Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
Search
maru1981
February 06, 2020
Technology
0
1.9k
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
maru1981
February 06, 2020
Tweet
Share
More Decks by maru1981
See All by maru1981
re:Growth2023 OSAKA 「Amazon ElastiCache Serverless」のご紹介
maru1981
0
14k
データ分析のためのAWS Well-Architected -Data Analytics Lens-
maru1981
0
1.5k
「データレイク」という言葉だけ知ってる人がAWS Lake Formationをはじめてみる/DevelopersIO2021 DECADE Try AWS Lake Formation for the first time
maru1981
0
1.8k
AWS環境見直しの第一歩「AWS請求代行サービス」のご紹介/Classmethod Members
maru1981
0
900
AWSではじめるBlockchain/[DevelopersIO 2019 in OSAKA]Blockchain starting with AWS
maru1981
0
1.6k
AWSではじめるBlockchain/Blockchain starting with AWS
maru1981
0
1.2k
[HIGOBASHI.AWS] #9 re:Invent 2018 の新サービス紹介(AWSインフラ編)
maru1981
0
790
[HIGOBASHI.AWS] #6 CloudFront を使ってみよう!/ Let's use CloudFront
maru1981
0
1.4k
Other Decks in Technology
See All in Technology
技術広報経験0のEMがエンジニアブランディングをはじめてみた
coconala_engineer
1
130
生成AIの不確実性と向き合うためのオブジェクト指向設計
tkikuchi1002
2
660
8週連続ウェビナー_イチから学ぶFivetran
cmsuzu
0
160
大規模なアジャイル開発の現場と技術負債 / Technical Debt
yoshiitaka
20
4k
KubeCon EU: Unlocking new Platform Experiences with Open Interfaces
salaboy
1
370
オブジェクト指向宗教史
tanakahisateru
13
12k
匠MethodとRDRAとICONIXとDDDで実現する一気通貫オブジェクト指向開発
haru860
4
2k
技術広報として2023年度に頑張ったこと / What we did well in FY2023 as a DevRel
pauli
5
460
期待しすぎずに取り組む両面 TypeScript
shozawa
2
290
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
7
100k
SREsのためのSRE定着ガイド
netmarkjp
10
1.6k
Tohoku.Tech #1 「EC-CUBE/AWSの構築をChatGPTに相談してみました」by テンダ
jun2882
0
140
Featured
See All Featured
Fireside Chat
paigeccino
19
2.6k
The Language of Interfaces
destraynor
150
23k
No one is an island. Learnings from fostering a developers community.
thoeni
14
2k
Automating Front-end Workflow
addyosmani
1353
200k
Raft: Consensus for Rubyists
vanstee
130
6.2k
Rebuilding a faster, lazier Slack
samanthasiow
72
8.2k
Stop Working from a Prison Cell
hatefulcrawdad
265
19k
GraphQLの誤解/rethinking-graphql
sonatard
48
9.1k
Code Reviewing Like a Champion
maltzj
512
39k
Writing Fast Ruby
sferik
619
59k
The Invisible Customer
myddelton
114
12k
Building Applications with DynamoDB
mza
88
5.6k
Transcript
ηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷͪΐ͍ςΫ Marumo Atsushi
KBXTVH KBXTVHPTBLB
εϥΠυޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ༰ΛϝϞ͢Δඞཁ͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ߹ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹྀ͍ͩ͘͝͞ Attention
ࣗݾհ ؙໟಞ࢙ Ϋϥεϝιουגࣜձࣾ "84ࣄۀຊ෦ίϯαϧςΟϯά෦ ιϦϡʔγϣϯΞʔΩςΫτ ʢϚϧϞΞπγʣ "84ೝఆࢿ֨ף ͖ͳ"84αʔϏε w
$MPVE'SPOU w 5SBOTJU(BUFXBZ w .BOBHFE#MPDLDIBJO
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0 ௨ࢉ ຊʂ ؒ ຊʂ ݄ؒ ຊʂ
None
80ਓ 736ຊ
ຊͷςʔϚ "84ͷηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷʮͪΐ͍ςΫʯ
ຊͷςʔϚ ࢸۃͷϒϩάهࣄΛఴ͑ͯ ʢৄࡉͳઆ໌ল͘ͷͰؾʹͳͬͨͷΛޙ͔Βख़ಡʣ
Security & Network
ͪΐ͍ςΫ̍ ؆୯ʹઃఆͰ͖Δ "84ͷൃݟత౷੍
͜Ε͚ͩͬͱ͍ͯཉ͍͠"84αʔϏε̐બ w"84$MPVE5SBJM w"NB[PO(VBSE%VUZ w"84$POpH w4*"."DDFTT"OBMZ[FS
$MPVE5SBJM w"84ͷ"1*ʹର͢Δૢ࡞ϩά w"84ΞΧϯτʹରͯ͠ʮ୭͕ʯʮ͍ͭʯʮԿΛ͔ͨ͠ʯ wશϦʔδϣϯͰ༗ޮԽʢίϯιʔϧͰ؆୯ʹઃఆʣ wϩάੳʹ"UIFOB$MPVE8BUDI-PHT*OTJHIUT wҟৗͳ"1*ίʔϧ$MPVE5SBJM*OTJHIUTͰݕग़
$MPVE5SBJM*OTJHIUT w௨ৗͱҟͳΔΞΫςΟϏςΟΛݕग़ wରॻ͖ࠐΈཧΠϕϯτ w ʢॻ͖ࠐΈཧΠϕϯτ͋ͨΓʣ https://dev.classmethod.jp/cloud/aws/aws-cloudtrail-announces-cloudtrail-insights/
(VBSE%VUZ w͓ʹ&$ͱ*".ΞΧϯτؔ࿈ͷൃݟత౷੍ w"84ʹ͓͚Δෆ৹ͳΞΫςΟϏςΟΛݕ w$MPVE5SBJMFWFOUMPHT w71$'MPX-PHT w%/4MPHT wશϦʔδϣϯͰ༗ޮԽ https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/
(VBSE%VUZʢ͜͜ͷΞοϓσʔτɹɹʣ w߈ܸऀʹՃ୲ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-devect-new-findings-of-dos-attack/ w"ENJOͳͲͷಛݖΛׂΓͯΑ͏ͱ ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-can-now-detect-privilege-escalation/ wݕग़݁ՌͰഁغ͞ΕΔ https://dev.classmethod.jp/cloud/aws/guardduty-supports-exporting-findings-to-an- amazon-s3-bucket/
Ͱ͓ߴ͍ΜͰ͠ΐɾɾɾʁ wίεύ࠷ڧ w71$ϑϩʔϩάͱ%/4ϩάੳɹ(#ʙ w$MPVE5SBJMΠϕϯτੳɹ Πϕϯτʙ wฐࣾͰཧΞΧϯτͷҎ্͕"84ར༻අͷҎԼ wҎ্ͷΞΧϯτ͕"84ར༻අͷҎԼ
ͦΕͰෆ҆ͱ͍͏ͳΒ wؒͷແྉτϥΠΞϧͰ࣮ࡍͷར༻අΛ֬ೝ
"84$POpH w"84ϦιʔεͷมߋཤྺΛه wλΠϜϥΠϯͰมߋ༰͕֬ೝͰ͖Δ
͓҆͘ͳΓ·ͨ͠ w݄Ҏ߱ɺैྔ՝ۚϞσϧʹมߋ wධՁ͋ͨΓʙ https://dev.classmethod.jp/cloud/aws/recommend-config-rules-for-all-user/
ඇ४ڌϦιʔεΛࣗಈम෮Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ w44."VUPNBUJPOͱ࿈ܞͨࣗ͠ಈम෮ wैདྷ$MPVE8BUDI&WFOUTˠ-BNCEBͷ࡞ΓࠐΈ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/
4*"."DDFTT"OBMZ[FS w֎෦ϓϦϯγύϧ͔ΒΞΫηεՄೳͳϦιʔε͕ର wજࡏతͳϦεΫΛஅʢ߈ܸΛݕग़͢ΔͷͰͳ͍ʣ wαϙʔτ͞ΕΔϦιʔε w4όέοτ w*".ϩʔϧ w,.4Ωʔ w-BNCEBؔͱ-BNCEBϨΠϠʔ w424Ωϡʔ
4*"."DDFTT"OBMZ[FS wແྉͰར༻Մೳʂ
શϦʔδϣϯͰ༗ޮԽͯ͠͠·͓͏ https://dev.classmethod.jp/cloud/aws/create-analyzer-all-region/ wશϦʔδϣϯͰ༗ޮʹ͢Δ w4"DDFTT"OBMZ[FS*"."DDFTT"OBMZ[FSΛ༗ޮԽʹ͢Δͱར༻Ͱ͖·͢
͓Εͳ͘ ݕग़͢Δ͚ͩͰຬ͠ͳ͍Ͱɻ ௨ͪΌΜͱΓ·͠ΐ͏ɻ
ͪΐ͍ςΫ̎ ؆୯ʹνΣοΫͰ͖Δ ηΩϡϦςΟɾίϯϓϥΠΞϯε
ίϯϓϥΠΞϯεɿ$*4#FODINBSL w$*4-JOVY"QBDIFͳͲ༷ʑͳηΩϡϦςΟج४Λ࡞ ͍ͯ͠Δஂମ w$*4"84'PVOEBUJPOT#FODINBSLͱͯ͠"84ͷηΩϡ ϦςΟνΣοΫͷ۩ମతͳ߲Λఆٛ wฐࣾఏڙͷηΩϡϦςΟνΣοΫπʔϧ ʰJOTJHIUXBUDIʱͰແྉஅՄೳ
*OTJHIUXBUDI wʮখ͞ͳൃݟΛେ͖ͳ҆৺ʹʯΛίϯηϓτʹ"84ڥ Λஅ͠ϨϙʔτΛग़ྗ͢Δπʔϧ https://insightwatch.io/
ͨ͘͞ΜͷܯࠂͰͨΜ͚Ͳɾɾɾ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen2/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen3/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen4/
ͪΐ͍ςΫ̏ ήʔτܕ͔Β ΨʔυϨʔϧܕ
ैདྷͷηΩϡϦςΟͷߟ͑ํ w࠷ۙɺ"84͕ൃ৴ͯ͠Δϝοηʔδ wैདྷͷηΩϡϦςΟήʔτΩʔύత w·ͣϒϩοΫ w༰Λ֬ೝ͕ͯ͠ͳ͚Εͱ͓͢ wྲྀΕΛͱΊΔ͜ͱɺϏδωεͷεϐʔυΛಷΒͤΔ
ηΩϡϦςΟͰϏδωεʹ ϒϨʔΩΛ͔͚͍͚ͯͳ͍ ͲΜͳʹεϐʔυΛग़ͯ҆͠શͳ ΨʔυϨʔϧͷΑ͏ͳηΩϡϦςΟΛ
ΨʔυϨʔϧతͳηΩϡϦςΟͱ wΨʔυϨʔϧతͳηΩϡϦςΟΛ࣮ݱ͢ΔҰྫ w"840SHBOJ[BUJPOTͷαʔϏείϯτϩʔϧϙϦγʔ w"84*".1FSNJTTJPOTCPVOEBSZ w1FSNJTTJPOTCPVOEBSZ w௨ৗͷ*".ϙϦγʔʹ"/%݅ΛՃ͑ͯɺڐՄൣғΛ ݶఆ͢ΔϙϦγʔ wڥքൣғͳ͔Ͱࣗ༝ʹͤͯ͋͛͞Δ
1FSNJTTJPOTCPVOEBSZ wઃఆΛؒҧ͑Δͱ͍ΖΜͳݖݶΛ ࣦ͏ͷͰઃఆ৻ॏʹ https://dev.classmethod.jp/cloud/aws/iam-permissions-boundary/
w*".ϙϦγʔγϡϛϨʔλʹରԠ͠·ͨ͠ wࣄલʹγϛϡϨʔγϣϯͰӨڹൣғΛ֬ೝ ҆͝৺͍ͩ͘͞ https://dev.classmethod.jp/cloud/aws/iam-policy-simulator-now-simulates-permissions-boundary/
ͪΐ͍ςΫ̐ *.%4ͷ ηΩϡϦςΟڧԽ
*.%4ʢΠϯελϯεϝλσʔλαʔϏεʣ w&$Πϯελϯεϝλσʔλ wʹ)551ϦΫΤετ༷ͯ͠ʑͳϝλ σʔλʹΞΫηεͰ͖Δ w*".ϩʔϧ͜ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ w8"'ͳͲͷެ։αʔόʹ͋Δ੬ऑੑͱΈ߹Θͤͯɺෆਖ਼ ʹ&$ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ͠ѱ༻͢Δ ͜ͱ͕Մೳ
ࣄނࣄྫ ʰpiyologʱɿhttps://piyolog.hatenadiary.jp/entry/2019/08/06/062154
*.%4W https://dev.classmethod.jp/cloud/aws/ec2-imdsv2-release/ w7ͷΞΫηεʹ5PLFO͕ඞཁ w7ΛແޮԽͰ͖ΔʢσϑΥϧτซ༻ʣ wϝλσʔλαʔϏεࣗମΛແޮԽͰ͖ΔɹʜFUD
͋ΘͤͯಡΈ͍ͨ ʰಙؙߒͷهʱɿhttps://blog.tokumaru.org/2019/12/defense-ssrf-amazon-ec2-imdsv2.html w*.%4W443'߈ܸͷࠜຊతͳղܾͰͳ͍ w͕ɺ443'߈ܸͷ؇ࡦͱͯ͠ҰఆͷޮՌظͰ͖Δ
ͪΐ͍ςΫ̑ ͏͔ͬΓ࿙ӮΛࢭ
HJUTFDSFUTͬͯ·͔͢ʁ w"84ΞΫηεΩʔͷ࿙ӮͰҰ൪ଟ͍ύλʔϯ wHJUDPNNJUʹIPPL͢ΔػೳΛ༗ޮʹ͠ͱ͚ɺΞΫηε ΩʔγʔΫϨοτΩʔͷύλʔϯΛݕग़ɾ્ࢭͯ͘͠ΕΔ https://dev.classmethod.jp/cloud/aws/startup-git-secrets/
͋ΘͤͯಡΈ͍ͨ w*".ͷجຊ࠷খݖݶ w։ൃݕূຊ൪ڥͷڥͷϝϦοτɺσϝϦοτ https://dev.classmethod.jp/cloud/aws/account-and-vpc-dividing-pattern/
ͪΐ͍ςΫ̒ ֎෦ͱͷτϥϑΟοΫΛ ΠϯϥΠϯࠪ
*OHSFTTSPVUF w*(8ɺ7(8ʹϧʔτ ςʔϒϧͷઃఆ͕Մೳ wૹ৴ઌ71$ͷ $*%3ൣғͷΈ w*%4*14ΞϓϥΠΞϯ εͷϦμΠϨΫτ Λγϯϓϧʹ࣮
͋ΘͤͯಡΈ͍ͨ https://dev.classmethod.jp/cloud/aws/what-is-vpc-ingress-routing/
71$ؒτϥϑΟοΫͷΠϯϥΠϯࠪʢ5(8ʣ https://www.slideshare.net/AmazonWebServicesJapan/20191113-aws-black-belt-online-seminar-aws-transit-gateway?ref=https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-transit-gateway-2019/
·ͱΊ
·ͱΊ wൃݟత౷੍ͷ̐αʔϏεઃఆ͠Α͏ʢ௨·ͰΔʣ wʮ*OTJHIUXBUDIʯͰίϯϓϥΠΞϯεΛνΣοΫ wڥքൣғʢΨʔυϨʔϧʣͷͳ͔Ͱࣗ༝Λߴ͘ w*.%4͕ѱ༻͞ΕΔ͜ͱ͓ͬͯ͘ wΞΫηεΩʔHJUDPNNJUͰ͖ͳ͍Α͏ʹ͢Δ wΠϯϥΠϯࠪΛγϯϓϧʹߏங
͜Ε͚֮ͩ͑ͯؼͬͯ΄͍͠ɺͪΐ͍ςΫ ͍͍ͩͨͷ͜ͱ %FWFMPQFST*0ʹॻ͍ͯΔ
None