Upgrade to Pro — share decks privately, control downloads, hide ads and more …

自由でセキュアな環境のつくりかた / Building free and secure cloud environment

Hokuto Hoshi
November 08, 2018
Technology
1
4.3k

自由でセキュアな環境のつくりかた / Building free and secure cloud environment

Hokuto Hoshi

November 08, 2018
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
kanny
7
2.4k
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
3.9k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
0
800
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
14k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
3
8.1k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
21k
秒間数万のログをいい感じにするアーキテクチャ
kanny
64
56k

Other Decks in Technology

See All in Technology
IBM Cloud PLUS - #3 IBM PowerVS 入門と最新情報
6onoda
0
110
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
230
AWS Lambda PHPのProduction利用を続ける僕がAWS App Runnerの可能性を探る
seike460
PRO
3
440
PHPの最高機能、配列を捨てよう!! / Throw away all PHP array now!!!
uzulla
8
5.3k
PHPマジックメソッドクイズ!/PHP Magic Method Quiz
ykanoh
0
280
大規模言語モデル活用総まとめ with Azure OpenAI
hirosatogamo
4
2.1k
シゴトをジモトに運び込め〜大企業でCCoEやってた私が地元に事業所を作るまで〜
mamohacy
2
130
ローコード自動テストを1ヶ月半で導入した話
sumiren
0
230
大規模ブロックチェーンゲームの マスアダプションまでの課題と解決への期待
miyatakoji
0
110
大規模言語モデルで変わるMLシステム開発
hirosatogamo
13
10k
試して分かった!AWS を使った PLCのデータ収集と分析基盤の実践ノウハウ #FA設備技術勉強会#13
ganota
1
13k
スマート東京実施戦略_2023(令和5)年度の取組
tokyo_metropolitan_gov_smart_tokyo_strat
0
510

Featured

See All Featured
GraphQLとの向き合い方2022年版
quramy
22
10k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Unsuck your backbone
ammeep
660
56k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
14
5.6k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.2k
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Building an army of robots
kneath
300
41k
What’s in a name? Adding method to the madness
productmarketing
PRO
13
2k
Infographics Made Easy
chrislema
236
17k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
7
680

Transcript

  1. ࣗ༝ͰηΩϡΞͳ؀ڥͷ

    ͭ͘Γ͔ͨ
    Hokuto Hoshi
    Head of Infrastructure, Cookpad Inc.
    [email protected]

    View Slide

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b
    • ΫοΫύουגࣜձࣾ

    ΠϯϑϥετϥΫνϟʔ෦ ෦௕

    ݉ ίʔϙϨʔτΤϯδχΞϦϯά෦

    ݉ ؂ࠪҕһձ ؂ࠪิॿऀ
    • SRE, ηΩϡϦςΟΤϯδχΞ
    • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)

    View Slide

  3. https://speakerdeck.com/kanny

    View Slide

  4. View Slide

  5. Ϩγϐ਺
    ໿ສ඼
    ࠃ಺ͷ݄ؒར༻ऀ਺
    ໿ ສਓ

    View Slide

  6. ରԠݴޠ
    ݴޠΧࠃ
    ւ֎ͷ݄ؒར༻ऀ਺
    ໿ ສਓ

    View Slide

  7. ৽͍͠औΓ૊Έ
    • cookpadTV https://www.cookpad.tv/
    • Cookpad DO! https://cookpad.do/
    • OiCy https://oicy.cookpad.com/
    • komerco https://komer.co/
    • etc…

    View Slide

  8. ΫοΫύουͱΫϥ΢υ
    • 2011೥ʹ DC ͔Β׬શҠߦ͠ϑϧΫϥ΢υԽ
    • ଟ͘ͷαʔϏε͕ AWS ͰՔಇ
    • Ұ෦ͷαʔϏε͸ Google Firebase ্ͰՔಇ

    View Slide

  9. എܠ
    • ػೳɺࣄۀͳͲ৽͍͠औΓ૊ΈΛՃ଎͍ͨ͠

    View Slide

  10. ౰࣌ͷ૊৫ߏ଄
    • ࣄۀ෦ + ػೳԣஅ෦ॺ (e.g. Πϯϑϥ෦)
    • Πϯϑϥͷ؅ཧ͸શͯΠϯϑϥ෦͕ߦ͏

    (= AWS ͷ؅ཧ͸શͯΠϯϑϥ෦)
    • AWS ʹؔ͢Δϊ΢ϋ΢͸શͯΠϯϑϥ෦ʹू໿
    • ηΩϡϦςΟରࡦ΋΄΅Πϯϑϥ෦͕ओಋ
    ࣄۀ෦
    Πϯϑϥ෦
    ࣄۀ෦ ࣄۀ෦

    View Slide

  11. தԝ؅ཧͷݶք
    • ςετ༻Πϯελϯε΍ϦιʔεΛ࡞Δͷʹ

    Πϯϑϥ෦Ͱ࡞ۀΛߦ͏ඞཁ͕͋ͬͨ
    • ηΩϡϦςΟͷϨϏϡʔ΋
    • ʮͦ΋ͦ΋ AWS ͷྑ͞Λࡴͯ͠ΔͷͰ͸ʁʁʁʁʁʁʯ
    • αʔϏεͷ҆ఆੑ΍ηΩϡϦςΟΛଛͳΘͣʹ࣮ݱ͍ͨ͠

    View Slide

  12. ؅ཧํ਑ͷస׵
    • ݖݶͱ੹೚Λ֤։ൃऀʹҠৡ͢Δํ޲ʹγϑτ
    • ؅ཧ͢΂͖෦෼Λ͓͑ͯ͞Ҡৡ͍ͯ͘͠

    View Slide

  13. ։ൃऀ༻ΞΧ΢ϯτ
    • ։ൃऀͰ͋Ε͹୭Ͱ΋ࣗ༝ʹར༻Ͱ͖Δ AWS ΞΧ΢ϯτ
    • ຊ൪ͷ AWS ΞΧ΢ϯτͱ෼཭͞Ε͍ͯΔ
    • AWS IAM ͷۭؒΛ෼ׂ͢Δ͜ͱ͕Ͱ͖Δ
    • ϩάΠϯ͸ SAML ܦ༝

    View Slide

  14. ݖݶ؅ཧ
    • ඞཁͳαʔϏεͷ Admin
    ݖݶΛ޿͘෇༩
    • “ಛఆαʔϏεͷΈڐՄ͠
    ͳ͍” ϙϦγʔ
    \
    7FSTJPO
    4UBUFNFOU
    \
    &⒎FDU"MMPX
    /PU"DUJPO
    DMPVEUSBJM
    DPOpH
    EJSFDUDPOOFDU
    SPVUF
    SPVUFEPNBJOT
    BXTQPSUBM.PEJGZ"DDPVOU
    BXTQPSUBM.PEJGZ#JMMJOH
    BXTQPSUBM.PEJGZ1BZNFOU.FUIPET
    JBN$SFBUF6TFS
    FD$SFBUF7QD
    >
    3FTPVSDF
    ^
    >
    ^

    View Slide

  15. ϩάͷه࿥
    • CloudTrail, VPC Flow Logs
    • AWS શମͷ API ϩά΍ VPC ͷ௨৴ϩάΛه࿥Ͱ͖Δ
    • ຊ൪ΞΧ΢ϯτͷ S3 όέοτʹอ࣋
    • ϩάͷมߋ΍࡟আ͸Ͱ͖ͳ͘ͳΔ

    View Slide

  16. ϩάͷ෼ੳ
    • Graylog ʹऔΓࠐΈ෼ੳͰ͖ΔΑ͏ʹ
    https://speakerdeck.com/mizutani/ohuisuawshuan-jing-wosekiyuritei-jian-shi-surutamefalserokushou-ji

    View Slide

  17. AWS Config
    • EC2 ΍֤छϦιʔεͷมߋཤྺΛه࿥Ͱ͖Δ

    View Slide

  18. ࢖͍ํ
    • Output ઌΛຊ൪ΞΧ΢ϯτ (CloudTrail ͱಉ͡) ʹηοτͯ͠༗ޮԽ
    • “͜Εมߋͨ͠ͷ୭ͩΖ͏ʁ” Λ୳͢ࡍʹར༻
    • ಛఆͷΠϯελϯε΍ηΩϡϦςΟάϧʔϓͳͲʹඥ͚ͮͯ୳ͤΔ
    ͷͰศར

    View Slide

  19. AWS Config Rules
    • ઃఆมߋΛτϦΨͱͯ͠ lambda function ͰઃఆΛνΣοΫͰ͖Δ
    • ηΩϡϦςΟάϧʔϓͷΠϯλʔωοτղ์ͳͲΛνΣοΫ
    • Fail ͨ͠৔߹ Slack ͳͲʹ௨஌ͤ͞Δ
    • શαʔϏεରԠͯ͠΄͍͠…

    View Slide

  20. View Slide

  21. awslabs/aws-config-rules
    • ศརϨϙδτϦ
    • https://github.com/awslabs/aws-config-rules
    • Config Rules ʹ࢖͑Δ Lambda function ͕͍Ζ͍Ζ͋Δ
    • EBS ͸҉߸Խ͞Ε͍ͯΔ͔ʁ
    • IAM Ϣʔβͷ MFA ͸༗ޮԽʁ
    • etc…

    View Slide

  22. Amazon GuardDuty
    • CloudTrail ΍ VPC FlowLog Λ෼ੳͯ͠Ξϥʔτ
    • Ξϥʔτͷྫ
    • ීஈ࢖ΘΕͳ͍ IP ͔Βͷ API ίʔϧ
    • Πϯελϯεͷ௨৴ઌ͕͍ͭ΋ͱҧ͏
    • Πϯελϯεͷ௨৴ઌ͕ C&C ͬΆ͍αʔό

    View Slide

  23. ΫοΫύουͰͷ࢖͍ํ
    • Ξϥʔτ͸ GitHub -> PagerDuty ܦ༝Ͱൃใ͠

    ηΩϡϦςΟνʔϜ͕؂ࢹ
    • ௐࠪ෼ੳʹ CloudTrail ΍ Config Λ࢖͏
    • ϩά͸ Graylog ʹ஝ੵ
    • ͪΐͬͱաහͳͷ͕࠷ۙͷ೰Έ

    View Slide

  24. ωοτϫʔΫߏ੒
    • ౿Έ୆ SSH αʔό͕͋Δ VPC (ຊ൪ΞΧ΢ϯτ) ͔Β

    VPC Peering ܦ༝Ͱ઀ଓͰ͖ΔΑ͏ʹ͢Δ
    • ౿Έ୆Λू໿ (TOTP ΍ FIDO U2F ʹ΋ରԠ͍ͯͯ͠ศར)
    • Name λάΛ࢖ͬͨਖ਼Ҿ͖ɺٯҾ͖Λఏڙ

    View Slide




  25. https://speakerdeck.com/kanny/machine-learning-ops-at-cookpad

    View Slide

  26. ։ൃऀΞΧ΢ϯτͷಛ௃
    • “໰୊Λະવʹ๷͙” ͜ͱΑΓ “໰୊Λ͋ͱ͔ΒͰ΋͍͍ͷͰݕग़
    Ͱ͖Δ” ରࡦʹϑΥʔΧε
    • ΞΧ΢ϯτʹٻΊΒΕΔॊೈੑͳͲ͔Βߟ͑ͨ݁Ռ
    • AWS αʔϏεΛׂͱૉ๿ʹ࢖ͬͨߏ੒
    • ͜͏͍͏ͱ͜Ζ·ͰͰ͖ΔΑ͏ʹͳͬͨɺͱ͍͑Δ

    View Slide

  27. ࣮ࡍͷӡ༻
    • ։ൃऀΞΧ΢ϯτ͔ΒͷΞϥʔτ͸ଟ͘͸ͳ͍ঢ়گ
    • ར༻ͷ૯ྔ͸ଟ͍
    • EC2 ΠϯελϯεΛىಈͯ͠ͷ࣮ݧ
    • AWS ৽αʔϏεͳͲͷݕূ

    View Slide

  28. ·ͱΊ
    • ηΩϡϦςΟͱࣗ༝͞Λཱ྆ͤͨ͞։ൃ؀ڥΛͭ͘Δ࿩
    • ͍ΘΏΔ “ηΩϡϦςΟଆ” ͕Ͳ͏ߟ͑ΒΕΔ͔ʹΑͬͯ

    ࣮ݱͰ͖Δࣗ༝౓͕มΘͬͯ͘Δ
    • AWS αʔϏεΛϑϧʹ࢖ͬͯΈΔ͚ͩͰ΋ׂͱ৭ʑͰ͖Δ
    • ʮ͏ͪͰ͸͜͏͍͏ײ͡ʯͳͲ͕͋Ε͹ڭ͑ͯ΄͍͠Ͱ͢

    View Slide

  29. PR

    View Slide

  30. We’re Hiring!!!
    • Software Engineer (Security)
    • Software Engineer (Site Reliability)
    • ͦͷଞͷϙδγϣϯ΋͍Ζ͍Ζ͋Γ·͢
    • https://cookpad.jobs/

    View Slide

  31. Q?

    View Slide