セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub

Hokuto Hoshi
December 20, 2018


Transcript

  1. A Security Engineer's View of re:Invent and AWS Security Hub / Hokuto Hoshi, Head of Infrastructure, Cookpad Inc. hokuto@cookpad.com
  2. Hokuto Hoshi (星 北斗) / @kani_b • Cookpad Inc., Head of the Infrastructure Department, also Corporate Engineering Department and audit assistant to the Audit Committee • SRE, security engineer • AWS Certified SA and DevOps Engineer (Professional) • About 8 years of AWS use
  3. https://kanny.me/

  4. Infrastructure Department • Builds the infrastructure environment used by every service • SRE (Site Reliability Engineering) group • Data platform group • Security group
  5. Security group • 3 people • Handles every kind of information security measure, and its operation, across the company, from services to internal systems • Does system design and construction through to day-to-day operation

  6. Full-AWS since 2011 • ~1,400 EC2 instances • 200+ ECS Services • Over 3 regions • 15,000+ requests/sec
  7. re:Invent and me • Attended every year since 2013 • In 2012 I was still a student part-timer • Spoke in 2017 about running machine learning workloads in containers • This year is my 6th time • 7th time in Las Vegas
  8. Cookpad and re:Invent • Several people have attended every year since 2012 • We are increasing the number of attendees who are service developers rather than infrastructure people • This year they were more than 80% of our attendees

  9. Security sessions and workshops • As every year, there are a huge number • The more advanced the topic, the more it becomes "write the code and build it yourselves" • Not just introductions to AWS security services, but building better security systems out of AWS services • Many engineers attend workshops outside their own field • e.g. a security engineer attending a DynamoDB design workshop • Slides and videos are public
  10. Security Jam • An event where you try out security measures and incident response on AWS • It looks fun, but every time it clashes with GameDay so I have not been able to attend… (colleagues say it was fun) • Please run it in Japan, or move it so it does not overlap GameDay!!!
  11. Expo • Security product vendors increase every year • My impression is that container security was big this year • Also SIEM, event management and so on

  12. This year's announcements • There were all sorts • ML, IoT and robots were there, but also a great many releases in the solid, conventional areas

  13. Announcements (security) https://aws.amazon.com/jp/new/reinvent/

  14. Weren't there few security announcements??? • There were indeed few that directly targeted security • But there were plenty that can be used to build security systems • AWS security is not only the services tagged "security"

  15. https://speakerdeck.com/mizutani/security-log-search

  16. Releases that can be, or look like they can be, used in security systems, with my impressions (personal views)

  17. CloudWatch Logs Insights • Filtering, aggregation and analysis over CW Logs log data • Handles JSON and similar formats • Very fast search thanks to a new backend • Several times faster even on large volumes of log data (we actually use it) • A strong candidate as storage for system logs, access logs and the like • But check the pricing
  18. S3 Object Lock • A feature that makes S3 objects impossible to overwrite or delete for a fixed period or indefinitely • In the strictest mode even the root account cannot delete them • Becomes an alternative to MFA Delete • Usable for retaining all kinds of important logs • Beware of locking things by mistake
  19. S3 Glacier enhancements • Several things came out along with the rename • Direct upload to the S3 Glacier storage class • Glacier support for cross-region replication • Restore notifications and faster restores • S3 Glacier Deep Archive • Useful for long-term backup of security-related logs, which tend to pile up • Cookpad also ships logs to Glacier with Lifecycle rules
  20. S3 Intelligent Tiering • Automatically moves objects between S3 Standard and Standard-IA (infrequent access) • Convenient when you use Athena or similar for log search • A full scan defeats the purpose, so the use case and the design matter
  21. KMS Custom Key Store • CloudHSM can now be used as the key store for KMS • Conceivable uses • You absolutely have to isolate the key store • You want to audit keys directly on the CloudHSM side rather than through KMS • We have no use for it ourselves…
  22. AWS Control Tower • Explained in the previous talk, so the basics are skipped • Looks very convenient in environments that manage large numbers of accounts • Makes it easier to create AWS accounts casually
  23. AWS Security Hub • Explained in the previous talk, so the basics are skipped • I will dig a little deeper and talk about how we want to use it

  24. Basic policy of our security system • Use various software and services as sensors • Aggregate the logs and alerts from the sensors and manage them centrally • Logging in to each product's management console only produces a system nobody uses, so we do not do that • Build a mechanism that lets people concentrate on the decisions that really need a human (automation)
  25. Architecture overview (diagram; only the labels are recoverable). Log collection part: EC2 instances, other products, CloudWatch Logs/Events, GuardDuty and CloudTrail; Kinesis Streams; Lambda detecting log-file placement events; S3. Log processing part: Lambda converting logs; EC2 / Elasticsearch Service for fast, interactive search of recent logs; S3 / Athena for search over long periods. Alert processing part: Lambda detecting alerts with rules and raising them; GHE, PagerDuty and Slack for raising, managing and investigating alerts.
  26. Overview • Collect logs and alerts in various formats into S3 • Among AWS services we use GuardDuty and others • Normalize the collected logs and alerts and load them into Graylog / S3 • Alerts that are caught are normalized and filed as issues in GitHub (Enterprise) • As much initial investigation as possible is done automatically • PagerDuty and Slack are notified as well
  27. Points we want to improve further • Normalizing alerts is a bit of a chore (we build it ourselves) • Aggregation and visualization of the alerts themselves • Push automation further • Investigation and response • Long-term analysis
  28. Alert normalization • No normalization needed for services that are already supported • Even when you want to write alerts into another system, putting Security Hub in between lets you share the processing • For alerts, it becomes possible to "just throw them into Security Hub" • When new security services appear in the future they can be integrated quickly
  29. Amazon Security Finding Format • Covers the full set of fields you would expect a security alert to need • AWS-specific fields such as EC2 instances are provided • At this stage it appears to assume mainly resources inside AWS • It would be nice if it could be used for a wider range of resources… • See the Security Hub documentation for details
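An added example, not code from the talk or from Cookpad: normalizing an alert from a hypothetical non-AWS sensor into an ASFF finding that carries the required fields, ready for BatchImportFindings. The sensor alert, account id, region and the Types string are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed alert from an imagined host IDS; instance id and timestamp are made up.
SENSOR_ALERT = {
    "rule": "ssh-bruteforce",
    "message": "SSH brute force attempt",
    "severity": "high",
    "instance_id": "i-0123456789abcdef0",
    "seen_at": "2018-12-01T10:00:00Z",
}

# Product severities mapped onto the ASFF 0-100 normalized scale (our own choice).
SEVERITY_MAP = {"low": 25, "medium": 50, "high": 75, "critical": 95}

def to_asff(alert, account_id, region):
    """Normalize a sensor alert into an ASFF finding (schema version 2018-10-08)."""
    # Custom integrations import under the account's own "default" product ARN.
    product_arn = f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    # Deterministic Id: re-sending the same alert updates the finding, not duplicates it.
    raw_id = f"{alert['rule']}|{alert['instance_id']}|{alert['seen_at']}"
    finding_id = hashlib.sha256(raw_id.encode()).hexdigest()
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": product_arn,
        "GeneratorId": f"host-ids/{alert['rule']}",
        "AwsAccountId": account_id,
        "Types": ["TTPs/Initial Access/Brute Force"],  # assumed namespace/category/classifier
        "CreatedAt": alert["seen_at"],
        "UpdatedAt": now,
        "Severity": {"Normalized": SEVERITY_MAP.get(alert["severity"], 0)},
        "Title": alert["message"],
        "Description": f"{alert['message']} on {alert['instance_id']}",
        "Resources": [{
            "Type": "AwsEc2Instance",  # one of the AWS-specific resource types ASFF provides
            "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{alert['instance_id']}",
            "Region": region,
        }],
    }

REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
            "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")

def missing_fields(finding):
    """Required ASFF keys that are absent, so a bad finding fails before import."""
    return [k for k in REQUIRED if k not in finding]

def import_findings(findings, region):
    """Send findings to Security Hub with BatchImportFindings (max 100 per call)."""
    import boto3  # imported here so the normalizer runs without the AWS SDK installed
    client = boto3.client("securityhub", region_name=region)
    return client.batch_import_findings(Findings=findings[:100])
```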
  30. Aggregation and visualization • Possible to some extent with Insights • The result of filtering Findings (Group by is also possible) • It would be nice to be able to customize the graphs too… • Also effective for spotting resources that look suspicious over the long term
  31. Automation • Events can be sent to CW Events • Finding, Insights, Standards • A Lambda function or Step Function can be invoked • Anything goes: correlating with collected logs, reputation checks, sample analysis, issuing commands to instances and so on
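An added example of the automation path above, not code from the talk or from Cookpad: a Lambda-style handler for the CW Events rule on imported findings that files a ticket, decides whether to page, and correlates each finding with collected logs. The threshold, the log store and the sample event are constructed assumptions.

```python
# Event pattern for the CW Events rule that forwards imported findings to the Lambda;
# the source and detail-type are the values Security Hub emits.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Constructed lines standing in for the collected log store (TEST-NET addresses).
LOG_LINES = [
    "2018-12-01T10:00:01Z i-0bbb sshd: Failed password for root from 203.0.113.5",
    "2018-12-01T10:00:02Z i-0bbb sshd: Failed password for root from 203.0.113.5",
    "2018-12-01T10:00:03Z i-0aaa nginx: GET /healthz 200",
]

# Constructed sample event in the CW Events shape: the findings sit under "detail".
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "f-1", "Title": "port probe", "Severity": {"Normalized": 30},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-0aaa"}]},
        {"Id": "f-2", "Title": "ssh brute force", "Severity": {"Normalized": 80},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-0bbb"}]},
    ]},
}

def related_logs(instance_ids, log_lines=LOG_LINES):
    """Correlate a finding with collected logs: lines that mention one of its instances."""
    return [ln for ln in log_lines if any(f" {i} " in ln for i in instance_ids)]

def triage(finding, page_threshold=70):
    """Initial automated investigation for one finding: ticket, page decision, log lookup."""
    sev = finding.get("Severity", {}).get("Normalized", 0)
    instance_ids = [r["Id"].rsplit("/", 1)[-1] for r in finding.get("Resources", [])
                    if r.get("Type") == "AwsEc2Instance"]
    return {
        "id": finding["Id"],
        "ticket": True,                 # every alert is filed as an issue
        "page": sev >= page_threshold,  # only high severity wakes someone up (assumed cut-off)
        "instances": instance_ids,
        "related_logs": related_logs(instance_ids),
    }

def handler(event, context=None):
    """Lambda entry point: one triage record per finding in the event."""
    return [triage(f) for f in event.get("detail", {}).get("findings", [])]
```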
  32. Other nice features • Multi-account support • It would be nice if Control Tower could enable every security service and send to Security Hub when a new account is created • Security standard checks • In reality a bundle of Config Rules (currently only the CIS AWS Foundations Benchmark) • It would be good to be able to create custom ones here too
  33. Other things I would be happy to see • Updating Findings themselves (adding attributes, etc.) • We want to attach the results of automated investigation and so on (currently text only) • Integration with event management tools • Or Security Hub itself becoming the management tool • Assignee, investigation status, assessment, etc. • AWS WAF integration • There should be a very large number of alerts, so I would not want them shown as-is, but…
  34. Summary

  35. On this year's announcements • I think it was good, with many things usable right away • Not many were directly focused on security, but services and features that can be put to use for security are appearing • We want to make active use of Control Tower and Security Hub too
  36. AWS security from here on • (It is already this way, but) rather than just using specific services or software, design and implement a security system from a broad perspective • The parts AWS provides make an environment that is easy to build in • I think such parts are being provided, and I hope that continues
  37. PR

  38. We are hiring engineers to build the next-generation security environment with us https://cookpad.jobs/

  39. Fin.