αΠΫϧʹ' 4FDVSF
    3"%"3Λ૊ΈࠐΊΔͷͰ ͦΕ΋ݕ౼ͯ͠ΈΔ ੬ऑੑରࡦ ੬ऑੑ਍அ ੬ऑੑ(ύον)؅ཧ ๷ޚ Inspector SSM

26. ੬ऑੑରࡦ
     w ੬ऑੑ਍அ͸ϓϥοτϑΥʔϜ਍அͱ8FC ΞϓϦέʔγϣϯ਍அΛ྆ํ࣮ࢪ͢Δ
    w "NB[PO
    *OTQFDUPS͸ϓϥοτϑΥʔϜ਍ அͷΈͷͨΊɺఆৗతͳνΣοΫʹ͸޲͕͘ ϦϦʔεલͷશମνΣοΫʹ͸ྗෆ଍
    

    w ؆қతͳ8FCαΠτ ݸਓ৘ใΛ࣋ͨͳ͍ɾ ෳࡶͳϩδοΫ͕ͳ͍ ͳΒ'4FDVSF
    3"%"3 πʔϧͰͷ਍அ Ͱ͍͍
    w ্هʹ౰ͯ͸·Βͳ͍৔߹ʹ͸ΠΤϥΤη ΩϡϦςΟͷΑ͏ʹਓͰ਍அ͢ΔαʔϏεਪ ঑ ੬ऑੑରࡦ ੬ऑੑ਍அ ੬ऑੑ(ύον)؅ཧ ๷ޚ Inspector SSM

27. ੬ऑੑରࡦ
     w ๷ޚ͸࢑ఆରॲͷͨΊ਍அ΍؅ཧΛ͠ ্ͨͰ׆༻
    w %FFQ4FDVSJUZͰ04্Ͱͷରࡦ΋Մೳ ͕ͩɺՄೳͳΒલஈͰ8"'౳ͰࢭΊ͍ͨ
    w

    "84
    8"'͸ΞϓϥΠΞϯε8"'ΑΓ ΋ػೳ͸ݶఆత͕ͩεέʔϧ౳૬ੑ͸͍ ͍ͷͰΤϯτϦʔϨϕϧ͔Βݕ౼͢Δ
    w "84
    8"'ӡ༻ͷφϨοδ͕ͳ͍৔߹ʹ ͸8BG$IBSNʹΑΔࣗಈӡ༻΋ݕ౼ ੬ऑੑରࡦ ੬ऑੑ਍அ ੬ऑੑ(ύον)؅ཧ ๷ޚ Inspector SSM

28. ίϯςφͷෆਖ਼ϓϩάϥϜ΍੬ऑੑରࡦ
     w 'BSHBUFͳͲϗετΛૢ࡞Ͱ͖ͳ͍ ίϯςφܥͰ͸ಛʹηΩϡϦςΟ੡඼ ͸·ͩࢢ৔ʹग़ἧ͍ͬͯͳ͍
    w "RVBͳΒϦϦʔεલͷίϯςφͷ੩ తεΩϟϯ΍ՔಇதͷಈతͳεΩϟϯ

    ʹ΋ରԠ͍ͯ͠Δ ίϯςφ

29. ؂ࢹɾϩΪϯάɾ෼ੳ
     w ֤छϦιʔεͷϝτϦΫεͱϩάͷऔಘ͸ඞਢ
    w ϩά෼ੳ͸୯७ͳ8FCαΠτͳΒ༏ઌ౓͸௿Ίɻύ ϑΥʔϚϯε΍ηΩϡϦςΟཁ͕݅ߴ͍৔߹ʹ͸ݕ౼ ͢Δ
    w

    ϩάʹ͍ͭͯอଘ͸جຊ4อଘɺ෼ੳΛݕ౼͢Δͳ Β$MPVE8BUDI
    -PHT&MBTUJDTFBSDI4VNP
    -PHJD͕બ୒ࢶʹͳΔ
    w ෼ੳΛॳΊͯߦ͏৔߹΍෼ੳʹूத͍ͨ͠৔߹ɺε έʔϧ͕ಡΊͳ͍৔߹ʹ͸4VNP
    -PHJD͕ॳظμο γϡϘʔυͱΠϯςάϨʔγϣϯʹ༏Ε͍ͯΔͷͰ͍ ͍ ϩΪϯάɾ෼ੳ CloudWatch Config CloudTrail ؂ࢹ CloudWatch

30. ίϯϓϥΠΞϯεɾΨόφϯε
     w ࠷௿ݶͷηΩϡϦςΟνΣοΫ͕Մೳͳ JOTJHIUXBUDI͸ແྉͷͨΊ͢΂ͯͷΞΧ΢ϯτͰ༗ ޮ׆༻ͯ͠΄͍͠
    w "84
    5SVTUFE
    "EWJTPS΋ඞͣνΣοΫ
    w

    ΞϓϦن໛͕େ͖͍ɾεςʔΫϗϧμʔ͕ଟ͍ɾίϯ ϓϥΠΞϯε༻͕݅ߴ͍৔߹ʹ͸௥Ճͷ׆༻Λݕ౼
    w %PNF͸1$*
    %44ͳͲͷίϯϓϥΠΞϯενΣοΫ ͕Ͱ͖Δଞɺ4FDVSJUZ
    (SPVQ͔ΒωοτϫʔΫΛՄ ࢹԽͨ͠Γ*".ͷ؅ཧΛߦ͑ΔͷͰେن໛ΞΧ΢ϯ τɾϚϧνΞΧ΢ϯτͷ؅ཧίετΛେ͖͘࡟ݮͰ͖ Δ ίϯϓϥΠΞϯεɾ Ψόφϯε Config Trusted Advisor Well-Arch SSM

31. 
     ·ͱΊ

32. ·ͱΊ
     w (VBSE%VUZ͸࣮֬ʹ༗ޮԽ
    w ෆਖ਼ϓϩάϥϜରࡦ੬ऑੑରࡦ؂ࢹɾϩΪϯά͸ ࠷௿ݶ࣮֬ʹ࣮ࢪͭͭ͠कΔ΋ͷͷن໛ʹԠͯ͡௥ ՃΛݕ౼
    w

    ΫϥεϝιουͰ͸ߏங͔Βӡ༻·Ͱ·Δͬͱ͓ख఻ ͍Ͱ͖·͢
    w ࠔͬͨΒͳΜͰ΋૬ஊ͍ͯͩ͘͠͞