Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...
Search
Hokuto Hoshi
September 25, 2019
Technology
7
2.7k
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
Hokuto Hoshi
September 25, 2019
Tweet
Share
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
kanny
3
3.1k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
kanny
4
2.1k
Connecting organisation with Technology
kanny
0
280
Why Slack - 5 years of Cookpad with Slack
kanny
0
120
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.2k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
5k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.5k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1k
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
Other Decks in Technology
See All in Technology
比起獨自升級 我更喜歡 DevOps 文化 <3
line_developers_tw
PRO
0
220
キャディでのApache Iceberg, Trino採用事例 -Apache Iceberg and Trino Usecase in CADDi--
caddi_eng
0
150
IIWレポートからみるID業界で話題のMCP
fujie
0
380
工具人的一生: 開發很多 AI 工具讓我 慵懶過一生
line_developers_tw
PRO
0
210
Amazon Q Developer for GitHubとAmplify Hosting でサクッとデジタル名刺を作ってみた
kmiya84377
0
3.5k
OpenTelemetry Collector internals
ymotongpoo
5
550
CIでのgolangci-lintの実行を約90%削減した話
kazukihayase
0
290
AWS全冠したので振りかえってみる
tajimon
0
140
DroidKnights 2025 - Jetpack XR 살펴보기: XR 개발은 어떻게 이루어지는가?
heesung6701
1
120
Create a Rails8 responsive app with Gemini and RubyLLM
palladius
0
120
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
12k
AI技術トレンド勉強会 #1MCPの基礎と実務での応用
nisei_k
1
210
Featured
See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.5k
Building a Modern Day E-commerce SEO Strategy
aleyda
41
7.3k
Embracing the Ebb and Flow
colly
86
4.7k
A Tale of Four Properties
chriscoyier
159
23k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
Unsuck your backbone
ammeep
671
58k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
The Language of Interfaces
destraynor
158
25k
Music & Morning Musume
bryan
46
6.6k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
780
Transcript
Security by builders ηΩϡϦςΟࢹΛΫϥυͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad
Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of
Technology ࠪҕһձ ࠪิॿऀ • શࣾԣஅͰͷใηΩϡϦςΟϦʔυ͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013৽ଔೖࣾ, AWS ར༻ྺ9͘Β͍
None
None
None
None
None
None
None
None
None
None
None
None
None
None
ΫοΫύουͱ AWS • 2011ʹશҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS
αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ͚αʔϏε͜͜Ͱಈ͍͍ͯΔ
ΫοΫύουͱΫϥυ • ࣾγεςϜ΄΅શ͕ͯ AWS ্·ͨ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ •
ΦϑΟεʹ͋ΔͷωοτϫʔΫػثͷΈ
ΫοΫύουʹ͓͚Δ ใηΩϡϦςΟͷҙຯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢
ʮຖͷྉཧʯͱใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄਓؒͷੜ׆ͱີʹඥͮ͘ • μΠΤοτಛఆͷපؾͳͲϓϥΠόγʹؔΘΔใ • ΑΓۙʹ͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ ৴པΛಘͯใΛ༬͔ΓɺΛՌͨ͢͜ͱ͕ॏཁ
कΔ͖ΤϦΞ • શࣾࢹʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ͚αʔϏε • ࣾγεςϜ • ใͷऔΓѻ͍ํͳͲϧʔϧӡ༻ •
͋ΒΏΔηΩϡϦςΟ՝ʹνʔϜͱͯ͠ରԠ
࣮ࡍͷରࡦӡ༻
جຊతͳߟ͑ํ • ϧʔϧΦϖϨʔγϣϯͰͳٕ͘ज़ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒඞͣϛεΛ͢Δ • ΫϥυͱͷڥքΛೝࣝɺͤΔͱ͜ΖͤΔ •
ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛࢦ͢
ޚ100%Ͱͳ͍ཧ༝ • ʮશͳޚʯଘࡏ͠ͳ͍ • શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖͍͢ • ޚਫ਼Λ1%্͛Δίετ > ݕਫ਼Λ্͛Δίετ •
૯߹֨ಆٕͱͯ͠औΓΉ
ηΩϡϦςΟγεςϜͷઃܭํ • ޚ͢ΔͨΊͷΈϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺࢹɾੳ͢Δ ޚ ݕ ରԠ
ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS
WAF, etc • ηΩϡϦςΟ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc
໘͢Δ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • τϥϑΟοΫऔΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ݁ • ࢢൢͷ SIEM
SaaS ͷඅ༻ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷຊస • ੳ࣌ʹ͡ΊͯϑΟϧλ͞ΕΔ͖
OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ
• Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻
Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service
Graylog Instance Security Engineer ੳ Application Load Balancer
ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑඇৗʹߴ͘ͳΔ • શͯͷϩά Amazon S3 ʹҰอଘ͔ͯ͠Βॲཧ
• ߴՄ༻Ͱεέʔϧ͢ΔࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ֨ೲ
ϩάอ࣋ظؒͷ • ΦϯϥΠϯετϨʔδϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁͳ͍ • Ұఆظؒܦͬͨϩά Graylog
͔Βআͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ Amazon Athena ͔ΒΫΤϦՄೳ • ίετ͔ͭेߴʹݕࡧɾੳͰ͖Δ
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function ηϯαʔ ू ੵɾอ࣋ ࢹɾੳ
ϩάͷੳɾݕ • ݕγεςϜΛ AWS Lambda Λ࣮ͬͯ • ࣗಈԽ, লྗԽͷ࣮ݱ •
ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ
https://speakerdeck.com/mizutani/techconf2019-mizutani
ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ݁ • ΑΓ҆ՁͳετϨʔδΛ͑ΔΞʔΩςΫνϟͷ࠾༻ •
ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻লྗԽ
ݱࡏͷঢ়گ • ࣾ֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺੳ • Ұ͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩάཧͱൺֱͯ͠ 1/4
ҎԼͷίετ • 2໊Ͱӡ༻
Security by builders: ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ
ʮηΩϡϦςΟରࡦʯͨΓલʹͳͬͨ • ߈ܸΑΓ༰қʹɺΑΓৗతʹ • ͲΜͳαΠζͷ৫ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷαʔϏε૿Ճ͠ଓ͚͍ͯΔ
ʮങͬͯઃஔʯ͚ͩͰෆे • ରʹ߹Θͤͨߴͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮ࣄऀʹ͔͠Ͱ͖ͳ͍
• ըҰతͳޚ͚ͩͰͳ͘γεςϜڥʹ߹ΘͤͨݕɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷੳ, ࣾγεςϜͱͷ࿈ܞ
σʔλऩूͱݕ • ࿈ܞͷ伴σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ͚ͩͰͳ͍σʔλͷऩूͱੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓखۚમίετ͔͔Δ
• τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ͍͘͢εέʔϧ͢ΔΈͮ͘Γ͕ෆՄܽ
ΫϥυͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓΉ͖ՕॴʹऔΓΉ • AWS ΛͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫
(S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕͷ࣮ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)
Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰΓͳ͍ • ʮશͳޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳϏδωεͦͷͷͱিಥ͢Δ • ʮޚʯ͚ͩͰकΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • ϏδωεͷΛอͪͳ͕ΒʮकΔʯʹͲ͏͢Εྑ͍ʁ
• ʮͭ͘ΔਓʯΛ્͠ͳ͍Έʹ͢Δඞཁ͕͋Δ
ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫ͦͷΈͷҰͭ
ΨʔυϨʔϧͷྫ • ϝΠϯڥͱಉͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β ࣗ༝ʹ͑Δ AWS ΞΧϯτΛ։์ • ։ൃऀ͚ΞΧϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧϯτ) •
ةݥͳ API ΛࢭΊΔ, ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨ (Config) • νʔϜ͝ͱͷΞΧϯτ (ಛʹࣗ༝ͳڥ͕ඞཁͳ߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ࢹϩάج൫ʹूͯ͠ߦ͏
ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜऔΓΈ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ৫ϓϩηεʹ ηΩϡϦςΟΛΈࠐΉ •
ʮͭ͘ΔʯͨΊͷෑډԼ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͑͠ΔαʔϏεʑ૿͍͑ͯΔ
https://unsplash.com/photos/1eFgYRwYctg
ϏδωεΛՃͰ͖ΔηΩϡϦςΟ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શྗΛग़ͤΔڥͮ͘Γ
Security for builders, by builders
We’re hiring • ʮຖͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/
Fin.