Upgrade to Pro — share decks privately, control downloads, hide ads and more …

セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub

Hokuto Hoshi
December 20, 2018
Technology
2
3.9k

セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub

Hokuto Hoshi

December 20, 2018
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
Connecting organisation with Technology
kanny
0
14
Why Slack - 5 years of Cookpad with Slack
kanny
0
5
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
kanny
7
2.4k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
4.3k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
0
810
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
14k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
3
8.1k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
21k

Other Decks in Technology

See All in Technology
新リリース:microCMSテンプレート
microcms
1
820
IaCのCI/CDを考えよう / JAWS-UG_Okayama_IaC_CICD
taishin
1
190
MagicPod開発における テスト自動化とCI
nozomiito
0
150
しつこくじわじわパフォーマンスチューニング
netmarkjp
0
450
GitHub最新情報キャッチアップ 2023年6月
dzeyelid
1
210
Large Language Models: From Prototype to Production
inesmontani
PRO
9
3.1k
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.6k
組織の立ち上げと体制変更の1年
tarappo
2
940
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
230
Blueskyちゃん作った話
kojira
0
110
2023.06.01_LangChain/Llamaindex/Whisperを使ったアプリケーション開発のまとめと展望
pharma_x_tech
0
750
k6による負荷試験 入門から実践まで
fujiwara3
3
1.2k

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Designing for Performance
lara
601
65k
How GitHub (no longer) Works
holman
299
140k
The Mythical Team-Month
searls
211
41k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
RailsConf 2023
tenderlove
0
110
How to train your dragon (web standard)
notwaldorf
69
4.4k
In The Pink: A Labor of Love
frogandcode
133
21k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
A Modern Web Designer's Workflow
chriscoyier
689
190k
How to name files
jennybc
51
80k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k

Transcript

  1. ηΩϡϦςΟ୲౰ऀ͔Βݟͨ
    re:Invent ͱ AWS Security Hub
    Hokuto Hoshi
    Head of Infrastructure, Cookpad Inc.
    [email protected]

    View Slide

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b
    • ΫοΫύουגࣜձࣾ

    ΠϯϑϥετϥΫνϟʔ෦ ෦௕

    ݉ ίʔϙϨʔτΤϯδχΞϦϯά෦

    ݉ ؂ࠪҕһձ ؂ࠪิॿऀ
    • SRE, ηΩϡϦςΟΤϯδχΞ
    • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)
    • AWS ར༻ྺ͸8೥͘Β͍

    View Slide

  3. https://kanny.me/

    View Slide

  4. ΠϯϑϥετϥΫνϟʔ෦
    • શαʔϏε͕ར༻͢ΔΠϯϑϥ؀ڥͮ͘Γ
    • SRE (Site Reliability Engineering) άϧʔϓ
    • σʔλج൫άϧʔϓ
    • ηΩϡϦςΟάϧʔϓ

    View Slide

  5. ηΩϡϦςΟάϧʔϓ
    • 3໊
    • αʔϏε΍ࣾ಺γεςϜͳͲձࣾʹ͓͚Δ͋ΒΏΔ৘ใηΩϡϦ
    ςΟରࡦ΍ͦͷӡ༻ʹैࣄ
    • γεςϜͷઃܭ΍ߏஙɺ࣮ࡍͷӡ༻·Ͱߦ͏

    View Slide

  6. Full-AWS since 2011
    ~1,400 EC2 instances
    200+ ECS Services
    Over 3 regions 15,000+ requests/sec

    View Slide

  7. re:Invent ͱࣗ෼
    • 2013೥͔Βຖ೥ࢀՃ
    • 2012೥͸·ֶͩੜόΠτͩͬͨ
    • 2017Ͱొஃ
    • ػցֶशϫʔΫϩʔυΛίϯςφͰ࣮ߦ͢Δ࿩
    • ࠓ೥Ͱ6ճ໨
    • ϥεϕΨε͸7ճ໨

    View Slide

  8. ΫοΫύουͱ re:Invent
    • 2012೥͔Βຖ೥ෳ਺໊ࢀՃ
    • ΠϯϑϥܥͰ͸ͳ͘αʔϏε։ൃऀͷࢀՃऀΛ૿΍͍ͯ͠Δ
    • ࠓ೥͸ࢀՃऀͷ8ׂҎ্

    View Slide

  9. ηΩϡϦςΟܥηογϣϯ, ϫʔΫγϣοϓ
    • ຖ೥͕ͩେྔ
    • ΑΓߴ౓ͳτϐοΫʹߦ͘΄Ͳ “ίʔυΛॻ͍ͯࣗ෼ͨͪͰ࡞͍ͬͯ͘” ΋ͷ͕ଟ͍
    • AWS ηΩϡϦςΟαʔϏεͷ঺հ͚ͩͰͳ͘ AWS αʔϏεΛ࢖ͬͯΑΓྑ͍ηΩϡϦςΟγ
    εςϜΛͭ͘Δ
    • ࣗ෼ͷ෼໺Ҏ֎ͷϫʔΫγϣοϓͳͲʹग़͍ͯΔΤϯδχΞ΋ଟ͍
    • ηΩϡϦςΟΤϯδχΞ͕ DynamoDB ઃܭͷϫʔΫγϣοϓʹग़͍ͯΔͳͲ
    • εϥΠυ΍ಈը͸ެ։͞Ε͍ͯ·͢

    View Slide

  10. Security Jam
    • AWS ্ͰηΩϡϦςΟରࡦ΍ΠϯγσϯτϨεϙϯεΛମݧͯ͠
    ͍͘Πϕϯτ
    • ָͦ͠͏ͳͷʹຖճ GameDay ͱඃͬͯ͠·͍

    ࢀՃͰ͖͍ͯͳ͍… (ಉ྅ᐌָ͔ͬͨ͘͠ͱͷ͜ͱ)
    • ೔ຊͰ΍Δ͔ GameDay ͱ࣌ؒΛͣΒ͍ͯͩ͘͠͞!!!

    View Slide

  11. Expo
    • ηΩϡϦςΟ੡඼ͷϓϩόΠμ͸೥ʑ૿Ճ͍ͯ͠Δ
    • ࠓ೥͸ίϯςφηΩϡϦςΟ͕ଟ͔ͬͨҹ৅
    • SIEM, ΠϕϯτϚωδϝϯτͳͲ΋

    View Slide

  12. ࠓ೥ͷൃද
    • ͍Ζ͍Ζ͋Γ·ͨ͠Ͷ
    • ML, IoT, Robot ͳͲ΋͋Γͭͭݎ࣮ͳྖҬʹ΋େྔϦϦʔε

    View Slide

  13. ൃද (ηΩϡϦςΟ)
    https://aws.amazon.com/jp/new/reinvent/

    View Slide

  14. ηΩϡϦςΟͷൃදগͳ͘ͳ͍ʁʁʁ
    • ௚઀ηΩϡϦςΟΛλʔήοτʹͨ͠΋ͷ͸͔֬ʹগͳ͍
    • ͕ɺηΩϡϦςΟγεςϜͷߏஙͳͲʹ࢖͑Δ΋ͷ͸ͨ͘͞Μ
    • “ηΩϡϦςΟ” λά͕͍ͭͨαʔϏε͚͕ͩ

    AWS ηΩϡϦςΟͰ͸ͳ͍

    View Slide

  15. https://speakerdeck.com/mizutani/security-log-search

    View Slide

  16. ηΩϡϦςΟγεςϜʹ࢖͑Δ or ࢖͑ͦ͏ͳ
    ϦϦʔεͱײ૝Λ঺հ (ݸਓͷݟղͰ͢)

    View Slide

  17. CloudWatch Logs Insights
    • CW Logs ͷϩάʹର͠ߜΓࠐΈ΍ूܭɺ෼ੳ͕Մೳʹ
    • JSON ͳͲʹ΋ରԠͰ͖Δ
    • ৽όοΫΤϯυʹΑΔര଎ݕࡧ
    • େྔͷϩάσʔλʹରͯ͠΋਺ഒҎ্଎͍ (࣮ࡍʹ࢖ͬͯ·͢)
    • γεςϜϩά΍ΞΫηεϩάͳͲͷετϨʔδͱͯ͠༗ྗީิʹ
    • ͨͩ͠Ձ֨͸ཁ֬ೝ

    View Slide

  18. S3 Object Lock
    • S3 Object ΛҰఆ or ແظݶͰ্ॻ͖/࡟আͰ͖ͳ͘ͳΔػೳ
    • ࠷ڧͷϞʔυͰ͸ root account Ͱ͢Β࡟আෆೳʹ
    • MFA Delete ʹ୅ΘΔબ୒ࢶʹͳΔ
    • ֤छॏཁϩάͷอ࣋ʹར༻Մೳ
    • ޡരʹ͸஫ҙ

    View Slide

  19. S3 Glacier ͷػೳڧԽ
    • ໊শมߋͱಉ࣌ʹ৭ʑग़ͨ
    • S3 Glacier ετϨʔδΫϥε΁ͷ௚ૹ
    • ΫϩεϦʔδϣϯϨϓϦέʔγϣϯͷ Glacier ରԠ
    • ෮ݩ௨஌ɺ෮ݩ଎౓Ξοϓ
    • S3 Glacier Deep Archive
    • ͔͞Έ͕ͪͳηΩϡϦςΟؔ࿈ϩάͷ௕ظόοΫΞοϓʹ࢖͑Δ
    • ΫοΫύουͰ΋ Lifecycle Ͱ Glacier ૹΓʹ͍ͯ͠·͢

    View Slide

  20. S3 Intelligent Tiering
    • S3 Standard ͱ Standard-IA (௿ස౓) ΛࣗಈͰߦ͖དྷͰ͖Δ
    • Athena ͳͲΛϩάݕࡧʹ࢖͍ͬͯΔέʔεͰ͸ศར
    • ϑϧεΩϟϯ͢Δͱҙຯ͕ͳ͘ͳΔͷͰϢʔεέʔε΍ઃܭ͕େࣄ

    View Slide

  21. KMS Custom Key Store
    • KMS ͷΩʔετΞͱͯ͠ CloudHSM ͕࢖͑ΔΑ͏ʹ
    • ߟ͑ΒΕΔ༻్
    • Ͳ͏ͯ͠΋ΩʔετΞΛ෼཭͢Δඞཁ͕͋Δ
    • KMS Λ௨ͯ͠Ͱͳ͘ CloudHSM ଆ͔Β௚઀伴ͷ؂ࠪΛ͍ͨ͠
    • զʑʹ͸ར༻༻్͕ͳ͍Ͱ͢…

    View Slide

  22. AWS Control Tower
    • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌͸লུ
    • େྔΞΧ΢ϯτΛ؅ཧ͢Δ؀ڥԼͰ͸͔ͳΓศརͦ͏
    • ΧδϡΞϧʹ AWS ΞΧ΢ϯτΛ࡞Γ΍͘͢ͳΔ

    View Slide

  23. AWS Security Hub
    • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌͸লུ
    • ΋͏গ͠۷ΓԼ͛ͯɺͲͷΑ͏ʹ׆༻͍͔ͨ͠Λ࿩͠·͢

    View Slide

  24. ηΩϡϦςΟγεςϜͷجຊํ਑
    • ༷ʑͳιϑτ΢ΣΞ΍αʔϏεΛηϯαʔͱͯ͠࢖͏
    • ηϯαʔ͔Βͷϩά΍ΞϥʔτΛू໿ͯ͠؅ཧ͢Δ
    • ͦΕͧΕͷ؅ཧίϯιʔϧʹϩάΠϯͯ͠…ͱ͍͏ͷ͸

    ࢖ΘΕͳ͍γεςϜΛੜΉ͚ͩͳͷͰ΍ΊΔ
    • ຊ౰ʹඞཁͳ൑அʹूதͰ͖Δ࢓૊ΈΛͭ͘Δ (ࣗಈԽ)

    View Slide

  25. ΞʔΩςΫνϟ֓ཁ ύʔτ෼͚

    ϩάϑΝΠϧઃஔͷ
    ΠϕϯτΛݕग़
    Lambda
    Lambda
    Lambda
    Kinesis
    Stream
    S3
    S3 Athena
    ϧʔϧΛ༻͍ͨ
    Ξϥʔτͷݕ஌
    Ξϥʔτͷൃใ
    ϩάͷม׵
    EC2
    Elasticsearch
    Service
    ߴ଎ͰΠϯλϥΫςΟϒͳ
    ୹ظతϩάͷݕࡧ
    ௕ظؒʹΘͨΔ
    ϩάͷݕࡧ
    GHE PagerDuty Slack
    Ξϥʔτͷൃใɾ؅ཧ
    Ξϥʔτͷௐࠪ
    EC2 instances
    ͦͷଞϓϩμΫτ
    Kinesis
    Stream
    Kinesis
    Stream
    ϩάऩूύʔτ ϩάॲཧύʔτ Ξϥʔτॲཧύʔτ
    CloudWatch Logs/
    Event, GuardDuty,
    CloudTrail

    View Slide

  26. ֓ཁ
    • ༷ʑͳϑΥʔϚοτͷϩά΍ΞϥʔτΛ S3 ʹऩू
    • AWS αʔϏεͱͯ͠͸ GuardDuty ͳͲΛར༻
    • ऩूͨ͠ϩάɾΞϥʔτΛਖ਼نԽͯ͠ Graylog / S3 ʹ౤ೖ
    • Ωϟονͨ͠Ξϥʔτ͸ਖ਼نԽͯ͠ GitHub (Enterprise) ʹىථ
    • ՄೳͳݶΓͷॳظௐࠪΛࣗಈͰߦ͏
    • PagerDuty, Slack ΁ͷൃใ΋ߦ͏

    View Slide

  27. ͞Βʹվળ͍ͨ͠ϙΠϯτ
    • Ξϥʔτͷਖ਼نԽ͕ͪΐͬͱେม (ࣗ෼ͨͪͰ࡞Δ)
    • ΞϥʔτࣗମͷूܭɺՄࢹԽ
    • ࣗಈԽΛߋʹਐΊΔ
    • ௐࠪɺରԠ
    • ௕ظతͳ෼ੳ

    View Slide

  28. Ξϥʔτਖ਼نԽ
    • ରԠ͍ͯ͠ΔαʔϏεͰ͋Ε͹ਖ਼نԽෆཁ
    • ଞγεςϜʹΞϥʔτΛॻ͖ࠐΈ͍ͨ৔߹΋ Security Hub ΛڬΉ͜ͱͰ
    ॲཧΛڞ௨ԽͰ͖Δ
    • Ξϥʔτʹ͍ͭͯ͸ “ͱΓ͋͑ͣ Security Hub ʹಥͬࠐΉ” ͜ͱ͕

    Ͱ͖ΔΑ͏ʹͳΔ
    • ࠓޙ৽نʹηΩϡϦςΟαʔϏε͕ग़͖ͯͯ΋ૉૣ͘౷߹Ͱ͖Δ

    View Slide

  29. Amazon Security Finding Format
    • ηΩϡϦςΟΞϥʔτʹٻΊΒΕͦ͏ͳ߲໨͸Ұ௨ΓΧόʔ
    • EC2 Πϯελϯε ͳͲ AWS ݻ༗ͷϑΟʔϧυ΋༻ҙ
    • ࠓͷஈ֊Ͱ͸ AWS ಺ϦιʔεΛओʹ૝ఆ͍ͯ͠ΔΑ͏ʹݟ͑Δ
    • ΋͏ͪΐͬͱ৭ʑͳϦιʔεʹରͯ͠࢖͑Δͱ͏Ε͍͠…
    • ৄࡉ͸ Security Hub ͷυΩϡϝϯτΛࢀর

    View Slide

  30. ूܭɺՄࢹԽ
    • Insights Ͱ͋Δఔ౓Մೳ
    • Findings ΛϑΟϧλͨ݁͠Ռ (Group by ͳͲ΋Մೳ)
    • άϥϑ΋ΧελϜͰ͖ͨΒخ͍͚͠Ͳɻɻ
    • ௕ظతʹոͦ͠͏ͳϦιʔεΛݟ͚ͭΔͷʹ΋༗ޮ

    View Slide

  31. ࣗಈԽ
    • CW Events ʹΠϕϯτΛૹ৴Ͱ͖Δ
    • Finding, Insights, Standards
    • Lambda function ΍ Step Function ΛݺͿ͜ͱ͕Ͱ͖Δ
    • ϩάऩूͱඥ෇͚, Ϩϐϡςʔγϣϯௐࠪ, ݕମௐࠪ, 

    Πϯελϯε΁ͷίϚϯυൃߦͳͲͳΜͰ΋͋Γ

    View Slide

  32. ͦͷଞͷྑ͍ػೳ
    • ϚϧνΞΧ΢ϯτରԠ
    • Control Tower Ͱ৽ن࡞੒࣌ʹશηΩϡϦςΟαʔϏε༗ޮԽ + Security Hub
    ΁ͷૹ৴͕Ͱ͖ΔΑ͏ʹͳΔͱ͏Ε͍͠
    • ηΩϡϦςΟඪ४ͷνΣοΫ
    • ࣮ମ͸ Config Rules ͷू߹ମ (ݱࡏ͸ CIS AWS foundation benchmark ͷΈ)
    • ͜Ε΋ΧελϜ͕࡞ΕΔͱྑ͍

    View Slide

  33. ͦͷଞ͜͏ͳͬͯ͘ΕΔͱخ͍͠
    • Findings ͦͷ΋ͷͷΞοϓσʔτ (ଐੑͷ௥ՃͳͲ)
    • ࣗಈԽʹΑΔௐࠪ݁ՌͳͲΛ෇Ճ͓͖͍ͯͨ͠ (ݱঢ়ςΩετͷΈ)
    • Πϕϯτ؅ཧπʔϧͱͷ࿈ܞ
    • ͋Δ͍͸ Security Hub ࣗ਎͕؅ཧπʔϧʹͳΔ
    • ୲౰ऀɺௐࠪঢ়گɺݟղɺetc
    • AWS WAF ࿈ܞ
    • Ξϥʔτ͕͔ͳΓଟ͘ͳΔ͸ͣͳͷͰɺͦͷ··දࣔ͸ͯ͠΄͘͠ͳ͍͕…

    View Slide

  34. ·ͱΊ

    View Slide

  35. ࠓճͷൃදʹ͍ͭͯ
    • ͙͢ʹ࢖͑Δ΋ͷ΋ଟ͘ྑ͔ͬͨͱࢥ͏
    • ηΩϡϦςΟʹ௚઀ϑΥʔΧεͨ͠΋ͷ͸ଟ͘͸ͳ͍͕ɺ

    ηΩϡϦςΟʹ׆͔͢͜ͱ͕Ͱ͖ΔαʔϏε΍ػೳ͕ग़͍ͯΔ
    • Control Tower, Security Hub ΋ੵۃతʹར༻͍ͨ͠

    View Slide

  36. ͜Ε͔Βͷ AWS ηΩϡϦςΟ
    • (طʹͦ͏ͳ͍ͬͯΔ͕) ಛఆͷαʔϏε΍ιϑτ΢ΣΞΛ

    ࢖͏͚ͩͰͳ͘ɺ޿͍ࢹ఺ͰηΩϡϦςΟγεςϜΛઃܭ࣮ͯ͠૷͢Δ
    • AWS ͕ఏڙ͍ͯ͠ΔύʔπʹΑͬͯ࡞Γ΍͍͢؀ڥ͸͋Δ
    • ͦ͏͍ͬͨ΋ͷ͕ఏڙ͞Ε͍ͯΔͱࢥ͏͠ɺ͍ͯͬͯ͠΄͍͠

    View Slide

  37. PR

    View Slide

  38. ࣍ੈ୅ͷηΩϡϦςΟ؀ڥΛҰॹʹͭ͘Δ

    ΤϯδχΞΛืू͍ͯ͠·͢
    https://cookpad.jobs/

    View Slide

  39. Fin.

    View Slide