セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
Hokuto Hoshi
December 20, 2018
Transcript
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
Hokuto Hoshi, Head of Infrastructure, Cookpad Inc.
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ ΠϯϑϥετϥΫνϟʔ෦ ෦
݉ ίʔϙϨʔτΤϯδχΞϦϯά෦ ݉ ࠪҕһձ ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • AWS ར༻ྺ8͘Β͍
https://kanny.me/
ΠϯϑϥετϥΫνϟʔ෦ • શαʔϏε͕ར༻͢ΔΠϯϑϥڥͮ͘Γ • SRE (Site Reliability Engineering) άϧʔϓ •
σʔλج൫άϧʔϓ • ηΩϡϦςΟάϧʔϓ
ηΩϡϦςΟάϧʔϓ • 3໊ • αʔϏεࣾγεςϜͳͲձࣾʹ͓͚Δ͋ΒΏΔใηΩϡϦ ςΟରࡦͦͷӡ༻ʹैࣄ • γεςϜͷઃܭߏஙɺ࣮ࡍͷӡ༻·Ͱߦ͏
Full-AWS since 2011
• ~1,400 EC2 instances
• 200+ ECS Services
• Over 3 regions
• 15,000+ requests/sec
re:Invent ͱࣗ • 2013͔ΒຖࢀՃ • 2012·ֶͩੜόΠτͩͬͨ • 2017Ͱొஃ • ػցֶशϫʔΫϩʔυΛίϯςφͰ࣮ߦ͢Δ
• ࠓͰ6ճ • ϥεϕΨε7ճ
ΫοΫύουͱ re:Invent • 2012͔Βຖෳ໊ࢀՃ • ΠϯϑϥܥͰͳ͘αʔϏε։ൃऀͷࢀՃऀΛ૿͍ͯ͠Δ • ࠓࢀՃऀͷ8ׂҎ্
ηΩϡϦςΟܥηογϣϯ, ϫʔΫγϣοϓ • ຖ͕ͩେྔ • ΑΓߴͳτϐοΫʹߦ͘΄Ͳ “ίʔυΛॻ͍ͯࣗͨͪͰ࡞͍ͬͯ͘” ͷ͕ଟ͍ • AWS
ηΩϡϦςΟαʔϏεͷհ͚ͩͰͳ͘ AWS αʔϏεΛͬͯΑΓྑ͍ηΩϡϦςΟγ εςϜΛͭ͘Δ • ࣗͷҎ֎ͷϫʔΫγϣοϓͳͲʹग़͍ͯΔΤϯδχΞଟ͍ • ηΩϡϦςΟΤϯδχΞ͕ DynamoDB ઃܭͷϫʔΫγϣοϓʹग़͍ͯΔͳͲ • εϥΠυಈըެ։͞Ε͍ͯ·͢
Security Jam • AWS ্ͰηΩϡϦςΟରࡦΠϯγσϯτϨεϙϯεΛମݧͯ͠ ͍͘Πϕϯτ • ָͦ͠͏ͳͷʹຖճ GameDay ͱඃͬͯ͠·͍
ࢀՃͰ͖͍ͯͳ͍… (ಉ྅ᐌָ͔ͬͨ͘͠ͱͷ͜ͱ) • ຊͰΔ͔ GameDay ͱ࣌ؒΛͣΒ͍ͯͩ͘͠͞!!!
Expo • ηΩϡϦςΟͷϓϩόΠμʑ૿Ճ͍ͯ͠Δ • ࠓίϯςφηΩϡϦςΟ͕ଟ͔ͬͨҹ • SIEM, ΠϕϯτϚωδϝϯτͳͲ
ࠓͷൃද • ͍Ζ͍Ζ͋Γ·ͨ͠Ͷ • ML, IoT, Robot ͳͲ͋Γͭͭݎ࣮ͳྖҬʹେྔϦϦʔε
ൃද (ηΩϡϦςΟ) https://aws.amazon.com/jp/new/reinvent/
ηΩϡϦςΟͷൃදগͳ͘ͳ͍ʁʁʁ • ηΩϡϦςΟΛλʔήοτʹͨ͠ͷ͔֬ʹগͳ͍ • ͕ɺηΩϡϦςΟγεςϜͷߏஙͳͲʹ͑Δͷͨ͘͞Μ • “ηΩϡϦςΟ” λά͕͍ͭͨαʔϏε͚͕ͩ AWS ηΩϡϦςΟͰͳ͍
https://speakerdeck.com/mizutani/security-log-search
ηΩϡϦςΟγεςϜʹ͑Δ or ͑ͦ͏ͳ ϦϦʔεͱײΛհ (ݸਓͷݟղͰ͢)
CloudWatch Logs Insights • CW Logs ͷϩάʹର͠ߜΓࠐΈूܭɺੳ͕Մೳʹ • JSON ͳͲʹରԠͰ͖Δ
• ৽όοΫΤϯυʹΑΔരݕࡧ • େྔͷϩάσʔλʹରͯ͠ഒҎ্͍ (࣮ࡍʹͬͯ·͢) • γεςϜϩάΞΫηεϩάͳͲͷετϨʔδͱͯ͠༗ྗީิʹ • ͨͩ͠Ձ֨ཁ֬ೝ
S3 Object Lock • S3 Object ΛҰఆ or ແظݶͰ্ॻ͖/আͰ͖ͳ͘ͳΔػೳ •
࠷ڧͷϞʔυͰ root account Ͱ͢Βআෆೳʹ • MFA Delete ʹΘΔબࢶʹͳΔ • ֤छॏཁϩάͷอ࣋ʹར༻Մೳ • ޡരʹҙ
S3 Glacier ͷػೳڧԽ • ໊শมߋͱಉ࣌ʹ৭ʑग़ͨ • S3 Glacier ετϨʔδΫϥεͷૹ •
ΫϩεϦʔδϣϯϨϓϦέʔγϣϯͷ Glacier ରԠ • ෮ݩ௨ɺ෮ݩΞοϓ • S3 Glacier Deep Archive • ͔͞Έ͕ͪͳηΩϡϦςΟؔ࿈ϩάͷظόοΫΞοϓʹ͑Δ • ΫοΫύουͰ Lifecycle Ͱ Glacier ૹΓʹ͍ͯ͠·͢
S3 Intelligent Tiering • S3 Standard ͱ Standard-IA (ස) ΛࣗಈͰߦ͖དྷͰ͖Δ
• Athena ͳͲΛϩάݕࡧʹ͍ͬͯΔέʔεͰศར • ϑϧεΩϟϯ͢Δͱҙຯ͕ͳ͘ͳΔͷͰϢʔεέʔεઃܭ͕େࣄ
KMS Custom Key Store • KMS ͷΩʔετΞͱͯ͠ CloudHSM ͕͑ΔΑ͏ʹ •
ߟ͑ΒΕΔ༻్ • Ͳ͏ͯ͠ΩʔετΞΛ͢Δඞཁ͕͋Δ • KMS Λ௨ͯ͠Ͱͳ͘ CloudHSM ଆ͔Β伴ͷࠪΛ͍ͨ͠ • զʑʹར༻༻్͕ͳ͍Ͱ͢…
AWS Control Tower • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌লུ • େྔΞΧϯτΛཧ͢ΔڥԼͰ͔ͳΓศརͦ͏ • ΧδϡΞϧʹ AWS
ΞΧϯτΛ࡞Γ͘͢ͳΔ
AWS Security Hub • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌লུ • ͏গ͠۷ΓԼ͛ͯɺͲͷΑ͏ʹ׆༻͍͔ͨ͠Λ͠·͢
ηΩϡϦςΟγεςϜͷجຊํ • ༷ʑͳιϑτΣΞαʔϏεΛηϯαʔͱͯ͠͏ • ηϯαʔ͔ΒͷϩάΞϥʔτΛूͯ͠ཧ͢Δ • ͦΕͧΕͷཧίϯιʔϧʹϩάΠϯͯ͠…ͱ͍͏ͷ ΘΕͳ͍γεςϜΛੜΉ͚ͩͳͷͰΊΔ • ຊʹඞཁͳஅʹूதͰ͖ΔΈΛͭ͘Δ
(ࣗಈԽ)
ΞʔΩςΫνϟ֓ཁ ύʔτ͚ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3
S3 Athena ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ Ξϥʔτͷൃใ ϩάͷม EC2 Elasticsearch Service ߴͰΠϯλϥΫςΟϒͳ ظతϩάͷݕࡧ ظؒʹΘͨΔ ϩάͷݕࡧ GHE PagerDuty Slack Ξϥʔτͷൃใɾཧ Ξϥʔτͷௐࠪ EC2 instances ͦͷଞϓϩμΫτ Kinesis Stream Kinesis Stream ϩάऩूύʔτ ϩάॲཧύʔτ Ξϥʔτॲཧύʔτ CloudWatch Logs/ Event, GuardDuty, CloudTrail
֓ཁ • ༷ʑͳϑΥʔϚοτͷϩάΞϥʔτΛ S3 ʹऩू • AWS αʔϏεͱͯ͠ GuardDuty ͳͲΛར༻
• ऩूͨ͠ϩάɾΞϥʔτΛਖ਼نԽͯ͠ Graylog / S3 ʹೖ • Ωϟονͨ͠Ξϥʔτਖ਼نԽͯ͠ GitHub (Enterprise) ʹىථ • ՄೳͳݶΓͷॳظௐࠪΛࣗಈͰߦ͏ • PagerDuty, Slack ͷൃใߦ͏
͞Βʹվળ͍ͨ͠ϙΠϯτ • Ξϥʔτͷਖ਼نԽ͕ͪΐͬͱେม (ࣗͨͪͰ࡞Δ) • ΞϥʔτࣗମͷूܭɺՄࢹԽ • ࣗಈԽΛߋʹਐΊΔ • ௐࠪɺରԠ
• ظతͳੳ
Ξϥʔτਖ਼نԽ • ରԠ͍ͯ͠ΔαʔϏεͰ͋Εਖ਼نԽෆཁ • ଞγεςϜʹΞϥʔτΛॻ͖ࠐΈ͍ͨ߹ Security Hub ΛڬΉ͜ͱͰ ॲཧΛڞ௨ԽͰ͖Δ •
Ξϥʔτʹ͍ͭͯ “ͱΓ͋͑ͣ Security Hub ʹಥͬࠐΉ” ͜ͱ͕ Ͱ͖ΔΑ͏ʹͳΔ • ࠓޙ৽نʹηΩϡϦςΟαʔϏε͕ग़͖ͯͯૉૣ͘౷߹Ͱ͖Δ
Amazon Security Finding Format • ηΩϡϦςΟΞϥʔτʹٻΊΒΕͦ͏ͳ߲Ұ௨ΓΧόʔ • EC2 Πϯελϯε ͳͲ
AWS ݻ༗ͷϑΟʔϧυ༻ҙ • ࠓͷஈ֊Ͱ AWS ϦιʔεΛओʹఆ͍ͯ͠ΔΑ͏ʹݟ͑Δ • ͏ͪΐͬͱ৭ʑͳϦιʔεʹରͯ͑͠Δͱ͏Ε͍͠… • ৄࡉ Security Hub ͷυΩϡϝϯτΛࢀর
ूܭɺՄࢹԽ • Insights Ͱ͋ΔఔՄೳ • Findings ΛϑΟϧλͨ݁͠Ռ (Group by ͳͲՄೳ)
• άϥϑΧελϜͰ͖ͨΒخ͍͚͠Ͳɻɻ • ظతʹոͦ͠͏ͳϦιʔεΛݟ͚ͭΔͷʹ༗ޮ
ࣗಈԽ • CW Events ʹΠϕϯτΛૹ৴Ͱ͖Δ • Finding, Insights, Standards •
Lambda function Step Function ΛݺͿ͜ͱ͕Ͱ͖Δ • ϩάऩूͱඥ͚, Ϩϐϡςʔγϣϯௐࠪ, ݕମௐࠪ, ΠϯελϯεͷίϚϯυൃߦͳͲͳΜͰ͋Γ
ͦͷଞͷྑ͍ػೳ • ϚϧνΞΧϯτରԠ • Control Tower Ͱ৽ن࡞࣌ʹશηΩϡϦςΟαʔϏε༗ޮԽ + Security Hub
ͷૹ৴͕Ͱ͖ΔΑ͏ʹͳΔͱ͏Ε͍͠ • ηΩϡϦςΟඪ४ͷνΣοΫ • ࣮ମ Config Rules ͷू߹ମ (ݱࡏ CIS AWS foundation benchmark ͷΈ) • ͜ΕΧελϜ͕࡞ΕΔͱྑ͍
ͦͷଞ͜͏ͳͬͯ͘ΕΔͱخ͍͠ • Findings ͦͷͷͷΞοϓσʔτ (ଐੑͷՃͳͲ) • ࣗಈԽʹΑΔௐࠪ݁ՌͳͲΛՃ͓͖͍ͯͨ͠ (ݱঢ়ςΩετͷΈ) • Πϕϯτཧπʔϧͱͷ࿈ܞ
• ͋Δ͍ Security Hub ͕ࣗཧπʔϧʹͳΔ • ୲ऀɺௐࠪঢ়گɺݟղɺetc • AWS WAF ࿈ܞ • Ξϥʔτ͕͔ͳΓଟ͘ͳΔͣͳͷͰɺͦͷ··දࣔͯ͠΄͘͠ͳ͍͕…
·ͱΊ
ࠓճͷൃදʹ͍ͭͯ • ͙͢ʹ͑Δͷଟ͘ྑ͔ͬͨͱࢥ͏ • ηΩϡϦςΟʹϑΥʔΧεͨ͠ͷଟ͘ͳ͍͕ɺ ηΩϡϦςΟʹ׆͔͢͜ͱ͕Ͱ͖ΔαʔϏεػೳ͕ग़͍ͯΔ • Control Tower, Security
Hub ੵۃతʹར༻͍ͨ͠
͜Ε͔Βͷ AWS ηΩϡϦςΟ • (طʹͦ͏ͳ͍ͬͯΔ͕) ಛఆͷαʔϏειϑτΣΞΛ ͏͚ͩͰͳ͘ɺ͍ࢹͰηΩϡϦςΟγεςϜΛઃܭ࣮ͯ͢͠Δ • AWS ͕ఏڙ͍ͯ͠ΔύʔπʹΑͬͯ࡞Γ͍͢ڥ͋Δ
• ͦ͏͍ͬͨͷ͕ఏڙ͞Ε͍ͯΔͱࢥ͏͠ɺ͍ͯͬͯ͠΄͍͠
PR
࣍ੈͷηΩϡϦςΟڥΛҰॹʹͭ͘Δ ΤϯδχΞΛืू͍ͯ͠·͢ https://cookpad.jobs/
Fin.