re:Invent and AWS Security Hub from a security engineer's point of view
Hokuto Hoshi, Head of Infrastructure, Cookpad Inc.
Hokuto Hoshi (ほし ほくと) / @kani_b
• Cookpad Inc., Infrastructure Department and Corporate Engineering Department; also assists the Audit Committee
• SRE, security engineer
• AWS Certified Solutions Architect and DevOps Engineer (Professional)
• About 8 years of AWS experience
https://kanny.me/
Infrastructure Department
• Builds the infrastructure used by every service
• SRE (Site Reliability Engineering) group
• Data platform group
• Security group
Security group
• 3 members
• Responsible for every aspect of information security at the company (services, internal systems, and so on) and its day-to-day operation
• Handles everything from system design and build-out to actual operation
Full-AWS since 2011
~1,400 EC2 instances
200+ ECS services
Across 3 regions
15,000+ requests/sec
re:Invent and me
• Attended every year since 2013
• In 2012 I was still a part-time student worker
• Spoke in 2017: running machine-learning workloads in containers
• 6th time this year; 7th visit to Las Vegas
Cookpad and re:Invent
• Several people have attended every year since 2012
• We are growing the share of attendees who are service developers rather than infrastructure people
• This year they were more than 80% of our attendees
Security sessions and workshops
• A huge number every year
• The more advanced the topic, the more it becomes "write the code and build it yourselves"
• Not just introductions to AWS security services: building better security systems out of AWS services in general
• Many engineers attend workshops outside their own specialty, e.g. a security engineer in a DynamoDB design workshop
• Slides and videos are published
Security Jam
• A hands-on event for practising security controls and incident response on AWS
• Looks fun, but it always clashes with GameDay, so I have never managed to join... (colleagues say it was great)
• Please run it in Japan, or move it so it does not overlap GameDay!!!
Expo
• Security vendors increase year by year
• This year container security stood out
• SIEM, event management and the like
This year's announcements
• A lot happened
• ML, IoT, robots and so on, but also a large number of releases in the bread-and-butter areas
Announcements (security)
https://aws.amazon.com/jp/new/reinvent/
Not many security announcements???
• True, few of them target security directly
• But plenty of them are useful for building security systems
• Services carrying the "security" tag are not the whole of AWS security
https://speakerdeck.com/mizutani/security-log-search
Releases that are (or could be) useful for security systems, with my impressions (personal opinion)
CloudWatch Logs Insights
• Filter, aggregate and analyse logs held in CloudWatch Logs
• Handles JSON and similar formats
• Very fast search thanks to a new backend: many times faster on large log volumes (we actually use it)
• A strong candidate for storing system logs, access logs and the like
• Check the pricing, though
S3 Object Lock
• Makes S3 objects impossible to overwrite or delete, for a fixed period or indefinitely
• In the strongest mode, not even the root account can delete them
• An alternative to MFA Delete
• Useful for retaining important logs of all kinds
• Beware of locking the wrong objects by mistake
S3 Glacier enhancements
• Several things landed alongside the rename
• Objects can be sent directly to the S3 Glacier storage class
• Cross-region replication now supports Glacier
• Restore notifications and restore speed upgrades
• S3 Glacier Deep Archive
• A good fit for long-term backup of security-related logs, which tend to pile up
• At Cookpad we already move logs to Glacier with lifecycle rules
S3 Intelligent-Tiering
• Moves objects automatically between S3 Standard and Standard-IA (infrequent access)
• Handy when you search logs with Athena or similar tools
• A full scan defeats the purpose, so the use case has to be designed carefully
KMS Custom Key Store
• CloudHSM can now be used as the key store behind KMS
• Possible uses: you absolutely need your own key store; you want to audit keys from the CloudHSM side rather than through KMS
• We have no use for it ourselves...
AWS Control Tower
• Basics skipped, since the previous talk covered them
• Looks very handy when managing a large number of accounts
• Makes it easy to create AWS accounts casually
AWS Security Hub
• Basics skipped, since the previous talk covered them
• Digging a little deeper: how we want to put it to use
Basic approach to our security system
• Use a variety of software and services as sensors
• Collect and manage the logs and alerts coming from those sensors
• Logging into each product's own console just produces a system nobody uses, so we avoid it
• Build a mechanism that lets us concentrate on the decisions that really need a human (automation)
Architecture overview (diagram, three parts):
• Log collection: EC2 instances and other products feed Kinesis Streams; CloudWatch Logs/Events, GuardDuty and CloudTrail are also sources
• Log processing: Lambda detects log-file placement events and transforms logs; S3 with Athena for searching over long periods; EC2 and Elasticsearch Service for fast, interactive short-term search
• Alert processing: rule-based alert detection in Lambda; alerts are dispatched to GHE, PagerDuty and Slack for reporting, management and investigation
Overview
• Collect logs and alerts in many different formats into S3
• On the AWS side, use services such as GuardDuty
• Normalise the collected logs and alerts and load them into Graylog / S3
• Normalise the alerts we catch as well and open issues in GitHub (Enterprise)
• Run as much of the initial investigation as possible automatically
• Also page through PagerDuty and post to Slack
Points we still want to improve
• Alert normalisation is a bit of a chore (we build it ourselves)
• Aggregating and visualising the alerts themselves
• Pushing automation further: investigation and response; long-term analysis
Alert normalisation
• For services Security Hub already supports, no normalisation is needed
• Even when alerts have to be written to some other system, putting Security Hub in between lets the processing be shared
• Lets us "just throw it into Security Hub" for any alert
• New security services can be integrated quickly as they appear
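As an added example (not code from this talk or from Cookpad's pipeline), this is what the "just throw it into Security Hub" step can look like: a home-grown alert is normalised into Amazon Security Finding Format and sent with BatchImportFindings. The alert shape, account id and region are constructed placeholders.

```python
"""Normalise an in-house alert into ASFF and push it to Security Hub."""
from datetime import datetime, timezone
import hashlib

ACCOUNT_ID = "123456789012"  # placeholder account id (assumption)
REGION = "ap-northeast-1"    # placeholder region (assumption)

# Constructed sample alert as a log-processing rule might emit it
SAMPLE_ALERT = {
    "rule": "ssh-bruteforce",
    "severity": "high",
    "instance_id": "i-0123456789abcdef0",
    "detail": "200 failed SSH logins from one source within 5 minutes",
    "seen_at": "2018-12-05T10:15:00Z",
}

# Map the pipeline's severity words onto ASFF's 0-100 normalized scale
SEVERITY = {"low": 20, "medium": 50, "high": 80, "critical": 95}


def to_asff(alert, account_id=ACCOUNT_ID, region=REGION):
    """Return an ASFF finding. The Id is deterministic, so re-importing the
    same alert updates the existing finding instead of creating a duplicate."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    key = f"{alert['rule']}|{alert['instance_id']}|{alert['seen_at']}"
    fid = hashlib.sha256(key.encode()).hexdigest()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"custom/{alert['rule']}/{fid}",
        # Custom findings use the account's own "default" product ARN
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": f"log-pipeline/{alert['rule']}",
        "AwsAccountId": account_id,
        "Types": ["TTPs/Initial Access/BruteForce"],
        "CreatedAt": alert["seen_at"],
        "UpdatedAt": now,
        "Severity": {"Normalized": SEVERITY[alert["severity"]]},
        "Title": f"{alert['rule']} on {alert['instance_id']}",
        "Description": alert["detail"],
        "Resources": [{"Type": "AwsEc2Instance", "Partition": "aws", "Region": region,
                       "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{alert['instance_id']}"}],
    }


def import_findings(findings, client):
    """Send findings in batches of 100 (the API limit); return how many failed."""
    failed = 0
    for i in range(0, len(findings), 100):
        resp = client.batch_import_findings(Findings=findings[i:i + 100])
        failed += resp.get("FailedCount", 0)
    return failed


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS
    print(import_findings([to_asff(SAMPLE_ALERT)], boto3.client("securityhub", region_name=REGION)))
```

Because `import_findings` takes the client as a parameter, the same code can be exercised offline with a stub client before it is wired into a Lambda behind Kinesis.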
Amazon Security Finding Format
• Covers the fields you would expect of a security alert
• Provides AWS-specific fields, e.g. for EC2 instances
• At this stage it appears to assume mostly AWS resources; it would be nice if it handled a wider variety of resources...
• See the Security Hub documentation for details
Aggregation and visualisation
• Insights cover this to some extent: filtered Findings (Group by and similar are possible)
• Custom graphs would be welcome...
• Effective for spotting suspicious-looking resources over the long term
Automation
• Events can be sent to CloudWatch Events: Findings, Insights, Standards
• These can invoke Lambda functions or Step Functions
• Anything goes: linking to the collected logs, reputation lookups, analysing samples, issuing commands to instances, and so on
Other nice features
• Multi-account support: it would be great if Control Tower enabled every security service and forwarding to Security Hub when a new account is created
• Security standards checks: effectively a bundle of Config Rules (currently only the CIS AWS Foundations Benchmark); custom standards would be welcome
Other things we would like to see
• Updating Findings themselves (adding attributes, etc.): we want to attach the results of automated investigation (currently text only)
• Integration with event management tools, or Security Hub becoming the management tool itself: assignee, investigation status, notes, etc.
• AWS WAF integration: the alert volume would be very high, so we would rather it not show them as-is...
Summary
On this year's announcements
• Many are usable right away, which was good
• Few focus on security, but services and features that can be applied to security keep appearing
• We want to make active use of Control Tower and Security Hub
AWS security going forward
• (Already the case, but) rather than just using specific services or software, design and implement security systems from a broad perspective
• The building blocks AWS provides make that easy to do
• I think that is what is being offered, and I hope it continues
PR
We are hiring engineers to build the next generation of security environments with us
https://cookpad.jobs/
Fin.