Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
自由でセキュアな環境のつくりかた / Building free and secure clo...
Search
Hokuto Hoshi
November 08, 2018
Technology
1
5k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
Hokuto Hoshi
November 08, 2018
Tweet
Share
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
kanny
4
3.4k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
kanny
4
2.1k
Connecting organisation with Technology
kanny
0
290
Why Slack - 5 years of Cookpad with Slack
kanny
0
120
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
kanny
7
2.7k
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.2k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.5k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1k
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
Other Decks in Technology
See All in Technology
怖くない!はじめてのClaude Code
shinya337
0
310
本が全く読めなかった過去の自分へ
genshun9
0
720
生成AI活用の組織格差を解消する 〜ビジネス職のCursor導入が開発効率に与えた好循環〜 / Closing the Organizational Gap in AI Adoption
upamune
5
4.6k
5min GuardDuty Extended Threat Detection EKS
takakuni
0
180
LangSmith×Webhook連携で実現するプロンプトドリブンCI/CD
sergicalsix
1
160
CI/CD/IaC 久々に0から環境を作ったらこうなりました
kaz29
1
200
Lambda Web Adapterについて自分なりに理解してみた
smt7174
5
140
rubygem開発で鍛える設計力
joker1007
2
270
How Community Opened Global Doors
hiroramos4
PRO
1
130
Geminiとv0による高速プロトタイピング
shinya337
0
200
Liquid Glass革新とSwiftUI/UIKit進化
fumiyasac0921
0
300
LangChain Interrupt & LangChain Ambassadors meetingレポート
os1ma
2
230
Featured
See All Featured
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Rails Girls Zürich Keynote
gr2m
94
14k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
The Straight Up "How To Draw Better" Workshop
denniskardys
234
140k
KATA
mclloyd
30
14k
Building a Modern Day E-commerce SEO Strategy
aleyda
42
7.4k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
Transcript
ࣗ༝ͰηΩϡΞͳڥͷ ͭ͘Γ͔ͨ Hokuto Hoshi Head of Infrastructure, Cookpad Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ ΠϯϑϥετϥΫνϟʔ෦ ෦
݉ ίʔϙϨʔτΤϯδχΞϦϯά෦ ݉ ࠪҕһձ ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)
https://speakerdeck.com/kanny
None
Ϩγϐ ສ ࠃͷ݄ؒར༻ऀ ສਓ
ରԠݴޠ ݴޠΧࠃ ւ֎ͷ݄ؒར༻ऀ ສਓ
৽͍͠औΓΈ • cookpadTV https://www.cookpad.tv/ • Cookpad DO! https://cookpad.do/ • OiCy
https://oicy.cookpad.com/ • komerco https://komer.co/ • etc…
ΫοΫύουͱΫϥυ • 2011ʹ DC ͔ΒશҠߦ͠ϑϧΫϥυԽ • ଟ͘ͷαʔϏε͕ AWS ͰՔಇ •
Ұ෦ͷαʔϏε Google Firebase ্ͰՔಇ
എܠ • ػೳɺࣄۀͳͲ৽͍͠औΓΈΛՃ͍ͨ͠
࣌ͷ৫ߏ • ࣄۀ෦ + ػೳԣஅ෦ॺ (e.g. Πϯϑϥ෦) • ΠϯϑϥͷཧશͯΠϯϑϥ෦͕ߦ͏ (=
AWS ͷཧશͯΠϯϑϥ෦) • AWS ʹؔ͢ΔϊϋશͯΠϯϑϥ෦ʹू • ηΩϡϦςΟରࡦ΄΅Πϯϑϥ෦͕ओಋ ࣄۀ෦ Πϯϑϥ෦ ࣄۀ෦ ࣄۀ෦
தԝཧͷݶք • ςετ༻ΠϯελϯεϦιʔεΛ࡞Δͷʹ Πϯϑϥ෦Ͱ࡞ۀΛߦ͏ඞཁ͕͋ͬͨ • ηΩϡϦςΟͷϨϏϡʔ • ʮͦͦ AWS ͷྑ͞Λࡴͯ͠ΔͷͰʁʁʁʁʁʁʯ
• αʔϏεͷ҆ఆੑηΩϡϦςΟΛଛͳΘͣʹ࣮ݱ͍ͨ͠
ཧํͷస • ݖݶͱΛ֤։ൃऀʹҠৡ͢Δํʹγϑτ • ཧ͖͢෦Λ͓͑ͯ͞Ҡৡ͍ͯ͘͠
։ൃऀ༻ΞΧϯτ • ։ൃऀͰ͋Ε୭Ͱࣗ༝ʹར༻Ͱ͖Δ AWS ΞΧϯτ • ຊ൪ͷ AWS ΞΧϯτͱ͞Ε͍ͯΔ •
AWS IAM ͷۭؒΛׂ͢Δ͜ͱ͕Ͱ͖Δ • ϩάΠϯ SAML ܦ༝
ݖݶཧ • ඞཁͳαʔϏεͷ Admin ݖݶΛ͘༩ • “ಛఆαʔϏεͷΈڐՄ͠ ͳ͍” ϙϦγʔ \
7FSTJPO 4UBUFNFOU< \ &⒎FDU"MMPX /PU"DUJPO< DMPVEUSBJM DPOpH EJSFDUDPOOFDU SPVUF SPVUFEPNBJOT BXTQPSUBM.PEJGZ"DDPVOU BXTQPSUBM.PEJGZ#JMMJOH BXTQPSUBM.PEJGZ1BZNFOU.FUIPET JBN$SFBUF6TFS FD$SFBUF7QD > 3FTPVSDF ^ > ^
ϩάͷه • CloudTrail, VPC Flow Logs • AWS શମͷ API
ϩά VPC ͷ௨৴ϩάΛهͰ͖Δ • ຊ൪ΞΧϯτͷ S3 όέοτʹอ࣋ • ϩάͷมߋআͰ͖ͳ͘ͳΔ
ϩάͷੳ • Graylog ʹऔΓࠐΈੳͰ͖ΔΑ͏ʹ https://speakerdeck.com/mizutani/ohuisuawshuan-jing-wosekiyuritei-jian-shi-surutamefalserokushou-ji
AWS Config • EC2 ֤छϦιʔεͷมߋཤྺΛهͰ͖Δ
͍ํ • Output ઌΛຊ൪ΞΧϯτ (CloudTrail ͱಉ͡) ʹηοτͯ͠༗ޮԽ • “͜Εมߋͨ͠ͷ୭ͩΖ͏ʁ” Λ୳͢ࡍʹར༻
• ಛఆͷΠϯελϯεηΩϡϦςΟάϧʔϓͳͲʹඥ͚ͮͯ୳ͤΔ ͷͰศར
AWS Config Rules • ઃఆมߋΛτϦΨͱͯ͠ lambda function ͰઃఆΛνΣοΫͰ͖Δ • ηΩϡϦςΟάϧʔϓͷΠϯλʔωοτղ์ͳͲΛνΣοΫ
• Fail ͨ͠߹ Slack ͳͲʹ௨ͤ͞Δ • શαʔϏεରԠͯ͠΄͍͠…
None
awslabs/aws-config-rules • ศརϨϙδτϦ • https://github.com/awslabs/aws-config-rules • Config Rules ʹ͑Δ Lambda
function ͕͍Ζ͍Ζ͋Δ • EBS ҉߸Խ͞Ε͍ͯΔ͔ʁ • IAM Ϣʔβͷ MFA ༗ޮԽʁ • etc…
Amazon GuardDuty • CloudTrail VPC FlowLog Λੳͯ͠Ξϥʔτ • Ξϥʔτͷྫ
• ීஈΘΕͳ͍ IP ͔Βͷ API ίʔϧ • Πϯελϯεͷ௨৴ઌ͕͍ͭͱҧ͏ • Πϯελϯεͷ௨৴ઌ͕ C&C ͬΆ͍αʔό
ΫοΫύουͰͷ͍ํ • Ξϥʔτ GitHub -> PagerDuty ܦ༝Ͱൃใ͠ ηΩϡϦςΟνʔϜ͕ࢹ • ௐࠪੳʹ
CloudTrail Config Λ͏ • ϩά Graylog ʹੵ • ͪΐͬͱաහͳͷ͕࠷ۙͷΈ
ωοτϫʔΫߏ • ౿Έ SSH αʔό͕͋Δ VPC (ຊ൪ΞΧϯτ) ͔Β VPC Peering
ܦ༝ͰଓͰ͖ΔΑ͏ʹ͢Δ • ౿ΈΛू (TOTP FIDO U2F ʹରԠ͍ͯͯ͠ศར) • Name λάΛͬͨਖ਼Ҿ͖ɺٯҾ͖Λఏڙ
https://speakerdeck.com/kanny/machine-learning-ops-at-cookpad
։ൃऀΞΧϯτͷಛ • “Λະવʹ͙” ͜ͱΑΓ “Λ͋ͱ͔ΒͰ͍͍ͷͰݕग़ Ͱ͖Δ” ରࡦʹϑΥʔΧε • ΞΧϯτʹٻΊΒΕΔॊೈੑͳͲ͔Βߟ͑ͨ݁Ռ •
AWS αʔϏεΛׂͱૉʹͬͨߏ • ͜͏͍͏ͱ͜Ζ·ͰͰ͖ΔΑ͏ʹͳͬͨɺͱ͍͑Δ
࣮ࡍͷӡ༻ • ։ൃऀΞΧϯτ͔ΒͷΞϥʔτଟ͘ͳ͍ঢ়گ • ར༻ͷ૯ྔଟ͍ • EC2 ΠϯελϯεΛىಈͯ͠ͷ࣮ݧ • AWS
৽αʔϏεͳͲͷݕূ
·ͱΊ • ηΩϡϦςΟͱࣗ༝͞Λཱ྆ͤͨ͞։ൃڥΛͭ͘Δ • ͍ΘΏΔ “ηΩϡϦςΟଆ” ͕Ͳ͏ߟ͑ΒΕΔ͔ʹΑͬͯ ࣮ݱͰ͖Δࣗ༝͕มΘͬͯ͘Δ • AWS
αʔϏεΛϑϧʹͬͯΈΔ͚ͩͰׂͱ৭ʑͰ͖Δ • ʮ͏ͪͰ͜͏͍͏ײ͡ʯͳͲ͕͋Εڭ͑ͯ΄͍͠Ͱ͢
PR
We’re Hiring!!! • Software Engineer (Security) • Software Engineer (Site
Reliability) • ͦͷଞͷϙδγϣϯ͍Ζ͍Ζ͋Γ·͢ • https://cookpad.jobs/
Q?