AWSだ! Google Cloudだ! Azureだ! 認証連携だ！

Transcript

1. @ken5scal, 2024/05/22 AWSͩ! Google Cloudͩ! Azureͩ! ೝূ࿈ܞͩʂ

2. Πϯτϩ

3. - ϚϧνΫϥ΢υͷར༻Λආ͚ΒΕͳ͘ͳΓɺٱ͍͠ - ϚϧνΫϥ΢υԼͰͷϫʔΫϩʔυؒͷॲཧ΋̍ͭͰ͋Δ - ͦͷॲཧͷલఏͱͯ͠ೝূ͕ॏཁͰ͋Δ - ͦͷ͋ͱͷೝূख๏ͷબ୒ͱ࣮૷ͷแׅతͳϦεΫରԠʹ͍ͭͯɺ ϊ΢ϋ΢ͷڞ༗ -

   ͦΕʹ൐͏ٞ࿦ͷ׆ൃԽ٩(Ň•̀ω•́Ň)و - ౰ࣾ΁ͷڵຯΛ͋͛Δ ࠓ೔ͷ໨త

4. - ॴଐ - ࡾҪ෺࢈σδλϧɾΞηοτϚωδϝϯτ - ίʔϙϨʔτγεςϜ෦ - LayerX Fintechࣄۀ෦ʢˢʹग़޲ʣ -

   ݸਓ׆ಈ - िؒχϡʔεϨʔλʔɺPodCastɺಉਓࢽ - དྷྺ - SIer > ࢿ࢈؅ཧɾՈܭ฽ɾձܭSP > ূ݊ձࣾ > ݱ ৬ @ken5scal χϡʔεϨλʔ: https://ken5scal.notion.site/54bda4932da14add9e9911ab3e9a6e5c podcast: https://open.spotify.com/show/73sFeKzUIkSYfCZWVBNO70
5. None
6. None

7. k8s౳ͷCNCFϓϩμΫτΛ࢖͏ن໛ʹ ͳΕ͍ͯͳ͍ͷͰɺجຊɺ ϚωʔδυɾαʔϏεʹཔΔ

8. - ࣗ෼͕ରԠͨ͜͠ͱ͋ΔϚϧνΫϥ΢υϢʔεέʔε - ূ݊αʔϏε΍ࢿ࢈ӡ༻ͷ͓٬༷޲͚๏ఆா฽ͷGDriveϑΝΠϧ؅ཧ - ۚ༥αʔϏεʹ͓͚ΔϩάɾΠϕϯτͷू໿ - Entra ID (AzureAD)ͷIaCత؅ཧ

   - AWS্ͷσʔλΛBigQueryج൫΁సૹ - ্هରԠதʹ;ͱࢥͬͨ͜ͱ͕͋Δ ࠓ೔ͷഎܠ

9. AWS <-> AzureADؒͷworkload Identityೝূ https://docs.aws.amazon.com/cognito/latest/developerguide/authentication- fl ow.html - ~2022/10 -

   Long Lived Secrets

10. AWS <-> AzureADؒͷworkload Identityೝূ - ~2022/10 - Long Lived Secrets

11. AWS <-> AzureADؒͷworkload Identityೝূ https://docs.aws.amazon.com/cognito/latest/developerguide/authentication- fl ow.html - 2022/10~ -

    Short Lived

12. AWS <-> AzureADؒͷworkload Identityೝূ

13. # header { "kid": "ap-northeast-15", "typ": "JWS", "alg": "RS512" }

    # Payload { "sub": “ap-northeast-1:{Cognito Pool ID಺ͷIdentity ID}”, "aud": “ap-northeast-1:{Cognito Pool Provider ID}“, "amr": [ "authenticated", “{Cognito Pool ID಺ͷIdentity໊}”, "{Cognito Pool ID಺ͷIdentity໊}:ap-northeast-1:{Pol Provider ID}:${Developer ID}” ], "iss": "https://cognito-identity.amazonaws.com", "https://cognito-identity.amazonaws.com/identity-pool-arn": “arn:aws:cognito-identity:ap- northeast-1:${AWS Account ID}:identitypool/ap-northeast-1:${Pool ID}”, "exp": 1716244163, "iat": 1716243263 } 13

14. AWS <-> AzureADؒͷworkload Identityೝূ https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation

15. ```shell $ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap- northeast-1:${POOL ID} --logins

    “${USER NAME}=${Developer Identifiers}” ``` ```Go func getOpenIdToken(ctx context.Context, awsConfig aws.Config) (*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) { svc := cognitoidentity.NewFromConfig(awsConfig) input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{ IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")), Logins: map[string]string{ os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”), }, } return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input) } ``` 15

16. ```shell $ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap- northeast-1:${POOL ID} --logins

    “${USER NAME}=${Developer Identifiers}” ``` ```Go func getOpenIdToken(ctx context.Context, awsConfig aws.Config) (*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) { svc := cognitoidentity.NewFromConfig(awsConfig) input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{ IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")), Logins: map[string]string{ os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”), }, } return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input) } ``` 16 cognito- identity:GetOpenIdTokenForDeveloperIdentity ͑͋͞Ε͹ɺಉҰAWS޶͔Β͸೚ҙʹ࣮ߦՄೳɻ ϦιʔεϙϦγʔ΋͔͚ΒΕͳ͍ɻ

17. - ͦ͜·Ͱߟྀ͢Δ͔ʁ - ؂ࠪϩάಡΈऔΓͳΒNo - σΟϨΫτϦɾΦϒδΣΫ τ΍ݖݶͷWriteɾҰ෦Read ͸Yes ϫʔΫϩʔυͳΓ͢·͠ϦεΫ

18. AWS -> GCP -> GWS

19. AWS -> GCP -> GWS

20. - ͜͜਺೥Ͱɺshort-lived token͕҆શͰ͋Δ͜ͱΛલ ఏͱͨ͠ϫʔΫϩʔυ࿈ܞΛ࣮૷͖͕ͯͨ͠ɺͦͷલ ఏ͕ਖ਼͔Assured͔ͨͬͨ͠ - ຊ౰ʹshort-lived͚͕ͩ҆શੑͷཁ݅ͳͷ͔ʁ - ΑΓแׅతʹݟΔ΂͖Ͱ͸ʁ ࠓ೔ͷഎܠ

21. - ઃఆɾߏ੒࡞ۀ΋ؚΊɺೝূϓϩηεΛՄࢹԽ͢Δ - ϢʔεέʔεͷཁٻϨϕϧΛܾΊΔ - ཁٻϨϕϧͱ࣮૷ͷΪϟοϓʹ͍ͭͯɺڴҖϞσϧΛڵ͢ - ڴҖʹԠͨ͡ରԠɾରࡦΛܾΊΔ TL;DR

22. - ΠϯτϩμΫγϣϯ - ϚϧνΫϥ΢υ࣌୅ - ೝূ - ϦεΫධՁͱڴҖϞσϦϯά - ·ͱΊ

    ΞδΣϯμ

23. ϚϧνΫϥ΢υ࣌୅

24. - ʮෳ਺ͷϫʔΫϩʔυʹରͯ͠ෳ਺ͷύϒϦοΫ Ϋϥ΢υ ϕϯμʔ͕ఏڙ ͢ΔΫϥ΢υ ίϯϐϡʔςΟϯά αʔϏεΛ࢖༻͢Δ͜ͱΛࢦ͠·͢ʯ - By https://cloud.google.com/learn/what-is-multicloud

    - 2006: - AWS(β), Google Apps for Your Domain(ݱGoogle Workspaces)ొ৔ - 2024: - Azure, GC, AWS, Oracle, Cloud fl are…. ϚϧνΫϥ΢υɹͱ͸

25. - શͯΛमΊɺӡ༻͢Δʹ͸ଟେͳίετ͕ඞཁ - ౷੍ͷ؍఺Ͱ͸ɺ୯ҰͷϓϩόΠμʹد͍ͤͨͱ͜Ζ… - ͔͠͠ɺϓϥοτϑΥʔϜͷൃలͱͱ΋ʹɺಛఆϢʔεέʔ εʹಛఆϓϥοτϑΥʔϜΛબ୒͢Δʮݸผ࠷దԽʯ΋গͳ ͘ͳ͍Α͏ʹݟ͑Δ Ϋϥ΢υϓϥοτϑΥʔϜͷଟ༷Խ

26. - ϦεΫ෼ࢄ - ಛఆͷػೳɾαʔϏεͰͷ༏Ґੑ - શମͰͷޮ཰ੑɾ੔߹ੑ - ࣄۀͷن໛ WhyϚϧνΫϥ΢υ

27. - όοΫΞοϓػೳɾσʔλͷ෼ࢄ - ϕϯμʔϩοΫΠϯ౳ͷϓϩόΠμʔϦεΫରԠ WhyϚϧνΫϥ΢υ - ϦεΫ෼ࢄ

28. - ͢ͰʹσϑΝΫτͳαʔϏε͕͋Δ৔߹ - ൺֱత৽͍ٕ͠ज़ίϯηϓτʹ͓͚Δαϙʔτͷ༗ແ - Con fi dential ComputingɺLLM -

    ৽͍͠ϢʔεέʔεΛ࣮૷͢Δࡍͷαϙʔτͷ༗ແ - Google Workspacesͷ؂ࠪϩάʹ͓͚ΔBigQueryͰͷσʔλ෼ੳ - App Runner͕ͳ͍ͱ͖ɾ͋Δ͍͸ग़ͨͱ͖ͷGC Cloud Run WhyϚϧνΫϥ΢υ-ಛఆͷػೳ - αʔϏεͰͷ༏Ґੑ

29. - ֤छαʔϏεͷϩάɾΠϕϯτͷอ؅ - σʔλ෼ੳ࣌ʹ͓͚ΔσʔλͷҰݩԽ - ίϯτϩʔϧϓϨʔϯͷӡ༻ - ϓϥοτϑΥʔϜҠߦ׬ྃ·Ͱͷฒߦӡ༻ WhyϚϧνΫϥ΢υ -

    ಛఆྖҬͰͷશମ࠷దԽ

30. - اۀ಺Ͱ΋ෳ਺ࣄۀΛߦ͍ͬͯΔ৔߹͸ɺͦͷ୯Ґ΍ೳྗ ʹ͋Θͤͨબ୒͕߹ཧతʹͳΔ͜ͱ΋͋Δ - ങऩ౳ʹΑΓͦ͏ͳΔ͜ͱ΋͋Δ WhyϚϧνΫϥ΢υ - اۀɾࣄۀͷن໛

31. - ౷੍ɾηΩϡϦςΟͷ෼ࢄ - ෳࡶੑͷ૿Ճ - ૬ޓӡ༻ੑ - ϕϯμʔ؅ཧ ϚϧνΫϥ΢υͷϦεΫ

32. - ౷੍ɾηΩϡϦςΟͷ෼ࢄ - ৭ʑ͋Δ͕ಛʹʮೝূʯ - ෳࡶੑͷ૿Ճ - ૬ޓӡ༻ੑ - ϕϯμʔ؅ཧ

    ϚϧνΫϥ΢υͷϦεΫ

33. - ਓؒʹΑΔೝূ - ͪ͜Β͸SAMLͱ͔OIDCͰ৭ʑ͋Δ - ඇਓؒతʁͳೝূ - Cloud workload: -

    ʮA logical bundle of software and data that is present in, and processed by, a cloud computing technologyʯ - https://csrc.nist.gov/glossary/term/cloud_workload - AWSͰ͸ɺEC2ɺLambdaɺApp RunnerɺECS Service౳ - ࠓճ͸ͪ͜Β ೝূͷதͰϫʔΫϩʔυ

34. - ࣌୅͸ϚϧνΫϥ΢υ΁ - ϚϧνΫϥ΢υͱͳΔঢ়گ͸૿͑ͨ - ආ͚Δܾఆɾ੹೚Λෛ͑Δཱ৔ʹ͋Ε͹࿩͸ผ - ͦͷͨΊͷೝূʹ͍ͭͯޠΔ ·ͱΊ

35. ೝূͱ͸

36. ೝূ (Authentication) - Ϧιʔε΁ͷΞΫηεલͷඞཁ৚݅ͱͯ͠ɺϢʔ βʔɺϓϩηεɺσόΠε౳ͷ౰ਓͰ͋Δ͔ͷ ݕূΛ͢Δ͜ͱ

37. - ͋Μ·ΓେࣄͰ͸ͳ͍ͷͰɺ௚༁͔Β௚ͯ͠·ͤΜ͕ɺ - AAL1: - ཁٻऀ͕ՃೖऀͷΞΧ΢ϯτʹඥ෇͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͋͠Δఔ౓ͷอূΛఏڙ͠·͢ɻ AAL1Ͱ͸ɺ޿ൣͳೝূٕज़Λ࢖༻ͯ͠ɺγϯάϧϑΝΫλʔ·ͨ͸ϚϧνϑΝΫλʔೝূͷ͍ͣΕ͔Λཁٻ͠· ͢ɻೝূͷ੒ޭʹ͸ɺཁٻऀ͕҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺೝূثͷॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢. - AAL

    2: - ཁٻऀ͕ՃೖऀͷΞΧ΢ϯτʹඥ෇͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͠ߴ͍৴པΛఏڙ͠·͢ɻೝূͷ ੒ޭʹ͸ɺ҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺҟͳΔ2ͭͷೝূཁૉͷॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢ɻ AAL2͓ΑͼͦΕҎ্Ͱ͸ɺঝೝ͞Εͨ҉߸ٕज़͕ඞཁͰ͢ɻ - AAL 3: - ཁٻऀ͕ՃೖऀͷΞΧ΢ϯτʹඥ෇͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͠ඇৗʹߴ͍৴པΛఏڙ͠·͢ɻ AAL3ͷೝূ͸ɺ҉߸ϓϩτίϧΛ௨ͨ͡伴ͷॴ࣋ͷূ໌ʹج͍͍ͮͯ·͢ɻAAL3ͷೝূʹ͸ɺϋʔυ΢ΣΞϕʔ εͷೝূثͱɺݕূऀͳΓ͢·͠଱ੑΛఏڙ͢Δೝূث͕ඞཁͰ͢ɻಉ͡σόΠε͕͜ΕΒͷཁ݅Λ྆ํຬͨ͢ ͜ͱ΋ՄೳͰ͢ɻAAL3Ͱೝূ͢ΔͨΊʹ͸ɺཁٻऀ͕҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺ2ͭͷҟͳΔೝূཁૉͷ ॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢ɻঝೝ͞Εͨ҉߸ٕज़͕ඞཁͰ͢ ೝূͷڧ౓ʢAuthenticator Assurance Levelʣ

38. Requirement AAL1 AAL2 AAL3 Permitted authenticator types Memorized Secret; Look-up

    Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus: • Look-up Secret • Out-of-Band • SF OTP Device • SF Crypto Software MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret Reauthentication 30 days 12 hours or 30 minutes inactivity; MAY use one authentication factor 12 hours or 15 minutes inactivity; SHALL use both authentication factors Security controls SP 800-53 Low Baseline (or equivalent) SP 800-53 Moderate Baseline (or equivalent) SP 800-53 High Baseline (or equivalent) Veri fi er- impersonation resistance
 Not required Not required Required Veri fi er-compromise resistance Not required Not required Required Replay resistance Not required Required Required Authentication intent Not required Recommended Required https://pages.nist.gov/800-63-3/sp800-63b.html#sec4

39. - ೝূ৘ใ΍౰ਓ৘ใΛҟ ͳΔωοτϫʔΫ܈ʹ఻ ୡ͢Δ͜ͱ ೝূ࿈ܞʢFederationʣ

40. - FAL1: - Ճೖऀ͕RP(Relying Party)ʹରͯ͠Bearer AssetionΛड͚औΔ͜ͱΛڐՄ͠·͢ɻ͜ͷ Assertion͸ɺঝೝ͞Εͨ҉߸ٕज़Λ࢖༻ͯ͠IdPʹΑͬͯॺ໊͞Ε·͢ɻ - FAL2: -

    Ξαʔγϣϯ͕ঝೝ͞Εͨ҉߸ٕज़Λ࢖༻ͯ͠҉߸Խ͞ΕɺRP͚͕ͩͦΕΛ෮߸Ͱ͖ΔΑ͏ʹ ͢Δཁ݅Λ௥Ճ͠·͢ - FAL3: - Ճೖऀ͕ɺΞαʔγϣϯࣗମʹՃ͑ͯɺΞαʔγϣϯ಺Ͱࢀর͞ΕΔ҉߸伴ͷॴ࣋ূ໌Λఏࣔ ͢Δ͜ͱΛཁٻ͠·͢ɻ͜ͷΞαʔγϣϯ͸ɺIdPʹΑͬͯॺ໊͞ΕɺೝՄ͞Εͨ҉߸ٕज़Λ࢖ ༻ͯ͠RPʹରͯ͠҉߸Խ͞Ε·͢ɻ ೝূ࿈ܞͷڧ౓ʢFederation Assurance Levelʣ

41. ೝূ࿈ܞͷڧ౓ Requirement FAL1 FAL2 FAL3 Assetion Type Bearer Bearer Holder

    of key Signing Not required Signed by IdP Signed by IdP Encryption Not required Encrypted Encrypted

42. - ೝূͱೝূ࿈ܞͷఆٛ - ͦΕͧΕͷڧ౓ͱཁҼ - ϢʔεέʔεʹԠͨ͡Ϩϕϧબ୒ʢϦεΫରԠʣ͕ॏཁ ·ͱΊ

43. ϦεΫධՁͱ ڴҖϞσϦϯά

44. ೝূ - A-1: Assertion Manufacture or Modi fi cation -

    A-2: Theft - A-3: Duplication - A-4: Eavesdropping - A-5: Of fl ine Cracking - A-6: Side Channel Attack - A-7: Phishing or Pharming - A-8: Social engineering - A-9: Online Guessing - A-10: Endpoint Compromise - A-11: Unauthorized Binding ڴҖ https://pages.nist.gov/800-63-3/sp800-63b.html#sec8 ೝূ࿈ܞ - F-1: Assertion Manufacture or Modi fi cation - F-2: Assertion Disclosure - F-3: Assertion Repudiation by the IdP - F-4: Assertion Repudiation by the Subscriber - F-5: Assertion Redirect - F-6: Assertion Reuse - F-7: Assertion Substitution

45. AWS -> AzureAD έʔεᶃ

46. ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ - ຌྫɹɹɹ: ϦεΫߴۀ຿ - ɹɹɹɹɹ: ϦεΫ௿ۀ຿

47. ```shell $ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap- northeast-1:${POOL ID} --logins

    “${USER NAME}=${Developer Identifiers}” ``` ```Go func getOpenIdToken(ctx context.Context, awsConfig aws.Config) (*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) { svc := cognitoidentity.NewFromConfig(awsConfig) input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{ IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")), Logins: map[string]string{ os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”), }, } return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input) } ``` 47 cognito- identity:GetOpenIdTokenForDeveloperIdentity ͑͋͞Ε͹ɺಉҰAWS޶͔Β͸೚ҙʹ࣮ߦՄೳɻ ϦιʔεϙϦγʔ΋͔͚ΒΕͳ͍ɻ

48. Requirement AAL1 AAL2 AAL3 Permitted authenticator types Memorized Secret; Look-up

    Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus: • Look-up Secret • Out-of-Band • SF OTP Device • SF Crypto Software MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret Reauthentication 30 days 12 hours or 30 minutes inactivity; MAY use one authentication factor 12 hours or 15 minutes inactivity; SHALL use both authentication factors Security controls SP 800-53 Low Baseline (or equivalent) SP 800-53 Moderate Baseline (or equivalent) SP 800-53 High Baseline (or equivalent) Veri fi er- impersonation resistance
 Not required Not required Required Veri fi er-compromise resistance Not required Not required Required Replay resistance Not required Required Required Authentication intent Not required Recommended Required https://pages.nist.gov/800-63-3/sp800-63b.html#sec4

49. ೝূ࿈ܞͷڧ౓ Requirement FAL1 FAL2 FAL3 Assetion Type Bearer Bearer Holder

    of key Signing Not required Signed by IdP Signed by IdP Encryption Not required Encrypted Encrypted

50. - ௿ϦεΫۀ຿Ͱ͋Ε͹໰୊ͳ͍ - ߴϦεΫۀ຿Ͱ͋Ε͹Ϩϕϧཁ݅Λຬͨ͞ͳ͍ - ຬͨͤͳ͍ϦεΫΛ୅ସखஈͳͲʹΑΓ௿ݮɺ͋Δ͍͸ ड༰͢Δඞཁ͕͋Δ - AAL, FAL૒ํͰͷରࡦΛཁ͢Δ

    - ۩ମతʹͲ͜Λʁ ݁Ռ

51. ෆ଍ͨ͠ߏ੒(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ CloudTrailͰσʔλΠϕϯτΛ༗ޮʹ͠ GetDeveloperIdentityTokenΠϕϯτΛ ୟ͘RoleΛ؂ࢹ
 ʢʴLambdaΛVPC഑Լʹ͓͍ͯsource IPΛ؂ ࢹʣ LambdaΛVPC഑Լʹ͓͍ͯsource IPΛ؂ࢹ

52. AWS -> AzureAD έʔεᶄ

53. ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ - ຌྫɹɹɹ: ϦεΫߴۀ຿ - ɹɹɹɹɹ: ϦεΫ௿ۀ຿

54. Requirement AAL1 AAL2 AAL3 Permitted authenticator types Memorized Secret; Look-up

    Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus: • Look-up Secret • Out-of-Band • SF OTP Device • SF Crypto Software MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret Reauthentication 30 days 12 hours or 30 minutes inactivity; MAY use one authentication factor 12 hours or 15 minutes inactivity; SHALL use both authentication factors Security controls SP 800-53 Low Baseline (or equivalent) SP 800-53 Moderate Baseline (or equivalent) SP 800-53 High Baseline (or equivalent) Veri fi er- impersonation resistance
 Not required Not required Required Veri fi er-compromise resistance Not required Not required Required Replay resistance Not required Required Required Authentication intent Not required Recommended Required https://pages.nist.gov/800-63-3/sp800-63b.html#sec4

55. - ௿ϦεΫۀ຿Ͱ͋Ε͹໰୊ͳ͍ - ߴϦεΫۀ຿Ͱ͋Ε͹Ϩϕϧཁ݅Λຬͨ͞ͳ͍ - ຬͨͤͳ͍ϦεΫΛ୅ସखஈͳͲʹΑΓ௿ݮɺ͋Δ͍͸ ड༰͢Δඞཁ͕͋Δ - AAL, FAL૒ํͰͷରࡦΛཁ͢Δ

    - ۩ମతʹͲ͜Λʁ ݁Ռ

56. ෆ଍ͨ͠ߏ੒(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ - LambdaΛVPC഑Լʹ͓͍ͯɺGraph APIΛୟ ͘source IPΛ؂ࢹ - ݖݶͷ࠷খԽ - CredentialൃߦͷΠϕϯτ؂ࢹ

57. AWS -> GCP -> GWS

58. AWS -> GCP -> GWS ೚ҙͷϢʔβʔʹ ImpersonateͰ͖Δ…

59. ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ - ຌྫɹɹɹ: ϦεΫߴۀ຿

60. Requirement AAL1 AAL2 AAL3 Permitted authenticator types Memorized Secret; Look-up

    Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus: • Look-up Secret • Out-of-Band • SF OTP Device • SF Crypto Software MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret Reauthentication 30 days 12 hours or 30 minutes inactivity; MAY use one authentication factor 12 hours or 15 minutes inactivity; SHALL use both authentication factors Security controls SP 800-53 Low Baseline (or equivalent) SP 800-53 Moderate Baseline (or equivalent) SP 800-53 High Baseline (or equivalent) Veri fi er- impersonation resistance
 Not required Not required Required Veri fi er-compromise resistance Not required Not required Required Replay resistance Not required Required Required Authentication intent Not required Recommended Required https://pages.nist.gov/800-63-3/sp800-63b.html#sec4

61. ೝূ࿈ܞͷڧ౓ Requirement FAL1 FAL2 FAL3 Assetion Type Bearer Bearer Holder

    of key Signing Not required Signed by IdP Signed by IdP Encryption Not required Encrypted Encrypted ಉ͡Google಺ͩ͠

62. - Ϩϕϧཁ݅Λຬ͍ͨͯ͠Δ - ೚ҙͷGWSʹϢʔβʔʹImpersonateͰ͖Δͷ͸ ΍͹͍͔Βɺݖݶείʔϓ͸࠷খԽ͢Δ͢Δඞཁ ͕͋Δʢຊൃදͷର৅֎ʣ ݁Ռ

63. ෆ଍ͨ͠ߏ੒(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ ೚ҙͷϢʔβʔʹ ImpersonateͰ͖Δ… GWS؂ࠪϩά͔Βɺ” Delegate”Πϕ ϯτͷ؂ࢹ OAuth2.0 Scopeͷ࠷খԽ ઐ༻Ϣʔβʔͷ༻ҙͱ؂ࢹ

64. - Short lived token୯ମͰ҆શੑ͕ܾ·ΔΘ͚Ͱ ͸ͳ͍ - ൃߦϓϩηε΍੍ݶͳͲΛཧղ͠Α͏ - ϫʔΫϩʔυؒͷΞΫηεͰɺReplay Resistanceཁ݅౳ʹΑΔߴ͍ϋʔυϧͰɺͳ͔

    ͳ͔AALΛຬͨ͢ͷ͕೉͍͠ɻFAL΋ಉ༷ - ͱ͸͍͑ɺϦεΫ༧๷͕Ͱ͖ͳ͍ͷ΋͋ΔɻͲ ͏͢Δ͔ʁ ·ͱΊ

65. ·ͱΊ

66. LayerX Fintechࣄۀ෦ ͸xxxΤϯδχΞΛ ઈࢍ࠾༻தͰ͢ʂ https://open.talentio.com/r/1/c/layerx/pages/87524 DM (X): @ken5scal