[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク

ηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷͪΐ͍ςΫ Marumo Atsushi

KBXTVH KBXTVHPTBLB

εϥΠυ͸ޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ಺༰ΛϝϞ͢Δඞཁ͸͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ৔߹͸ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹ͝഑ྀ͍ͩ͘͞ Attention

ࣗݾ঺հ ؙໟಞ࢙ Ϋϥεϝιουגࣜձࣾ "84ࣄۀຊ෦ίϯαϧςΟϯά෦ ιϦϡʔγϣϯΞʔΩςΫτ ʢϚϧϞΞπγʣ "84ೝఆࢿ֨ף ޷͖ͳ"84αʔϏε w
$MPVE'SPOU w 5SBOTJU(BUFXBZ w .BOBHFE#MPDLDIBJO

݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0

݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0 ௨ࢉ ຊʂ ೥ؒ ຊʂ ݄ؒ ຊʂ

80ਓ 736ຊ

ຊ೔ͷςʔϚ "84ͷηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷʮͪΐ͍ςΫʯ

ຊ೔ͷςʔϚ ࢸۃͷϒϩάهࣄΛఴ͑ͯ ʢৄࡉͳઆ໌͸ল͘ͷͰؾʹͳͬͨ΋ͷΛޙ͔Βख़ಡʣ

Security & Network

ͪΐ͍ςΫ̍ ؆୯ʹઃఆͰ͖Δ "84ͷൃݟత౷੍

͜Ε͚ͩ͸΍ͬͱ͍ͯཉ͍͠"84αʔϏε̐બ w"84$MPVE5SBJM w"NB[PO(VBSE%VUZ w"84$POpH w4*"."DDFTT"OBMZ[FS

$MPVE5SBJM w"84ͷ"1*ʹର͢Δૢ࡞ϩά w"84ΞΧ΢ϯτʹରͯ͠ʮ୭͕ʯʮ͍ͭʯʮԿΛ͔ͨ͠ʯ wશϦʔδϣϯͰ༗ޮԽʢίϯιʔϧͰ؆୯ʹઃఆʣ wϩά෼ੳʹ͸"UIFOB΍$MPVE8BUDI-PHT*OTJHIUT wҟৗͳ"1*ίʔϧ͸$MPVE5SBJM*OTJHIUTͰݕग़

$MPVE5SBJM*OTJHIUT w௨ৗͱҟͳΔΞΫςΟϏςΟΛݕग़ wର৅͸ॻ͖ࠐΈ؅ཧΠϕϯτ w ʢॻ͖ࠐΈ؅ཧΠϕϯτ͋ͨΓʣ https://dev.classmethod.jp/cloud/aws/aws-cloudtrail-announces-cloudtrail-insights/

(VBSE%VUZ w͓΋ʹ&$ͱ*".ΞΧ΢ϯτؔ࿈ͷൃݟత౷੍ w"84ʹ͓͚Δෆ৹ͳΞΫςΟϏςΟΛݕ஌ w$MPVE5SBJMFWFOUMPHT w71$'MPX-PHT w%/4MPHT wશϦʔδϣϯͰ༗ޮԽ https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/

(VBSE%VUZʢ͜͜೥ͷΞοϓσʔτɹɹʣ w߈ܸऀʹՃ୲ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-devect-new-findings-of-dos-attack/ w"ENJOͳͲͷಛݖΛׂΓ౰ͯΑ͏ͱ ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-can-now-detect-privilege-escalation/ wݕग़݁Ռ͸೔Ͱഁغ͞ΕΔ https://dev.classmethod.jp/cloud/aws/guardduty-supports-exporting-findings-to-an- amazon-s3-bucket/

Ͱ΋͓ߴ͍ΜͰ͠ΐɾɾɾʁ wίεύ࠷ڧ w71$ϑϩʔϩάͱ%/4ϩά෼ੳɹ(#ʙ w$MPVE5SBJMΠϕϯτ෼ੳɹ Πϕϯτʙ wฐࣾͰ؅ཧΞΧ΢ϯτͷҎ্͕"84ར༻අͷҎԼ wҎ্ͷΞΧ΢ϯτ͕"84ར༻අͷҎԼ

ͦΕͰ΋ෆ҆ͱ͍͏ͳΒ͹ w೔ؒͷແྉτϥΠΞϧͰ࣮ࡍͷར༻අΛ֬ೝ

"84$POpH w"84ϦιʔεͷมߋཤྺΛه࿥ wλΠϜϥΠϯͰมߋ಺༰͕֬ೝͰ͖Δ

͓҆͘ͳΓ·ͨ͠ w೥݄೔Ҏ߱ɺैྔ՝ۚϞσϧʹมߋ wධՁ͋ͨΓʙ https://dev.classmethod.jp/cloud/aws/recommend-conﬁg-rules-for-all-user/

ඇ४ڌϦιʔεΛࣗಈम෮Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ w44."VUPNBUJPOͱ࿈ܞͨࣗ͠ಈम෮ wैདྷ͸$MPVE8BUDI&WFOUTˠ-BNCEBͷ࡞ΓࠐΈ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/

4*"."DDFTT"OBMZ[FS w֎෦ϓϦϯγύϧ͔ΒΞΫηεՄೳͳϦιʔε͕ର৅ wજࡏతͳϦεΫΛ൑அʢ߈ܸΛݕग़͢Δ΋ͷͰ͸ͳ͍ʣ wαϙʔτ͞ΕΔϦιʔε w4όέοτ w*".ϩʔϧ w,.4Ωʔ w-BNCEBؔ਺ͱ-BNCEBϨΠϠʔ w424Ωϡʔ

4*"."DDFTT"OBMZ[FS wແྉͰར༻Մೳʂ

શϦʔδϣϯͰ༗ޮԽͯ͠͠·͓͏ https://dev.classmethod.jp/cloud/aws/create-analyzer-all-region/ wશϦʔδϣϯͰ༗ޮʹ͢Δ w4"DDFTT"OBMZ[FS͸*"."DDFTT"OBMZ[FSΛ༗ޮԽʹ͢Δͱར༻Ͱ͖·͢

͓๨Εͳ͘ ݕग़͢Δ͚ͩͰຬ଍͠ͳ͍Ͱɻ ௨஌΋ͪΌΜͱ΍Γ·͠ΐ͏ɻ

ͪΐ͍ςΫ̎ ؆୯ʹνΣοΫͰ͖Δ ηΩϡϦςΟɾίϯϓϥΠΞϯε

ίϯϓϥΠΞϯεɿ$*4#FODINBSL w$*4͸-JOVY΍"QBDIFͳͲ༷ʑͳηΩϡϦςΟج४Λ࡞ ੒͍ͯ͠Δஂମ w$*4"84'PVOEBUJPOT#FODINBSLͱͯ͠"84ͷηΩϡ ϦςΟνΣοΫͷ۩ମతͳ߲໨Λఆٛ wฐࣾఏڙͷηΩϡϦςΟνΣοΫπʔϧ  ʰJOTJHIUXBUDIʱͰແྉ਍அՄೳ

*OTJHIUXBUDI wʮখ͞ͳൃݟΛେ͖ͳ҆৺ʹʯΛίϯηϓτʹ"84؀ڥ Λ਍அ͠ϨϙʔτΛग़ྗ͢Δπʔϧ https://insightwatch.io/

ͨ͘͞ΜͷܯࠂͰͨΜ΍͚Ͳɾɾɾ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen2/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen3/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen4/

ͪΐ͍ςΫ̏ ήʔτܕ͔Β ΨʔυϨʔϧܕ΁

ैདྷͷηΩϡϦςΟͷߟ͑ํ w࠷ۙɺ"84͕ൃ৴ͯ͠Δϝοηʔδ wैདྷͷηΩϡϦςΟ͸ήʔτΩʔύత w·ͣ͸ϒϩοΫ w಺༰Λ֬ೝͯ͠໰୊͕ͳ͚Ε͹ͱ͓͢ wྲྀΕΛͱΊΔ͜ͱ͸ɺϏδωεͷεϐʔυΛಷΒͤΔ

ηΩϡϦςΟͰϏδωεʹ ϒϨʔΩΛ͔͚ͯ͸͍͚ͳ͍ ͲΜͳʹεϐʔυΛग़ͯ͠΋҆શͳ ΨʔυϨʔϧͷΑ͏ͳηΩϡϦςΟΛ

ΨʔυϨʔϧతͳηΩϡϦςΟͱ͸ wΨʔυϨʔϧతͳηΩϡϦςΟΛ࣮ݱ͢ΔҰྫ w"840SHBOJ[BUJPOTͷαʔϏείϯτϩʔϧϙϦγʔ w"84*".1FSNJTTJPOTCPVOEBSZ w1FSNJTTJPOTCPVOEBSZ w௨ৗͷ*".ϙϦγʔʹ"/%৚݅ΛՃ͑ͯɺڐՄൣғΛ ݶఆ͢ΔϙϦγʔ wڥքൣғͳ͔Ͱࣗ༝ʹͤͯ͋͛͞Δ

1FSNJTTJPOTCPVOEBSZ wઃఆΛؒҧ͑Δͱ͍ΖΜͳݖݶΛ  ࣦ͏ͷͰઃఆ͸৻ॏʹ https://dev.classmethod.jp/cloud/aws/iam-permissions-boundary/

w*".ϙϦγʔγϡϛϨʔλʹରԠ͠·ͨ͠ wࣄલʹγϛϡϨʔγϣϯͰӨڹൣғΛ֬ೝ ҆͝৺͍ͩ͘͞ https://dev.classmethod.jp/cloud/aws/iam-policy-simulator-now-simulates-permissions-boundary/

ͪΐ͍ςΫ̐ *.%4ͷ ηΩϡϦςΟڧԽ

*.%4ʢΠϯελϯεϝλσʔλαʔϏεʣ w&$Πϯελϯεϝλσʔλ wʹ)551ϦΫΤετ༷ͯ͠ʑͳϝλ σʔλʹΞΫηεͰ͖Δ w*".ϩʔϧ͸͜ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ w8"'ͳͲͷެ։αʔόʹ͋Δ੬ऑੑͱ૊Έ߹Θͤͯɺෆਖ਼ ʹ&$ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ͠ѱ༻͢Δ ͜ͱ͕Մೳ

ࣄނࣄྫ ʰpiyologʱɿhttps://piyolog.hatenadiary.jp/entry/2019/08/06/062154

*.%4W https://dev.classmethod.jp/cloud/aws/ec2-imdsv2-release/ w7΁ͷΞΫηεʹ͸5PLFO͕ඞཁ w7ΛແޮԽͰ͖ΔʢσϑΥϧτ͸ซ༻ʣ wϝλσʔλαʔϏεࣗମΛແޮԽ΋Ͱ͖ΔɹʜFUD

͋ΘͤͯಡΈ͍ͨ ʰಙؙߒͷ೔هʱɿhttps://blog.tokumaru.org/2019/12/defense-ssrf-amazon-ec2-imdsv2.html w*.%4W͸443'߈ܸͷࠜຊతͳղܾͰ͸ͳ͍ w͕ɺ443'߈ܸͷ؇࿨ࡦͱͯ͠ҰఆͷޮՌ͸ظ଴Ͱ͖Δ

ͪΐ͍ςΫ̑ ͏͔ͬΓ࿙ӮΛ๷ࢭ

HJUTFDSFUT࢖ͬͯ·͔͢ʁ w"84ΞΫηεΩʔͷ࿙ӮͰҰ൪ଟ͍ύλʔϯ wHJUDPNNJUʹIPPL͢ΔػೳΛ༗ޮʹ͠ͱ͚͹ɺΞΫηε Ωʔ΍γʔΫϨοτΩʔͷύλʔϯΛݕग़ɾ્ࢭͯ͘͠ΕΔ https://dev.classmethod.jp/cloud/aws/startup-git-secrets/

͋ΘͤͯಡΈ͍ͨ w*".ͷجຊ͸࠷খݖݶ w։ൃݕূຊ൪؀ڥͷ؀ڥ෼཭ͷϝϦοτɺσϝϦοτ https://dev.classmethod.jp/cloud/aws/account-and-vpc-dividing-pattern/

ͪΐ͍ςΫ̒ ֎෦ͱͷτϥϑΟοΫΛ ΠϯϥΠϯ؂ࠪ

*OHSFTTSPVUF w*(8ɺ7(8ʹϧʔτ ςʔϒϧͷઃఆ͕Մೳ wૹ৴ઌ͸71$ͷ $*%3ൣғͷΈ w*%4*14ΞϓϥΠΞϯ ε੡඼΁ͷϦμΠϨΫτ Λγϯϓϧʹ࣮૷

͋ΘͤͯಡΈ͍ͨ https://dev.classmethod.jp/cloud/aws/what-is-vpc-ingress-routing/

71$ؒτϥϑΟοΫͷΠϯϥΠϯ؂ࠪʢ5(8ʣ https://www.slideshare.net/AmazonWebServicesJapan/20191113-aws-black-belt-online-seminar-aws-transit-gateway?ref=https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-transit-gateway-2019/

·ͱΊ

·ͱΊ wൃݟత౷੍ͷ̐αʔϏε͸ઃఆ͠Α͏ʢ௨஌·Ͱ΍Δʣ wʮ*OTJHIUXBUDIʯͰίϯϓϥΠΞϯεΛνΣοΫ wڥքൣғʢΨʔυϨʔϧʣͷͳ͔Ͱࣗ༝౓Λߴ͘ w*.%4͕ѱ༻͞ΕΔ͜ͱ΋஌͓ͬͯ͘ wΞΫηεΩʔ͸HJUDPNNJUͰ͖ͳ͍Α͏ʹ͢Δ wΠϯϥΠϯ؂ࠪΛγϯϓϧʹߏங

͜Ε͚ͩ͸֮͑ͯؼͬͯ΄͍͠ɺͪΐ͍ςΫ ͍͍ͩͨͷ͜ͱ͸ %FWFMPQFST*0ʹॻ͍ͯΔ

[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク

[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク

More Decks by maru1981

Other Decks in Technology

Featured

Transcript