簡単に始めるAWS基盤のセキュリティ分析~Sumo Logic~

؆୯ʹ࢝ΊΔ"84ج൫ͷηΩϡϦςΟ෼ੳ d4VNP-PHJDd ӓాɹՂ༞

ࣗݾ঺հ ӓాɹՂ༞ ɾΫϥεϝιουגࣜձࣾ ɾ"84ࣄۀຊ෦ ɹιϦϡʔγϣϯΞʔΩςΫτ ɹɹηΩϡϦςΟνʔϜ ɾ4FDVSJUZ+"84ӡӦ ɾ޷͖ͳαʔϏε
ɹ"848"'Ϛωʔδυϧʔϧ

ಥવͰ͕͢ AWS؀ڥ্ͰͷηΩϡϦςΟରࡦ͸ ສશͰ͔͢ʁ

Α͘࢖͏"84ͷηΩϡϦςΟܥαʔϏε w "844IJFME w ηΩϡϦςΟάϧʔϓ w "848"' w
(VBSE%VUZ w *OTQFDUPS w $MPVE5SBJM w "84$POpH w *". w όέοτϙϦγʔ w 4FDVSJUZ)VC w ֤छϩά

͍ΖΜͳαʔϏε׆༻͍ͯ͠·͔͢ʁ ࠓճ͸ϩάʹϑΥʔΧεΛ౰ͯ·͢

"84ͷϩάͬͯͲΜͳ΋ͷ͕͋Δʁ w $MPVE5SBJMϩά w *". w &$ૢ࡞ w
4σʔλૢ࡞ w ωοτϫʔΫϦιʔεૢ࡞ w ͳͲͳͲ"1*શൠ w 71$'MPX-PHT w &-#ϩά w 8"'ϩά w $MPVE'SPOUϩά w (VBSE%VUZ w 4ΞΫηεϩά w 4"VEJUϩά

"84ͷϩά෼ੳ͸ ಛʹCloudTrailͷ΢ΣΠτ͕ߴ͍

$MPVE5SBJMϩά෼ੳͷඞཁੑ w $MPVE5SBJM͸"84ʹର͢Δ"1*ίʔϧͷϩάΛҰݩ తʹऔಘ͍ͯ͠Δ w *".ͷϩάΠϯ΍ωοτϫʔΫϦιʔεͷૢ࡞ɺ&$ͷى ಈ΍ఀࢭͳͲ w
"84ଆͷ؅ཧΛߦ͏৔߹ʹඞཁͳ৘ใ͕େྔʹ٧·ͬ ͍ͯΔ w ٯʹݴ͏ͱɺଞͷϩά͸ͲͪΒ͔ͱ͍͏ͱߏஙͨ͠γ εςϜͷϩάͱ͍͏Ґஔ͚ͮ

$MPVE5SBJM׆༻ྫ ͓٬༷ʮͳΜ͔஌Βͳ͍EC2͕ಈ͍ͯ·͚͢Ͳʁʯ ࢲʮ͓٬༷؅ཧͷxxx_userͱ͍͏IAMϢʔβ͕8࣌ʹ ɹɹ࡞੒͍ͯ͠·͢ʯ

ੲ͸͜ͷαʔϏε΋ͳ͔ͬͨΜͰ͢ w ૝૾ͯ͠Έ͍ͯͩ͘͞ɺ୭͕ૢ࡞͔ͨ͠Θ͔Βͳ͍ੈք Λʜ w ୭ཱ͕ͯͨ&$͔Θ͔Βͳ͍ w ηΩϡϦςΟάϧʔϓ͕͍ͭͷ·ʹ͔มߋ͞Ε͍ͯΔ
w ΋͔ͨ͠͠Β*".ϢʔβͷΞΫηεΩʔ͕࿙Ӯ͍ͯ͠Δ͔΋ w *".Ϣʔβ͕Ͳͷ*1͔ΒΞΫηε͍ͯ͠Δ͔Θ͔Βͳ͍

CloudTrailͷ༗ޮԽͱ ϩά෼ੳͷඞཁੑ͸఻Θͬͨͱࢥ͍·͢

Ͱ΋$MPVE5SBJMͷϩά෼ੳ͸ਏ͍ \l3FDPSET<\ FWFOU7FSTJPO VTFS*EFOUJUZ\ UZQF*".6TFS QSJODJQBM*E&9@13*/$*1"-@*%
BSOBSOBXTJBN VTFS"MJDF BDDFTT,FZ*E&9".1-&@,&:@*% BDDPVOU*E VTFS/BNF"MJDF ^ FWFOU5JNF5; FWFOU4PVSDFFDBNB[POBXTDPN FWFOU/BNF4UBSU*OTUBODFT BXT3FHJPOVTFBTU TPVSDF*1"EESFTT VTFS"HFOUFDBQJUPPMT SFRVFTU1BSBNFUFST\JOTUBODFT4FU \JUFNT<\JOTUBODF*EJFCFBGF^>^^ SFTQPOTF&MFNFOUT\JOTUBODFT4FU \JUFNT<\ JOTUBODF*EJFCFBGF DVSSFOU4UBUF\ DPEF OBNFQFOEJOH ^ QSFWJPVT4UBUF\ DPEF OBNFTUPQQFE ^ ^>^^ ^>^ ͱʹ͔͘৘ใ͕͍ͬͺ͍

σϑΥϧτͷ7JFX ৘ใগͳ͍ɺϩάྔ͸ଟ͍ɺจࣈͷΈ

"84ͱͯ͠ͷΞϓϩʔν ෼ੳʹར༻͢ΔαʔϏε w "NB[PO"UIFOB w ΫΤϦΛ࢖༻ͯ͠܏޲Λࣝผͨ͠ΓɺΞΫςΟϏςΟΛଐੑ ιʔ ε*1ΞυϨε΍ϢʔβʔͳͲ
Ͱ͞Βʹ෼཭ͨ͠ΓͰ͖·͢ɻ w $MPVE8BUDI-PHT w $MPVE8BUDI-PHTϝτϦοΫεϑΟϧλΛఆٛ͠ɺ͜ΕΒ ͷΞϥʔϜ͕τϦΨʔ͞Εͨͱ͖ʹ௨஌Λૹ৴Ͱ͖·͢ɻ IUUQTEPDTBXTBNB[PODPNKB@KQBXTDMPVEUSBJMMBUFTUVTFSHVJEFDMPVEUSBJMBXTTFSWJDFTQFDJpDUPQJDTIUNM

4FDVSJUZ+"84Ͱͷϩά෼ੳ w ୈճ w ߹ಉձࣾύϩϯΰۙ౻ֶ͞Μʮ8IBUZPVTFFJTXIBUZPVHFUʙΠϯγσϯτର Ԡ͢Δͷʹɺ·ͩϩά෼ੳͰফ໣ͯ͠Δͷ ʯ w
ୈճ w 4QMVOL4FSWJDFT+BQBOԣా૱͞ΜʮࣄྫʹֶͿɺ4QMVOLº"84ηΩϡϦςΟϞ χλϦϯάͷ۩ମࡦʯ w ୈճ w ϑϡʔνϟʔΞʔΩςΫτגࣜձࣾ೔ൺ໺߃͞ΜɺதҪ༞ق͞Μʮ,JCBOB$BOWBTͰ ັͤΔʂ"84؀ڥʹ͓͚ΔڴҖ෼ੳϢʔεέʔεʯ w גࣜձࣾ/55υίϞक԰༟थ͞Μʮ+"84%":4Ͱ࿩ͤͳ͔ͬͨʮ4FDVSJUZY 4FSWFSMFTTʯͷ࿩ʯ w ΫοΫύουגࣜձࣾਫ୩ਖ਼ܚ͞ΜʮηΩϡϦςΟϩάϩά෼ੳج൫ͷߏஙPO"84ʯ ͍ΖΜͳαʔϏε΍ख๏Λར༻ͯ͠औΓ૊ΜͰ͍Δ

ͱ͍͏Θ͚Ͱࠓճ͸ ϩά෼ੳSaaSαʔϏεͷ Sumo LogicΛ঺հ͠·͢ ଞͷαʔϏεͱ͔ؾʹͳΔਓ͸աڈϒϩάݟͯͶˑϛ

4VNP-PHJDͱ͸ w 4BB4ϕʔεͷϩά෼ੳج൫ w σϑΥϧτͰ༻ҙ͞Ε͍ͯΔଟ਺ͷμογϡϘʔυͰ͙͢ ʹϩάͷՄࢹԽ͕Մೳ w "84
w $MPVE5SBJM w 71$'MPX-PHT w &-# w "QBDIFͦͷଞΫϥ΢υηΩϡϦςΟ੡඼ w ैྔϕʔεͷ ༏͍͠ ྉۚମܥ

μογϡϘʔυͷྫ$MPVE5SBJM σʔλೖΕͯμογϡϘʔυબͿ͚ͩͰ͜͏ͳΔʂ

ରԠ͍ͯ͠Δ"QQ͸͍ͬͺ͍ "84͚ͩͰ ͜Μͳʹ

ηΩϡϦςΟܥ΋͍Ζ͍Ζ 8"'ܥ ೝূܥ '8ܥ ίϯϓϥΠΞ ϯεܥ౳

ͳΜͱͳ͍͍͘ͷ͸Θ͔Δ ۩ମతʹ͸Ͳ͏͍͍ͷʁ

σϞ͠·͢

σϞ$MPVE5SBJMμογϡϘʔυͷछྨ w "84$MPVE5SBJM0WFSWJFX w $MPVE5SBJMͷதͰಛʹॏཁͳϩάΠϯपΓ΍Ϧιʔεͷ࡟আ౳Λදࣔ͠·͢ɻ w "84$MPVE5SBJM$POTPMF-PHJOT w
ϩάΠϯ͍ͯ͠ΔϢʔβͷϩέʔγϣϯ΍.'"ͷར༻ঢ়گɺϩάΠϯࣦഊ౳Λදࣔ͠·͢ɻ w "84$MPVE5SBJM6TFS.POJUPSJOH w ϢʔβͷΞΫςΟϏςΟ΍"ENJOϢʔβͷΞΫςΟϏςΟ͕֬ೝͰ͖·͢ɻ w "84$MPVE5SBJM/FUXPSLBOE4FDVSJUZ w Ϧιʔε΁ͷΞΫηεࣦഊ΍/FUXPSL"-$ɾ4FDVSJUZ(SPVQͷมߋͳͲͷมߋ͕֬ೝͰ͖·͢ɻ w "84$MPVE5SBJM0QFSBUJPOT w Ͳͷ"84αʔϏε΍Ϧʔδϣϯ͔Β"1*͕ݺ͹Ε͍ͯΔ͔΍ɺϦιʔεͷ௥Ճ࡟আ͕֬ೝͰ͖·͢ɻ w "84$MPVE5SBJM41VCMJD0CKFDUTBOE#VDLFUT w ެ։͞Εͨόέοτ΍ΦϒδΣΫτ͕֬ೝͰ͖·͢ɻ

σϞ$MPVE5SBJMμογϡϘʔυͷछྨ ৄ͘͠͸ԼهϒϩάΛࢀর IUUQTEFWDMBTTNFUIPEKQDMPVEBXTDMPVEUSBJMTFDVSJUZBOBMZUJDTXJUITVNPMPHJD

ଞʹ΋4VNP-PHJDͷ͍͍ͱ͜Ζ w ಛڐΛ͍࣋ͬͯΔػցֶशػೳ w -PH3FEVDF-PH$PNQBSF w ϩάΛ͏·͘·ͱΊͯΫϦςΟΧϧͳϩάΛൃݟ͢Δ w
0VUMJFS%FUFDUJPO w ಈతͳ͖͍͠஋ௐ੔Λߦ͍ҟৗΛݕ஌͢Δ w 1SFEJDUJWF"OBMZUJDT w ܏޲͔Βকདྷͷ༧ଌΛߦ͏

ଞʹ΋4VNP-PHJDͷ͍͍ͱ͜Ζ -PH3FEVDF-PH$PNQBSFͷྑ͞͸ݟͳ͍ͱΘ ͔Βͳ͍ͷͰͱΓ͋͑ͣ͜ͷಈըΛݟ͍ͯͩ͘͞ IUUQTIFMQTVNPMPHJDDPN4FBSDI-PH3FEVDF

͡Ό͋ͱΓ͋͑ͣ৮ͬͯΈΑ͏͔ͳʁ ͬͯࢥ͍·͔ͨ͠ʁ

ແྉͰτϥΠΞϧ࢝ΊΒΕ·͢ ͔͠΋౦ژϦʔδϣϯͰʂ ࢝ΊΔํ๏͸ԼهϒϩάͰ IUUQTEFWDMBTTNFUIPEKQDMPVEBXTTVNPMPHJDJOUPLZP ˞ಉҰϦʔδϣϯͩͱ4ͷσʔλసૹྔ͕͔͔Γ·ͤΜ

ͱΓ͋͑ͣҰճ͖ͪΜͱڭΘΓ͍ͨͱ͍͏ํ

ϋϯζΦϯηϛφʔ΍ͬͯ·͢ʂ ఆظతʹ։࠵͍ͯ͠·࣍͢ճ͸ ਫ IUUQTEFWDMBTTNFUIPEKQOFXTTVNPMPHJD

·ͱΊ w "84ͷηΩϡϦςΟϩά෼ੳ͸$MPVE5SBJMͷՄ ࢹԽ͔Β w 4VNP-PHJD͸ͪΐͬͺ΍ͰϩάΛऔΓࠐΜͰՄ ࢹԽͰ͖Δ w
݁ߏ͍҆͠ɺ·ͣ͸ແྉτϥΠΞϧ͔Β΍ͬͯΈͯ

簡単に始めるAWS基盤のセキュリティ分析~Sumo Logic~

簡単に始めるAWS基盤のセキュリティ分析~Sumo Logic~

cm-usuda-keisuke

More Decks by cm-usuda-keisuke

Other Decks in Technology

Featured

Transcript

؆୯ʹ࢝ΊΔ"84ج൫ͷηΩϡϦςΟ෼ੳ d4VNP-PHJDd ӓాɹՂ༞

ࣗݾ঺հ ӓాɹՂ༞ ɾΫϥεϝιουגࣜձࣾ ɾ"84ࣄۀຊ෦ ɹιϦϡʔγϣϯΞʔΩςΫτ ɹɹηΩϡϦςΟνʔϜ ɾ4FDVSJUZ+"84ӡӦ ɾ޷͖ͳαʔϏε

ಥવͰ͕͢ AWS؀ڥ্ͰͷηΩϡϦςΟରࡦ͸ ສશͰ͔͢ʁ

Α͘࢖͏"84ͷηΩϡϦςΟܥαʔϏε w "844IJFME w ηΩϡϦςΟάϧʔϓ w "848"' w

͍ΖΜͳαʔϏε׆༻͍ͯ͠·͔͢ʁ ࠓճ͸ϩάʹϑΥʔΧεΛ౰ͯ·͢

"84ͷϩάͬͯͲΜͳ΋ͷ͕͋Δʁ w $MPVE5SBJMϩά w *". w &$ૢ࡞ w

"84ͷϩά෼ੳ͸ ಛʹCloudTrailͷ΢ΣΠτ͕ߴ͍

$MPVE5SBJMϩά෼ੳͷඞཁੑ w $MPVE5SBJM͸"84ʹର͢Δ"1ίʔϧͷϩάΛҰݩ తʹऔಘ͍ͯ͠Δ w ".ͷϩάΠϯ΍ωοτϫʔΫϦιʔεͷૢ࡞ɺ&$ͷى ಈ΍ఀࢭͳͲ w

$MPVE5SBJM׆༻ྫ ͓٬༷ʮͳΜ͔஌Βͳ͍EC2͕ಈ͍ͯ·͚͢Ͳʁʯ ࢲʮ͓٬༷؅ཧͷxxx_userͱ͍͏IAMϢʔβ͕8࣌ʹ ɹɹ࡞੒͍ͯ͠·͢ʯ

ੲ͸͜ͷαʔϏε΋ͳ͔ͬͨΜͰ͢ w ૝૾ͯ͠Έ͍ͯͩ͘͞ɺ୭͕ૢ࡞͔ͨ͠Θ͔Βͳ͍ੈք Λʜ w ୭ཱ͕ͯͨ&$͔Θ͔Βͳ͍ w ηΩϡϦςΟάϧʔϓ͕͍ͭͷ·ʹ͔มߋ͞Ε͍ͯΔ

CloudTrailͷ༗ޮԽͱ ϩά෼ੳͷඞཁੑ͸఻Θͬͨͱࢥ͍·͢

Ͱ΋$MPVE5SBJMͷϩά෼ੳ͸ਏ͍ \l3FDPSET<\ FWFOU7FSTJPO VTFSEFOUJUZ\ UZQF".6TFS QSJODJQBME&9@13/$1"-@%

σϑΥϧτͷ7JFX ৘ใগͳ͍ɺϩάྔ͸ଟ͍ɺจࣈͷΈ

"84ͱͯ͠ͷΞϓϩʔν ෼ੳʹར༻͢ΔαʔϏε w "NB[PO"UIFOB w ΫΤϦΛ࢖༻ͯ͠܏޲Λࣝผͨ͠ΓɺΞΫςΟϏςΟΛଐੑ ιʔ ε*1ΞυϨε΍ϢʔβʔͳͲ

4FDVSJUZ+"84Ͱͷϩά෼ੳ w ୈճ w ߹ಉձࣾύϩϯΰۙ౻ֶ͞Μʮ8IBUZPVTFFJTXIBUZPVHFUʙΠϯγσϯτର Ԡ͢Δͷʹɺ·ͩϩά෼ੳͰফ໣ͯ͠Δͷ ʯ w

ͱ͍͏Θ͚Ͱࠓճ͸ ϩά෼ੳSaaSαʔϏεͷ Sumo LogicΛ঺հ͠·͢ ଞͷαʔϏεͱ͔ؾʹͳΔਓ͸աڈϒϩάݟͯͶˑϛ

4VNP-PHJDͱ͸ w 4BB4ϕʔεͷϩά෼ੳج൫ w σϑΥϧτͰ༻ҙ͞Ε͍ͯΔଟ਺ͷμογϡϘʔυͰ͙͢ ʹϩάͷՄࢹԽ͕Մೳ w "84

μογϡϘʔυͷྫ$MPVE5SBJM σʔλೖΕͯμογϡϘʔυબͿ͚ͩͰ͜͏ͳΔʂ

ରԠ͍ͯ͠Δ"QQ͸͍ͬͺ͍ "84͚ͩͰ ͜Μͳʹ

ηΩϡϦςΟܥ΋͍Ζ͍Ζ 8"'ܥ ೝূܥ '8ܥ ίϯϓϥΠΞ ϯεܥ౳

ͳΜͱͳ͍͍͘ͷ͸Θ͔Δ ۩ମతʹ͸Ͳ͏͍͍ͷʁ

σϞ͠·͢

σϞ$MPVE5SBJMμογϡϘʔυͷछྨ w "84$MPVE5SBJM0WFSWJFX w $MPVE5SBJMͷதͰಛʹॏཁͳϩάΠϯपΓ΍Ϧιʔεͷ࡟আ౳Λදࣔ͠·͢ɻ w "84$MPVE5SBJM$POTPMF-PHJOT w

σϞ$MPVE5SBJMμογϡϘʔυͷछྨ ৄ͘͠͸ԼهϒϩάΛࢀর IUUQTEFWDMBTTNFUIPEKQDMPVEBXTDMPVEUSBJMTFDVSJUZBOBMZUJDTXJUITVNPMPHJD

ଞʹ΋4VNP-PHJDͷ͍͍ͱ͜Ζ w ಛڐΛ͍࣋ͬͯΔػցֶशػೳ w -PH3FEVDF-PH$PNQBSF w ϩάΛ͏·͘·ͱΊͯΫϦςΟΧϧͳϩάΛൃݟ͢Δ w

ଞʹ΋4VNP-PHJDͷ͍͍ͱ͜Ζ -PH3FEVDF-PH$PNQBSFͷྑ͞͸ݟͳ͍ͱΘ ͔Βͳ͍ͷͰͱΓ͋͑ͣ͜ͷಈըΛݟ͍ͯͩ͘͞ IUUQTIFMQTVNPMPHJDDPN4FBSDI-PH3FEVDF

͡Ό͋ͱΓ͋͑ͣ৮ͬͯΈΑ͏͔ͳʁ ͬͯࢥ͍·͔ͨ͠ʁ

ແྉͰτϥΠΞϧ࢝ΊΒΕ·͢ ͔͠΋౦ژϦʔδϣϯͰʂ ࢝ΊΔํ๏͸ԼهϒϩάͰ IUUQTEFWDMBTTNFUIPEKQDMPVEBXTTVNPMPHJDJOUPLZP ˞ಉҰϦʔδϣϯͩͱ4ͷσʔλసૹྔ͕͔͔Γ·ͤΜ

ͱΓ͋͑ͣҰճ͖ͪΜͱڭΘΓ͍ͨͱ͍͏ํ

ϋϯζΦϯηϛφʔ΍ͬͯ·͢ʂ ఆظతʹ։࠵͍ͯ͠·࣍͢ճ͸ ਫ IUUQTEFWDMBTTNFUIPEKQOFXTTVNPMPHJD

·ͱΊ w "84ͷηΩϡϦςΟϩά෼ੳ͸$MPVE5SBJMͷՄ ࢹԽ͔Β w 4VNP-PHJD͸ͪΐͬͺ΍ͰϩάΛऔΓࠐΜͰՄ ࢹԽͰ͖Δ w