UnConfig - AWS Configの幻想との戦い#secjaws #secjaws14

Transcript

1. UnConfig Until XXX turns into gold. At S-JAWS # 14

   2019.08.28

2. ͏Μ͜Μ;͙͌ AWS Configͷݬ૝ͱͷઓ͍ S-JAWS # 14 ʹͯ 2019.08.24

3. Who am I !? (͓લ୭Α?) • Hirokazu YoshidaˏCloud Native Inc.


   Security Engineer • Community
 - Security-JAWS • Favorite AWS Service https://www.fnifni.net/

4. Attention • ຊηογϣϯ͸ɺݸਓͷݟղʹجͮ͘΋ͷͰ͢ • ॴଐ͢ΔاۀɺஂମͷҙݟΛ୅ද͢Δ΋ͷͰ͸ ͋Γ·ͤΜ

5. ͱ͍͏Θ͚Ͱ ຊ୊

6. AWS Config ༗ޮʹ͍ͯ͠·͔͢ʁ

7. ࠷ߴͰ͢Ͷ

8. AWS Config ׆༻͍ͯ͠·͔͢ʁ

9. What is AWS Config ? • AWSϦιʔεͷΠϯϕϯτϦ/ߏ੒؅ཧͷͨΊͷϑϧϚ ωʔδυαʔϏε • AWSϦιʔεͷߏ੒มߋΛϩΪϯά

   • ߏ੒৘ใͷεφοϓγϣοτΛs3อ؅ • ߏ੒มߋͷ௥੻΍ηΩϡϦςΟ෼ੳɺτϥϒϧγϡʔ ςΟϯάɺίϯϓϥΠΞϯε४ڌΛ༰қʹ͢Δ https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-config-2019/

10. AWS Config Features • Snapshot
 - ͋Δ࣌఺ͰͷConfiguration Itemͷू߹(s3อ؅)
 - Config

    Rulesͷ൑ఆλΠϛϯάͷҰͭ • History
 - ϦιʔελΠϓͷू߹ɻઃఆཤྺΛs3όέοτʹอଘ • Stream
 - Ϧιʔε࡞੒/มߋ/࡟আʹ൐͍࡞੒͞ΕɺSNS΁௨஌Մ https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-config-2019/

11. ߏ੒؅ཧ/؂ࠪܥͷ੕ ༗ޮʹ͠ͳ͍ख͸ͳ͍

12. ࠓ೔ͷςʔϚ

13. AWS Configʹ๊͘ ؁͍ݬ૝ΛͿͬ͜Θ͢ˑ

14. ͱ͋Δ͓୊ ҆ఆͨ͠AWS؀ڥ͕͋ΔͷͰ มߋΛݕ஌͍ͨ͠ͷͰ͢Α

15. ๊͘ݬ૝1 StreamΛ௨஌ͯ͠ ϑΟϧλ͢Ε͹͍͍

16. ๊͘ݬ૝2 SnapShotͷDiffΛऔΕ͹͍͍

17. What you can learn by doing it • དྷΔͷ͸มߋ௨஌͚ͩͰ͸ͳ͍
 -

    Config SnapShot/Historyͷऔಘ௨஌
 - Config RulesͷධՁ݁Ռ/NOT_APPLICABLE௨஌ • ͢΂ͯͷมߋ௨஌͕དྷΔ
 - AWS͕ߦ͏ૢ࡞΋มߋ͸͢΂ͯ௨஌͞ΕΔ

18. AWS Changes Example • ELBͷεέʔϧin/out/retirementʹ܎Δॾมߋ
 - NIC࡟আ/࡞੒ɺSecurity GroupͷAttach • ৽ػೳ௥Ճʹ൐͏EC2ͷଐੑ௥Ճ


    - Capacity Reservationͷ௥Ճ • EC2ىಈ࣌ͷManagedInstanceInventory࡞੒

19. ;͊ͬ ͏Μࠞͬ͜͡ͱΔ΍Μ͚ʂ ͠Όʔͳ͍ɺϑΟϧλ͢Δ͔

20. an inconvenient fact • ໊݅ͰͷϑΟϧλʹ͸ݶք͕͋Δ • มߋ৘ใ͸ɺϦιʔεຖʹεΩʔϚ͕όϥόϥ
 - Resources໊ΛऔΔͷ΋Ұۤ࿑ •

    ͦ΋ͦ΋ConfigͰऩू͞ΕΔ৘ใʹ͸ɺ
 มߋऀͷ৘ใ͸هࡌ͞Εͳ͍

21. ͱ͋Δ͓୊ʢ࠶ܝʣ ҆ఆͨ͠AWS؀ڥ͕͋ΔͷͰ (ਓҝతͳ)มߋΛݕ஌͍ͨ͠ ͷͰ͢Α

22. ͋ɺ٧Μͩʁ

23. ͍΍ͪΐͬͱ଴ͯ Config Timeline͕͋ͬͨΖ

24. Config TimeLine

25. ͜ΕɺͲ͏΍ͬͯΜͶΜ

26. Ask an Expert (2 minutes) • Configuration ItemͷtimestampͱResources TypeΛΩʔʹɺCloudTrailΛLookupͯ͠ΔΜ Ͱ͢Α

27. cloudtrail lookup-events • աڈ90೔ͷCloudTrailΠϕϯτΛࢀরͰ͖Δ • ࣌ؒൣғͱ୯ҰଐੑͰߜΓࠐΈ
 AccessKeyId, EventId, EventName, EventSource,

    Username, ReadOnly, ResourceName, ResourceType https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/ userguide/view-cloudtrail-events-cli.html

28. ΑΖ͍͠ ͳΒ͹࣮૷ͩ

29. manual-changes-detector-poc

30. Output

31. Link Destination

32. Use Case • ҆ఆͨ͠؀ڥ΁ͷϢʔβʔʹඥͮ͘มߋૢ࡞ Λݕग़͍ͨ͠ • Terraform΍CloudFormationͳͲίʔυͰͷ σϓϩΠΛӡ༻ϧʔϧͱ͍ͯ͠Δ؀ڥͰɺͦ ΕҎ֎ͷϢʔβʔʹΑΔมߋΛݕग़͍ͨ͠

33. GithubͰެ։͍ͯ͠·͢

34. Attention • ֓೦࣮ূίʔυͰ͢
 - ຊ൪ϫʔΫϩʔυͰ͸ɺঢ়گʹԠͨ͡վम΍ௐ੔Λ
 ඞཁͱ͠·͢(MIT LicenseͰ͢ɻ͝ར༻͸ܭըతʹ) • ݱ࣌఺ͷ׬੒౓͸60%
 -

    ਵ࣌ߋ৽͠·͢ͷͰஆ͔͘ݟक͍ͬͯͩ͘͞ • Pull Requestେ׻ܴʂ

35. Summary • Config StreamΛ࢖͑͹”౎߹Α͍͍͘ײ͡ʹ”
 มߋΛ௥͏͜ͱ͕Ͱ͖Δ͸ݬ૝ • “Կ͔͋ͬͨΒ௥͑·͢"͔ΒҰาલ΁ • ࠔͬͨ࣌͸ɺExpertʹฉ͘ͷ΋ख

36. Thank You !