Upgrade to Pro — share decks privately, control downloads, hide ads and more …

自由でセキュアな環境のつくりかた / Building free and secure cloud environment

14a602891dce5c68facca9de28340522?s=47 Hokuto Hoshi
November 08, 2018
Technology
1
3.8k

自由でセキュアな環境のつくりかた / Building free and secure cloud environment

14a602891dce5c68facca9de28340522?s=128

Hokuto Hoshi

November 08, 2018
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
14a602891dce5c68facca9de28340522?s=48 kanny
7
2.1k
14a602891dce5c68facca9de28340522?s=48 kanny
2
3.8k
14a602891dce5c68facca9de28340522?s=48 kanny
2
1.7k
14a602891dce5c68facca9de28340522?s=48 kanny
0
630
14a602891dce5c68facca9de28340522?s=48 kanny
23
14k
14a602891dce5c68facca9de28340522?s=48 kanny
3
7.6k
14a602891dce5c68facca9de28340522?s=48 kanny
30
20k
14a602891dce5c68facca9de28340522?s=48 kanny
64
50k

Other Decks in Technology

See All in Technology
97a7f7899e0df28c3636b8d44bbe6578?s=48 korodroid
0
130
646a01801bac1886ddf86aee2de913ed?s=48 miyukki
0
1k
7a54d6143169419fc6d4d9a0ff3056ea?s=48 maekawa123
0
610
97d180294474e9df01503148f3b11f39?s=48 lambda
0
220
B0cd2f94d292187c9baaf34b3979154d?s=48 quandohr
1
1.6k
7bbb6e8cd78042f30a37c29771002d2a?s=48 nenonaninu
0
140
1fbd94fe0e6c61f43710f4fbb7e1ecdf?s=48 hashiyaman
0
400
60187fe0ab07ea5a46572a3ab05f61dd?s=48 mattstauffer
0
1.3k
A07bf430b58349d4c0c88dabcd4c21f3?s=48 iam326
0
190
B46a00cafe34a9437d3a5bc6afc5bee3?s=48 aditya45
1
470
573d75e1a72107ff5c806d7e70a9e67d?s=48 michimani
1
320
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
200

Featured

See All Featured
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
298
40k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
221
15k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
147
6.7k
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
31
1.2k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
116
7.2k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
79acae287842acf29084005533a7fb3b?s=48 hursman
108
9.3k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
146
20k
Ba530e786553390f3fb271848485681c?s=48 3n
163
22k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
73
270k
245cee81a9c424266e5e401d844ea881?s=48 lara
21
3.1k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
193
8.9k

Transcript

  1. ࣗ༝ͰηΩϡΞͳ؀ڥͷ
 ͭ͘Γ͔ͨ Hokuto Hoshi Head of Infrastructure, Cookpad Inc. hokuto@cookpad.com

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ
 ΠϯϑϥετϥΫνϟʔ෦ ෦௕


    ݉ ίʔϙϨʔτΤϯδχΞϦϯά෦
 ݉ ؂ࠪҕһձ ؂ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)

  3. https://speakerdeck.com/kanny

  4. None

  5. Ϩγϐ਺ ໿ສ඼ ࠃ಺ͷ݄ؒར༻ऀ਺ ໿ ສਓ

  6. ରԠݴޠ ݴޠΧࠃ ւ֎ͷ݄ؒར༻ऀ਺ ໿ ສਓ

  7. ৽͍͠औΓ૊Έ • cookpadTV https://www.cookpad.tv/ • Cookpad DO! https://cookpad.do/ • OiCy

    https://oicy.cookpad.com/ • komerco https://komer.co/ • etc…

  8. ΫοΫύουͱΫϥ΢υ • 2011೥ʹ DC ͔Β׬શҠߦ͠ϑϧΫϥ΢υԽ • ଟ͘ͷαʔϏε͕ AWS ͰՔಇ •

    Ұ෦ͷαʔϏε͸ Google Firebase ্ͰՔಇ

  9. എܠ • ػೳɺࣄۀͳͲ৽͍͠औΓ૊ΈΛՃ଎͍ͨ͠

  10. ౰࣌ͷ૊৫ߏ଄ • ࣄۀ෦ + ػೳԣஅ෦ॺ (e.g. Πϯϑϥ෦) • Πϯϑϥͷ؅ཧ͸શͯΠϯϑϥ෦͕ߦ͏
 (=

    AWS ͷ؅ཧ͸શͯΠϯϑϥ෦) • AWS ʹؔ͢Δϊ΢ϋ΢͸શͯΠϯϑϥ෦ʹू໿ • ηΩϡϦςΟରࡦ΋΄΅Πϯϑϥ෦͕ओಋ ࣄۀ෦ Πϯϑϥ෦ ࣄۀ෦ ࣄۀ෦

  11. தԝ؅ཧͷݶք • ςετ༻Πϯελϯε΍ϦιʔεΛ࡞Δͷʹ
 Πϯϑϥ෦Ͱ࡞ۀΛߦ͏ඞཁ͕͋ͬͨ • ηΩϡϦςΟͷϨϏϡʔ΋ • ʮͦ΋ͦ΋ AWS ͷྑ͞Λࡴͯ͠ΔͷͰ͸ʁʁʁʁʁʁʯ

    • αʔϏεͷ҆ఆੑ΍ηΩϡϦςΟΛଛͳΘͣʹ࣮ݱ͍ͨ͠

  12. ؅ཧํ਑ͷస׵ • ݖݶͱ੹೚Λ֤։ൃऀʹҠৡ͢Δํ޲ʹγϑτ • ؅ཧ͢΂͖෦෼Λ͓͑ͯ͞Ҡৡ͍ͯ͘͠

  13. ։ൃऀ༻ΞΧ΢ϯτ • ։ൃऀͰ͋Ε͹୭Ͱ΋ࣗ༝ʹར༻Ͱ͖Δ AWS ΞΧ΢ϯτ • ຊ൪ͷ AWS ΞΧ΢ϯτͱ෼཭͞Ε͍ͯΔ •

    AWS IAM ͷۭؒΛ෼ׂ͢Δ͜ͱ͕Ͱ͖Δ • ϩάΠϯ͸ SAML ܦ༝

  14. ݖݶ؅ཧ • ඞཁͳαʔϏεͷ Admin ݖݶΛ޿͘෇༩ • “ಛఆαʔϏεͷΈڐՄ͠ ͳ͍” ϙϦγʔ \

    7FSTJPO  4UBUFNFOU< \ &⒎FDU"MMPX  /PU"DUJPO< DMPVEUSBJM   DPOpH   EJSFDUDPOOFDU   SPVUF   SPVUFEPNBJOT   BXTQPSUBM.PEJGZ"DDPVOU  BXTQPSUBM.PEJGZ#JMMJOH  BXTQPSUBM.PEJGZ1BZNFOU.FUIPET  JBN$SFBUF6TFS  FD$SFBUF7QD >  3FTPVSDF  ^ > ^

  15. ϩάͷه࿥ • CloudTrail, VPC Flow Logs • AWS શମͷ API

    ϩά΍ VPC ͷ௨৴ϩάΛه࿥Ͱ͖Δ • ຊ൪ΞΧ΢ϯτͷ S3 όέοτʹอ࣋ • ϩάͷมߋ΍࡟আ͸Ͱ͖ͳ͘ͳΔ

  16. ϩάͷ෼ੳ • Graylog ʹऔΓࠐΈ෼ੳͰ͖ΔΑ͏ʹ https://speakerdeck.com/mizutani/ohuisuawshuan-jing-wosekiyuritei-jian-shi-surutamefalserokushou-ji

  17. AWS Config • EC2 ΍֤छϦιʔεͷมߋཤྺΛه࿥Ͱ͖Δ

  18. ࢖͍ํ • Output ઌΛຊ൪ΞΧ΢ϯτ (CloudTrail ͱಉ͡) ʹηοτͯ͠༗ޮԽ • “͜Εมߋͨ͠ͷ୭ͩΖ͏ʁ” Λ୳͢ࡍʹར༻

    • ಛఆͷΠϯελϯε΍ηΩϡϦςΟάϧʔϓͳͲʹඥ͚ͮͯ୳ͤΔ ͷͰศར

  19. AWS Config Rules • ઃఆมߋΛτϦΨͱͯ͠ lambda function ͰઃఆΛνΣοΫͰ͖Δ • ηΩϡϦςΟάϧʔϓͷΠϯλʔωοτղ์ͳͲΛνΣοΫ

    • Fail ͨ͠৔߹ Slack ͳͲʹ௨஌ͤ͞Δ • શαʔϏεରԠͯ͠΄͍͠…
  20. None

  21. awslabs/aws-config-rules • ศརϨϙδτϦ • https://github.com/awslabs/aws-config-rules • Config Rules ʹ࢖͑Δ Lambda

    function ͕͍Ζ͍Ζ͋Δ • EBS ͸҉߸Խ͞Ε͍ͯΔ͔ʁ • IAM Ϣʔβͷ MFA ͸༗ޮԽʁ • etc…

  22. Amazon GuardDuty • CloudTrail ΍ VPC FlowLog Λ෼ੳͯ͠Ξϥʔτ • Ξϥʔτͷྫ

    • ීஈ࢖ΘΕͳ͍ IP ͔Βͷ API ίʔϧ • Πϯελϯεͷ௨৴ઌ͕͍ͭ΋ͱҧ͏ • Πϯελϯεͷ௨৴ઌ͕ C&C ͬΆ͍αʔό

  23. ΫοΫύουͰͷ࢖͍ํ • Ξϥʔτ͸ GitHub -> PagerDuty ܦ༝Ͱൃใ͠
 ηΩϡϦςΟνʔϜ͕؂ࢹ • ௐࠪ෼ੳʹ

    CloudTrail ΍ Config Λ࢖͏ • ϩά͸ Graylog ʹ஝ੵ • ͪΐͬͱաහͳͷ͕࠷ۙͷ೰Έ

  24. ωοτϫʔΫߏ੒ • ౿Έ୆ SSH αʔό͕͋Δ VPC (ຊ൪ΞΧ΢ϯτ) ͔Β
 VPC Peering

    ܦ༝Ͱ઀ଓͰ͖ΔΑ͏ʹ͢Δ • ౿Έ୆Λू໿ (TOTP ΍ FIDO U2F ʹ΋ରԠ͍ͯͯ͠ศར) • Name λάΛ࢖ͬͨਖ਼Ҿ͖ɺٯҾ͖Λఏڙ

  25.    https://speakerdeck.com/kanny/machine-learning-ops-at-cookpad

  26. ։ൃऀΞΧ΢ϯτͷಛ௃ • “໰୊Λະવʹ๷͙” ͜ͱΑΓ “໰୊Λ͋ͱ͔ΒͰ΋͍͍ͷͰݕग़ Ͱ͖Δ” ରࡦʹϑΥʔΧε • ΞΧ΢ϯτʹٻΊΒΕΔॊೈੑͳͲ͔Βߟ͑ͨ݁Ռ •

    AWS αʔϏεΛׂͱૉ๿ʹ࢖ͬͨߏ੒ • ͜͏͍͏ͱ͜Ζ·ͰͰ͖ΔΑ͏ʹͳͬͨɺͱ͍͑Δ

  27. ࣮ࡍͷӡ༻ • ։ൃऀΞΧ΢ϯτ͔ΒͷΞϥʔτ͸ଟ͘͸ͳ͍ঢ়گ • ར༻ͷ૯ྔ͸ଟ͍ • EC2 ΠϯελϯεΛىಈͯ͠ͷ࣮ݧ • AWS

    ৽αʔϏεͳͲͷݕূ

  28. ·ͱΊ • ηΩϡϦςΟͱࣗ༝͞Λཱ྆ͤͨ͞։ൃ؀ڥΛͭ͘Δ࿩ • ͍ΘΏΔ “ηΩϡϦςΟଆ” ͕Ͳ͏ߟ͑ΒΕΔ͔ʹΑͬͯ
 ࣮ݱͰ͖Δࣗ༝౓͕มΘͬͯ͘Δ • AWS

    αʔϏεΛϑϧʹ࢖ͬͯΈΔ͚ͩͰ΋ׂͱ৭ʑͰ͖Δ • ʮ͏ͪͰ͸͜͏͍͏ײ͡ʯͳͲ͕͋Ε͹ڭ͑ͯ΄͍͠Ͱ͢

  29. PR

  30. We’re Hiring!!! • Software Engineer (Security) • Software Engineer (Site

    Reliability) • ͦͷଞͷϙδγϣϯ΋͍Ζ͍Ζ͋Γ·͢ • https://cookpad.jobs/

  31. Q?