[JAWS-UG Osaka] Quick tips for security and networking
maru1981
February 06, 2020
Transcript
Quick tips for security and networking. Marumo Atsushi
jawsug, jawsugosaka
Attention: the slides will be available afterwards, so there is no need to take notes during the talk. If you take photos, please make sure the flash and the shutter sound are off.
Self-introduction: Atsushi Marumo, Classmethod, Inc., AWS Business Division, Consulting Department, Solutions Architect. AWS certifications held: [n] (the number did not survive extraction). Favorite AWS services:
- CloudFront
- Transit Gateway
- Managed Blockchain
DevelopersIO, our technical blog, with [n] x 10,000 page views per month.
DevelopersIO: [n] posts in total, [n] posts per year, [n] posts per month (the figures did not survive extraction).
80 people, 736 posts
Today's theme: "quick tips" around AWS security and networking
Today's theme, served with our finest blog posts (detailed explanations are omitted, so read up later on anything that caught your interest)
Security & Network
Quick tip 1: AWS detective controls that are easy to set up
The four AWS services you should enable at the very least:
- AWS CloudTrail
- Amazon GuardDuty
- AWS Config
- S3/IAM Access Analyzer
CloudTrail
- Operation logs for calls to the AWS APIs
- Records "who", "when" and "what" for the AWS account
- Enable it in all regions (a simple setting in the console)
- For log analysis: Athena or CloudWatch Logs Insights
- Anomalous API calls are detected by CloudTrail Insights
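To show what "who, when, what" looks like when you actually read the log, here is an added example that is not from the slides or from Classmethod: it parses the Records array of a CloudTrail log file and flags two things a reviewer looks for first, root account activity and write API calls outside the regions the account normally uses. The sample records and the HOME_REGIONS set are constructed for the example; the field names are CloudTrail's own.

```python
import json

# Constructed sample CloudTrail records (not real log data), trimmed to the
# fields the slide calls out: who (userIdentity), when (eventTime), what
# (eventSource/eventName) and where (awsRegion, sourceIPAddress).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-02-06T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2020-02-06T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2020-02-06T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
]})

# Regions this (hypothetical) account is expected to operate in.
HOME_REGIONS = {"ap-northeast-1"}

# Read-only call families; everything else is treated as a write.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def who(identity):
    """Reduce a userIdentity block to a short actor label."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return identity.get("userName", "?")
    return identity.get("arn", kind or "?")


def summarize(log_text):
    """Turn a CloudTrail log file into who / when / what / region rows."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        rows.append({
            "who": who(rec.get("userIdentity", {})),
            "when": rec["eventTime"],
            "what": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "region": rec["awsRegion"],
            "ip": rec.get("sourceIPAddress"),
        })
    return rows


def review_flags(rows):
    """Flag root usage and write calls made outside the home regions."""
    flags = []
    for row in rows:
        event_name = row["what"].split(":")[1]
        if row["who"] == "root":
            flags.append(("root-activity", row))
        if row["region"] not in HOME_REGIONS and not event_name.startswith(READ_ONLY_PREFIXES):
            flags.append(("write-outside-home-region", row))
    return flags


if __name__ == "__main__":
    for kind, row in review_flags(summarize(SAMPLE_LOG)):
        print(kind, row["who"], row["when"], row["what"], row["region"])
```

The same two checks are what you would express as a CloudWatch Logs Insights query or an Athena query over the CloudTrail table; keeping the logic in plain code makes it easy to test against a captured log before turning it into a notification rule.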
CloudTrail Insights
- Detects activity that differs from the usual pattern
- Scope: write management events
- Priced per [n] write management events (the amounts did not survive extraction)
https://dev.classmethod.jp/cloud/aws/aws-cloudtrail-announces-cloudtrail-insights/
GuardDuty
- Detective controls mainly around EC2 and IAM accounts
- Detects suspicious activity in AWS, based on:
- CloudTrail event logs
- VPC Flow Logs
- DNS logs
- Enable it in all regions
https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/
GuardDuty (recent updates)
- Are your resources taking part in attacks on someone else? (new DoS findings)
https://dev.classmethod.jp/cloud/aws/guardduty-devect-new-findings-of-dos-attack/
- Is someone trying to grant themselves Admin or other privileges? (privilege escalation findings)
https://dev.classmethod.jp/cloud/aws/guardduty-can-now-detect-privilege-escalation/
- Findings can be exported to an S3 bucket
https://dev.classmethod.jp/cloud/aws/guardduty-supports-exporting-findings-to-an-amazon-s3-bucket/
But isn't it expensive...?
- The best cost-performance around
- VPC Flow Log and DNS log analysis: from $[n] per GB
- CloudTrail event analysis: from $[n] per [n] events
- For [n]% or more of the accounts we manage, it costs [n]% or less of the AWS bill
- For [n]% or more of accounts, it costs [n]% or less of the AWS bill (the percentages did not survive extraction)
If that still worries you
- Use the [n]-day free trial to check the actual cost
AWS Config
- Records the change history of AWS resources
- Changes can be reviewed on a timeline
It got cheaper
- From [month] onwards, Config moved to a pay-as-you-go pricing model
- From $[n] per rule evaluation
https://dev.classmethod.jp/cloud/aws/recommend-config-rules-for-all-user/
Non-compliant resources can now be remediated automatically
- Automatic remediation integrated with SSM Automation
- Previously you had to build it yourself with CloudWatch Events -> Lambda
https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/
S3/IAM Access Analyzer
- Targets resources that are accessible from external principals
- Diagnoses potential risk (it does not detect attacks)
- Supported resources:
- S3 buckets
- IAM roles
- KMS keys
- Lambda functions and Lambda layers
- SQS queues
S3/IAM Access Analyzer
- Free to use!
Just enable it in all regions
https://dev.classmethod.jp/cloud/aws/create-analyzer-all-region/
- Enable it in every region
- S3 Access Analyzer becomes available once IAM Access Analyzer is enabled
Please don't forget: don't be satisfied with detection alone. Set up notifications properly.
Quick tip 2: security compliance that is easy to check
Compliance: CIS Benchmark
- CIS is the organization that produces security standards for Linux, Apache and many other targets
- The CIS AWS Foundations Benchmark defines concrete check items for AWS security
- Our security check tool "insightwatch" can run the assessment for free
insightwatch
- A tool that assesses your AWS environment and outputs a report, built on the concept "turn small findings into great peace of mind"
https://insightwatch.io/
I got a lot of warnings, though...
https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen/
https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen2/
https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen3/
https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen4/
Quick tip 3: from the gate model to the guardrail model
The traditional way of thinking about security
- A message AWS has been sending lately
- Traditional security is gatekeeper-style: block first, inspect the contents, and let it through if there is no problem
- Stopping the flow slows the business down
Security must not put the brakes on the business. Aim for guardrail-style security: safe no matter how fast you go.
What guardrail-style security is
- Examples of implementing guardrail-style security: AWS Organizations service control policies, and AWS IAM permissions boundaries
- What a permissions boundary is: a policy that is ANDed with the normal IAM policies, limiting the range of what can be permitted
- Let people act freely within that boundary
Permissions boundary
- A misconfiguration can cost you all sorts of permissions, so configure it carefully
https://dev.classmethod.jp/cloud/aws/iam-permissions-boundary/
- The IAM Policy Simulator now supports permissions boundaries
- Check the scope of impact with a simulation beforehand, and rest assured
https://dev.classmethod.jp/cloud/aws/iam-policy-simulator-now-simulates-permissions-boundary/
Quick tip 4: hardening IMDS
IMDS (Instance Metadata Service)
- EC2 instance metadata
- Various metadata can be read by sending HTTP requests to the metadata endpoint address (the address did not survive extraction)
- IAM role credentials are obtained from this metadata
- Combined with a vulnerability in a public-facing server such as a WAF, it is possible to improperly obtain the credentials from the EC2 metadata and abuse them
Incident case study, "piyolog": https://piyolog.hatenadiary.jp/entry/2019/08/06/062154
IMDSv2
https://dev.classmethod.jp/cloud/aws/ec2-imdsv2-release/
- v2 access requires a token
- v1 can be disabled (by default both are accepted)
- The metadata service itself can be disabled, etc.
Further reading, "Tokumaru Hiroshi's diary": https://blog.tokumaru.org/2019/12/defense-ssrf-amazon-ec2-imdsv2.html
- IMDSv2 is not a fundamental fix for SSRF attacks
- but it can be expected to have a certain effect as an SSRF mitigation
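The token exchange the two slides above describe, as an added example that is not AWS code and not from the slides: a tiny local stand-in for the metadata service configured as if IMDSv1 were disabled (the http-tokens=required instance setting), plus a client that performs the IMDSv2 sequence. The server, the loopback address and the role name demo-role are constructed; the paths and header names are the real IMDSv2 ones. A plain GET with no token, which is all a typical SSRF bug can emit, is refused, while the PUT-then-GET sequence succeeds.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# Real IMDSv2 paths and header names.
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeImdsV2(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS with v1 disabled (http-tokens=required)."""
    issued = set()  # session tokens handed out so far (shared by all requests)

    def do_PUT(self):
        # Token request: a PUT with the TTL header, something a plain GET-only
        # SSRF primitive cannot produce.
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER):
            token = secrets.token_urlsafe(16)
            self.issued.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in self.issued:
            self._reply(401, "unauthorized")  # v1-style access is refused
        elif self.path == CRED_PATH:
            self._reply(200, "demo-role")     # constructed role name
        else:
            self._reply(404, "not found")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeImdsV2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_v1_style(base):
    """IMDSv1-style GET without a token; returns the HTTP status code."""
    try:
        with urllib.request.urlopen(base + CRED_PATH) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fetch_v2(base, ttl=21600):
    """IMDSv2: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + CRED_PATH, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def demo():
    """Run both access patterns against the stand-in; returns (v1 status, v2 result)."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return fetch_v1_style(base), fetch_v2(base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

This is also why the Tokumaru post quoted above calls IMDSv2 a mitigation rather than a fix: an SSRF primitive that can set the request method and arbitrary headers can still complete the exchange, so the application-side SSRF bug still has to be closed.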
Quick tip 5: stopping accidental leaks
Do you know git-secrets?
- The most common pattern of AWS access key leaks
- If you enable its git commit hook, it detects access key / secret key patterns and blocks the commit
https://dev.classmethod.jp/cloud/aws/startup-git-secrets/
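A minimal version of what git-secrets does at commit time, added here as an example (the regexes and the two staged files are this example's own, not the tool's code): scan staged text for the shapes of an AWS access key ID and a secret access key, allow-list AWS's documented example keys the way git secrets --register-aws does, and refuse the commit when anything else matches. The key values in the staged files are constructed and not valid credentials.

```python
import re

# Shapes of the two credential parts. Simplified from git-secrets' AWS
# patterns: access key IDs are 20 upper-case alphanumerics with a known
# prefix (AKIA long-term, ASIA temporary); secret keys are 40 base64-ish
# characters, matched only next to a secret-key variable name to cut noise.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(
    r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""")

# AWS's documented example keys; git-secrets allow-lists these too.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def scan_text(path, text):
    """Return (path, line number, kind, matched value) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(0) not in ALLOWED:
                findings.append((path, lineno, "access-key-id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            if m.group(1) not in ALLOWED:
                findings.append((path, lineno, "secret-access-key", m.group(1)))
    return findings


def pre_commit_check(staged):
    """Scan {path: contents}; a hook exits non-zero when ok is False."""
    findings = []
    for path, text in staged.items():
        findings.extend(scan_text(path, text))
    return (not findings, findings)


# Constructed staged files: one uses only AWS's example key (fine), the other
# carries a made-up key pair that must block the commit.
STAGED = {
    "config/dev.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "scripts/deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF\n"
        "export AWS_SECRET_ACCESS_KEY='0123456789abcdefghijklmnopqrstuvwxyz0123'\n"),
}


if __name__ == "__main__":
    ok, findings = pre_commit_check(STAGED)
    for path, lineno, kind, value in findings:
        print(f"{path}:{lineno}: {kind}: {value}")
    raise SystemExit(0 if ok else 1)
```

In a real repository you would not hand-roll this: git secrets --install sets up the pre-commit, commit-msg and prepare-commit-msg hooks, and git secrets --register-aws adds the AWS patterns and allow-list. The code above only makes the decision the hook takes visible.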
͋ΘͤͯಡΈ͍ͨ w*".ͷجຊ࠷খݖݶ w։ൃݕূຊ൪ڥͷڥͷϝϦοτɺσϝϦοτ https://dev.classmethod.jp/cloud/aws/account-and-vpc-dividing-pattern/
ͪΐ͍ςΫ̒ ֎෦ͱͷτϥϑΟοΫΛ ΠϯϥΠϯࠪ
*OHSFTTSPVUF w*(8ɺ7(8ʹϧʔτ ςʔϒϧͷઃఆ͕Մೳ wૹ৴ઌ71$ͷ $*%3ൣғͷΈ w*%4*14ΞϓϥΠΞϯ εͷϦμΠϨΫτ Λγϯϓϧʹ࣮
͋ΘͤͯಡΈ͍ͨ https://dev.classmethod.jp/cloud/aws/what-is-vpc-ingress-routing/
71$ؒτϥϑΟοΫͷΠϯϥΠϯࠪʢ5(8ʣ https://www.slideshare.net/AmazonWebServicesJapan/20191113-aws-black-belt-online-seminar-aws-transit-gateway?ref=https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-transit-gateway-2019/
·ͱΊ
·ͱΊ wൃݟత౷੍ͷ̐αʔϏεઃఆ͠Α͏ʢ௨·ͰΔʣ wʮ*OTJHIUXBUDIʯͰίϯϓϥΠΞϯεΛνΣοΫ wڥքൣғʢΨʔυϨʔϧʣͷͳ͔Ͱࣗ༝Λߴ͘ w*.%4͕ѱ༻͞ΕΔ͜ͱ͓ͬͯ͘ wΞΫηεΩʔHJUDPNNJUͰ͖ͳ͍Α͏ʹ͢Δ wΠϯϥΠϯࠪΛγϯϓϧʹߏங
͜Ε͚֮ͩ͑ͯؼͬͯ΄͍͠ɺͪΐ͍ςΫ ͍͍ͩͨͷ͜ͱ %FWFMPQFST*0ʹॻ͍ͯΔ
None