Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...

Avatar for Hokuto Hoshi Hokuto Hoshi
September 25, 2019
Technology
7
2.7k

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Avatar for Hokuto Hoshi

Hokuto Hoshi

September 25, 2019
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
Avatar for Hokuto Hoshi kanny
4
3.7k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
Avatar for Hokuto Hoshi kanny
4
2.2k
Connecting organisation with Technology
Avatar for Hokuto Hoshi kanny
0
300
Why Slack - 5 years of Cookpad with Slack
Avatar for Hokuto Hoshi kanny
0
130
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
Avatar for Hokuto Hoshi kanny
2
4.3k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
Avatar for Hokuto Hoshi kanny
1
5k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
Avatar for Hokuto Hoshi kanny
2
2.5k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
Avatar for Hokuto Hoshi kanny
1
1k
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
Avatar for Hokuto Hoshi kanny
23
15k

Other Decks in Technology

See All in Technology
Vision Language Modelと自動運転AIの最前線_20250730
Avatar for Yu Yamaguchi yuyamaguchi
3
1.2k
S3 Glacier のデータを Athena からクエリしようとしたらどうなるのか/try-to-query-s3-glacier-from-athena
Avatar for emi emiki
0
200
【CEDEC2025】『ウマ娘 プリティーダービー』における映像制作のさらなる高品質化へ!~ 豊富な素材出力と制作フローの改善を実現するツールについて~
Avatar for Cygames cygames
PRO
0
240
Kiroから考える AIコーディングツールの潮流
Avatar for Oikon oikon48
4
680
僕たちが「開発しやすさ」を求め 模索し続けたアーキテクチャ #アーキテクチャ勉強会_findy
Avatar for 弁護士ドットコム bengo4com
0
2.1k
Amazon Qで2Dゲームを作成してみた
Avatar for Siromi siromi
0
120
SRE新規立ち上げ! Hubbleインフラのこれまでと展望
Avatar for Katsuya Fujii katsuya0515
0
170
製造業の課題解決に向けた機械学習の活用と、製造業特化LLM開発への挑戦
Avatar for knt44kw knt44kw
0
160
ロールが細分化された組織でSREと協働するインフラエンジニアは何をするか? / SRE Lounge #18
Avatar for Hajime KOSHIRO kossykinto
0
200
ビジネス文書に特化した基盤モデル開発 / SaaSxML_Session_2
Avatar for Sansan R&D sansan_randd
0
270
o11yツールを乗り換えた話
Avatar for tak0x00 tak0x00
2
510
Claude Codeは仕様駆動の夢を見ない
Avatar for Gota gotalab555
23
5.6k

Featured

See All Featured
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
36
6.8k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
328
39k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.4k
Code Review Best Practice
Avatar for Trisha Gee trishagee
69
19k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.7k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
271
21k

Transcript

  1. Security by builders ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad

    Inc. hokuto@cookpad.com

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of

    Technology
 ؂ࠪҕһձ ؂ࠪิॿऀ • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. ΫοΫύουͱ AWS • 2011೥ʹ׬શҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS

    αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

  18. ΫοΫύουͱΫϥ΢υ • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒ •

    ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

  19. ΫοΫύουʹ͓͚Δ ৘ใηΩϡϦςΟͷҙຯ

  20. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

  21. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢

  22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘ • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋ • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ
 ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

  23. कΔ΂͖ΤϦΞ • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ޲͚αʔϏε • ࣾ಺γεςϜ • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻ •

    ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

  24. ࣮ࡍͷରࡦ΍ӡ༻

  25. جຊతͳߟ͑ํ • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒ͸ඞͣϛεΛ͢Δ • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ •

    ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

  26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝ • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍ • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢ • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ •

    ૯߹֨ಆٕͱͯ͠औΓ૊Ή

  27. ηΩϡϦςΟγεςϜͷઃܭํ਑ • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ ๷ޚ ݕ஌ ରԠ

  28. ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS

    WAF, etc • ηΩϡϦςΟ੡඼ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

  29. ௚໘͢Δ໰୊ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ௚݁ • ࢢൢͷ SIEM

    ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗ • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

  30. OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ

    • Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻

  31. Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service

    Graylog
 Instance Security Engineer ෼ੳ Application
 Load Balancer

  32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ

    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

  33. ϩάอ࣋ظؒͷ໰୊ • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍ • Ұఆظؒܦͬͨϩά͸ Graylog

    ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

  34. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function

  35. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

  36. ϩάͷ෼ੳɾݕ஌ • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷ • ࣗಈԽ, লྗԽͷ࣮ݱ •

    ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

  37. https://speakerdeck.com/mizutani/techconf2019-mizutani

  38. ໰୊ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ௚݁ • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻ •

    ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

  39. ݱࡏͷঢ়گ • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4

    ҎԼͷίετ • 2໊Ͱӡ༻

  40. Security by builders:
 ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

  41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

  42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼ • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍

    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

  43. σʔλऩूͱݕ஌ • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ

    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

  44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫

    (S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

  45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍ • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ

    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

  46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

  47. ΨʔυϨʔϧͷྫ • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β
 ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์ • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ) •

    ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config) • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

  48. ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ
 ηΩϡϦςΟΛ૊ΈࠐΉ •

    ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

  49. https://unsplash.com/photos/1eFgYRwYctg

  50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

  51. Security for builders, by builders

  52. We’re hiring • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ
 Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/

  53. Fin.