RDSのパスワードローテーションについて考えてみた話

Transcript

1. 3%4ͷύεϫʔυϩʔςʔγϣϯʹ͍ͭͯ
   ߟ͑ͯΈͨ࿩ PNPUFTBOEPSC
   
   

2. ࣗݾ঺հ w ໊લ
   IPTIJOPUTVZPTIJ HJUIVC
   
   IPQQJFTUBS UXJUUFS
   
   w PNPUFTBOEPSC
   ճ໨͙Β͍ͷ-5Ͱ͢ ໿೥ͿΓ

   
   w 8FCΞϓϦέʔγϣϯΤϯδχΞ
   w %9ؔ࿈ͷ4BB4اۀॴଐ

3. ࿩͍ͨ͜͠ͱ w ࢓૊Έ
   w 3BJMTΞϓϦͰͲ͏΍Δ͔
   w ΠϯϑϥपΓͷઃఆ ͕࣌ؒ͋Ε͹

4. ࠓճྫͱͯ͠ߟ͑Δ3BJMTΞϓϦपลͷߏ੒ w 'BSHBUF্Ͱ&$4λεΫ ͕ಈ͘
   w QVNB XFC
   w TJEFLJR

   XPSLFS
   w όονॲཧ ύεϫʔυ͸
   3BJMTͷ$SFEFOUJBMػೳɺ"84
   4FDSFU.BOBHFSɺ
   "84
   44.ύϥϝʔλ ετΞ౳Λ࢖͏͜ͱ͕ଟ͍ͱࢥ͍·͢ ϢʔβʔɾύεϫʔυͰೝূ ϢʔβʔɾύεϫʔυͰೝূ

5. ΋͠ɺ͍·%#αʔόʔͷύεϫʔυΛม͑ͨ͘ͳͬͨΒʁ
   ʢΈͳ͞Μ΋ߟ͑ͯΈ͍ͯͩ͘͞ʣ w ͍͖ͳΓม͑ΒΕΔ͔ʁ
   w όονॲཧతͳ΋ͷͷ৔߹
   w
   
   w ࠓ·͞ʹಈ͍͍ͯΔ
   XFCαʔόʔ

   QVNB ΍XPSLFSαʔόʔ TJEFLJR
   
   w
   
   w
   

6. ΋͠ɺ͍·%#αʔόʔͷύεϫʔυΛม͑ͨ͘ͳͬͨΒʁ
   ʢΈͳ͞Μ΋ߟ͑ͯΈ͍ͯͩ͘͞ʣ w ͍͖ͳΓม͑ΒΕΔ͔ʁ
   w όονॲཧతͳ΋ͷͷ৔߹
   w 
   Ͱ͖ͦ͏
   w ࠓ·͞ʹಈ͍͍ͯΔ
   XFCαʔόʔ

   QVNB ΍XPSLFSαʔόʔ TJEFLJR
   
   w
   
   w
   

7. ΋͠ɺ͍·%#αʔόʔͷύεϫʔυΛม͑ͨ͘ͳͬͨΒʁ
   ʢΈͳ͞Μ΋ߟ͑ͯΈ͍ͯͩ͘͞ʣ w ͍͖ͳΓม͑ΒΕΔ͔ʁ
   w όονॲཧతͳ΋ͷͷ৔߹
   w 
   Ͱ͖ͦ͏
   w ࠓ·͞ʹಈ͍͍ͯΔ
   XFCαʔόʔ

   QVNB ΍XPSLFSαʔόʔ TJEFLJR
   
   w 
   %#αʔόʔଆͰมߋͨ͠ॠؒʹΤϥʔଟൃͦ͠͏
   w 
   Τϥʔͳ͘ߦ͏ͷ͸
   ೉ͦ͠͏ʁ🤔
   Ͳ͏͢Ε͹Α͍͔

8. 💡
   ϢʔβʔΛͭ࡞Ε͹͍͍ͷͰ͸ʁ w ࠓ࢖͍ͬͯΔ%#ϢʔβʔΛϢʔβʔ"ͱ͢Δ
   w ͦΕΛίϐʔͯ͠શ͘ಉ͡ݖݶΛ࣋ͭϢʔβʔ#Λ࡞Δ
   w 3BJMTΞϓϦͰ࢖͏ϢʔβʔɾύεϫʔυΛϢʔβʔ#ͷ΋ͷʹ͢Δ
   ճ໨
   ׬
   w

   
   
   w
   
   w
   

9. 💡
   ϢʔβʔΛͭ࡞ͬͯ౎౓ύεϫʔυΛ৽͍͠΋ͷʹ͢Ε͹ w ࠓ࢖͍ͬͯΔ%#ϢʔβʔΛϢʔβʔ"ͱ͢Δ
   w ͦΕΛίϐʔͯ͠શ͘ಉ͡ݖݶΛ࣋ͭϢʔβʔ#Λ࡞Δ
   w 3BJMTΞϓϦͰ࢖͏ϢʔβʔɾύεϫʔυΛϢʔβʔ#ͷ΋ͷʹ͢Δ
   ճ໨
   ׬
   w

   3BJMTΞϓϦͰ࢖͏ϢʔβʔɾύεϫʔυΛϢʔβʔ"ͷ΋ͷʹ͢Δ
   ճ໨
   ׬
   w 3BJMTΞϓϦͰ࢖͏ϢʔβʔɾύεϫʔυΛϢʔβʔ#ͷ΋ͷʹ͢Δ
   ճ໨
   ׬
   w 

10. "84ʹ͸ͳΜͰ΋͋Δ

11. "84
    4FDSFUT
    .BOBHFS

12. "84ʹ͸ͳΜͰ΋͋Δ w ࢀߟ
    <ϩʔςʔγϣϯઓུ
    "84
    4FDSFUT
    .BOBHFS
    ͷ֓೦
    
    "84
    4FDSFUT
    .BOBHFS> IUUQT EPDTBXTBNB[PODPNKB@KQTFDSFUTNBOBHFSMBUFTUVTFSHVJEFHFUUJOHTUBSUFEIUNMSPUBUJPOTUSBUFHZ

13. "84ʹ͸ͳΜͰ΋͋Δ w ࢀߟ
    <ϩʔςʔγϣϯઓུ
    "84
    4FDSFUT
    .BOBHFS
    ͷ֓೦
    
    "84
    4FDSFUT
    .BOBHFS> IUUQT EPDTBXTBNB[PODPNKB@KQTFDSFUTNBOBHFSMBUFTUVTFSHVJEFHFUUJOHTUBSUFEIUNMSPUBUJPOTUSBUFHZ 1⃣ 2⃣ 3⃣ 4⃣

14. 1⃣ 2⃣

15. 2⃣ 3⃣

16. 3⃣ 4⃣

17. ࢓૊Έͷઆ໌

18. ࢓૊Έͷઆ໌ ϩʔςʔγϣϯؔ਺ "84
    MBNCEB 3%4 ϩʔςʔγϣϯؔ਺Ͱ3%4ʹΞΫηεͯ͠42-࣮ߦͯ͠Ϣʔβʔ৘ใΛߋ৽͢Δ

19. "84
    4FDSFUT
    .BOBHFS
    ઃఆΠϝʔδ

20. "84
    4FDSFUT
    .BOBHFS
    ઃఆΠϝʔδ

21. "84
    4FDSFUT
    .BOBHFS
    ઃఆΠϝʔδ w ˠ
    ը໘ΛਐΊ͍ͯ͘ͱɺ-BNCEBؔ਺΍$MPVE'PSNBUJPOͷઃఆ͕࢝·Δ Β͍͠
    w ެࣜࢀߟ
    
    IUUQTEPDTBXTBNB[PODPNKB@KQTFDSFUTNBOBHFSMBUFTU VTFSHVJEFUVUPSJBMT@SPUBUJPOBMUFSOBUJOHIUNMUVUPSJBMT@SPUBUJPO BMUFSOBUJOH@TUFQSPUBUF
    w

    ࠓճ͸͜ͷը໘͸࢖ΘͣʹUFSSBGSPNͷBXT@DMPVEGSPNBUJPO@TUBDLΛ࢖͍·ͨ͠
    w ҎԼͷϖʔδ΋େ͍ʹࢀߟʹ͠·ͨ͠
    w
    <"84
    4FDSFUT
    .BOBHFSͰ
    3%4ͷύεϫʔυϩʔςʔγϣϯͯ͠ΈΔ
    JO
    
    @
    %FWFMPQFST*0> IUUQTEFWDMBTTNFUIPEKQBSUJDMFTTFDSFUTNBOBHFS QBTTXPSESPUBUJPO

22. ࿩͍ͨ͜͠ͱ w ࢓૊Έ
    ✅
    w 3BJMTΞϓϦͰͲ͏΍Δ͔
    ˡ
    w ΠϯϑϥपΓͷઃఆ ͕࣌ؒ͋Ε͹

23. 3BJMTΞϓϦͰͲ͏͢Δ͔ w ࠓ·Ͱʮύεϫʔυ୯ମʯΛTFDSFUͱͯ͠؅ཧ͍͕ͯͨ͠ɺࠓޙ͸ ʮ"84
    4FDSFUT
    .BOBHFS
    γʔΫϨοτͷ
    +40/
    ߏ଄ʯͰ؅ཧ͞ΕΔΑ ͏ʹͳͬͨɻ
    w ͳͷͰɺͦΕʹରԠ͢Δ

24. "84
    4FDSFUT
    .BOBHFS
    γʔΫϨοτͷ
    +40/
    ߏ଄
    ͱ͸ w "VSPSB
    1PTUHSFTͷ৔߹ w ࢀߟ
    <"84
    4FDSFUT
    .BOBHFS
    γʔΫϨοτͷ
    +40/
    ߏ଄
    
    "84
    4FDSFUT
    .BOBHFS> IUUQTEPDTBXTBNB[PODPNKB@KQ TFDSFUTNBOBHFSMBUFTUVTFSHVJEFSFGFSFODF@TFDSFU@KTPO@TUSVDUVSFIUNMSFGFSFODF@TFDSFU@KTPO@TUSVDUVSF@SETQPTUHSFT

25. 3BJMTଆରॲ
    ࡞ઓ w લทͷ+40/Λ
    A3%4@%#@4&$3&5A
    ͱ͍͏؀ڥม਺Ͱड͚औΔ͜ͱʹ͠ ͨ
    w ͜ΕΛύʔεͯ͠૊Έཱͯ௚ͯ͠
    A%"5"#"4&@63-A
    ͷܗʹ͢Δ
    w 3BJMT͸ɺ؀ڥม਺
    A%"5"#"4&@63-A
    ͕͋Ε͹͜ΕΛར༻͢Δ࢓૊Έ
    w AQPTUHSFTVTFSOBNF!QBTTXPSEQPSUECOBNF

    PQUJPOTA
    ͷܗʹ ͢Δ

26. CFGPSF DPO fi HEBUBCBTFZNM BGUFS

27. CFGPSF ίϯςφఆٛͷKTPO KTPOOFU BGUFS

28. ύʔε CJOSFBE@SET@EC@TFDSFU

29. ૊Έཱͯ௚͢ EPDLFSFOUSZQPJOUTI

30. ಈ͔ͳ͔ͬͨ࿩ ͭ·͖ͮϙΠϯτ

31. ͍ΖΜͳ౎߹Ͱ ύεϫʔυʹ͸࢖͑ͳ͍จࣈ͕͋Δ w ϥϯμϜʹ࡞ͬͨύεϫʔυΛಡ΋͏ͱ͢ΔͱSBJMTىಈ࣌ʹΤϥʔ
    w ௐ΂Δͱύεϫʔυʹʮʨ ʯ͕ೖͬͯΔͱΤϥʔ
    w ϥϯμϜʹ࡞ͬͨύεϫʔυΛಡ΋͏ͱ͢ΔͱSJEHFQPMF࣮ߦ࣌ʹΤϥʔ
    w

    ௐ΂Δͱύεϫʔυʹʮʴ ʯ͕ೖͬͯΔͱΤϥʔ

32. ͍ΖΜͳ౎߹Ͱ ύεϫʔυʹ͸࢖͑ͳ͍จࣈ͕͋Δ TFF
    BMTP
    <3BJMTͷ
    %"5"#"4&@63-
    ͰࢦఆͰ͖ Δύεϫʔυͷจࣈछ> IUUQT TJOTPLVIBUFOBCMPHDPNFOUSZ 

33. ͜ͷํ๏Ͱͷϩʔςʔγϣϯͷ஫ҙ w ϩʔςʔγϣϯͷִؒΑΓ΋୹͍εύϯͰ&$4λεΫ͕ೖΕସΘΔඞཁ͕ ͋Δ
    w ྫ
    ճ໨ͷϩʔςʔγϣϯͷͱ͖ʹ͸ɺճ໨ͷϩʔςʔγϣϯΑΓલ ͔Βಈ͍͍ͯΔ&$4λεΫ͕͋Δ৔߹͸ͦͷ&$4λεΫΛઌʹTUPQ͢ Δඞཁ͕͋Δ

34. ͜ͷํ๏Ͱͷϩʔςʔγϣϯͷ஫ҙ ճ໨ͷϩʔςʔγϣϯͷ͋ͱ͸ɺ1⃣
    ͷͱ͖ ʹಈ͍͍ͯͨίϯςφ͕·ͩ࢒͍ͬͯΔ৔߹ ͸઀ଓΤϥʔʹͳͬͯ͠·͏ w ࠶ܝ 1⃣ 2⃣ 3⃣

35. ࿩͍ͨ͜͠ͱ w ࢓૊Έ
    ✅
    w 3BJMTΞϓϦͰͲ͏΍Δ͔
    ✅
    w ΠϯϑϥपΓͷઃఆ ͕࣌ؒ͋Ε͹
    ˡ

36. $MPVE'PSNBUJPOͰઃఆ͞ΕΔ΋ͷ w -BNCEBؔ਺
    w ͦͷ-BNCEBؔ਺ͷύʔϛογϣϯ
    w 4FDSFU.BOBHFS͔ΒͷΞΫηεʹݶఆ͞ΕΔ
    w *".ϩʔϧ

37. ͲΜͳ-BNCEBؔ਺͔ʁ w IUUQTHJUIVCDPNBXTTBNQMFTBXTTFDSFUTNBOBHFSSPUBUJPOMBNCEBT
    ͱ͍͏Ϧϙ δτϦͰެ։͞Ε͍ͯΔ

38. ͲΜͳ-BNCEBؔ਺͔ʁ w MBNCEB@IBOEMFSͱ͍͏ϝΠϯؔ਺͔ΒҎԼͷؔ਺ΛݺͿ lambda_handlerؔ਺͸AWS Secrets Manager͔ΒͷϩʔςʔγϣϯΠϕϯτΛॲཧ͢ΔͨΊͷΤϯτϦ ϙΠϯτͱͳΓ·͢ɻ ͜ͷؔ਺͸࣍ͷ4ͭͷεςοϓΛ࣮ߦ͠·͢: •createSecret: ৽͍͠γʔΫϨοτΛ࡞੒͠·͢ɻ

    •setSecret: ৽͍͠γʔΫϨοτΛσʔλϕʔεʹద༻͠·͢ɻ •testSecret: ৽͍͠γʔΫϨοτ͕σʔλϕʔεʹਖ਼͘͠ద༻͞Εͨ͜ͱΛςετ͠·͢ɻ • fi nishSecret: ৽͍͠γʔΫϨοτΛAWSCURRENTͱͯ͠ϚʔΫ͠ɺݹ͍γʔΫϨοτΛ AWSPREVIOUSͱͯ͠ϚʔΫ͠·͢ɻ

39. ͦͷଞඞཁͳઃఆ
    FUD w -BNCEBؔ਺͕࣮ࡍʹ3%4ʹΞΫηε͢ΔͨΊͷ४උ
    w ωοτϫʔΫपΓ
    w 71$΍ηΩϡϦςΟάϧʔϓͷઃఆ͕ඞཁ
    w 3%4ࣗମ
    w

    ͜ͷ-BNCEBؔ਺༻ͷ%#Ϣʔβʔ ٴͼύεϫʔυ ΋ࣄલʹඞཁ
    w ͦͷೝূ৘ใ΋ผ్4FDSFUT
    .BOBHFSʹೖΕ͓ͯ͘ඞཁ͋Γ
    w 1PTUHSFTͷ৔߹͸$3&"5&30-&ݖݶ͕ඞཁ

40. UFSSBGPSNઃఆྫ

41. ࿩͍ͨ͜͠ͱ w ࢓૊Έ
    ✅
    w 3BJMTΞϓϦͰͲ͏΍Δ͔
    ✅
    w ΠϯϑϥपΓͷઃఆ ͕࣌ؒ͋Ε͹
    ✅

42. ͜͜·ͰͰ৮Εͳ͔ͬͨ࿩ w 3BJMTͷDPO fi HDSFEFOUJBMTZNMFOD
    3"*-4@."45&3@,&:
    w 💭
    ࢖͏ʹ͸͏·͘؂ࠪϩάऔΓ͍ͨ
    w 3%4ͷ*".ೝূ
    

    w 💭
    ͜Ε͸΋͔ͨ͠͠Β΂ΜΓͦ͏ɾ3BJMTͰ͏·͘࢖͑ͨΒڭ͑ͯ΄ ͍͠ɾύϑΥʔϚϯε͸ͪΐͬͱؾ͕͔Γ

43. ࠷ޙʹ w 3BJMTʹ͸σʔλϕʔεͷύεϫʔυʹ࢖͑ͳ͍จࣈ͕͋Δ͜ͱΛ஌ͬͨ ͷ͸ऩ֭Ͱͨ͠
    w օ͞Μͷ΍Γํͱ͔ΞΠσΞ΍ϊ΢ϋ΢ͱ͔͋Ε͹ڭ͑ͯԼ͍͞