Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
Search
Hokuto Hoshi
November 08, 2018
Technology
1
4.6k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
Hokuto Hoshi
November 08, 2018
Tweet
Share
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
Connecting organisation with Technology
kanny
0
100
Why Slack - 5 years of Cookpad with Slack
kanny
0
44
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
kanny
7
2.5k
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.1k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.2k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
0
910
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
3
8.4k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
22k
Other Decks in Technology
See All in Technology
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
強みを伸ばすキャリアデザイン
yug1224
0
200
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
3
190
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
24
4.8k
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
670
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2k
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
150
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
130
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k
インシデントレスポンスのライフサイクルを廻すポイントってなに / Pinpoints of Incidentresponse Lifecycle for Operation
sakaitakeshi
0
290
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
Featured
See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
343
19k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Teambox: Starting and Learning
jrom
128
8.4k
Thoughts on Productivity
jonyablonski
57
3.8k
Typedesign – Prime Four
hannesfritz
36
2k
A designer walks into a library…
pauljervisheath
199
23k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
What's in a price? How to price your products and services
michaelherold
237
11k
KATA
mclloyd
14
12k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
Pencils Down: Stop Designing & Start Developing
hursman
116
11k
Transcript
ࣗ༝ͰηΩϡΞͳڥͷ ͭ͘Γ͔ͨ Hokuto Hoshi Head of Infrastructure, Cookpad Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ ΠϯϑϥετϥΫνϟʔ෦ ෦
݉ ίʔϙϨʔτΤϯδχΞϦϯά෦ ݉ ࠪҕһձ ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)
https://speakerdeck.com/kanny
None
Ϩγϐ ສ ࠃͷ݄ؒར༻ऀ ສਓ
ରԠݴޠ ݴޠΧࠃ ւ֎ͷ݄ؒར༻ऀ ສਓ
৽͍͠औΓΈ • cookpadTV https://www.cookpad.tv/ • Cookpad DO! https://cookpad.do/ • OiCy
https://oicy.cookpad.com/ • komerco https://komer.co/ • etc…
ΫοΫύουͱΫϥυ • 2011ʹ DC ͔ΒશҠߦ͠ϑϧΫϥυԽ • ଟ͘ͷαʔϏε͕ AWS ͰՔಇ •
Ұ෦ͷαʔϏε Google Firebase ্ͰՔಇ
എܠ • ػೳɺࣄۀͳͲ৽͍͠औΓΈΛՃ͍ͨ͠
࣌ͷ৫ߏ • ࣄۀ෦ + ػೳԣஅ෦ॺ (e.g. Πϯϑϥ෦) • ΠϯϑϥͷཧશͯΠϯϑϥ෦͕ߦ͏ (=
AWS ͷཧશͯΠϯϑϥ෦) • AWS ʹؔ͢ΔϊϋશͯΠϯϑϥ෦ʹू • ηΩϡϦςΟରࡦ΄΅Πϯϑϥ෦͕ओಋ ࣄۀ෦ Πϯϑϥ෦ ࣄۀ෦ ࣄۀ෦
தԝཧͷݶք • ςετ༻ΠϯελϯεϦιʔεΛ࡞Δͷʹ Πϯϑϥ෦Ͱ࡞ۀΛߦ͏ඞཁ͕͋ͬͨ • ηΩϡϦςΟͷϨϏϡʔ • ʮͦͦ AWS ͷྑ͞Λࡴͯ͠ΔͷͰʁʁʁʁʁʁʯ
• αʔϏεͷ҆ఆੑηΩϡϦςΟΛଛͳΘͣʹ࣮ݱ͍ͨ͠
ཧํͷస • ݖݶͱΛ֤։ൃऀʹҠৡ͢Δํʹγϑτ • ཧ͖͢෦Λ͓͑ͯ͞Ҡৡ͍ͯ͘͠
։ൃऀ༻ΞΧϯτ • ։ൃऀͰ͋Ε୭Ͱࣗ༝ʹར༻Ͱ͖Δ AWS ΞΧϯτ • ຊ൪ͷ AWS ΞΧϯτͱ͞Ε͍ͯΔ •
AWS IAM ͷۭؒΛׂ͢Δ͜ͱ͕Ͱ͖Δ • ϩάΠϯ SAML ܦ༝
ݖݶཧ • ඞཁͳαʔϏεͷ Admin ݖݶΛ͘༩ • “ಛఆαʔϏεͷΈڐՄ͠ ͳ͍” ϙϦγʔ \
7FSTJPO 4UBUFNFOU< \ &⒎FDU"MMPX /PU"DUJPO< DMPVEUSBJM DPOpH EJSFDUDPOOFDU SPVUF SPVUFEPNBJOT BXTQPSUBM.PEJGZ"DDPVOU BXTQPSUBM.PEJGZ#JMMJOH BXTQPSUBM.PEJGZ1BZNFOU.FUIPET JBN$SFBUF6TFS FD$SFBUF7QD > 3FTPVSDF ^ > ^
ϩάͷه • CloudTrail, VPC Flow Logs • AWS શମͷ API
ϩά VPC ͷ௨৴ϩάΛهͰ͖Δ • ຊ൪ΞΧϯτͷ S3 όέοτʹอ࣋ • ϩάͷมߋআͰ͖ͳ͘ͳΔ
ϩάͷੳ • Graylog ʹऔΓࠐΈੳͰ͖ΔΑ͏ʹ https://speakerdeck.com/mizutani/ohuisuawshuan-jing-wosekiyuritei-jian-shi-surutamefalserokushou-ji
AWS Config • EC2 ֤छϦιʔεͷมߋཤྺΛهͰ͖Δ
͍ํ • Output ઌΛຊ൪ΞΧϯτ (CloudTrail ͱಉ͡) ʹηοτͯ͠༗ޮԽ • “͜Εมߋͨ͠ͷ୭ͩΖ͏ʁ” Λ୳͢ࡍʹར༻
• ಛఆͷΠϯελϯεηΩϡϦςΟάϧʔϓͳͲʹඥ͚ͮͯ୳ͤΔ ͷͰศར
AWS Config Rules • ઃఆมߋΛτϦΨͱͯ͠ lambda function ͰઃఆΛνΣοΫͰ͖Δ • ηΩϡϦςΟάϧʔϓͷΠϯλʔωοτղ์ͳͲΛνΣοΫ
• Fail ͨ͠߹ Slack ͳͲʹ௨ͤ͞Δ • શαʔϏεରԠͯ͠΄͍͠…
None
awslabs/aws-config-rules • ศརϨϙδτϦ • https://github.com/awslabs/aws-config-rules • Config Rules ʹ͑Δ Lambda
function ͕͍Ζ͍Ζ͋Δ • EBS ҉߸Խ͞Ε͍ͯΔ͔ʁ • IAM Ϣʔβͷ MFA ༗ޮԽʁ • etc…
Amazon GuardDuty • CloudTrail VPC FlowLog Λੳͯ͠Ξϥʔτ • Ξϥʔτͷྫ
• ීஈΘΕͳ͍ IP ͔Βͷ API ίʔϧ • Πϯελϯεͷ௨৴ઌ͕͍ͭͱҧ͏ • Πϯελϯεͷ௨৴ઌ͕ C&C ͬΆ͍αʔό
ΫοΫύουͰͷ͍ํ • Ξϥʔτ GitHub -> PagerDuty ܦ༝Ͱൃใ͠ ηΩϡϦςΟνʔϜ͕ࢹ • ௐࠪੳʹ
CloudTrail Config Λ͏ • ϩά Graylog ʹੵ • ͪΐͬͱաහͳͷ͕࠷ۙͷΈ
ωοτϫʔΫߏ • ౿Έ SSH αʔό͕͋Δ VPC (ຊ൪ΞΧϯτ) ͔Β VPC Peering
ܦ༝ͰଓͰ͖ΔΑ͏ʹ͢Δ • ౿ΈΛू (TOTP FIDO U2F ʹରԠ͍ͯͯ͠ศར) • Name λάΛͬͨਖ਼Ҿ͖ɺٯҾ͖Λఏڙ
https://speakerdeck.com/kanny/machine-learning-ops-at-cookpad
։ൃऀΞΧϯτͷಛ • “Λະવʹ͙” ͜ͱΑΓ “Λ͋ͱ͔ΒͰ͍͍ͷͰݕग़ Ͱ͖Δ” ରࡦʹϑΥʔΧε • ΞΧϯτʹٻΊΒΕΔॊೈੑͳͲ͔Βߟ͑ͨ݁Ռ •
AWS αʔϏεΛׂͱૉʹͬͨߏ • ͜͏͍͏ͱ͜Ζ·ͰͰ͖ΔΑ͏ʹͳͬͨɺͱ͍͑Δ
࣮ࡍͷӡ༻ • ։ൃऀΞΧϯτ͔ΒͷΞϥʔτଟ͘ͳ͍ঢ়گ • ར༻ͷ૯ྔଟ͍ • EC2 ΠϯελϯεΛىಈͯ͠ͷ࣮ݧ • AWS
৽αʔϏεͳͲͷݕূ
·ͱΊ • ηΩϡϦςΟͱࣗ༝͞Λཱ྆ͤͨ͞։ൃڥΛͭ͘Δ • ͍ΘΏΔ “ηΩϡϦςΟଆ” ͕Ͳ͏ߟ͑ΒΕΔ͔ʹΑͬͯ ࣮ݱͰ͖Δࣗ༝͕มΘͬͯ͘Δ • AWS
αʔϏεΛϑϧʹͬͯΈΔ͚ͩͰׂͱ৭ʑͰ͖Δ • ʮ͏ͪͰ͜͏͍͏ײ͡ʯͳͲ͕͋Εڭ͑ͯ΄͍͠Ͱ͢
PR
We’re Hiring!!! • Software Engineer (Security) • Software Engineer (Site
Reliability) • ͦͷଞͷϙδγϣϯ͍Ζ͍Ζ͋Γ·͢ • https://cookpad.jobs/
Q?