セキュリティインシデントを乗り越えるために行ったマルチアカウントでの取り組みについて / AWS multi-account approach in Classi

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ୈೋճ"84ϚϧνΞΧ΢ϯτࣄྫࡇΓ ηΩϡϦςΟΠϯγσϯτΛ৐Γӽ͑ΔͨΊʹߦͬͨ ϚϧνΞΧ΢ϯτͰͷऔΓ૊Έʹ͍ͭͯ $MBTTJ$PSQ,FOSZP0NJOBNJ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE $ whoami • ,FOSZP0NJOBNJ !LFOSZPPP • ௚ۙ೥͘Β͍͸#$αʔϏεΛத৺ʹ%#"ɺαʔό αΠυΤϯδχΞɺ43&Λܦݧɻ
• $MBTTJʹ43&ͱͯ͠δϣΠϯɻ • ͜͜਺೥͸ΠϯϑϥηΩϡϦςΟྖҬΛத৺ʹۀ຿Λ ߦ͍ͬͯΔɻ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE About Classi ʮ$MBTTJʯ͸ڭҭݱ৔Λࢧԉ͢Δ Ϋϥ΢υαʔϏε • શࠃͷߴߍͷˋ௒͕ಋೖ • ߴߍੜͷਓʹਓ͕ར༻ •
ར༻ऀ਺ສਓ௒ • ઌੜɺੜెɺอޢऀ͕ܨ͕Δ ֶशࢧԉϓϥοτϑΥʔϜ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ࿩͞ͳ͍͜ͱ • ೥݄ɺ݄ͷߴෛՙʹΑΔΞΫηεো֐ঢ়ଶʹؔ͢ΔऔΓ૊Έʹ͍ͭͯ • ͪ͜Βʹ͍ͭͯ͸ԼهΛ͝ཡ͍ͩ͘͞ • $MBTTJ։ൃऀϒϩά IUUQTUFDIDMBTTJKQ
• %FWFMPQFST4VNNJU

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE [PR] Developers Summit 2021 IUUQTFWFOUTIPFJTIBKQEFWTVNJTFTTJPO

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Agenda • ηΩϡϦςΟΠϯγσϯτ • ઓུͱධՁ • "84ΞΧ΢ϯτ؅ཧ • *%ͱΞΫηε؅ཧ
• ΨʔυϨʔϧ • ࠓޙ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ηΩϡϦςΟΠϯγσϯτʹ͍ͭͯ 4VO 4BU ֎෦ͷ߈ܸऀ͔Βෆਖ਼ΞΫηεΛड͚αʔϏεఀࢭ αʔϏε͸਺࣌ؒޙʹ෮چͰ͖ͨ΋ͷͷϢʔβʔ৘ใྲྀग़ͷՄೳੑΛ֬ೝ ͢΂ͯͷϢʔβʔͷύεϫʔυมߋ͕׬ྃ
֎෦αΠτʹͯɺྲྀग़ͨ͠ݸਓ৘ใͷ࿙ӮΛ֬ೝ ΠϯϑϥɺΞϓϦέʔγϣϯͱ΋ʹൈຊతͳηΩϡϦςΟͷݟ௚͠Λ࣮ࢪ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ઓུͱධՁ • શମͷઓུ • "848FMM"SDIJUFDUFE'SBNFXPSL4FDVSJUZ1JMMBS • "84ΞΧ΢ϯτ؅ཧͷઓུ • #FTU1SBDUJDFTGPS0SHBOJ[BUJPOBM6OJUTXJUI"840SHBOJ[BUJPOT
• ηΩϡϦςΟධՁ • "84ϓϩϑΣογϣφϧαʔϏεͷηΩϡϦςΟධՁ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Classi Organizations -Before- 0SHBOJ[BUJPOT 3PPU 1SPEVDUJPOΞΧ΢ϯτ ؅ཧΞΧ΢ϯτ "[VSF"% #BTUJPOΞΧ΢ϯτ
։ൃ༻ΞΧ΢ϯτ ࿈ܞαʔϏε༻ 1SPEVDUJPOΞΧ΢ϯτ 4XJUDI3PMF -PH*O

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ໰୊఺ • 064$1Λར༻͍ͯ͠ͳ͍ • 1SPEVDUJPOΞΧ΢ϯτ͕0SHBOJ[BUJPOͷ؅ཧΞΧ΢ϯτͱͯ͠ઃఆ • ࠷΋ݫີʹ؅ཧ͍ͨ͠͸ͣͷΞΧ΢ϯτ͕؅ཧͰ͖ͳ͍ • #BTUJPOΞΧ΢ϯτ͸ɺ։ൃऀ͕4BOECPY؀ڥͱͯ͠΋ར༻
• 1SPEVDUJPOΞΧ΢ϯτ΁ϩάΠϯ͢ΔݩͷΞΧ΢ϯτ͕ηΩϡΞͰ͸ͳ͍

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ΍ͬͨ͜ͱ • ؅ཧΞΧ΢ϯτͷ੾Γସ͑ • ؅ཧΞΧ΢ϯτΛ৽ن࡞੒ • طଘΞΧ΢ϯτ͸چ૊৫Λ཭୤ɺ՝ۚपΓͷઃఆΛ௥Ճ͠৽૊৫΁Ҡಈ େมʜ
• 0SHBOJ[BUJPOTಋೖ࣌͸৽نʹ؅ཧΞΧ΢ϯτΛ࡞Γ·͠ΐ͏ʂ • 06ઃܭͱ഑ஔ • ʮ#FTU1SBDUJDFTGPS0SHBOJ[BUJPOBM6OJUTXJUI"840SHBOJ[BUJPOTʯ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Classi Organizations -After- 0SHBOJ[BUJPOT 'PVOEBUJPOBM@06 8PSLMPBET@06 1SPE@06 4%-$@06 *OGSB@06
.BJOUFOBODF@06 4VTQFOEFE@06 3PPU ϚελʔΞΧ΢ϯτ ܭըϝϯςφϯε༻ ഇغ༧ఆ 1PMJDZ4UBHJOH@06 ηΩϡϦςΟ ϙϦγʔมߋ༻ ֤छϩά 1SPEVDUJPO 4UBHJOH 4BOECPY #FTU1SBDUJDFTGPS0SHBOJ[BUJPOBM6OJUTXJUI"840SHBOJ[BUJPOT IUUQTBXTBNB[PODPNKQCMPHTNUCFTUQSBDUJDFTGPSPSHBOJ[BUJPOBMVOJUTXJUIBXTPSHBOJ[BUJPOT

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Organiztional Units 06 ༻్ 'PVOEBUJPOBM@06 1SPE4%-$ͷϫʔΫϩʔυͱڞ௨ج൫Λ಺แ͢Δ06 8PSLMPBET@06 1SPE4%-$ͷϫʔΫϩʔυΛ಺แ͢Δ06 1SPE@06
ຊ൪ΞΧ΢ϯτͷΈΛ಺แ͢Δ06 4%-$@06 4UBHJOH΍%FWɺ4BOECPYͳͲΛ಺แ͢Δ06 *OGSB@06 ڞ௨ج൫ ϩάू໿ΞΧ΢ϯτ΍ηΩϡϦςΟ؂ࠪΞΧ΢ϯτ Λ಺แ͢Δ06 1PMJDZ4UBHJOH@06 ૊৫ߏ଄ͷมߋ΍4$1ͷมߋͳͲͷݕূͰར༻͢Δ06 .BJOUFOBODF@06 ؂ࠪܥػೳͷϝϯςφϯεͳͲɺҰ࣌తʹ4$1Λҳ୤͢Δ࡞ۀΛߦ͏৔߹ʹར༻͢Δ06 4VTQFOEFE@06 ഇغ༧ఆͷ"84ΞΧ΢ϯτΛ಺แ͢Δ06

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE IDͱΞΫηε؅ཧ -Before- 0SHBOJ[BUJPOT 3PPU 1SPEVDUJPOΞΧ΢ϯτ ؅ཧΞΧ΢ϯτ "[VSF"% #BTUJPOΞΧ΢ϯτ ։ൃ༻ΞΧ΢ϯτ
࿈ܞαʔϏε༻ 1SPEVDUJPOΞΧ΢ϯτ 4XJUDI3PMF -PH*O Ϛωδϝϯτίϯιʔϧར༻ ֤"84ΞΧ΢ϯτͰݸผʹΞΫηεΩʔΛൃߦ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE IDͱΞΫηε؅ཧ -Before- • ։ൃऀ޲͚ʹҎԼͷ௨ΓͰΞΫηεํ๏Λఏڙ • ϚωδϝϯτίϯιʔϧͰͷར༻ • ϩάΠϯํ๏(4VJUFͱ4".-࿈ܞ •
#BTUJPOΞΧ΢ϯτΛܦͯɺ࡞ۀ͍ͨ͠ΞΧ΢ϯτʹ4XJUDI3PMF͢Δ • ϓϩάϥϜΞΫηεͰͷར༻ • ֤"84ΞΧ΢ϯτͰݸผʹΞΫηεΩʔΛൃߦ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ໰୊఺ • 3PMFͱΞΫηεΩʔͷ؅ཧ • ผʑʹ؅ཧΛߦ͏ඞཁ͕͋Γ൥ࡶ • ΞΫηεΩʔ؅ཧ • ӬଓతͳΞΫηεΩʔͷ؅ཧ͕ར༻ऀ೚ͤ
• 4XJUDI3PMFͷηΩϡϦςΟ • աڈɺεΠονઌ3PMFͷ1SJODJQBMઃఆϛεʹΑΓ૝ఆͯ͠ͳ͍ݖݶͰೖΓ์୊ʹ ͳ͍ͬͯͨ͜ͱ͕͋ͬͨ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ΍ͬͨ͜ͱ • ϩʔΧϧϚγϯͷରࡦ • BXTMBCTHJUTFDSFUTಋೖ • ΞΫηεΩʔͳͲͷػີ৘ใͷ(JUϦϙδτϦ΁ͷίϛοτΛ๷͙

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ΍ͬͨ͜ͱ • "84ଆͷରࡦ • "84440΁ͷҠߦ • ݄ʹ5PLZP3FHJPOͰϩʔϯνͨ͠λΠϛϯάͰҠߦ • "[VSF"%ͱ௚઀࿈ܞ͢Δ͜ͱͰΞΧ΢ϯτ؅ཧ͕γϯϓϧʹ
• ΞΫηεΩʔͷ؅ཧ΋ෆཁʹ ˞4BB4޲͚ͷ΋ͷ͸আ͘

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE AWS SSO 0SHBOJ[BUJPOT 'PVOEBUJPOBM@06 8PSLMPBET@06 1SPE@06 4%-$@06 *OGSB@06 .BJOUFOBODF@06
4VTQFOEFE@06 3PPU ϚελʔΞΧ΢ϯτ ܭըϝϯςφϯε༻ ഇغ༧ఆ 1PMJDZ4UBHJOH@06 ηΩϡϦςΟ ϙϦγʔมߋ༻ ֤छϩά 1SPEVDUJPO 4UBHJOH 4BOECPY "[VSF"% Ϛωδϝϯτίϯιʔϧ ΞΫηεΩʔ "844JOHMF4JHO0O ֤ΞΧ΢ϯτ΁ϩάΠϯ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE AWS SSO Ҡߦ࣌ͷτϥϒϧ • ࣄ৅ • 4XJUDI3PMF࣌୅ͷ؅ཧऀ༻3PMFΛ࡟আͨ͠ͱ͜ΖɺαʔϏεͰར༻͍ͯ͠ Δ$.,͕ӾཡɺมߋෆՄೳʹͳͬͯ͠·ͬͨ •
"ENJOJTUSBUPSݖݶϢʔβʔͰ΋SPPUͰ΋Ͳ͏ʹ΋Ͱ͖ͳ͍ • ݪҼ • ࡟আͨ͠؅ཧऀ3PMFͷΈ͕ΩʔϙϦγʔͱͯ͠ࢦఆ͞Ε͍ͯͨͨΊɺ࡟আ͠ ͨ࣌఺Ͱ؅ཧऀෆࡏͷΩʔʹͳΔ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE AWS SSO Ҡߦ࣌ͷτϥϒϧ • ରԠ • "84ͷαϙʔτ΁໰͍߹ΘͤɺҰ࣌తͳϢʔβʔΛ࡞੒ɺ1VU,FZ1PMJDZݖݶ Λ෇༩ͯ͠΋Β͍ݩͷΩʔϙϦγʔΛ෮׆ͤ͞Δ͜ͱͰ෮چͨ͠ •
ͨͩ͠ɺ࡞ۀλΠϛϯάͳͲίϯτϩʔϧͰ͖ͳ͍ཁૉ΋͋ΔͷͰɺΩʔϙϦ γʔͷ؅ཧऀͱͯ͠ෳ਺ͷ6TFS΋͘͠͸3PMFΛ෇༩͓ͯ͘͠ͷ͕Φεεϝ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ༧๷తΨʔυϨʔϧ • 4$1ͷྫ • ෆ࢖༻Ϧʔδϣϯͷ੍ݶ • ؂ࠪܥૢ࡞ͷ੍ݶ • ؀ڥಛ༗ͷ੍ݶ
ॏཁૢ࡞ͳͲ • શૢ࡞ͷېࢭ • FUD

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Organizational Units and SCP 06 ༻్ 4$1 'PVOEBUJPOBM@06 1SPE4%-$ͷϫʔΫϩʔυͱڞ௨ج൫Λ಺แ͢Δ06
Ϧʔδϣϯ੍ݶɺ؂ࠪܥૢ࡞ͷ੍ݶ 8PSLMPBET@06 1SPE4%-$ͷϫʔΫϩʔυΛ಺แ͢Δ06 ։ൃऀ޲͚ͷ੍ݶ 1SPE@06 ຊ൪ΞΧ΢ϯτͷΈΛ಺แ͢Δ06 ؀ڥಛ༗ͷ੍ݶ 4%-$@06 4UBHJOH΍%FWɺ4BOECPYͳͲΛ಺แ͢Δ06 ؀ڥಛ༗ͷ੍ݶ *OGSB@06 ڞ௨ج൫ ϩάू໿ΞΧ΢ϯτ΍ηΩϡϦςΟ؂ࠪΞΧ΢ϯτ Λ಺แ͢Δ06 ؀ڥಛ༗ͷ੍ݶ 1PMJDZ4UBHJOH@06 ૊৫ߏ଄ͷมߋ΍4$1ͷมߋͳͲͷݕূͰར༻͢Δ06 ݕূ಺༰ʹΑͬͯ౎౓มߋ .BJOUFOBODF@06 ؂ࠪܥػೳͷϝϯςφϯεͳͲɺҰ࣌తʹ4$1Λҳ୤͢Δ࡞ۀΛߦ͏৔߹ʹར༻͢Δ06 ϝϯς಺༰ʹΑͬͯ౎౓มߋ 4VTQFOEFE@06 ഇغ༧ఆͷ"84ΞΧ΢ϯτΛ಺แ͢Δ06 શૢ࡞Λېࢭ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE Organizational Units and SCP 0SHBOJ[BUJPOT 'PVOEBUJPOBM@06 8PSLMPBET@06 1SPE@06 4%-$@06
*OGSB@06 .BJOUFOBODF@06 4VTQFOEFE@06 3PPU ϚελʔΞΧ΢ϯτ ܭըϝϯςφϯε༻ ഇغ༧ఆ 1PMJDZ4UBHJOH@06 ηΩϡϦςΟ ϙϦγʔมߋ༻ ֤छϩά 1SPEVDUJPO 4UBHJOH 4BOECPY Ϧʔδϣϯ੍ݶ ؂ࠪܥૢ࡞ͷ੍ݶ ։ൃऀ޲͚ͷ੍ݶ 1SPEʹ͓͚Δ ॏཁૢ࡞ͷ੍ݶ ڞ௨ج൫ಛ༗ͷ੍ݶ ౎౓มߋ ౎౓มߋ શૢ࡞ͷېࢭ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ൃݟతΨʔυϨʔϧ • $MPVE5SBJMΑΔಛఆૢ࡞ͷ؂ࢹ • $POpH • (VBSE%VUZ • 4FDVSJUZ)VC
• 5SVTUFE"EWJTPS ݕ஌ͨ͠಺༰ͷϑΟϧλϦϯάʹؔͯ͠͸ɺνϡʔχϯάΛਐΊ͍ͯΔ

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ൃݟతΨʔυϨʔϧ αʔϏε໊ 0SHBOJ[BUJPOTରԠ ϝϯόʔ΁ͷҕ೚ ϝϯόʔͷࣗಈ༗ޮԽ ิ଍ $POpH ˓ ˓
✕ $MPVE'PSNBUJPO4UBDL4FUTΛར༻ͯ͠ɺ ϝϯόʔΞΧ΢ϯτͷ༗ޮԽΛࣗಈͰ࣮ࢪ (VBSE%VUZ ˓ ˓ ˓ 4FDVSJUZ)VC ˓ ˓ ˓ ·ͨɺൃݟతΨʔυϨʔϧͰར༻͢ΔҎԼͷαʔϏεʹؔͯ͠ɺ $POpH͚ͩ͸ࣗಈ༗ޮԽ͕Ͱ͖ͳ͔ͬͨͨΊ$'O4UBDL4FUTΛར༻͍ͯ͠Δ ૣ͘0SHBOJ[BUJPOTͱͷεϜʔζͳ౷߹͕࣮ݱͯ͠΄͍͠

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ࠓޙ • ൃݟతΨʔυϨʔϧͷνϡʔχϯά • $POpH3VMFTͷνϡʔχϯά • (VBSE%VUZ4FDVSJUZ)VCͷݕ஌಺༰ͷਫ਼ࠪ • ϩΪϯάͱϞχλϦϯάͷڧԽ
• 4*&.ͷಋೖ 4*&.PO"NB[PO&4Λݕ౼த • ΠϯγσϯτϨεϙϯεͷڧԽ • )BSEFOJOHΠϕϯτ΁ͷࢀՃɺݚम

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ·ͱΊ • ΠϯγσϯτҎ߱ɺϚϧνΞΧ΢ϯτߏ੒Λ׆͔ͨ͠ܗͰରࡦΛ͢͢Ί͖ͯͨ • "84440Λར༻͢Δ͜ͱͰΞΧ΢ϯτ؅ཧίετ͕Լ͕ΓηΩϡΞʹͳͬͨ • ༧๷తɺൃݟతΨʔυϨʔϧͷಋೖͰΑΓηΩϡΞʹͳͬͨ ϚϧνΞΧ΢ϯτΛಋೖͯ͠ηΩϡΞͳ؀ڥΛखʹೖΕΑ͏

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ʘɹ8F"SF)JSJOHɹʗ IUUQTDPSQDMBTTJKQDBSFFST

$PQZSJHIU$MBTTJ$PSQ"MMSJHIUTSFTFSWFE ͓ΘΓ

セキュリティインシデントを乗り越えるために行ったマルチアカウントでの取り組みについて / AWS multi-account approach in Classi

セキュリティインシデントを乗り越えるために行ったマルチアカウントでの取り組みについて / AWS multi-account approach in Classi

Other Decks in Technology

Featured

Transcript