AWS CDKでコンテナイメージスキャンを行う〜ECRとその他の方法〜 / cdk-container-image-scan

LHPUP าͷςοΫ "84$%,Ͱ ίϯςφΠϝʔδεΩϟϯΛߦ͏ ʙ&$3ͱͦͷଞͷํ๏ʙ +"846(ίϯςφࢧ෦º+"846(ઍ༿ࢧ෦ ࠓ஌Γ͍ͨίϯςφηΩϡϦςΟ

ࣗݾ঺հ LHPUP w ςοΫϦʔυɾϥʔϝϯ޷͖ w "84$PNNVOJUZ#VJMEFS %FW5PPMT w าͷςοΫ
ٕज़ϒϩά w ࣗ࡞"84πʔϧͷ044։ൃ w "84$%,ίϯτϦϏϡʔλʔ w 9 5XJUUFS !@TUFQ@UFDI ‣ LHPUP าͷςοΫ

͜ͷ೥ͷొஃৼΓฦΓ ˙"84%FW%BZ+BQBO ‣ αʔόʔϨεͳϝʔϧૹ৴γεςϜΛ"84$%,Ͱߏங͠਺ઍਓن໛ͷ؀ڥͰӡ༻ͨ͠࿩ ˙+"846($%,ࢧ෦ ‣ $%,Ͱ7BMJEBUJPO͢Δຊ౰ͷํ๏ ˙"QQ3VOOFS/JHIU "844UBSUVQ.FFUVQ
‣ "QQ3VOOFSͰ"QQͰͳ͍΋ͷΛ3VO͢Δ ˙"84$%,$POGFSFODF+BQBO ‣ "84$%,ͱ;PEΛ׆༻ͨ͠όϦσʔγϣϯύλʔϯू ˙+"846(43&ࢧ෦ ‣ $MPVE8BUDIෳ߹ΞϥʔϜͰ&-#ͷ99Λ͍͍ײ͡ʹݕ஌͠Α͏ͱͨ͠Β͏·͍͔͘ͳ͔ͬͨ࿩ ˙"84%FW%BZ5PLZP ‣ "84$%,ͰֶͿ(P'σβΠϯύλʔϯʙ*B$ʹ΋ίʔυઃܭʙ ˙+"846($%,ࢧ෦ ‣ "84$%,Ͱ࢖͏(P'σβΠϯύλʔϯʙ࣮ࡍͲ͏ͳͷʁʙ ˙4UBSUVQ%BZ ‣ ελʔτΞοϓͰͦ͜$%,͕׆͖ͨʙੜ࢈ੑΛ޲্Ͱ͖ͨͭͷཧ༝ʙ ˙+"846($%,ࢧ෦ ‣ $MPVE'PSNBUJPOϢʔβʔ͕$%,ʹೖ໳ͯ͠Έͯࢥͬͨ͜ͱ ύωϧσΟεΧογϣϯ ˙+"846(ίϯςφࢧ෦º+"846(ઍ༿ࢧ෦ ‣ "84$%,ͰίϯςφΠϝʔδεΩϟϯΛߦ͏ʙ&$3ͱͦͷଞͷํ๏ʙ $%,ωλ શొஃɿຊ $%,ωλɿຊ $%,ͷେϑΝϯͰ͢ʂʂʂ $%,ͷܒ໤׆ಈத

ίϯςφηΩϡϦςΟ

AWS CDKͰίϯςφΠϝʔδεΩϟϯΛߦ͏

"84$%,Ͱίϯςφʁ

"84$%, º ίϯςφΠϝʔδϏϧυ

"84$%,ºίϯςφΠϝʔδϏϧυ w "84$%,Ͱ͸؆୯ʹίϯςφΠϝʔδͷϏϧυ͕Ͱ͖Δ ‣ *B$ϨΠϠʔ *B$ίʔυ಺ ͰͷΠϝʔδϏϧυɾΠϝʔδϓογϡ͕Մೳ $%,Ҏ֎ͷ*B$πʔϧͰ͸*B$ͷ؅ཧ֎Ͱ΍Δ͜ͱ͕ଟ͍ ϦϙδτϦ࡞੒
ΠϝʔδϏϧυ Πϝʔδϓογϡ

"84$%,ºίϯςφΠϝʔδεΩϟϯʁ w "84$%,͚ͩͰΠϝʔδͷϏϧυ͔Βϓογϡ·Ͱग़དྷͯศརʂ w Ͱ΋ɺ"84$%,಺ͰϏϧυͨ͠ΠϝʔδͷεΩϟϯ͸Ͳ͏΍ͬͯʁ ‣ ࣮͸ɾɾɾ

"84$%,ºίϯςφΠϝʔδεΩϟϯʁ w "84$%,͚ͩͰΠϝʔδͷϏϧυ͔Βϓογϡ·Ͱग़དྷͯศརʂ w Ͱ΋ɺ"84$%,಺ͰϏϧυͨ͠ΠϝʔδͷεΩϟϯ͸Ͳ͏΍ͬͯʁ ‣ ࣮͸ɾɾɾ ཱ֬͞Ε͍ͯͳ͍

"84$%,ºίϯςφΠϝʔδεΩϟϯʁ w "84$%,͚ͩͰΠϝʔδͷϏϧυ͔Βϓογϡ·Ͱग़དྷͯศརʂ w Ͱ΋ɺ"84$%,಺ͰϏϧυͨ͠ΠϝʔδͷεΩϟϯ͸Ͳ͏΍ͬͯʁ ‣ ࣮͸ɾɾɾ ཱ֬͞Ε͍ͯͳ͍ ͱ͍͏͔ ͋·Γฉ͔ͳ͍
Ͱ͢ΑͶʁ

ҰൠతͳίϯςφΠϝʔδͷεΩϟϯํ๏ w Ұൠతʹ͸Ͳ͏΍ͬͯΠϝʔδεΩϟϯ͢Δͷʁ πʔϧ ‣ &$3 ϕʔγοΫεΩϟϯ
֦ுεΩϟϯ XJUI"NB[PO*OTQFDUPS ‣ αʔυύʔςΟπʔϧ 5SJWZ %PDLMF FUDʜ

ҰൠతͳίϯςφΠϝʔδͷεΩϟϯํ๏ w Ұൠతʹ͸Ͳ͏΍ͬͯΠϝʔδεΩϟϯ͢Δͷʁ ϑϩʔ ‣ Ұఆִؒ ఆظ ࣮ߦ
೔ʹճ ‣ ඇಉظ Πϕϯτ ࣮ߦ ΠϝʔδͷϓογϡΛτϦΨʔ ‣ ಉظ࣮ߦ $*$%ύΠϓϥΠϯͷεςοϓ

ҰൠతͳίϯςφΠϝʔδͷεΩϟϯํ๏ w ಉظ࣮ߦ $*$%ύΠϓϥΠϯͷεςοϓ ͷྫ ΠϝʔδεΩϟϯ ΠϝʔδϏϧυ Πϝʔδϓογϡ

ҰൠతͳίϯςφΠϝʔδͷεΩϟϯํ๏ w ಉظ࣮ߦ $*$%ύΠϓϥΠϯͷεςοϓ ͷྫ ΠϝʔδεΩϟϯ ΠϝʔδϏϧυ Πϝʔδϓογϡ ੬ऑੑݕग़

ҰൠతͳίϯςφΠϝʔδͷεΩϟϯํ๏ w ಉظ࣮ߦ $*$%ύΠϓϥΠϯͷεςοϓ ͷྫ ΠϝʔδεΩϟϯ ΠϝʔδϏϧυ Πϝʔδϓογϡ ͤ͞ͳ͍ ੬ऑੑݕग़

ҰൠతͳίϯςφΠϝʔδͷεΩϟϯํ๏ w ಉظ࣮ߦ $*$%ύΠϓϥΠϯͷεςοϓ ͷྫ ΠϝʔδεΩϟϯ ΠϝʔδϏϧυ Πϝʔδϓογϡ ͤ͞ͳ͍ ੬ऑੑݕग़
ϓογϡΛτϦΨʔʹ σϓϩΠ͢Δέʔε΋҆৺ σϓϩΠલʹऴྃ

͋ΒͨΊͯ

"84$%,Ͱ ίϯςφΠϝʔδεΩϟϯͬͯ Ͳ͏΍Δͷʁ

ͱΓ͋͑ͣ

&$3Ͱ ΍ͬͯΈ·͢

"84$%,º&$3Πϝʔδ ϓογϡ εΩϟϯ w 3FQPTJUPSZJNBHF4DBO0O1VTI

"84$%,º&$3Πϝʔδ ϓογϡ εΩϟϯ w ੬ऑੑݕग़࣌ͷಉظతରԠʹ͸࢖͑ͳ͍ ϓογϡ͕τϦΨʔ ੬ऑੑ͕͋ͬͯ΋ ϓογϡ͸ࢭΊΒΕͳ͍ʂ ࣮ߦ͸ඇಉظ σϓϩΠ΋ࢭ·Βͳ͍ʂ
Ϗϧυ ϓογϡ

͡Ό͋ͦͷଞͷํ๏͸ʁ

"84$%,ºͦͷଞͷΠϝʔδεΩϟϯ w αʔυύʔςΟπʔϧʁ ‣ 5SJWZ ‣ %PDLMF ‣ FUDʜ w
͔͠͠ʜ ‣ $%,͸"84༻πʔϧͳͷͰ"84Ϧιʔεͷ΋ͷ͔͠ແ͍ جຊతʹ͸ ྫ֎͋Γ

ͦͷଞͷํ๏͸

͡Ό͋

Ͳ͏͢Δʁ

࡞Ε͹͍͍͡ΌΜ

$POTUSVDU)VC w $%,ίϯετϥΫτϥΠϒϥϦू IUUQTDPOTUSVDUTEFW ‣ Ҏ্ͷΦʔϓϯιʔεͷ$%,ίϯετϥΫτ͕ެ։ ‣ ݸਓͰ࡞ͬͨࣗ࡞ίϯετϥΫτͷެ։΋Մೳ
044ͱͯ͠ (JU)VCʹύϒϦοΫϦϙδτϦΛ࡞੒ $%,ίϯετϥΫτΛ࣮૷ OQNʹύϒϦογϡ $%,༻λά෇͚Λͯ͠ ਺෼ʙ਺े෼ܦͭͱ$POTUSVDU)VCʹࣗಈͰొ࿥͞ΕΔ ίϯετϥΫτ $POTUSVDU $%,ಛ༗ͷࣗ༝ͳཻ౓ͷϦιʔεू߹ ίϯϙʔωϯτ ɻ "84ఏڙͷ΋ͷ͚ͩͰͳ͘Ϣʔβ΋ࣗ༝ʹ૊ΊΔɻ

࡞ͬͯΈ·ͨ͠

ࣗ࡞ίϯετϥΫτ "84$%,༻ ˞IUUQTDPOTUSVDUTEFWQBDLBHFTJNBHFTDBOOFSXJUIUSJWZ ˞IUUQTDPOTUSVDUTEFWQBDLBHFTJNBHFTDBOOFSXJUIEPDLMF ᶃ JNBHFTDBOOFSXJUIUSJWZ ˞ ᶄ JNBHFTDBOOFSXJUIEPDLMF
˞ ˞ͱΓ͋͑ͣ5ZQF4DSJQUݶఆͰ࢖༻Մೳ ࠓޙ޿͛ͯ΋͍͍͔ͳͱ ˞ ˞

ࣗ࡞ίϯετϥΫτ "84$%,༻ w ಛ௃ ᶃ $%,ϨΠϠʔ $%,ίʔυ ಺ͰɺίϯςφΠϝʔδεΩϟϯΛߦ͏ ʮ5SJWZʯɾʮ%PDLMFʯΛ$%,Ͱ࢖͑ΔΑ͏ʹͳͬͨʂ
$%,͚ͩͰϏϧυɾϓογϡʹՃ͑ͯεΩϟϯ·Ͱߦ͑ΔΑ͏ʹͳͬͨʂ ᶄ σϓϩΠաఔͰϏϧυͨ͠ΠϝʔδΛ࢖͍ճͨ͢ΊɺແବͳϏϧυ͕ൃੜ͠ͳ͍ ʮεΩϟϯͷͨΊʹϏϧυ͠ɺσϓϩΠͷͨΊʹ΋ϏϧυʯͳͲΛ͠ͳ͍ ᶅ ੬ऑੑݕ஌ͷࡍɺ&$3΁ͷΠϝʔδͷϓογϡ΍$%,σϓϩΠΛࢭΊΒΕΔ

ࣗ࡞ίϯετϥΫτ "84$%,༻ w ࢓૊Έ ‣ $%, $MPVE'PSNBUJPO ʹ͸ʮΧελϜϦιʔεʯͱ͍͏ಛघͳϦιʔε͕͋Δ $%,͕ରԠ͍ͯ͠ͳ͍ॲཧΛ-BNCEBͰࣗલͰ࣮૷Ͱ͖Δػೳ
4/4Ͱ΋Մ ‣ ͜ͷΧελϜϦιʔε-BNCEBͰʮ5SJWZʯʮ%PDLMFʯΛୟ࣮͘૷Λ͢Δ ‣ ͜ΕΛ$POTUSVDUԽ͠ɺ$%,ίʔυͰσϓϩΠϑϩʔʹ૊ΈࠐΊΔΑ͏ʹ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶃJNBHFTDBOOFSXJUIUSJWZ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶃJNBHFTDBOOFSXJUIUSJWZ Ϗϧυ εΩϟϯ ϓογϡ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶃJNBHFTDBOOFSXJUIUSJWZ ੬ऑੑݕग़࣌͸Τϥʔʹͯ͠ ϓογϡͤ͞ͳ͍ʂ σϓϩΠ΋Τϥʔऴྃ Ϗϧυ εΩϟϯ ϓογϡ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶃJNBHFTDBOOFSXJUIUSJWZ Φϓγϣϯ΋৭ʑ͋Γʂ ࢦఆͳ͠Ͱ΋͍͍ײ͡ʹಈ͖·͢ʂ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶃJNBHFTDBOOFSXJUIUSJWZ ΤσΟλ্Ͱͷೖྗ஋બ୒ɾೖྗิ׬ɾEPDग़ྗ ͳͲʹΑΓੜͷπʔϧΑΓศར͔΋ʂʁ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶄJNBHFTDBOOFSXJUIEPDLMF

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶄJNBHFTDBOOFSXJUIEPDLMF *HOPSFϧʔϧ͕ࢦఆՄೳʂ Ϗϧυ εΩϟϯ ϓογϡ

ࣗ࡞ίϯετϥΫτ "84$%,༻ ᶄJNBHFTDBOOFSXJUIEPDLMF *HOPSFϧʔϧ͕ࢦఆՄೳʂ Ϗϧυ εΩϟϯ ϓογϡ ੬ऑੑݕग़࣌͸Τϥʔʹͯ͠ ϓογϡͤ͞ͳ͍ʂ σϓϩΠ΋Τϥʔऴྃ

ࣗ࡞ίϯετϥΫτ "84$%,༻ w 5SJWZͷެࣜυΩϡϝϯτͷΤίγεςϜϖʔδʹࡌͤͯ΋Β͍·ͨ͠ʂ

࠶ܝ ࣗ࡞ίϯετϥΫτ "84$%,༻ ˞IUUQTDPOTUSVDUTEFWQBDLBHFTJNBHFTDBOOFSXJUIUSJWZ ˞IUUQTDPOTUSVDUTEFWQBDLBHFTJNBHFTDBOOFSXJUIEPDLMF ᶃ JNBHFTDBOOFSXJUIUSJWZ ˞ ᶄ
JNBHFTDBOOFSXJUIEPDLMF ˞ ˞ͱΓ͋͑ͣ5ZQF4DSJQUݶఆͰ࢖༻Մೳ ࠓޙ޿͛ͯ΋͍͍͔ͳͱ ˞ ˞

$%,ͰͷΠϝʔδεΩϟϯํ๏͸ ཱ֬͞Ε͍ͯͳ͍ʁ

ཱ֬͞Ε·ͨ͠ʂ

·ͱΊ w "84$%,Ͱ ಉظతͳ ίϯςφΠϝʔδεΩϟϯͷํ๏͸ཱ֬͞Ε͍ͯͳ͍ ‣ Ϗϧυɾϓογϡࣗମ͸؆୯ ‣ &$3ͰͷඇಉظͳϓογϡεΩϟϯ͸͋Δ w
"84$%,༻ͷࣗ࡞ίϯετϥΫτΛ࡞ͬͨ 5SJWZ൛ɾ%PDLMF൛ ‣ 044ͱͯ͠$POTUSVDU)VCʹެ։ͨ͠ w $%,ͰͷίϯςφΠϝʔδεΩϟϯํ๏ཱ͕֬͞Εͨʂ ʁ ‣ Α͔ͬͨΒ࢖ͬͯΈ͍ͯͩ͘͞

ࢀߟɿαϯϓϧίʔυ (JU)VC w "84$%,Ͱ ‣ JNBHFTDBOOFSXJUIUSJWZ ‣ JNBHFTDBOOFSXJUIEPDLMF w Λ࢖ͬͨαϯϓϧίʔυΛ(JU)VCʹࡌ͍ͤͯΔͷͰΑ͔ͬͨΒͥͻ
IUUQTHJUIVCDPNHPUPLDELJNBHFTDBOUFTU

એ఻ɿࣗ࡞"84πʔϧ044 ʲEFMTUBDLʳ"84$MPVE'PSNBUJPOελοΫڧ੍࡟আπʔϧ ‣ IUUQTHPUPLIBUFOBCMPHDPNFOUSZEFMTUBDL ʲDMTʳ4όέοτߴ଎࡟আɾۭʹ͢Δπʔϧ όʔδϣχϯάରԠ ‣ IUUQTHPUPLIBUFOBCMPHDPNFOUSZDMT ʲMBNWFSʳ-BNCEBϥϯλΠϜόʔδϣϯݕࡧπʔϧ
Ϧʔδϣϯԣஅ ‣ IUUQTHPUPLIBUFOBCMPHDPNFOUSZMBNWFS

એ఻ɿDMTεϖΠϯޠهࣄ "84&TQBÑPM w "84&TQBÑPMͷํ͕ʮDMT 4࡟আπʔϧ ʯͷεϖΠϯޠهࣄΛॻ͍ͯ͘Ε ·ͨ͠ʂ ‣ ͜ΕͰ೔ຊޠɾӳޠɾεϖΠϯޠͷ͔ࠃޠͷهࣄ͕ग़དྷ·ͨ͠ʂ IUUQTEFWUPBXTFTQBOPMDMTCVTRVFEBZFMJNJOBDJPONBTJWBEFCVDLFUTTHC

એ఻ɿDMTͷొஃ͠·͢ʂ w 4UPSBHF+"84ͷه೦͢΂͖ୈճʹ͓ݺͼ௖͖ɺDMTͷηογϣϯΛͤ͞ ͯ௖͘͜ͱʹͳΓ·ͨ͠ʂ ‣ ਫ 4UPSBHF+"84

5IBOL:PV LHPUP าͷςοΫ

AWS CDKで コンテナイメージスキャンを行う 〜ECRとその他の方法〜 / cdk-container-image-scan

AWS CDKで コンテナイメージスキャンを行う 〜ECRとその他の方法〜 / cdk-container-image-scan

More Decks by k.goto

Other Decks in Programming

Featured

Transcript

AWS CDKでコンテナイメージスキャンを行う〜ECRとその他の方法〜 / cdk-container-image-scan

AWS CDKでコンテナイメージスキャンを行う〜ECRとその他の方法〜 / cdk-container-image-scan