Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
Search
maru1981
February 06, 2020
Technology
0
2.1k
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
maru1981
February 06, 2020
Tweet
Share
More Decks by maru1981
See All by maru1981
re:Growth2023 OSAKA 「Amazon ElastiCache Serverless」のご紹介
maru1981
0
25k
データ分析のためのAWS Well-Architected -Data Analytics Lens-
maru1981
0
1.9k
「データレイク」という言葉だけ知ってる人がAWS Lake Formationをはじめてみる/DevelopersIO2021 DECADE Try AWS Lake Formation for the first time
maru1981
1
2.3k
AWS環境見直しの第一歩「AWS請求代行サービス」のご紹介/Classmethod Members
maru1981
0
1k
AWSではじめるBlockchain/[DevelopersIO 2019 in OSAKA]Blockchain starting with AWS
maru1981
0
1.9k
AWSではじめるBlockchain/Blockchain starting with AWS
maru1981
0
1.4k
[HIGOBASHI.AWS] #9 re:Invent 2018 の新サービス紹介(AWSインフラ編)
maru1981
0
980
[HIGOBASHI.AWS] #6 CloudFront を使ってみよう!/ Let's use CloudFront
maru1981
0
1.5k
Other Decks in Technology
See All in Technology
SOTA競争から人間を超える画像認識へ
shinya7y
0
220
個人でデジタル庁の デザインシステムをVue.jsで 作っている話
nishiharatsubasa
3
5k
物体検出モデルでシイタケの収穫時期を自動判定してみた。 #devio2025
lamaglama39
0
280
「タコピーの原罪」から学ぶ間違った”支援” / the bad support of Takopii
piyonakajima
0
140
ViteとTypeScriptのProject Referencesで 大規模モノレポのUIカタログのリリースサイクルを高速化する
shuta13
3
200
SRE × マネジメントレイヤーが挑戦した組織・会社のオブザーバビリティ改革 ― ビジネス価値と信頼性を両立するリアルな挑戦
coconala_engineer
0
210
オブザーバビリティと育てた ID管理・認証認可基盤の歩み / The Journey of an ID Management, Authentication, and Authorization Platform Nurtured with Observability
kaminashi
1
630
Building a cloud native business on open source
lizrice
0
180
OpenTelemetry が拡げる Gemini CLI の可観測性
phaya72
2
2.2k
JSConf JPのwebsiteをGatsbyからNext.jsに移行した話 - Next.jsの多言語静的サイトと課題
leko
2
180
[VPoE Global Summit] サービスレベル目標による信頼性への投資最適化
satos
0
240
Wasmの気になる最新情報
askua
0
190
Featured
See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Context Engineering - Making Every Token Count
addyosmani
8
300
We Have a Design System, Now What?
morganepeng
53
7.8k
The Power of CSS Pseudo Elements
geoffreycrofte
80
6k
GitHub's CSS Performance
jonrohan
1032
470k
Designing Experiences People Love
moore
142
24k
How to Think Like a Performance Engineer
csswizardry
27
2.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.5k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
34
2.3k
Transcript
ηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷͪΐ͍ςΫ Marumo Atsushi
KBXTVH KBXTVHPTBLB
εϥΠυޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ༰ΛϝϞ͢Δඞཁ͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ߹ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹྀ͍ͩ͘͝͞ Attention
ࣗݾհ ؙໟಞ࢙ Ϋϥεϝιουגࣜձࣾ "84ࣄۀຊ෦ίϯαϧςΟϯά෦ ιϦϡʔγϣϯΞʔΩςΫτ ʢϚϧϞΞπγʣ "84ೝఆࢿ֨ף ͖ͳ"84αʔϏε w
$MPVE'SPOU w 5SBOTJU(BUFXBZ w .BOBHFE#MPDLDIBJO
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0 ௨ࢉ ຊʂ ؒ ຊʂ ݄ؒ ຊʂ
None
80ਓ 736ຊ
ຊͷςʔϚ "84ͷηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷʮͪΐ͍ςΫʯ
ຊͷςʔϚ ࢸۃͷϒϩάهࣄΛఴ͑ͯ ʢৄࡉͳઆ໌ল͘ͷͰؾʹͳͬͨͷΛޙ͔Βख़ಡʣ
Security & Network
ͪΐ͍ςΫ̍ ؆୯ʹઃఆͰ͖Δ "84ͷൃݟత౷੍
͜Ε͚ͩͬͱ͍ͯཉ͍͠"84αʔϏε̐બ w"84$MPVE5SBJM w"NB[PO(VBSE%VUZ w"84$POpH w4*"."DDFTT"OBMZ[FS
$MPVE5SBJM w"84ͷ"1*ʹର͢Δૢ࡞ϩά w"84ΞΧϯτʹରͯ͠ʮ୭͕ʯʮ͍ͭʯʮԿΛ͔ͨ͠ʯ wશϦʔδϣϯͰ༗ޮԽʢίϯιʔϧͰ؆୯ʹઃఆʣ wϩάੳʹ"UIFOB$MPVE8BUDI-PHT*OTJHIUT wҟৗͳ"1*ίʔϧ$MPVE5SBJM*OTJHIUTͰݕग़
$MPVE5SBJM*OTJHIUT w௨ৗͱҟͳΔΞΫςΟϏςΟΛݕग़ wରॻ͖ࠐΈཧΠϕϯτ w ʢॻ͖ࠐΈཧΠϕϯτ͋ͨΓʣ https://dev.classmethod.jp/cloud/aws/aws-cloudtrail-announces-cloudtrail-insights/
(VBSE%VUZ w͓ʹ&$ͱ*".ΞΧϯτؔ࿈ͷൃݟత౷੍ w"84ʹ͓͚Δෆ৹ͳΞΫςΟϏςΟΛݕ w$MPVE5SBJMFWFOUMPHT w71$'MPX-PHT w%/4MPHT wશϦʔδϣϯͰ༗ޮԽ https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/
(VBSE%VUZʢ͜͜ͷΞοϓσʔτɹɹʣ w߈ܸऀʹՃ୲ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-devect-new-findings-of-dos-attack/ w"ENJOͳͲͷಛݖΛׂΓͯΑ͏ͱ ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-can-now-detect-privilege-escalation/ wݕग़݁ՌͰഁغ͞ΕΔ https://dev.classmethod.jp/cloud/aws/guardduty-supports-exporting-findings-to-an- amazon-s3-bucket/
Ͱ͓ߴ͍ΜͰ͠ΐɾɾɾʁ wίεύ࠷ڧ w71$ϑϩʔϩάͱ%/4ϩάੳɹ(#ʙ w$MPVE5SBJMΠϕϯτੳɹ Πϕϯτʙ wฐࣾͰཧΞΧϯτͷҎ্͕"84ར༻අͷҎԼ wҎ্ͷΞΧϯτ͕"84ར༻අͷҎԼ
ͦΕͰෆ҆ͱ͍͏ͳΒ wؒͷແྉτϥΠΞϧͰ࣮ࡍͷར༻අΛ֬ೝ
"84$POpH w"84ϦιʔεͷมߋཤྺΛه wλΠϜϥΠϯͰมߋ༰͕֬ೝͰ͖Δ
͓҆͘ͳΓ·ͨ͠ w݄Ҏ߱ɺैྔ՝ۚϞσϧʹมߋ wධՁ͋ͨΓʙ https://dev.classmethod.jp/cloud/aws/recommend-config-rules-for-all-user/
ඇ४ڌϦιʔεΛࣗಈम෮Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ w44."VUPNBUJPOͱ࿈ܞͨࣗ͠ಈम෮ wैདྷ$MPVE8BUDI&WFOUTˠ-BNCEBͷ࡞ΓࠐΈ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/
4*"."DDFTT"OBMZ[FS w֎෦ϓϦϯγύϧ͔ΒΞΫηεՄೳͳϦιʔε͕ର wજࡏతͳϦεΫΛஅʢ߈ܸΛݕग़͢ΔͷͰͳ͍ʣ wαϙʔτ͞ΕΔϦιʔε w4όέοτ w*".ϩʔϧ w,.4Ωʔ w-BNCEBؔͱ-BNCEBϨΠϠʔ w424Ωϡʔ
4*"."DDFTT"OBMZ[FS wແྉͰར༻Մೳʂ
શϦʔδϣϯͰ༗ޮԽͯ͠͠·͓͏ https://dev.classmethod.jp/cloud/aws/create-analyzer-all-region/ wશϦʔδϣϯͰ༗ޮʹ͢Δ w4"DDFTT"OBMZ[FS*"."DDFTT"OBMZ[FSΛ༗ޮԽʹ͢Δͱར༻Ͱ͖·͢
͓Εͳ͘ ݕग़͢Δ͚ͩͰຬ͠ͳ͍Ͱɻ ௨ͪΌΜͱΓ·͠ΐ͏ɻ
ͪΐ͍ςΫ̎ ؆୯ʹνΣοΫͰ͖Δ ηΩϡϦςΟɾίϯϓϥΠΞϯε
ίϯϓϥΠΞϯεɿ$*4#FODINBSL w$*4-JOVY"QBDIFͳͲ༷ʑͳηΩϡϦςΟج४Λ࡞ ͍ͯ͠Δஂମ w$*4"84'PVOEBUJPOT#FODINBSLͱͯ͠"84ͷηΩϡ ϦςΟνΣοΫͷ۩ମతͳ߲Λఆٛ wฐࣾఏڙͷηΩϡϦςΟνΣοΫπʔϧ ʰJOTJHIUXBUDIʱͰແྉஅՄೳ
*OTJHIUXBUDI wʮখ͞ͳൃݟΛେ͖ͳ҆৺ʹʯΛίϯηϓτʹ"84ڥ Λஅ͠ϨϙʔτΛग़ྗ͢Δπʔϧ https://insightwatch.io/
ͨ͘͞ΜͷܯࠂͰͨΜ͚Ͳɾɾɾ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen2/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen3/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen4/
ͪΐ͍ςΫ̏ ήʔτܕ͔Β ΨʔυϨʔϧܕ
ैདྷͷηΩϡϦςΟͷߟ͑ํ w࠷ۙɺ"84͕ൃ৴ͯ͠Δϝοηʔδ wैདྷͷηΩϡϦςΟήʔτΩʔύత w·ͣϒϩοΫ w༰Λ֬ೝ͕ͯ͠ͳ͚Εͱ͓͢ wྲྀΕΛͱΊΔ͜ͱɺϏδωεͷεϐʔυΛಷΒͤΔ
ηΩϡϦςΟͰϏδωεʹ ϒϨʔΩΛ͔͚͍͚ͯͳ͍ ͲΜͳʹεϐʔυΛग़ͯ҆͠શͳ ΨʔυϨʔϧͷΑ͏ͳηΩϡϦςΟΛ
ΨʔυϨʔϧతͳηΩϡϦςΟͱ wΨʔυϨʔϧతͳηΩϡϦςΟΛ࣮ݱ͢ΔҰྫ w"840SHBOJ[BUJPOTͷαʔϏείϯτϩʔϧϙϦγʔ w"84*".1FSNJTTJPOTCPVOEBSZ w1FSNJTTJPOTCPVOEBSZ w௨ৗͷ*".ϙϦγʔʹ"/%݅ΛՃ͑ͯɺڐՄൣғΛ ݶఆ͢ΔϙϦγʔ wڥքൣғͳ͔Ͱࣗ༝ʹͤͯ͋͛͞Δ
1FSNJTTJPOTCPVOEBSZ wઃఆΛؒҧ͑Δͱ͍ΖΜͳݖݶΛ ࣦ͏ͷͰઃఆ৻ॏʹ https://dev.classmethod.jp/cloud/aws/iam-permissions-boundary/
w*".ϙϦγʔγϡϛϨʔλʹରԠ͠·ͨ͠ wࣄલʹγϛϡϨʔγϣϯͰӨڹൣғΛ֬ೝ ҆͝৺͍ͩ͘͞ https://dev.classmethod.jp/cloud/aws/iam-policy-simulator-now-simulates-permissions-boundary/
ͪΐ͍ςΫ̐ *.%4ͷ ηΩϡϦςΟڧԽ
*.%4ʢΠϯελϯεϝλσʔλαʔϏεʣ w&$Πϯελϯεϝλσʔλ wʹ)551ϦΫΤετ༷ͯ͠ʑͳϝλ σʔλʹΞΫηεͰ͖Δ w*".ϩʔϧ͜ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ w8"'ͳͲͷެ։αʔόʹ͋Δ੬ऑੑͱΈ߹Θͤͯɺෆਖ਼ ʹ&$ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ͠ѱ༻͢Δ ͜ͱ͕Մೳ
ࣄނࣄྫ ʰpiyologʱɿhttps://piyolog.hatenadiary.jp/entry/2019/08/06/062154
*.%4W https://dev.classmethod.jp/cloud/aws/ec2-imdsv2-release/ w7ͷΞΫηεʹ5PLFO͕ඞཁ w7ΛແޮԽͰ͖ΔʢσϑΥϧτซ༻ʣ wϝλσʔλαʔϏεࣗମΛແޮԽͰ͖ΔɹʜFUD
͋ΘͤͯಡΈ͍ͨ ʰಙؙߒͷهʱɿhttps://blog.tokumaru.org/2019/12/defense-ssrf-amazon-ec2-imdsv2.html w*.%4W443'߈ܸͷࠜຊతͳղܾͰͳ͍ w͕ɺ443'߈ܸͷ؇ࡦͱͯ͠ҰఆͷޮՌظͰ͖Δ
ͪΐ͍ςΫ̑ ͏͔ͬΓ࿙ӮΛࢭ
HJUTFDSFUTͬͯ·͔͢ʁ w"84ΞΫηεΩʔͷ࿙ӮͰҰ൪ଟ͍ύλʔϯ wHJUDPNNJUʹIPPL͢ΔػೳΛ༗ޮʹ͠ͱ͚ɺΞΫηε ΩʔγʔΫϨοτΩʔͷύλʔϯΛݕग़ɾ્ࢭͯ͘͠ΕΔ https://dev.classmethod.jp/cloud/aws/startup-git-secrets/
͋ΘͤͯಡΈ͍ͨ w*".ͷجຊ࠷খݖݶ w։ൃݕূຊ൪ڥͷڥͷϝϦοτɺσϝϦοτ https://dev.classmethod.jp/cloud/aws/account-and-vpc-dividing-pattern/
ͪΐ͍ςΫ̒ ֎෦ͱͷτϥϑΟοΫΛ ΠϯϥΠϯࠪ
*OHSFTTSPVUF w*(8ɺ7(8ʹϧʔτ ςʔϒϧͷઃఆ͕Մೳ wૹ৴ઌ71$ͷ $*%3ൣғͷΈ w*%4*14ΞϓϥΠΞϯ εͷϦμΠϨΫτ Λγϯϓϧʹ࣮
͋ΘͤͯಡΈ͍ͨ https://dev.classmethod.jp/cloud/aws/what-is-vpc-ingress-routing/
71$ؒτϥϑΟοΫͷΠϯϥΠϯࠪʢ5(8ʣ https://www.slideshare.net/AmazonWebServicesJapan/20191113-aws-black-belt-online-seminar-aws-transit-gateway?ref=https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-transit-gateway-2019/
·ͱΊ
·ͱΊ wൃݟత౷੍ͷ̐αʔϏεઃఆ͠Α͏ʢ௨·ͰΔʣ wʮ*OTJHIUXBUDIʯͰίϯϓϥΠΞϯεΛνΣοΫ wڥքൣғʢΨʔυϨʔϧʣͷͳ͔Ͱࣗ༝Λߴ͘ w*.%4͕ѱ༻͞ΕΔ͜ͱ͓ͬͯ͘ wΞΫηεΩʔHJUDPNNJUͰ͖ͳ͍Α͏ʹ͢Δ wΠϯϥΠϯࠪΛγϯϓϧʹߏங
͜Ε͚֮ͩ͑ͯؼͬͯ΄͍͠ɺͪΐ͍ςΫ ͍͍ͩͨͷ͜ͱ %FWFMPQFST*0ʹॻ͍ͯΔ
None