Upgrade to Pro — share decks privately, control downloads, hide ads and more …

自由でセキュアな環境のつくりかた / Building free and secure cloud environment

14a602891dce5c68facca9de28340522?s=47 Hokuto Hoshi
November 08, 2018
Technology
1
3.7k

自由でセキュアな環境のつくりかた / Building free and secure cloud environment

14a602891dce5c68facca9de28340522?s=128

Hokuto Hoshi

November 08, 2018
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
14a602891dce5c68facca9de28340522?s=48 kanny
7
2k
14a602891dce5c68facca9de28340522?s=48 kanny
2
3.7k
14a602891dce5c68facca9de28340522?s=48 kanny
2
1.7k
14a602891dce5c68facca9de28340522?s=48 kanny
0
630
14a602891dce5c68facca9de28340522?s=48 kanny
23
14k
14a602891dce5c68facca9de28340522?s=48 kanny
3
7.5k
14a602891dce5c68facca9de28340522?s=48 kanny
30
20k
14a602891dce5c68facca9de28340522?s=48 kanny
64
50k

Other Decks in Technology

See All in Technology
563d2e1e4cabf5ca21404f7104c90e91?s=48 prog893
0
140
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
2
210
94870c02836167043f37f05ae1032690?s=48 tatsy
0
120
B1bddcb899ec3060fe9913f3cb70dbb6?s=48 lmt_swallow
0
200
585cdfa5a081d53de7529e9b58926af2?s=48 kota2and3kan
2
320
0d9e60b12d0a40841b1a746b112ad36b?s=48 aamine
4
890
7b3e0dbc0d712ad5df602d9f9e5e4209?s=48 sei88888
5
450
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
850
0e8fbeb3dc2da3e502483edea80be7d6?s=48 htomine
0
170
Cc49268bebed3e30cb943a9de7b6eb3a?s=48 lain21
14
5.3k
842515eaf8fbb2dfcc75197e7797dc15?s=48 sat
1
270
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
2
500

Featured

See All Featured
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
370
42k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
8
780
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
312
21k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
8
590
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
20
760
78b475797a14c84799063c7cd073962f?s=48 holman
462
280k
245cee81a9c424266e5e401d844ea881?s=48 lara
17
2.9k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
259
24k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
6
770
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
10
670
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
157
6.5k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
82
4.8k

Transcript

  1. ࣗ༝ͰηΩϡΞͳ؀ڥͷ
 ͭ͘Γ͔ͨ Hokuto Hoshi Head of Infrastructure, Cookpad Inc. hokuto@cookpad.com

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ
 ΠϯϑϥετϥΫνϟʔ෦ ෦௕


    ݉ ίʔϙϨʔτΤϯδχΞϦϯά෦
 ݉ ؂ࠪҕһձ ؂ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)

  3. https://speakerdeck.com/kanny

  4. None

  5. Ϩγϐ਺ ໿ສ඼ ࠃ಺ͷ݄ؒར༻ऀ਺ ໿ ສਓ

  6. ରԠݴޠ ݴޠΧࠃ ւ֎ͷ݄ؒར༻ऀ਺ ໿ ສਓ

  7. ৽͍͠औΓ૊Έ • cookpadTV https://www.cookpad.tv/ • Cookpad DO! https://cookpad.do/ • OiCy

    https://oicy.cookpad.com/ • komerco https://komer.co/ • etc…

  8. ΫοΫύουͱΫϥ΢υ • 2011೥ʹ DC ͔Β׬શҠߦ͠ϑϧΫϥ΢υԽ • ଟ͘ͷαʔϏε͕ AWS ͰՔಇ •

    Ұ෦ͷαʔϏε͸ Google Firebase ্ͰՔಇ

  9. എܠ • ػೳɺࣄۀͳͲ৽͍͠औΓ૊ΈΛՃ଎͍ͨ͠

  10. ౰࣌ͷ૊৫ߏ଄ • ࣄۀ෦ + ػೳԣஅ෦ॺ (e.g. Πϯϑϥ෦) • Πϯϑϥͷ؅ཧ͸શͯΠϯϑϥ෦͕ߦ͏
 (=

    AWS ͷ؅ཧ͸શͯΠϯϑϥ෦) • AWS ʹؔ͢Δϊ΢ϋ΢͸શͯΠϯϑϥ෦ʹू໿ • ηΩϡϦςΟରࡦ΋΄΅Πϯϑϥ෦͕ओಋ ࣄۀ෦ Πϯϑϥ෦ ࣄۀ෦ ࣄۀ෦

  11. தԝ؅ཧͷݶք • ςετ༻Πϯελϯε΍ϦιʔεΛ࡞Δͷʹ
 Πϯϑϥ෦Ͱ࡞ۀΛߦ͏ඞཁ͕͋ͬͨ • ηΩϡϦςΟͷϨϏϡʔ΋ • ʮͦ΋ͦ΋ AWS ͷྑ͞Λࡴͯ͠ΔͷͰ͸ʁʁʁʁʁʁʯ

    • αʔϏεͷ҆ఆੑ΍ηΩϡϦςΟΛଛͳΘͣʹ࣮ݱ͍ͨ͠

  12. ؅ཧํ਑ͷస׵ • ݖݶͱ੹೚Λ֤։ൃऀʹҠৡ͢Δํ޲ʹγϑτ • ؅ཧ͢΂͖෦෼Λ͓͑ͯ͞Ҡৡ͍ͯ͘͠

  13. ։ൃऀ༻ΞΧ΢ϯτ • ։ൃऀͰ͋Ε͹୭Ͱ΋ࣗ༝ʹར༻Ͱ͖Δ AWS ΞΧ΢ϯτ • ຊ൪ͷ AWS ΞΧ΢ϯτͱ෼཭͞Ε͍ͯΔ •

    AWS IAM ͷۭؒΛ෼ׂ͢Δ͜ͱ͕Ͱ͖Δ • ϩάΠϯ͸ SAML ܦ༝

  14. ݖݶ؅ཧ • ඞཁͳαʔϏεͷ Admin ݖݶΛ޿͘෇༩ • “ಛఆαʔϏεͷΈڐՄ͠ ͳ͍” ϙϦγʔ \

    7FSTJPO  4UBUFNFOU< \ &⒎FDU"MMPX  /PU"DUJPO< DMPVEUSBJM   DPOpH   EJSFDUDPOOFDU   SPVUF   SPVUFEPNBJOT   BXTQPSUBM.PEJGZ"DDPVOU  BXTQPSUBM.PEJGZ#JMMJOH  BXTQPSUBM.PEJGZ1BZNFOU.FUIPET  JBN$SFBUF6TFS  FD$SFBUF7QD >  3FTPVSDF  ^ > ^

  15. ϩάͷه࿥ • CloudTrail, VPC Flow Logs • AWS શମͷ API

    ϩά΍ VPC ͷ௨৴ϩάΛه࿥Ͱ͖Δ • ຊ൪ΞΧ΢ϯτͷ S3 όέοτʹอ࣋ • ϩάͷมߋ΍࡟আ͸Ͱ͖ͳ͘ͳΔ

  16. ϩάͷ෼ੳ • Graylog ʹऔΓࠐΈ෼ੳͰ͖ΔΑ͏ʹ https://speakerdeck.com/mizutani/ohuisuawshuan-jing-wosekiyuritei-jian-shi-surutamefalserokushou-ji

  17. AWS Config • EC2 ΍֤छϦιʔεͷมߋཤྺΛه࿥Ͱ͖Δ

  18. ࢖͍ํ • Output ઌΛຊ൪ΞΧ΢ϯτ (CloudTrail ͱಉ͡) ʹηοτͯ͠༗ޮԽ • “͜Εมߋͨ͠ͷ୭ͩΖ͏ʁ” Λ୳͢ࡍʹར༻

    • ಛఆͷΠϯελϯε΍ηΩϡϦςΟάϧʔϓͳͲʹඥ͚ͮͯ୳ͤΔ ͷͰศར

  19. AWS Config Rules • ઃఆมߋΛτϦΨͱͯ͠ lambda function ͰઃఆΛνΣοΫͰ͖Δ • ηΩϡϦςΟάϧʔϓͷΠϯλʔωοτղ์ͳͲΛνΣοΫ

    • Fail ͨ͠৔߹ Slack ͳͲʹ௨஌ͤ͞Δ • શαʔϏεରԠͯ͠΄͍͠…
  20. None

  21. awslabs/aws-config-rules • ศརϨϙδτϦ • https://github.com/awslabs/aws-config-rules • Config Rules ʹ࢖͑Δ Lambda

    function ͕͍Ζ͍Ζ͋Δ • EBS ͸҉߸Խ͞Ε͍ͯΔ͔ʁ • IAM Ϣʔβͷ MFA ͸༗ޮԽʁ • etc…

  22. Amazon GuardDuty • CloudTrail ΍ VPC FlowLog Λ෼ੳͯ͠Ξϥʔτ • Ξϥʔτͷྫ

    • ීஈ࢖ΘΕͳ͍ IP ͔Βͷ API ίʔϧ • Πϯελϯεͷ௨৴ઌ͕͍ͭ΋ͱҧ͏ • Πϯελϯεͷ௨৴ઌ͕ C&C ͬΆ͍αʔό

  23. ΫοΫύουͰͷ࢖͍ํ • Ξϥʔτ͸ GitHub -> PagerDuty ܦ༝Ͱൃใ͠
 ηΩϡϦςΟνʔϜ͕؂ࢹ • ௐࠪ෼ੳʹ

    CloudTrail ΍ Config Λ࢖͏ • ϩά͸ Graylog ʹ஝ੵ • ͪΐͬͱաහͳͷ͕࠷ۙͷ೰Έ

  24. ωοτϫʔΫߏ੒ • ౿Έ୆ SSH αʔό͕͋Δ VPC (ຊ൪ΞΧ΢ϯτ) ͔Β
 VPC Peering

    ܦ༝Ͱ઀ଓͰ͖ΔΑ͏ʹ͢Δ • ౿Έ୆Λू໿ (TOTP ΍ FIDO U2F ʹ΋ରԠ͍ͯͯ͠ศར) • Name λάΛ࢖ͬͨਖ਼Ҿ͖ɺٯҾ͖Λఏڙ

  25.    https://speakerdeck.com/kanny/machine-learning-ops-at-cookpad

  26. ։ൃऀΞΧ΢ϯτͷಛ௃ • “໰୊Λະવʹ๷͙” ͜ͱΑΓ “໰୊Λ͋ͱ͔ΒͰ΋͍͍ͷͰݕग़ Ͱ͖Δ” ରࡦʹϑΥʔΧε • ΞΧ΢ϯτʹٻΊΒΕΔॊೈੑͳͲ͔Βߟ͑ͨ݁Ռ •

    AWS αʔϏεΛׂͱૉ๿ʹ࢖ͬͨߏ੒ • ͜͏͍͏ͱ͜Ζ·ͰͰ͖ΔΑ͏ʹͳͬͨɺͱ͍͑Δ

  27. ࣮ࡍͷӡ༻ • ։ൃऀΞΧ΢ϯτ͔ΒͷΞϥʔτ͸ଟ͘͸ͳ͍ঢ়گ • ར༻ͷ૯ྔ͸ଟ͍ • EC2 ΠϯελϯεΛىಈͯ͠ͷ࣮ݧ • AWS

    ৽αʔϏεͳͲͷݕূ

  28. ·ͱΊ • ηΩϡϦςΟͱࣗ༝͞Λཱ྆ͤͨ͞։ൃ؀ڥΛͭ͘Δ࿩ • ͍ΘΏΔ “ηΩϡϦςΟଆ” ͕Ͳ͏ߟ͑ΒΕΔ͔ʹΑͬͯ
 ࣮ݱͰ͖Δࣗ༝౓͕มΘͬͯ͘Δ • AWS

    αʔϏεΛϑϧʹ࢖ͬͯΈΔ͚ͩͰ΋ׂͱ৭ʑͰ͖Δ • ʮ͏ͪͰ͸͜͏͍͏ײ͡ʯͳͲ͕͋Ε͹ڭ͑ͯ΄͍͠Ͱ͢

  29. PR

  30. We’re Hiring!!! • Software Engineer (Security) • Software Engineer (Site

    Reliability) • ͦͷଞͷϙδγϣϯ΋͍Ζ͍Ζ͋Γ·͢ • https://cookpad.jobs/

  31. Q?