Upgrade to Pro — share decks privately, control downloads, hide ads and more …

セキュリティインシデントを乗り越えるために行ったマルチアカウントでの取り組みについて / ...

kenryooo
February 09, 2021

セキュリティインシデントを乗り越えるために行ったマルチアカウントでの取り組みについて / AWS multi-account approach in Classi

2021/02/09開催「第二回 AWSマルチアカウント事例祭り」での発表資料です。

kenryooo

February 09, 2021
Tweet

Other Decks in Technology

Transcript

  1. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ΍ͬͨ͜ͱ • ؅ཧΞΧ΢ϯτͷ੾Γସ͑ • ؅ཧΞΧ΢ϯτΛ৽ن࡞੒ • طଘΞΧ΢ϯτ͸چ૊৫Λ཭୤ɺ՝ۚपΓͷઃఆΛ௥Ճ͠৽૊৫΁Ҡಈ େมʜ 

    • 0SHBOJ[BUJPOTಋೖ࣌͸৽نʹ؅ཧΞΧ΢ϯτΛ࡞Γ·͠ΐ͏ʂ • 06ઃܭͱ഑ஔ • ʮ#FTU1SBDUJDFTGPS0SHBOJ[BUJPOBM6OJUTXJUI"840SHBOJ[BUJPOTʯ
  2. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Classi Organizations -After- 0SHBOJ[BUJPOT 'PVOEBUJPOBM@06 8PSLMPBET@06 1SPE@06 4%-$@06 *OGSB@06

    .BJOUFOBODF@06 4VTQFOEFE@06 3PPU ϚελʔΞΧ΢ϯτ ܭըϝϯςφϯε༻ ഇغ༧ఆ 1PMJDZ4UBHJOH@06 ηΩϡϦςΟ ϙϦγʔมߋ༻ ֤छϩά 1SPEVDUJPO 4UBHJOH 4BOECPY #FTU1SBDUJDFTGPS0SHBOJ[BUJPOBM6OJUTXJUI"840SHBOJ[BUJPOT IUUQTBXTBNB[PODPNKQCMPHTNUCFTUQSBDUJDFTGPSPSHBOJ[BUJPOBMVOJUTXJUIBXTPSHBOJ[BUJPOT
  3. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Organiztional Units 06 ༻్ 'PVOEBUJPOBM@06 1SPE4%-$ͷϫʔΫϩʔυͱڞ௨ج൫Λ಺แ͢Δ06 8PSLMPBET@06 1SPE4%-$ͷϫʔΫϩʔυΛ಺แ͢Δ06 1SPE@06

    ຊ൪ΞΧ΢ϯτͷΈΛ಺แ͢Δ06 4%-$@06 4UBHJOH΍%FWɺ4BOECPYͳͲΛ಺แ͢Δ06 *OGSB@06 ڞ௨ج൫ ϩάू໿ΞΧ΢ϯτ΍ηΩϡϦςΟ؂ࠪΞΧ΢ϯτ Λ಺แ͢Δ06 1PMJDZ4UBHJOH@06 ૊৫ߏ଄ͷมߋ΍4$1ͷมߋͳͲͷݕূͰར༻͢Δ06 .BJOUFOBODF@06 ؂ࠪܥػೳͷϝϯςφϯεͳͲɺҰ࣌తʹ4$1Λҳ୤͢Δ࡞ۀΛߦ͏৔߹ʹར༻͢Δ06 4VTQFOEFE@06 ഇغ༧ఆͷ"84ΞΧ΢ϯτΛ಺แ͢Δ06
  4. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE IDͱΞΫηε؅ཧ -Before- 0SHBOJ[BUJPOT 3PPU 1SPEVDUJPOΞΧ΢ϯτ ؅ཧΞΧ΢ϯτ "[VSF"% #BTUJPOΞΧ΢ϯτ ։ൃ༻ΞΧ΢ϯτ

    ࿈ܞαʔϏε༻ 1SPEVDUJPOΞΧ΢ϯτ 4XJUDI3PMF -PH*O Ϛωδϝϯτίϯιʔϧར༻ ֤"84ΞΧ΢ϯτͰݸผʹΞΫηεΩʔΛൃߦ
  5. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE IDͱΞΫηε؅ཧ -Before- • ։ൃऀ޲͚ʹҎԼͷ௨ΓͰΞΫηεํ๏Λఏڙ • ϚωδϝϯτίϯιʔϧͰͷར༻ • ϩάΠϯํ๏(4VJUFͱ4".-࿈ܞ •

    #BTUJPOΞΧ΢ϯτΛܦͯɺ࡞ۀ͍ͨ͠ΞΧ΢ϯτʹ4XJUDI3PMF͢Δ • ϓϩάϥϜΞΫηεͰͷར༻ • ֤"84ΞΧ΢ϯτͰݸผʹΞΫηεΩʔΛൃߦ
  6. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ໰୊఺ • 3PMFͱΞΫηεΩʔͷ؅ཧ • ผʑʹ؅ཧΛߦ͏ඞཁ͕͋Γ൥ࡶ • ΞΫηεΩʔ؅ཧ • ӬଓతͳΞΫηεΩʔͷ؅ཧ͕ར༻ऀ೚ͤ

    • 4XJUDI3PMFͷηΩϡϦςΟ • աڈɺεΠονઌ3PMFͷ1SJODJQBMઃఆϛεʹΑΓ૝ఆͯ͠ͳ͍ݖݶͰೖΓ์୊ʹ ͳ͍ͬͯͨ͜ͱ͕͋ͬͨ
  7. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE AWS SSO 0SHBOJ[BUJPOT 'PVOEBUJPOBM@06 8PSLMPBET@06 1SPE@06 4%-$@06 *OGSB@06 .BJOUFOBODF@06

    4VTQFOEFE@06 3PPU ϚελʔΞΧ΢ϯτ ܭըϝϯςφϯε༻ ഇغ༧ఆ 1PMJDZ4UBHJOH@06 ηΩϡϦςΟ ϙϦγʔมߋ༻ ֤छϩά 1SPEVDUJPO 4UBHJOH 4BOECPY "[VSF"% Ϛωδϝϯτίϯιʔϧ ΞΫηεΩʔ "844JOHMF4JHO0O ֤ΞΧ΢ϯτ΁ϩάΠϯ
  8. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE AWS SSO Ҡߦ࣌ͷτϥϒϧ • ࣄ৅ • 4XJUDI3PMF࣌୅ͷ؅ཧऀ༻3PMFΛ࡟আͨ͠ͱ͜ΖɺαʔϏεͰར༻͍ͯ͠ Δ$.,͕ӾཡɺมߋෆՄೳʹͳͬͯ͠·ͬͨ •

    "ENJOJTUSBUPSݖݶϢʔβʔͰ΋SPPUͰ΋Ͳ͏ʹ΋Ͱ͖ͳ͍ • ݪҼ • ࡟আͨ͠؅ཧऀ3PMFͷΈ͕ΩʔϙϦγʔͱͯ͠ࢦఆ͞Ε͍ͯͨͨΊɺ࡟আ͠ ͨ࣌఺Ͱ؅ཧऀෆࡏͷΩʔʹͳΔ
  9. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Organizational Units and SCP 06 ༻్ 4$1 'PVOEBUJPOBM@06 1SPE4%-$ͷϫʔΫϩʔυͱڞ௨ج൫Λ಺แ͢Δ06

    Ϧʔδϣϯ੍ݶɺ؂ࠪܥૢ࡞ͷ੍ݶ 8PSLMPBET@06 1SPE4%-$ͷϫʔΫϩʔυΛ಺แ͢Δ06 ։ൃऀ޲͚ͷ੍ݶ 1SPE@06 ຊ൪ΞΧ΢ϯτͷΈΛ಺แ͢Δ06 ؀ڥಛ༗ͷ੍ݶ 4%-$@06 4UBHJOH΍%FWɺ4BOECPYͳͲΛ಺แ͢Δ06 ؀ڥಛ༗ͷ੍ݶ *OGSB@06 ڞ௨ج൫ ϩάू໿ΞΧ΢ϯτ΍ηΩϡϦςΟ؂ࠪΞΧ΢ϯτ Λ಺แ͢Δ06 ؀ڥಛ༗ͷ੍ݶ 1PMJDZ4UBHJOH@06 ૊৫ߏ଄ͷมߋ΍4$1ͷมߋͳͲͷݕূͰར༻͢Δ06 ݕূ಺༰ʹΑͬͯ౎౓มߋ .BJOUFOBODF@06 ؂ࠪܥػೳͷϝϯςφϯεͳͲɺҰ࣌తʹ4$1Λҳ୤͢Δ࡞ۀΛߦ͏৔߹ʹར༻͢Δ06 ϝϯς಺༰ʹΑͬͯ౎౓มߋ 4VTQFOEFE@06 ഇغ༧ఆͷ"84ΞΧ΢ϯτΛ಺แ͢Δ06 શૢ࡞Λېࢭ
  10. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Organizational Units and SCP 0SHBOJ[BUJPOT 'PVOEBUJPOBM@06 8PSLMPBET@06 1SPE@06 4%-$@06

    *OGSB@06 .BJOUFOBODF@06 4VTQFOEFE@06 3PPU ϚελʔΞΧ΢ϯτ ܭըϝϯςφϯε༻ ഇغ༧ఆ 1PMJDZ4UBHJOH@06 ηΩϡϦςΟ ϙϦγʔมߋ༻ ֤छϩά 1SPEVDUJPO 4UBHJOH 4BOECPY Ϧʔδϣϯ੍ݶ ؂ࠪܥૢ࡞ͷ੍ݶ ։ൃऀ޲͚ͷ੍ݶ 1SPEʹ͓͚Δ ॏཁૢ࡞ͷ੍ݶ ڞ௨ج൫ಛ༗ͷ੍ݶ ౎౓มߋ ౎౓มߋ શૢ࡞ͷېࢭ
  11. $PQZSJHIU˜$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ൃݟతΨʔυϨʔϧ αʔϏε໊ 0SHBOJ[BUJPOTରԠ ϝϯόʔ΁ͷҕ೚ ϝϯόʔͷࣗಈ༗ޮԽ ิ଍ $POpH ˓ ˓

    ✕ $MPVE'PSNBUJPO4UBDL4FUTΛར༻ͯ͠ɺ ϝϯόʔΞΧ΢ϯτͷ༗ޮԽΛࣗಈͰ࣮ࢪ (VBSE%VUZ ˓ ˓ ˓  4FDVSJUZ)VC ˓ ˓ ˓  ·ͨɺൃݟతΨʔυϨʔϧͰར༻͢ΔҎԼͷαʔϏεʹؔͯ͠ɺ $POpH͚ͩ͸ࣗಈ༗ޮԽ͕Ͱ͖ͳ͔ͬͨͨΊ$'O4UBDL4FUTΛར༻͍ͯ͠Δ ૣ͘0SHBOJ[BUJPOTͱͷεϜʔζͳ౷߹͕࣮ݱͯ͠΄͍͠