Dome9で始めるAWSセキュリティリスク管理.pdf

Transcript

1. %PNFͰ࢝ΊΔ
   "84ηΩϡϦςΟϦεΫ؅ཧ "84ࣄۀຊ෦ɹίϯαϧςΟϯά෦
   ొஃऀ
   ࢢాળٱ

2. ࣗݾ঺հ • ࢢాળٱ • AWSࣄۀຊ෦ ίϯαϧςΟϯά෦ ◦ ιϦϡʔγϣϯΞʔΩςΫτ • େࡕΦϑΟεॴଐ

   • ޷͖ͳAWSαʔϏε ◦ AWS IoTܥαʔϏεɹ ɹ

3. εϥΠυ͸ޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ಺༰ΛϝϞ͢Δඞཁ͸͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ৔߹͸ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹ͝഑ྀ͍ͩ͘͞

4. ຊ೔ͷ಺༰ • Dome9ͱ͸ʁ • Dome9ͷ3ͭͷಛ௃ • Network Security • Security

   Groupͷ؅ཧ • IAM Safety • ڧԽ͞ΕͨIAM • Complicence & Governance • ηΩϡϦςΟϑϨʔϜϫʔΫʹ४ڌͨ͠ηΩϡϦςΟΨόφϯε • ·ͱΊ

5. ͓࿩͠ͳ͍͜ͱ • AWSͷηΩϡϦςΟαʔϏεͷઆ໌ • GuardDutyɺWAFˍShieldɺKMSɺCogniteɺInspectorɺMacieͳͲ • AWSͷηΩϡϦςΟαʔϏεΛۦ࢖ͨ͠ηΩϡϦςΟରԠํ๏ • ֤छαʔϏεͷ׆༻ํ๏ •

   ͦͷଞͷAWSରԠSaaSͷઆ໌ • Trend MicroࣾͷDeep SecurityͳͲ

6. 6 ੹೚ڞ༗Ϟσϧ

7. 7 AWSͷ੹೚ڞ༗Ϟσϧ “બ୒ͨ͠ AWS Ϋϥ΢υͷαʔϏεʹԠͯ͡ҟͳ Γ·͢ɻબ୒ʹΑͬͯɺηΩϡϦςΟʹؔ͢Δ੹ ೚ͷҰ؀ͱ͓ͯ͠٬༷͕࣮ߦ͢Δߏ੒࡞ۀͷྔ͕ ܾఆ͞Ε·͢ɻ” “ఏڙ͞ΕΔ͢΂ͯͷαʔϏεΛ࣮ߦ͢ΔΠϯϑ ϥετϥΫνϟͷอޢʹ͍ͭͯ੹೚Λ࣋ͪ·͢ɻ

   ͜ͷΠϯϑϥετϥΫνϟ͸ϋʔυ΢ΣΞɺι ϑτ΢ΣΞɺωοτϫʔΩϯάɺAWSΫϥ΢υ ͷαʔϏεΛ࣮ߦ͢ΔࢪઃͰߏ੒͞Ε·͢ɻ”

8. 2020೥·Ͱʹى͜ΔηΩϡϦςΟࣄނͷ95%
 ͕ϢʔβىҼͱݴΘΕ͍ͯ·͢ɻ

9. 9 Dome9ͱ͸

10. Dome9ͱ͸ • ΠεϥΤϧൃͷΫϥ΢υηΩϡϦςΟελʔτΞοϓ • 2018೥ʹνΣοΫɾϙΠϯτ͕ࣾങऩ • ࠃ಺Ͱ͸ιϑτόϯΫ͕ಠ઎తʹऔΓѻ͍ • AWS, Azure,

    GCPʹରԠ

11. 11 Dome9ͷಛ௃ͱػೳ

12. 12 Dome9ͷಛ௃ Assess(ධՁ) • ωοτϫʔΫɾτϙϩδʔͷϏδϡΞϥΠζ • ϛείϯϑΟά΍ڴҖͷੋਖ਼ Contorl(੍ޚ) • ϕετϓϥΫςΟεͷڧ੍

    • ະೝূͳมߋͷ๷ࢭ • ίϯϓϥΠΞϯεඪ४ʹै͏ Remediate(ੋਖ਼) • ϙϦγʔઃఆʹΑΔ໰୊఺ͷमਖ਼ • Ϋϥ΢υ؀ڥͷΞΫςΟϒͳϓϩςΫτ

13. 13 แׅతͳΫϥ΢υηΩϡϦςΟͷఏڙ - 3ͭͷػೳ Network Security • Security GroupͷՄࢹԽ •

    ૬ޓతͳڐՄϧʔϧͷՄࢹԽ • Security Groupͷ౷੍ • ڐՄ͞Ε͍ͯͳ͍มߋͷ੾Γ໭͠ IAM Safety • ڧԽ͞ΕͨIAMϓϩςΫγϣϯ • ࣌ݶతͳಛݖͷ෇༩ Complience & Governance • αϙʔτ͍ͯ͠ΔηΩϡϦςΟϑϨʔϜϫʔΫͷϧʔϧηοτͰAWS؀ڥΛධՁ • NISTɺCISɺPCI-DSSͳͲ • ಠࣗʹఆٛՄೳ

14. 14 Network Security

15. 15 Security Group؅ཧ Security GroupͷՄࢹԽ • Ͳ͔͜ΒͲ͜΁௨৴͕ڐՄ͞Ε͍ͯΔͷ͔ʁ • ͲͷϦιʔε͕ؔ࿈͍͍ͮͯΔͷ͔ʁ •

    EC2΍RDSͳͲϦιʔεଆ͔Β͔͠ݟ͑ͳ͍ • άϧʔϓಉ࢜ͷؔ܎ੑ͕೺Ѳͮ͠Β͍ • ෼͔Γ΍͘͢ՄࢹԽ͞Εͨ΋ͷ͕ཉ͍͠

16. 16 αϯϓϧߏ੒ αϯϓϧߏ੒ͷSecurityGroupߏ੒ΛՄࢹԽ

17. 17 αϯϓϧߏ੒ͷSecurity Group Application Load Balancer • HTTP : 0.0.0.0/0

    BastionʢEC2ʣ • SSH : 203.0.113.4/32ʢ։ൃڌ఺ʣ WebʢEC2ʣ • HTTP : Application Load Balancer (Security Group) • SSH : Bastion (Security Group) DBʢRDSʣ • MySQL : Web (Security Group)

18. 18 ClarityʹΑΔՄࢹԽ • ࣗಈతʹϨΠϠʔ෼ׂදࣔ • ֎෦κʔϯɿ֎෦ωοτϫʔΫ/ϗετ • DMZɿInternet͔ΒΞΫηεՄೳͳηΩϡϦςΟάϧʔϓ • Ұ෦Φʔϓϯɿಛఆͷ֎෦ωοτϫʔΫ/ϗετ͔ΒΞΫηεՄೳ

    • ಺෦κʔϯɿVPC಺ͷϦιʔε͔ΒΞΫηεՄೳ ( άϧʔϓ಺ͷ਺ࣈ͸ؔ࿈Ϧιʔε਺ʣ

19. 19 ϋΠϥΠτදࣔ • ηΩϡϦςΟάϧʔϓผʹΞΫηεڐՄઃఆΛϋΠϥΠτදࣔ • SourceɿΦϨϯδ৭ • Targetɿਫ৭ • ը໘ӈଆʹৄࡉදࣔ

    • ϧʔϧ಺༰ͷৄࡉʢΠϯό΢ϯυ/Ξ΢τό΢ϯυʣ • ιʔεɺλʔήοτɺλά

20. 20 ؔ࿈Ϧιʔεͷදࣔ • bastion-sgͷ৔߹ • Sourceɿڌ఺IP͔ΒͷΞΫηεΛڐՄʢΦϨϯδ৭ʣ • Targetɿweb-ec2-sg΁ͷΞΫηεΛڐՄʢਫ৭ʣ

21. 21 ؔ࿈Ϧιʔεͷදࣔ • web-ec2-sgͷ৔߹ • Sourceɿalb-sgɺbastion-sg͔ΒͷΞΫηεΛڐՄ • Targetɿrds-sg

22. 22 αϯϓϧྫ

23. 23 Tamper Protection Dynamic Access

24. 24 Tamper Protection Dynamic Access

25. 25 Security Groupͷ՝୊ ՝୊ • ۓٸ࡞ۀͰҰ࣌తʹSSH΍RDPͷΞΫηεΛڐՄ • ࡞ۀޙʹ໭ͭ͢΋Γ͚ͩͬͨͲ๨Ε͍ͯͨ • ఆظతͳݟ௚͠ͷͱ͖ʹʮͳͥڐՄ͞Ε͍ͯΔʯͷ͔෼͔Βͳ͍

    • ϧʔϧͷίϝϯτ͚ͩͰ͸؅ཧ͖͠Εͳ͍

26. 26 Tampler Protection Dome9Λܦ༝͠ͳ͍ηΩϡϦςΟάϧʔϓͷվ͟Μ(Tamper)Λ๷ࢭ(Protect) • มߋ͍ͨ͠৔߹͸ɺDome9͔Βมߋ࡞ۀΛ࣮ࢪ • Tamper Protectionͷ༗ޮԽ୯Ґ͸άϧʔϓ •

    ʮFull-Protectionʯ͕༗ޮʹͳ͍ͬͯΔ͜ͱ

27. 27 Tampler Protectionͷಈ࡞ཤྺ Dome9ͷHistory͔ΒΠϕϯτΛ֬ೝՄೳ

28. 28 Tampler Protectionͷಈ࡞ཤྺͷৄࡉ

29. 29 Tampler ProtectionΛCloudTrailͰัଊ ಉ࣌ࠁʹʮRevokeSecurityGroupIngressʯͷΠϕϯτൃੜ

30. 30 Dome9͔ΒSecurity GroupΛมߋ ର৅ϧʔϧͰʮEDITʯΛΫϦοΫ

31. 31 Dome9͔ΒSecurity GroupΛมߋ - SOURCEͷ௥Ճ 1.ʮ+ADD SOURCEʯΛΫϦοΫ 2. ܗࣜΛબ୒ •

    IP CIDR or DNS Name • IP LIST (Customer managed) • IP LIST (Dome9 managed) • AWS Security Group • AWS Peered VPC

32. 32 Dome9͔ΒSecurity GroupΛมߋ - DNSͰSOURCEΛࢦఆ͢Δͱɾɾɾ ࢼ͠ʹʮDNS NameʯΛબ୒ͯ͠ʮwww.yahoo.co.jpʯΛڐՄର৅ʹͯ͠Έͨ

33. 33 DNSͷਖ਼Ҿ͖݁ՌΛࣗಈొ࿥ • ʮwww.yahoo.co.jpʯͷਖ਼Ҿ͖݁ՌͷIPͰࣗಈొ࿥ • ໊લղܾͷIP͕มΘͬͯ΋௥ैͯ͠ϧʔϧΛมߋ

34. 34 AWS Configͷར༻ AWSͷαʔϏε͚ͩͰ΍ͬͯΈΔ • AWS Config ͷར༻ • Config

    RulesͰΞΫγϣϯͷࢦఆ • ྫɿηΩϡϦςΟάϧʔϓ͕ແ੍ݶڐՄͷSSHΛෆڐՄʹ͢Δ • શ͘ಉ͜͡ͱΛ΍ΔͳΒΧελϜϧʔϧΛࣗ࡞ • Dome9Ͱ΍Δ৔߹͸ɺॳظಋೖɺ؅ཧɺӡ༻͕༰қʹͳΔͷͰτϨʔυΦϑ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/ https://dev.classmethod.jp/cloud/aws/automate-aws-config-remediation-action/

35. 35 Tamper Protectionͷ·ͱΊ Tamper Protection • Dome9 Λܦ༝͠ͳ͍Seurity Groupͷมߋʢվ͟ΜʣΛ๷ࢭ͢Δ •

    Dome9͔Βมߋͨ͠ϧʔϧ͸΋ͱʹ໭͞ΕΔ͜ͱ͸ແ͍ • Dome9্Ͱͷมߋ΋Historyʹ࢒Δ

36. 36 Tamper Protection Dynamic Access

37. 37 Dynamic Access ηΩϡϦςΟάϧʔϓʹҰ࣌తͳΞΫηεڐՄϧʔϧΛ௥Ճ • ର৅ͷάϧʔϓ/ϧʔϧʹରͯ͠Ұ࣌తͳΞΫηεڐՄΛ௥Ճ ڐՄ͞ΕΔIP • Dome9ʹΞΫηε͍ͯ͠ΔIP͕ڐՄର৅ •

    Dome9Ҏ֎ͷϝϯόʔ͔ΒͷΞΫηεΛڐՄͤ͞Δ͜ͱ΋Մೳ • ট଴ϝϯόʔ͕ڐՄϦϯΫΛΫϦοΫͨ͠IPͰڐՄ͞ΕΔ

38. 38 Dynamic Access • Dome9ʹΞΫηε͍ͯ͠ΔIPΛڐՄ(x.x.x.x) • ϝʔϧதͷট଴ΞΫςΟϕʔγϣϯͷϦϯΫΛΫϦοΫͨ͠IPͰڐՄ(y.y.y.y) ট଴ϝʔϧ

39. 39 Dynamic Accessͷར༻ํ๏ • ର৅άϧʔϓͰڐՄΛ௥Ճ͍ͨ͠ϧʔϧʹʮGET ACESSʯ • ڐՄ͢ΔظؒΛબ୒ՄೳʢσϑΥϧτ1࣌ؒʣ • ௥Ճϧʔϧ͕࡟আ͞ΕΔ·Ͱͷ࣌ؒ

40. 40 Dynamic Accessͷར༻ - Send Invitation Send Invitaion Dome9Ҏ֎ͷϝϯόʔ͔ΒͷΞΫηεΛڐՄ •

    ট଴ͷ༗ޮظݶ • ڐՄ͢Δ࣌ؒ • ϝʔϧΞυϨε • ௥ՃϢʔβͷΞυϨε • ࣗ෼ͷΞυϨε • ΞΫςΟϕʔγϣϯϦϯΫੜ੒ͷΈ

41. 41 Dynamic AccessͷϢʔβট଴ ট଴ϝʔϧ • ϝʔϧதͷϦϯΫΛΫϦοΫͯ͠ɺ
 ট଴ΛΞΫςΟϕʔγϣϯ • ઀ଓΛڐՄ͍ͨ͠Ϛγϯ্ͰΞΫςΟ
 ϕʔγϣϯΛ࣮ࢪ

42. 42 ট଴݁Ռ ϦϯΫΫϦοΫޙͷදࣔ • ڐՄͨ͠άϧʔϓͱαʔϏε • ڐՄͨ͠IPͱ࣌ؒ

43. 43 Dynamic Access - ༗ޮͳLeaseͷ؅ཧ • ʮҰ࣌తʹ௥Ճ͍ͯ͠ΔΞΫηεڐՄʯͷҰཡදࣔ • ࣌ؒຬྃલʹࣦޮͤ͞Δ͜ͱ΋Մೳ •

    ট଴࣌ͷIPؒҧ͍΍ະঝೝͷট଴ΛʮPending invitationʯ͔Β࡟আՄೳ

44. 44 Network Security·ͱΊ Tamper Protection • Dome9 Λܦ༝͠ͳ͍Seurity GroupͷมߋΛ๷ࢭ͢Δ •

    Dome9͔Βมߋͨ͠ϧʔϧ͸΋ͱʹ໭͞ΕΔ͜ͱ͸ແ͍ • Dome9্Ͱͷมߋ΋Historyʹ࢒Δ Dynamic Access • ηΩϡϦςΟάϧʔϓʹҰ࣌తͳڐՄϧʔϧΛ௥ՃͰ͖Δ • ࢦఆ࣌ؒܦաޙʹ௥Ճϧʔϧ͸ࣗಈ࡟আͰɺҰ࣌తͳ௥Ճͷ໭͠๨ΕΛ๷ࢭ • มߋ͸Historyʹ࢒Δ

45. 45 IAM Safety

46. 46 IAM Safety IAM Report

47. 47 IAM؅ཧͷ՝୊ IAM؅ཧ͸೉͍͠ • ৗʹඞཁͰ͸ͳ͍ݖݶΛҰ࣌తʹڐՄ͍ͨ͠ • ౎౓ɺมߋ࡞ۀΛ͢Δͷ͸࡞ۀϛε΋͋Γආ͚͍ͨ • ؅ཧऀͱͯਓؒ •

    Systems ManagerͳͲΛۦ࢖ͯࣗ͠ಈԽ͸Մೳ • AutomationυΩϡϝϯτͷ࡞੒ͳͲࣄલ४උ͕ඞཁ
 https://dev.classmethod.jp/cloud/aws/workflow-to-add-temporary-privilege-by-ssm-automation/

48. 48 IAM Safetyͷ࢓૊Έ Ұ࣌తʹࣄલఆٛͨ͠ಛݖΛ෇༩͢Δ͜ͱ͕Ͱ͖Δ - ݖݶͷঢ֨ • ฏ࣌͸੍ݶ͍ͨ͠಺༰Λ·ͱΊͨϙϦγʔΛIAM GroupͷϙϦγʔʹઃఆ •

    ϙϦγʔ͸Dome9্ͰGUIͰ࡞੒Մೳ • GUIૢ࡞ͰJSONͷϙϦγʔΛੜ੒ • Dome9ଆͰςϯϓϨʔτ΋༻ҙ • อޢର৅ͷIAM User/RoleΛબ୒ͯ͠อޢ • อޢ͢Δͱ֘౰ͷIAM User্͕هͷGroupʹॴଐʢ੍ݶϙϦγʔͷద༻ʣ • IAM Roleͷ৔߹͸੍ݶϙϦγʔ͕Ξλον • ಛݖΛ෇༩ʢঢ֨ʣ͍ͤͨ͞ͱ͖ʹɺ੍ݶϙϦγʔ͕σλον͞ΕΔ • ࢦఆ͕࣌ؒܦաޙʹࣗಈతʹ੍ݶϙϦγʔ͕Ξλονʢ߱֨ʣ

49. 49 IAM Safetyͷ࢓૊Έ • ੍ݶɿDome9อޢର৅ͷIAMʹ੍ݶϙϦγʔΞλον • ߱֨ɿDome9อޢର৅ͷIAMʹ੍ݶϙϦγʔΞλον • ঢ֨ɿ੍ݶϙϦγʔΛσλον

50. 50 IAM Safety - ঢ֨ઃఆ ద༻͍ͨ͠IAM UserΛDome9্͔Βબ୒ • Լه͸ʮdome9-test2ʯʮdome9-test3ʯͷIAM UserΛબ୒

51. 51 IAM Safety - ঢ֨ઃఆ อޢର৅ʹ͸伴ϚʔΫ

52. 52 IAM Safety - ฏ࣌ͷIAMઃఆ Dome9ͷ੍ݶϙϦγʔ͕ద༻͞Ε͍ͯΔʢ֘౰άϧʔϓʹೖ͍ͬͯΔʣ

53. 53 IAM Safety - ঢ֨ͷ࣮ߦ ঢ͓֨ͯ͘͠ظؒʢ30෼ɺ1࣌ؒɺ2࣌ؒʣΛࢦఆՄೳ

54. 54 IAM Safety - ঢ֨ͷঢ়گ֬ೝ • ঢ֨தͷ΋ͷΛ֬ೝՄೳ • ظݶલʹঢ֨Λதஅ͢Δ͜ͱ΋Մೳ

55. 55 IAM Safety - ϞόΠϧΞϓϦ • ϞόΠϧΞϓϦ͔Βঢ֨ɾऔΓফ͠ɾઃఆ͕Մೳ ʻঢ֨ʼ ʻઃఆʼ ʻऔΓফ͠

    / ظݶ֬ೝʼ

56. 56 IAM Safety IAM Report

57. 57 IAMϨϙʔτ Policy ReportʢϙϦγʔϨϙʔτʣ • Dome9Ͱ؅ཧ͢ΔAWSΞΧ΢ϯτશͯͷIAM Entityͷ૊Έ߹ΘͤΛҰཡදࣔ • ࡞੒ࡁΈͷIAM User/Roleͷݖݶ΍αʔϏεछผͰநग़Մೳ

    Credential Reportʢೝূ৘ใϨϙʔτʣ • IAM Userͷೝূ৘ใΛநग़ • ίϯιʔϧαΠϯΠϯͷύεϫʔυ͕༗ޮͳϢʔβ • ͦͷύεϫʔυͷར༻ཤྺ ͳͲ

58. 58 ϙϦγʔϨϙʔτ ϑΟϧλϦϯάྫɿKinesis data firehoseʹʮPutRecordʯͰ͖ΔEntity

59. 59 ϑΟϧλϦϯάઃఆͷ׆༻ ϑΟϧλϦϯάઃఆ͸อଘͯ͠࠶ར༻͕Մೳ

60. 60 ϑΟϧλϦϯάઃఆͷ׆༻ อଘͨ͠ϑΟϧλϦϯάΛ࠶ར༻

61. 61 ೝূ৘ใϨϙʔτ ϑΟϧλϦϯάྫɿʮcmichidaʯͱ͍͏ΞΧ΢ϯτͰʮαΠϯΠϯύεϫʔυ͕༗ޮʯ

62. 62 Compliance & Governance

63. 63 ܧଓతͳηΩϡϦςΟνΣοΫ ҧ൓߲໨ͷࣗಈతͳվળ - Remediation

64. 64 ܧଓతͳηΩϡϦςΟνΣοΫ ՝୊ • ४ڌ͢΂͖ηΩϡϦςΟج४ͷҡ͕࣋೉͍͠ • ४ڌ͢΂͖ηΩϡϦςΟج४ͷҡ࣋Λ୲อ͢Δ࢓૊Έ͕ແ͍ • ΞΧ΢ϯτʹΑͬͯηΩϡϦςΟج४͕ҟͳΔ •

    CISɺPCI-DSSɺNISTɺSOC2ɺHIPPAɾɾɾ

65. 65 Dome9͕ରԠ͍ͯ͠ΔηΩϡϦςΟϑϨʔϜϫʔΫʢೝূʣ • Dome9͸نఆ/ಠࣗఆٛͷධՁϧʔϧͰ֤AWSΞΧ΢ϯτΛධՁՄೳ • ෳ਺ͷୈࡾऀೝূΛϕʔεʹͨ͠ϧʔϧηοτ • CIS • NIST

    800-53 • PCI-DSS 3.2 • HIPPA • GDPR • ISO27001 • SOC2

66. 66 ϧʔϧηοτ • ೝূʹԠͨ͡ϧʔϧ͕·ͱ·ͬͨϧʔϧηοτ • ֤ϧʔϧ͸GSLͱ͍͏ಠࣗݴޠͰఆٛ

67. 67 GSLͱ͍͏Dome9ͷಠࣗݴޠ ྫɿAWS Kinesis Server data at rest has server

    side encryption ྫɿEnsure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) ྫɿEnsure IAM policies are attached only to groups or roles Kinesis should have encrypted=true SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=3389 and portTo>=3389] IamUser where not (name regexMatch /^<root_account>$/i ) should have managedPolicies isEmpty() and inlinePolicies isEmpty()

68. 68 ܧଓతͳηΩϡϦςΟνΣοΫ ܧଓతͳνΣοΫͷઃఆ • νΣοΫ͍ͨ͠AWSΞΧ΢ϯτΛબ୒ • ϧʔϧηοτ͔ΒνΣοΫ͍ͨ͠ೝূͷηοτΛબ୒ • ௨஌ઌΛઃఆ

69. 69 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ʮADD POLICYʯΛΫϦοΫ

70. 70 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ νΣοΫ͍ͨ͠ΞΧ΢ϯτΛબ୒

71. 71 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ϧʔϧηοτΛબ୒ ʢ͜͜Ͱ͸AWS PCI-DSS 3.2ʣ

72. 72 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ௨஌ઌΛઃఆ • νΣοΫ݁Ռͷ௨஌ • ௨஌ઌΞυϨεͷઃఆ •

    ௨஌εέδϡʔϧͷઃఆ • Ϩϙʔτछྨ • Summary, Detailed, CSV͋ • ௨஌ઃఆ͸ࣄલ࡞੒ or
 ͜ͷ΢Οβʔυதʹ࡞੒Մೳ

73. 73 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ධՁ͕࣮ߦ͞ΕΔͱࢦఆͨ࣌ؒ͠ʹϝʔϧͰ Ϩϙʔτ͕ಧ͖·͢ • είΞ஋ • લճͷείΞ஋΋දࣔ

    • Failedͷ߲໨ΛҰཡදࣔ • ৭ͰFailedͷਂࠁ౓Λ෼ྨදࣔ

74. 74 ܧଓతͳηΩϡϦςΟνΣοΫ ҧ൓߲໨ͷࣗಈతͳվળ - Remediation

75. 75 ҧ൓߲໨ͷࣗಈతͳվળ - Remediation ఆظతͳνΣοΫ࣌ʹҧ൓߲໨͕͋Ε͹ࣗಈతʹઃఆΛमਖ਼ • ϕʔλఏڙʢ2019೥10݄10೔ݱࡏʣ • Cloud-botsʹΑΔमਖ਼ΞΫγϣϯ •

    CloudFormationͰσϓϩΠ • ϚϧνΞΧ΢ϯτʹରԠ • ୭Ͱ΋ར༻Մೳ

76. 76 cloud-bots͸୭Ͱ΋ར༻Մೳ https://github.com/dome9/cloud-bots

77. 77 Cloud-botsͷΞʔΩςΫνϟ

78. 78 Cloud-botsͷΞʔΩςΫνϟ • Dome9͕ఆظνΣοΫ࣮ߦ • ҧ൓߲໨͕͋Ε͹SNSτϐοΫʹύϒϦογϡ • LambdaͰࢦఆͷվળΞΫγϣϯΛ࣮ߦ • ݁ՌΛࢦఆͷσϓϩΠ࣌ͷࢦఆΞυϨεʹ௨஌

79. 79 Remediationͷ࡞੒ • RulesetɿʮϙϦγʔʯͰࢦఆͨ͠ϧʔϧ
 ηοτͰҧ൓߲໨͕͋Ε͹ͦͷϧʔϧ
 ηοτʹରԠͨ͠मਖ਼ΞΫγϣϯ͕࣮ߦ
 ͞Ε·͢ • Remediate by

    Ruleɿमਖ਼ΞΫγϣϯΛ
 ࣮ߦ͍߲ͨ͠໨ͷࢦఆ • Remediate by Cloud Accountɿର৅ͷAWS
 ΞΧ΢ϯτΛࢦఆ • Remediate by EntityɿΞΫγϣϯର৅ͷ
 ࢦఆ • Cloud BotsɿCloud-botsͰ࣮ࢪ͢ΔΞΫ
 γϣϯͷࢦఆ • Commentɿίϝϯτ

80. 80 Cloud BotͰͰ͖Δ͜ͱ • ami_set_to_private • cloudtrail_enable • cloudtrail_send_to_cloudwatch •

    cloudwatch_create_metric_filter • config_enable • ec2_attach_instance_role • ec2_create_snapshot • ec2_release_eips • ec2_quarantine_instance • ec2_stop_instance • ec2_terminate_instance • ec2_update_instance_role • iam_role_attach_policy • iam_user_attach_policy • iam_quarantine_role • iam_quarantine_user • iam_turn_on_password_policy • iam_user_force_password_change • igw_delete • kms_enable_rotation • mark_for_stop_ec2_resource • rds_quarantine_instance • s3_delete_acls • s3_delete_permissions • s3_enable_encryption • s3_enable_logging • s3_enable_versioning • sg_delete • sg_rules_delete • sg_single_rule_delete • tag_ec2_resource • vpc_turn_on_flow_logs

81. 81 Botsͷ঺հ sg_single_rule_delete • ηΩϡϦςΟάϧʔϓͷҰͭͷϧʔϧΛ࡟আ͢Δ • ࢦఆ߲໨ • splitɿ࡟আޙʹϧʔϧΛ෼ׂ͢Δ͔Ͳ͏͔ •

    protocolɿϓϩτίϧ • scopeɿϙʔτൣғ • directionɿ௨৴ͷ޲͖ • portɿϙʔτ

82. 82 Botsͷ঺հ sg_single_rule_delete • ࢦఆ߲໨ɿsplit • طଘϧʔϧͰ֘౰ϙʔτ͕ʮΑΓେ͖ͳϙʔτൣғʯͰઃఆ͞Ε͍ͯͨ৔߹ʹɺ ࡟আ͍ͨ͠ϙʔτΛআ͍ͨෳ਺ͷϧʔϧʹ෼ׂ ϧʔϧAɿ[ ڐՄϙʔτɿ1

    - 30 ] SSHϙʔτɿ22 ͷڐՄΛ࡟আ͍ͨ͠ SSHϙʔτɿ22 ͷڐՄΛ࡟আ ϧʔϧBɿ[ ڐՄϙʔτɿ1 - 21 ] ϧʔϧCɿ[ ڐՄϙʔτɿ23 - 30 ] →

83. 83 ఆظνΣοΫͷ࣮ߦ ఆظνΣοΫͷ࣮ߦ࣌ʹRemediation΋࣮ߦ • ʮධՁཤྺʯΑΓνΣοΫ༗ແͱཤྺΛ֬ೝ

84. 84 Remediationͷϝʔϧ௨஌ • ʮRemediationOutputʯͱ͍͏໊݅ͷϝʔϧ

85. 85 Remediationͷϝʔϧ௨஌ྫ • ʮRemediationOutputʯͱ͍͏໊݅ͷϝʔϧ { "ReportTime": "2019-10-03T05:30:37.559Z", "Account id": "xxxxxxxxxxxxxx",

    "findingKey": "xxxxxxxxxxxxxxxxx", "Rules violations found": [ { "Rule": "Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)", "ID": "sg-xxxxxxxxxxxxxxxxx", "Name": "dome9-test-sg", "Remediation": "sg_single_rule_delete", "Execution status": "passed", "Bot message": "Split matching for the port to be remediated is set to False. If the port is contained within a larger scope, it will be skipped.\nThe protocol to be removed is TCP\nScope to be removed found: 0.0.0.0/0 \nThe rule to be removed is going to be for inbound traffic\nPort to be removed: 22 \nMatching rule found that is going to be deleted. Protocol:TCP Direction:inbound Port: 22 Scope:0.0.0.0/0\nSecurity Group rule from port 22 to port 22 successfully removed\n" } ] }

86. 86 BotsͷCloudTrailʹΑΔัଊ • Ϣʔβ໊ɿDome9CloudBots • ࣌ࠁ͸ఆظνΣοΫʢ02:30ʣΑΓλΠϜϥά͕͋Δ • ࣮ߦ͞Εͨͷ͸02:45ͱͳ͍ͬͯΔ

87. 87 Dome9Λ࢖͍ͬͯͳͯ͘΋CloudBots͸ར༻Մೳ ࢦఆϑΥʔϚοτͷϝοηʔδΛSNSτϐοΫʹύϒϦογϡ͢Ε͹OK • Dome9͕CloudBotsʹύϒϦογϡ͢Δϝοηʔδͱಉ͡Ͱ͋Ε͹Α͍ ͜ͷ෦෼

88. 88 Dome9Λ࢖ΘͣʹCloudBotsΛ׆༻ Trusted Advisorͱͷ૊Έ߹Θͤ • Trusted Advisor͕ʮUnrestricted AccessʯͰRedΛݕग़ • CloudWatch

    EventsͰLambda͔ΒϝοηʔδΛCloudBotsʹύϒϦογϡ

89. 89 CloudBotsʹૹΔϝοηʔδϑΥʔϚοτ • id • AWSΞΧ΢ϯτID • accountNumber • AWSΞΧ΢ϯτID

    • entity • վળΞΫγϣϯͷର৅Ϧιʔε { "reportTime": "2018-03-20T05:40:42.043Z", "rule": { "name": "<name for rule>", "complianceTags": "AUTO: <bot-name>" }, "status": "Failed", "account": { "id": "************" }, "entity": { "accountNumber": "************", "id": "i-*****************", "name": "************", "region": "us_west_2", } }

90. 90 ·ͱΊ

91. 91 ·ͱΊ ηΩϡϦςΟͷϦεΫͷൃݟɺ༧๷ɺ؅ཧ • ωοτϫʔΫͷՄࢹԽ • SecurityGroupͷՄࢹԽʹΑΔ௨৴ܦ࿏ͷՄࢹԽ • ෆ༻ҙͳมߋͷ཈੍ͱҰ࣌తͳมߋ࡞ۀʹΑΔϦεΫͷ౷੍ ୈࡾऀͷϙϦγʔʹجͮ͘؂ࠪͱҡ࣋

    • ୈࡾऀͷϙϦγʔ४ڌͷϧʔϧηοτʹΑΔηΩϡϦςΟνΣοΫ • ܧଓతͳνΣοΫͱࣗಈम෮ʹΑΔηΩϡϦςΟϨϕϧͷҡ࣋ ෳ਺ΞΧ΢ϯτͷҰݩ؅ཧ • Dome9ͰҰݩతʹνΣοΫɺ؅ཧɺվળɺϨϙʔςΟϯάΛ࣮ࢪ • ҟͳΔηΩϡϦςΟج४ͷෳ਺ΞΧ΢ϯτΛ༰қʹ؅ཧՄೳ

92. 92 ઃఆखॱ ۩ମతͳखॱ͸ฐࣾϒϩάͰ঺հ͍ͯ͠·͢ʂ

93. 93 ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠