Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
Search
maru1981
February 06, 2020
Technology
0
2.1k
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
maru1981
February 06, 2020
Tweet
Share
More Decks by maru1981
See All by maru1981
re:Growth2023 OSAKA 「Amazon ElastiCache Serverless」のご紹介
maru1981
0
25k
データ分析のためのAWS Well-Architected -Data Analytics Lens-
maru1981
0
1.9k
「データレイク」という言葉だけ知ってる人がAWS Lake Formationをはじめてみる/DevelopersIO2021 DECADE Try AWS Lake Formation for the first time
maru1981
1
2.3k
AWS環境見直しの第一歩「AWS請求代行サービス」のご紹介/Classmethod Members
maru1981
0
1k
AWSではじめるBlockchain/[DevelopersIO 2019 in OSAKA]Blockchain starting with AWS
maru1981
0
1.9k
AWSではじめるBlockchain/Blockchain starting with AWS
maru1981
0
1.4k
[HIGOBASHI.AWS] #9 re:Invent 2018 の新サービス紹介(AWSインフラ編)
maru1981
0
980
[HIGOBASHI.AWS] #6 CloudFront を使ってみよう!/ Let's use CloudFront
maru1981
0
1.5k
Other Decks in Technology
See All in Technology
会社を支える Pythonという言語戦略 ~なぜPythonを主要言語にしているのか?~
curekoshimizu
3
670
dbtとAIエージェントを組み合わせて見えたデータ調査の新しい形
10xinc
0
200
ブラウザのAPIで Nintendo Switch用の特殊なゲーム用コントローラーを体験型コンテンツに / IoTLT @ストラタシス・ジャパン
you
PRO
0
130
プロダクト開発と社内データ活用での、BI×AIの現在地 / Data_Findy
sansan_randd
0
130
スタートアップの現場で実践しているテストマネジメント #jasst_kyushu
makky_tyuyan
0
130
Dify on AWS 環境構築手順
yosse95ai
0
130
OTEPsで知るOpenTelemetryの未来 / Observability Conference Tokyo 2025
arthur1
0
250
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
14
82k
ソースを読む時の思考プロセスの例-MkDocs
sat
PRO
1
170
あなたの知らない Linuxカーネル脆弱性の世界
recruitengineers
PRO
3
160
Linux カーネルが支えるコンテナの仕組み / LF Japan Community Days 2025 Osaka
tenforward
1
130
Open Table Format (OTF) が必要になった背景とその機能 (2025.10.28)
simosako
2
200
Featured
See All Featured
The Invisible Side of Design
smashingmag
302
51k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.6k
Intergalactic Javascript Robots from Outer Space
tanoku
272
27k
Building a Scalable Design System with Sketch
lauravandoore
463
33k
For a Future-Friendly Web
brad_frost
180
10k
VelocityConf: Rendering Performance Case Studies
addyosmani
333
24k
BBQ
matthewcrist
89
9.9k
It's Worth the Effort
3n
187
28k
Building Better People: How to give real-time feedback that sticks.
wjessup
369
20k
Producing Creativity
orderedlist
PRO
347
40k
Building Applications with DynamoDB
mza
96
6.7k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
Transcript
ηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷͪΐ͍ςΫ Marumo Atsushi
KBXTVH KBXTVHPTBLB
εϥΠυޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ༰ΛϝϞ͢Δඞཁ͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ߹ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹྀ͍ͩ͘͝͞ Attention
ࣗݾհ ؙໟಞ࢙ Ϋϥεϝιουגࣜձࣾ "84ࣄۀຊ෦ίϯαϧςΟϯά෦ ιϦϡʔγϣϯΞʔΩςΫτ ʢϚϧϞΞπγʣ "84ೝఆࢿ֨ף ͖ͳ"84αʔϏε w
$MPVE'SPOU w 5SBOTJU(BUFXBZ w .BOBHFE#MPDLDIBJO
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0 ௨ࢉ ຊʂ ؒ ຊʂ ݄ؒ ຊʂ
None
80ਓ 736ຊ
ຊͷςʔϚ "84ͷηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷʮͪΐ͍ςΫʯ
ຊͷςʔϚ ࢸۃͷϒϩάهࣄΛఴ͑ͯ ʢৄࡉͳઆ໌ল͘ͷͰؾʹͳͬͨͷΛޙ͔Βख़ಡʣ
Security & Network
ͪΐ͍ςΫ̍ ؆୯ʹઃఆͰ͖Δ "84ͷൃݟత౷੍
͜Ε͚ͩͬͱ͍ͯཉ͍͠"84αʔϏε̐બ w"84$MPVE5SBJM w"NB[PO(VBSE%VUZ w"84$POpH w4*"."DDFTT"OBMZ[FS
$MPVE5SBJM w"84ͷ"1*ʹର͢Δૢ࡞ϩά w"84ΞΧϯτʹରͯ͠ʮ୭͕ʯʮ͍ͭʯʮԿΛ͔ͨ͠ʯ wશϦʔδϣϯͰ༗ޮԽʢίϯιʔϧͰ؆୯ʹઃఆʣ wϩάੳʹ"UIFOB$MPVE8BUDI-PHT*OTJHIUT wҟৗͳ"1*ίʔϧ$MPVE5SBJM*OTJHIUTͰݕग़
$MPVE5SBJM*OTJHIUT w௨ৗͱҟͳΔΞΫςΟϏςΟΛݕग़ wରॻ͖ࠐΈཧΠϕϯτ w ʢॻ͖ࠐΈཧΠϕϯτ͋ͨΓʣ https://dev.classmethod.jp/cloud/aws/aws-cloudtrail-announces-cloudtrail-insights/
(VBSE%VUZ w͓ʹ&$ͱ*".ΞΧϯτؔ࿈ͷൃݟత౷੍ w"84ʹ͓͚Δෆ৹ͳΞΫςΟϏςΟΛݕ w$MPVE5SBJMFWFOUMPHT w71$'MPX-PHT w%/4MPHT wશϦʔδϣϯͰ༗ޮԽ https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/
(VBSE%VUZʢ͜͜ͷΞοϓσʔτɹɹʣ w߈ܸऀʹՃ୲ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-devect-new-findings-of-dos-attack/ w"ENJOͳͲͷಛݖΛׂΓͯΑ͏ͱ ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-can-now-detect-privilege-escalation/ wݕग़݁ՌͰഁغ͞ΕΔ https://dev.classmethod.jp/cloud/aws/guardduty-supports-exporting-findings-to-an- amazon-s3-bucket/
Ͱ͓ߴ͍ΜͰ͠ΐɾɾɾʁ wίεύ࠷ڧ w71$ϑϩʔϩάͱ%/4ϩάੳɹ(#ʙ w$MPVE5SBJMΠϕϯτੳɹ Πϕϯτʙ wฐࣾͰཧΞΧϯτͷҎ্͕"84ར༻අͷҎԼ wҎ্ͷΞΧϯτ͕"84ར༻අͷҎԼ
ͦΕͰෆ҆ͱ͍͏ͳΒ wؒͷແྉτϥΠΞϧͰ࣮ࡍͷར༻අΛ֬ೝ
"84$POpH w"84ϦιʔεͷมߋཤྺΛه wλΠϜϥΠϯͰมߋ༰͕֬ೝͰ͖Δ
͓҆͘ͳΓ·ͨ͠ w݄Ҏ߱ɺैྔ՝ۚϞσϧʹมߋ wධՁ͋ͨΓʙ https://dev.classmethod.jp/cloud/aws/recommend-config-rules-for-all-user/
ඇ४ڌϦιʔεΛࣗಈम෮Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ w44."VUPNBUJPOͱ࿈ܞͨࣗ͠ಈम෮ wैདྷ$MPVE8BUDI&WFOUTˠ-BNCEBͷ࡞ΓࠐΈ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/
4*"."DDFTT"OBMZ[FS w֎෦ϓϦϯγύϧ͔ΒΞΫηεՄೳͳϦιʔε͕ର wજࡏతͳϦεΫΛஅʢ߈ܸΛݕग़͢ΔͷͰͳ͍ʣ wαϙʔτ͞ΕΔϦιʔε w4όέοτ w*".ϩʔϧ w,.4Ωʔ w-BNCEBؔͱ-BNCEBϨΠϠʔ w424Ωϡʔ
4*"."DDFTT"OBMZ[FS wແྉͰར༻Մೳʂ
શϦʔδϣϯͰ༗ޮԽͯ͠͠·͓͏ https://dev.classmethod.jp/cloud/aws/create-analyzer-all-region/ wશϦʔδϣϯͰ༗ޮʹ͢Δ w4"DDFTT"OBMZ[FS*"."DDFTT"OBMZ[FSΛ༗ޮԽʹ͢Δͱར༻Ͱ͖·͢
͓Εͳ͘ ݕग़͢Δ͚ͩͰຬ͠ͳ͍Ͱɻ ௨ͪΌΜͱΓ·͠ΐ͏ɻ
ͪΐ͍ςΫ̎ ؆୯ʹνΣοΫͰ͖Δ ηΩϡϦςΟɾίϯϓϥΠΞϯε
ίϯϓϥΠΞϯεɿ$*4#FODINBSL w$*4-JOVY"QBDIFͳͲ༷ʑͳηΩϡϦςΟج४Λ࡞ ͍ͯ͠Δஂମ w$*4"84'PVOEBUJPOT#FODINBSLͱͯ͠"84ͷηΩϡ ϦςΟνΣοΫͷ۩ମతͳ߲Λఆٛ wฐࣾఏڙͷηΩϡϦςΟνΣοΫπʔϧ ʰJOTJHIUXBUDIʱͰແྉஅՄೳ
*OTJHIUXBUDI wʮখ͞ͳൃݟΛେ͖ͳ҆৺ʹʯΛίϯηϓτʹ"84ڥ Λஅ͠ϨϙʔτΛग़ྗ͢Δπʔϧ https://insightwatch.io/
ͨ͘͞ΜͷܯࠂͰͨΜ͚Ͳɾɾɾ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen2/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen3/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen4/
ͪΐ͍ςΫ̏ ήʔτܕ͔Β ΨʔυϨʔϧܕ
ैདྷͷηΩϡϦςΟͷߟ͑ํ w࠷ۙɺ"84͕ൃ৴ͯ͠Δϝοηʔδ wैདྷͷηΩϡϦςΟήʔτΩʔύత w·ͣϒϩοΫ w༰Λ֬ೝ͕ͯ͠ͳ͚Εͱ͓͢ wྲྀΕΛͱΊΔ͜ͱɺϏδωεͷεϐʔυΛಷΒͤΔ
ηΩϡϦςΟͰϏδωεʹ ϒϨʔΩΛ͔͚͍͚ͯͳ͍ ͲΜͳʹεϐʔυΛग़ͯ҆͠શͳ ΨʔυϨʔϧͷΑ͏ͳηΩϡϦςΟΛ
ΨʔυϨʔϧతͳηΩϡϦςΟͱ wΨʔυϨʔϧతͳηΩϡϦςΟΛ࣮ݱ͢ΔҰྫ w"840SHBOJ[BUJPOTͷαʔϏείϯτϩʔϧϙϦγʔ w"84*".1FSNJTTJPOTCPVOEBSZ w1FSNJTTJPOTCPVOEBSZ w௨ৗͷ*".ϙϦγʔʹ"/%݅ΛՃ͑ͯɺڐՄൣғΛ ݶఆ͢ΔϙϦγʔ wڥքൣғͳ͔Ͱࣗ༝ʹͤͯ͋͛͞Δ
1FSNJTTJPOTCPVOEBSZ wઃఆΛؒҧ͑Δͱ͍ΖΜͳݖݶΛ ࣦ͏ͷͰઃఆ৻ॏʹ https://dev.classmethod.jp/cloud/aws/iam-permissions-boundary/
w*".ϙϦγʔγϡϛϨʔλʹରԠ͠·ͨ͠ wࣄલʹγϛϡϨʔγϣϯͰӨڹൣғΛ֬ೝ ҆͝৺͍ͩ͘͞ https://dev.classmethod.jp/cloud/aws/iam-policy-simulator-now-simulates-permissions-boundary/
ͪΐ͍ςΫ̐ *.%4ͷ ηΩϡϦςΟڧԽ
*.%4ʢΠϯελϯεϝλσʔλαʔϏεʣ w&$Πϯελϯεϝλσʔλ wʹ)551ϦΫΤετ༷ͯ͠ʑͳϝλ σʔλʹΞΫηεͰ͖Δ w*".ϩʔϧ͜ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ w8"'ͳͲͷެ։αʔόʹ͋Δ੬ऑੑͱΈ߹Θͤͯɺෆਖ਼ ʹ&$ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ͠ѱ༻͢Δ ͜ͱ͕Մೳ
ࣄނࣄྫ ʰpiyologʱɿhttps://piyolog.hatenadiary.jp/entry/2019/08/06/062154
*.%4W https://dev.classmethod.jp/cloud/aws/ec2-imdsv2-release/ w7ͷΞΫηεʹ5PLFO͕ඞཁ w7ΛແޮԽͰ͖ΔʢσϑΥϧτซ༻ʣ wϝλσʔλαʔϏεࣗମΛແޮԽͰ͖ΔɹʜFUD
͋ΘͤͯಡΈ͍ͨ ʰಙؙߒͷهʱɿhttps://blog.tokumaru.org/2019/12/defense-ssrf-amazon-ec2-imdsv2.html w*.%4W443'߈ܸͷࠜຊతͳղܾͰͳ͍ w͕ɺ443'߈ܸͷ؇ࡦͱͯ͠ҰఆͷޮՌظͰ͖Δ
ͪΐ͍ςΫ̑ ͏͔ͬΓ࿙ӮΛࢭ
HJUTFDSFUTͬͯ·͔͢ʁ w"84ΞΫηεΩʔͷ࿙ӮͰҰ൪ଟ͍ύλʔϯ wHJUDPNNJUʹIPPL͢ΔػೳΛ༗ޮʹ͠ͱ͚ɺΞΫηε ΩʔγʔΫϨοτΩʔͷύλʔϯΛݕग़ɾ્ࢭͯ͘͠ΕΔ https://dev.classmethod.jp/cloud/aws/startup-git-secrets/
͋ΘͤͯಡΈ͍ͨ w*".ͷجຊ࠷খݖݶ w։ൃݕূຊ൪ڥͷڥͷϝϦοτɺσϝϦοτ https://dev.classmethod.jp/cloud/aws/account-and-vpc-dividing-pattern/
ͪΐ͍ςΫ̒ ֎෦ͱͷτϥϑΟοΫΛ ΠϯϥΠϯࠪ
*OHSFTTSPVUF w*(8ɺ7(8ʹϧʔτ ςʔϒϧͷઃఆ͕Մೳ wૹ৴ઌ71$ͷ $*%3ൣғͷΈ w*%4*14ΞϓϥΠΞϯ εͷϦμΠϨΫτ Λγϯϓϧʹ࣮
͋ΘͤͯಡΈ͍ͨ https://dev.classmethod.jp/cloud/aws/what-is-vpc-ingress-routing/
71$ؒτϥϑΟοΫͷΠϯϥΠϯࠪʢ5(8ʣ https://www.slideshare.net/AmazonWebServicesJapan/20191113-aws-black-belt-online-seminar-aws-transit-gateway?ref=https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-transit-gateway-2019/
·ͱΊ
·ͱΊ wൃݟత౷੍ͷ̐αʔϏεઃఆ͠Α͏ʢ௨·ͰΔʣ wʮ*OTJHIUXBUDIʯͰίϯϓϥΠΞϯεΛνΣοΫ wڥքൣғʢΨʔυϨʔϧʣͷͳ͔Ͱࣗ༝Λߴ͘ w*.%4͕ѱ༻͞ΕΔ͜ͱ͓ͬͯ͘ wΞΫηεΩʔHJUDPNNJUͰ͖ͳ͍Α͏ʹ͢Δ wΠϯϥΠϯࠪΛγϯϓϧʹߏங
͜Ε͚֮ͩ͑ͯؼͬͯ΄͍͠ɺͪΐ͍ςΫ ͍͍ͩͨͷ͜ͱ %FWFMPQFST*0ʹॻ͍ͯΔ
None