
A crash course in cloud security: things to keep in mind when using AWS (abridged version)


Security Camp 2022 / corporate session

Keisuke Mori

August 10, 2022

Transcript

  1. Shared responsibility model
     Security and compliance are a responsibility shared between AWS and the customer. This shared model helps relieve the customer's operational burden because AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run. The customer takes on responsibility for, and management of, the guest operating system (including updates and security patches), other associated application software, and the configuration of the security group firewall that AWS provides. Because responsibility differs depending on the services used, how those services are integrated into the IT environment, and the applicable laws and regulations, customers need to consider the services they choose carefully. The nature of this shared responsibility model also provides flexibility and lets customers control their deployment. As shown in the figure below, this division of responsibility is commonly called security "of" the cloud versus security "in" the cloud. https://aws.amazon.com/jp/compliance/shared-responsibility-model/
  2. (The same slide as 1, repeated with a 🤔 added.)
  3. Audit logs: a story you hear a lot
     PCI DSS requirement: log and monitor all access to system components and cardholder data.
     ・Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
     ・Audit logs are protected from destruction and unauthorized modification.
     ・Audit logs are reviewed to identify anomalies or suspicious activity.
     ・Audit log history is retained and available for analysis.
     ・Failures of critical security control systems are detected, reported, and responded to promptly.
     https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss
  4. (The same slide as 3, with the question added:) If we retain all of that, won't our AWS bill balloon? 🤔
  5. A cost-effective way to store logs. Prep: the role of each service
     CloudWatch Logs: lets you see all of your logs, regardless of source, as a single consistent stream of events in time order, and supports querying, sorting, grouping by particular fields, and visualizing log data on dashboards.
     Kinesis Firehose: a service that receives streaming data and delivers the streams it receives to data stores and analysis tools such as S3, Redshift and OpenSearch.
     S3: an object storage service. There is no limit on the total amount of data or the number of objects it can hold, so you can pour data in without worrying about capacity, and by adjusting the storage class (described later) you can optimize the cost of long-term retention.
  6. A cost-effective way to store logs
     (Diagram: Database / Computing / Security Service → CloudWatch Logs → Kinesis Firehose → S3 → S3 Glacier)
     Storing logs from servers, databases and security-audit services. Application server and database logs are aggregated in CloudWatch Logs; some audit logs are sent directly to S3.
  7. A cost-effective way to store logs
     (Same diagram as slide 6)
     Export log data from CloudWatch Logs to S3 (storage). Past logs that nobody looks at unless something happens should be kept somewhere with low storage cost. ※ Do the cost estimate properly beforehand.
  8. A cost-effective way to store logs
     (Same diagram as slide 6)
     Moving to a storage class suited to long-term retention (cost reduction).
     S3: ・[price] USD/GB (for the first [volume] TB per month)
     S3 Glacier Flexible Retrieval: ・Retrieval costs money, but the storage cost is low ・[price] USD/GB
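The flow on slides 6 to 8 (CloudWatch Logs exported to S3, then transitioned to Glacier Flexible Retrieval) and the "estimate the cost beforehand" note on slide 7, as an added example that is not part of the deck or of any AWS sample code. It builds the S3 lifecycle rule and the CloudWatch Logs export request in the shape the boto3 calls `put_bucket_lifecycle_configuration` and `create_export_task` expect, and computes a steady-state monthly bill for "keep everything in Standard" versus "archive after N months". The bucket name, log group, retention periods and every price are placeholders I chose for the illustration, not AWS list prices; the only AWS facts relied on are that the API name of the Glacier Flexible Retrieval class is `GLACIER`, that it bills a 90-day minimum, and that S3 requires the expiration day to come after the transition day.

```python
"""Added example (not from the deck): lifecycle rule, export request and a
cost estimate for CloudWatch Logs -> S3 -> S3 Glacier Flexible Retrieval."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GLACIER_FLEXIBLE = "GLACIER"  # S3 API name of the Glacier Flexible Retrieval class
GLACIER_MIN_DAYS = 90         # minimum billed storage duration; earlier deletion is charged anyway


def lifecycle_rule(prefix: str, days_to_glacier: int, expire_days: Optional[int] = None) -> dict:
    """One rule for s3.put_bucket_lifecycle_configuration(): objects under `prefix`
    move to Glacier Flexible Retrieval after `days_to_glacier` days and are
    optionally deleted after `expire_days` days."""
    if days_to_glacier < 0:
        raise ValueError("days_to_glacier must be >= 0")
    rule = {
        "ID": "archive-" + (prefix.strip("/").replace("/", "-") or "all"),
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": days_to_glacier, "StorageClass": GLACIER_FLEXIBLE}],
    }
    if expire_days is not None:
        # S3 rejects an expiration that is not later than the transition, and
        # deleting inside the 90-day minimum still bills the full minimum.
        if expire_days <= days_to_glacier:
            raise ValueError("expire_days must be greater than days_to_glacier")
        if expire_days - days_to_glacier < GLACIER_MIN_DAYS:
            raise ValueError(f"objects must stay in Glacier at least {GLACIER_MIN_DAYS} days")
        rule["Expiration"] = {"Days": expire_days}
    return rule


def export_task_params(log_group: str, bucket: str, prefix: str,
                       start: datetime, end: datetime) -> dict:
    """Keyword arguments for logs.create_export_task() covering [start, end).
    CloudWatch Logs takes epoch milliseconds, so insist on timezone-aware input."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if end <= start:
        raise ValueError("end must be after start")
    return {
        "taskName": f"export-{log_group.strip('/').replace('/', '-')}-{start:%Y%m%d}",
        "logGroupName": log_group,
        "fromTime": int(start.timestamp() * 1000),
        "to": int(end.timestamp() * 1000),
        "destination": bucket,
        "destinationPrefix": prefix.strip("/"),
    }


@dataclass(frozen=True)
class Pricing:
    """Per-GB prices. Values passed in below are placeholders, not AWS list prices."""
    standard_gb_month: float
    glacier_gb_month: float
    glacier_retrieval_gb: float


def monthly_cost(gb_per_month: float, retention_months: int, months_in_standard: int,
                 pricing: Pricing, retrieved_gb_per_month: float = 0.0) -> float:
    """Steady-state monthly bill: each month's batch of logs spends
    `months_in_standard` months in Standard and the rest of `retention_months`
    in Glacier, plus the retrieval fee for what is pulled back on average."""
    if retention_months <= 0 or months_in_standard < 0:
        raise ValueError("retention must be positive, months_in_standard non-negative")
    standard_months = min(months_in_standard, retention_months)
    glacier_months = retention_months - standard_months
    storage = gb_per_month * (standard_months * pricing.standard_gb_month
                              + glacier_months * pricing.glacier_gb_month)
    return storage + retrieved_gb_per_month * pricing.glacier_retrieval_gb


def apply_to_aws(bucket: str, rule: dict, export_params: dict) -> None:
    """Push the rule and start the export. Assumes boto3 is installed and
    credentials are configured; not called by the demo below."""
    import boto3  # assumption: boto3 available in the environment
    boto3.client("s3").put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration={"Rules": [rule]})
    boto3.client("logs").create_export_task(**export_params)


if __name__ == "__main__":
    prices = Pricing(0.025, 0.004, 0.01)  # placeholder figures, replace with your region's prices
    print("Standard only:      %.2f USD/month" % monthly_cost(100, 12, 12, prices))
    print("Archive after 3 mo: %.2f USD/month" % monthly_cost(100, 12, 3, prices, retrieved_gb_per_month=5))
    print(lifecycle_rule("cloudwatch-export/", days_to_glacier=90, expire_days=365))
    print(export_task_params("/aws/app", "example-log-archive", "cloudwatch-export",
                             datetime(2022, 8, 1, tzinfo=timezone.utc),
                             datetime(2022, 9, 1, tzinfo=timezone.utc)))
```

The estimate is the one the ※ note asks for: run `monthly_cost` with your real volume and current prices before turning the rule on, and include an expected retrieval volume, since Glacier's low storage price is offset by retrieval fees if the logs turn out to be read regularly.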