AWSからのメール読んでいますか？

Transcript

1. AWSからのメール読んでますか？
   ヒロヤマ ユタカ
   

   View Slide

2. 氏名
   廣山 豊
   所属＆役割
   アイレット株式会社
   クラウドインテグレーション事業部副事業部長
   情報管理責任者、PCI DSS管理責任者
   トピック
   2020 Japan APN AWS Ambassador
   AWS * 8, GCP * 5, Azure * 1, 情報処理安全確
   保支援士、その他の認定資格を保有
   好きなAWSサービス
   AWS Support
   

   View Slide

3. このセッションの
   目的
   AWSからのメールの重要性を知ってもらい、
   ユーザーが痛い目に会う機会を減らす
   

   View Slide

4. 何故、メールが
   届けられるのか？
   警報
   仕様変更
   料金改定
   

   View Slide

5. メールタイトルからの
   分類
   Abuse系
   対応要求系
   その他
   

   View Slide

6. • Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
   Abuse系
   

   View Slide

7. Abuse系
   外部へ攻撃している疑い
   放っておくと…
   • アカウント停止
   • 損害賠償の請求
   

   View Slide

8. メール件名
   Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
   Hello,
   We've received a report(s) that your AWS resource(s)
   AWS ID: XXXXXXXXXXXX Region: xx-yy-# EC2 Instance Id: i- XXXXXXXXXXXX
   [XX.XX.XX.XX]
   has been implicated in activity that resembles the sending of spam or unsolicited email.
   Sending spam or unsolicited email is forbidden by the AWS Acceptable Use Policy
   (https://aws.amazon.com/aup/). We've included the original report below for your review.
   Please take action to stop the reported activity and reply directly to this email with details
   

   View Slide

9. メール件名
   Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
   Hello,
   We've received a report(s) that your AWS resource(s)
   AWS ID: XXXXXXXXXXXX Region: xx-yy-# EC2 Instance Id: i- XXXXXXXXXXXX
   [XX.XX.XX.XX]
   has been implicated in activity that resembles the sending of spam or unsolicited email.
   Sending spam or unsolicited email is forbidden by the AWS Acceptable Use Policy
   (https://aws.amazon.com/aup/). We've included the original report below for your review.
   Please take action to stop the reported activity and reply directly to this email with details
   このインスタンスからスパムと思われるメールが送られて
   いるっぽいよ。
   AWSの利用ポリシーに反するので止めてね。
   止めたら返信して教えてね。
   もし身に覚えがないなら、外部からの乗っ取り操作かも
   …
   対応方法のリンクを貼っておくね。
   

   View Slide

10. • Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
    • Action Required: Your AWS account XXXXXXXXXXX is compromised
    • [Action Required]: Your AWS Storage Gateway VM will be deprecated on January 1, 2022. Please migrate
    to a new gateway VM.
    • [ACTION REQUIRED]EECS Deprecation of Managed Policy
    • [Action Requested] AWS X-Ray Tracing Permissions Not Enabled for AWS Step Functions State Machines
    • [Action Required] Red Hat Enterprise Linux 6 Extended Lifecycle phase begins December 1, 2020
    • [Action Needed] – Update Firewall settings to allow access to expanded IP address ranges for Amazon
    WorkSpaces.
    • Action Required: Upcoming changes for Chromium based browsers affecting ELB
    • [ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws, starting November 6,
    2020
    対応要求系
    

    View Slide

11. 利用中バージョンの終了
    IAMポリシーの細分化
    クレデンシャル流出の疑い
    放っておくと…
    • 情報漏洩、アカウント不正利用による高額請求
    • サービスの停止
    対応要求系
    

    View Slide

12. メール件名
    Action Required: Your AWS account XXXXXXXXXXX is compromised
    Dear AWS customer,
    Your AWS Account is compromised! Please review the following notice and take
    immediate action to secure your account. We have also opened an outbound Support
    Case if you have any additional questions or concerns regarding this notice.
    Your security is important to us. We have become aware that the AWS Access Key AKI~
    (belonging to IAM user ”xxxxx“) along with the corresponding Secret Key is publicly
    available online at https://github.com/具体的なファイル.
    This poses a security risk to your account and other users, could lead to excessive charges
    from unauthorized activity or abuse, and violates the AWS Customer Agreement.
    

    View Slide

13. メール件名
    Action Required: Your AWS account XXXXXXXXXXX is compromised
    Dear AWS customer,
    Your AWS Account is compromised! Please review the following notice and take
    immediate action to secure your account. We have also opened an outbound Support
    Case if you have any additional questions or concerns regarding this notice.
    Your security is important to us. We have become aware that the AWS Access Key AKI~
    (belonging to IAM user ”xxxxx“) along with the corresponding Secret Key is publicly
    available online at https://github.com/具体的なファイル.
    This poses a security risk to your account and other users, could lead to excessive charges
    from unauthorized activity or abuse, and violates the AWS Customer Agreement.
    アカウントが漏洩してるよ！
    以下の内容を読んで対応してね。
    キーはオンライン上の〜で公開されているよ。
    フォローアップのため、AWSからサポートチケットも切っ
    ておいたよ。
    ２４時間以内に対応しないとアカウント止めるかもよ。
    濡れ衣の場合はすぐにサポートケースで返信してね。
    

    View Slide

14. メール件名
    Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
    Dear AWS customer,
    Your AWS Account may be compromised! Please review the following notice and take
    immediate action to secure your account. We have also opened an outbound Support
    Case if you have any additional questions or concerns regarding this notice.
    Your security is important to us. We have detected
    abnormal activity in your AWS account that matches the pattern of unauthorized access.
    This activity is related to your AWS Access Key AKI~ (belonging to IAM user ”xxxx"), which
    may indicate that this access key and the corresponding secret key are compromised.
    

    View Slide

15. メール件名
    Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
    Dear AWS customer,
    Your AWS Account may be compromised! Please review the following notice and take
    immediate action to secure your account. We have also opened an outbound Support
    Case if you have any additional questions or concerns regarding this notice.
    Your security is important to us. We have detected
    abnormal activity in your AWS account that matches the pattern of unauthorized access.
    This activity is related to your AWS Access Key AKI~ (belonging to IAM user ”xxxx"), which
    may indicate that this access key and the corresponding secret key are compromised.
    アカウントが漏洩してるかも！
    以下の内容を読んで対応してね。
    不審なリソースが作られていないか、
    全リージョンで確認して削除してね。
    全部のキーもローテートしてね。
    ２４時間以内に対応しないとアカウント止めるかもよ。
    濡れ衣の場合はすぐにサポートケースで返信してね。
    

    View Slide

16. その他
    • AWS RoboMaker End of Life Support Notice [AWS Account: XXXXXXXXXXXX]
    • AWS Lambda managed policies deprecation notice
    • AWS Marketplace Price Change Notification
    • Automatic patches available for Amazon Aurora with PostgreSQL Compatibility
    • Notification of Amazon S3 buckets configured for public access
    • WorkSpaces Streaming Protocol is Generally Available for Production Use
    • Notification on changes to the names of finding types in AWS Security Hub
    • Amazon DocumentDB to update default engine version to 4.0.0
    • CloudTrail Managed Policy Scope Down
    • [Important Notification] Advice for customers using ECS to deal with newly introduced Docker Hub rate
    limits
    

    View Slide

17. セキュリティ脆弱性
    AWS側メンテナンス作業
    値段変更
    その他
    

    View Slide

18. メール件名
    CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]
    Hello,
    On November 30, 2020, CloudTrail’s current access policy (AWSCloudTrailAccessPolicy)
    will be deprecated and replaced with a new version (AWSCloudTrail_FullAccess), which
    has a reduced permission set.
    The current AWSCloudTrailAccessPolicy will continue to work for existing accounts;
    however, once the replacement occurs, it will not be able to be attached to new IAM
    principals. For accounts with AWSCloudTrailAccessPolicy, no customer action is required
    as these accounts will still have this policy attached; accounts without
    AWSCloudTrailAccessPolicy will not be able to view this policy for attachment after it is
    deprecated. These changes are intended to constrain the scope of CloudTrail’s full
    

    View Slide

19. メール件名
    CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]
    Hello,
    On November 30, 2020, CloudTrail’s current access policy (AWSCloudTrailAccessPolicy)
    will be deprecated and replaced with a new version (AWSCloudTrail_FullAccess), which
    has a reduced permission set.
    The current AWSCloudTrailAccessPolicy will continue to work for existing accounts;
    however, once the replacement occurs, it will not be able to be attached to new IAM
    principals. For accounts with AWSCloudTrailAccessPolicy, no customer action is required
    as these accounts will still have this policy attached; accounts without
    AWSCloudTrailAccessPolicy will not be able to view this policy for attachment after it is
    deprecated. These changes are intended to constrain the scope of CloudTrail’s full
    CloudTrailのポリシーをより権限を絞った新しいバージョ
    ンに変更するね。
    古いものもそのまま使えるけど、一度外しちゃうと新しい
    バージョンしか使えないよ。
    

    View Slide

20. どう対策する？
    まずは読む
    ツール化
    ベンダーに運用
    委託
    

    View Slide

21. 読むことで以下のよう
    な副次的効果！
    ・英語力向上
    ・資格対策
    まずは読む
    ツール化
    ベンダーに
    運用委託
    

    View Slide

22. フォーカスにおすすめ
    のワード
    ・Abuse
    ・Action Require
    ・Reminder
    ※揺らぎに注意！
    まずは読む
    ツール化
    ベンダーに
    運用委託
    

    View Slide

23. View Slide

24. 以下の場合は特に推奨
    ・運用担当部門がない
    ・運用担当部門はある
    が、AWSノウハウ少な
    い
    まずは読む
    ツール化
    ベンダーに
    運用委託
    

    View Slide

25. まとめ
    

    View Slide

26. View Slide