
Are you reading the emails from AWS?

2021/3/20 JAWSUG presentation slides

When you use AWS, a variety of notices arrive at the email address registered to your account.
Some of them tell you that the account is in a dangerous state security-wise; others warn that a service will stop unless you carry out some change to your resources.

Starting from the commonly seen notices that need particular attention, I will pick out several notable notifications from the emails we received last year in our operations, where we handle a very large number of accounts.

I would also like to talk briefly about how you should deal with these emails.

Yutaka Hiroyama

March 20, 2021

Transcript

  1. Are you reading the emails from AWS?
    Yutaka Hiroyama

  2. Name
    Yutaka Hiroyama (廣山 豊)
    Affiliation & role
    iret, Inc.
    Deputy General Manager, Cloud Integration Division
    Information Security Officer, PCI DSS Compliance Officer
    Topics
    2020 Japan APN AWS Ambassador
    Holds AWS x 8, GCP x 5, Azure x 1, Registered Information Security Specialist (情報処理安全確保支援士) and other certifications
    Favourite AWS service
    AWS Support

  3. Purpose of this session
    To make people aware of how important the emails from AWS are,
    and reduce the chances of users getting burned

  4. Why are these emails sent?
    Alerts
    Specification changes
    Price revisions

  5. Classification by email subject
    Abuse-type
    Action-required type
    Other

  6. • Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
    Abuse-type

  7. Abuse-type
    Your resources are suspected of attacking external parties
    If you leave it alone...
    • Account suspension
    • Claims for damages

  8. Email subject
    Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
    Hello,
    We've received a report(s) that your AWS resource(s)
    AWS ID: XXXXXXXXXXXX Region: xx-yy-# EC2 Instance Id: i- XXXXXXXXXXXX
    [XX.XX.XX.XX]
    has been implicated in activity that resembles the sending of spam or unsolicited email.
    Sending spam or unsolicited email is forbidden by the AWS Acceptable Use Policy
    (https://aws.amazon.com/aup/). We've included the original report below for your review.
    Please take action to stop the reported activity and reply directly to this email with details

  9. Email subject
    Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
    Looks like mail that appears to be spam is being sent from this instance.
    That violates the AWS usage policy, so please stop it.
    Once you've stopped it, reply and let us know.
    If this doesn't ring a bell, it may be a takeover by an outside party.
    Here's a link to how to handle it.

  10. • Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
    • Action Required: Your AWS account XXXXXXXXXXX is compromised
    • [Action Required]: Your AWS Storage Gateway VM will be deprecated on January 1, 2022. Please migrate to a new gateway VM.
    • [ACTION REQUIRED]EECS Deprecation of Managed Policy
    • [Action Requested] AWS X-Ray Tracing Permissions Not Enabled for AWS Step Functions State Machines
    • [Action Required] Red Hat Enterprise Linux 6 Extended Lifecycle phase begins December 1, 2020
    • [Action Needed] – Update Firewall settings to allow access to expanded IP address ranges for Amazon WorkSpaces.
    • Action Required: Upcoming changes for Chromium based browsers affecting ELB
    • [ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws, starting November 6, 2020
    Action-required type

  11. End of life for the version you are using
    Finer-grained IAM policies
    Suspected credential leak
    If you leave it alone...
    • Information leakage, large bills from unauthorized use of the account
    • Service outages
    Action-required type

  12. Email subject
    Action Required: Your AWS account XXXXXXXXXXX is compromised
    Dear AWS customer,
    Your AWS Account is compromised! Please review the following notice and take
    immediate action to secure your account. We have also opened an outbound Support
    Case if you have any additional questions or concerns regarding this notice.
    Your security is important to us. We have become aware that the AWS Access Key AKI~
    (belonging to IAM user "xxxxx") along with the corresponding Secret Key is publicly
    available online at https://github.com/(specific file).
    This poses a security risk to your account and other users, could lead to excessive charges
    from unauthorized activity or abuse, and violates the AWS Customer Agreement.

  13. Email subject
    Action Required: Your AWS account XXXXXXXXXXX is compromised
    Your account has leaked!
    Read the following and respond.
    Your key is publicly available online at ~.
    We've also opened a support ticket from the AWS side for follow-up.
    If you don't respond within 24 hours we might suspend the account.
    If this is a false accusation, reply right away in the support case.

  14. Email subject
    Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
    Dear AWS customer,
    Your AWS Account may be compromised! Please review the following notice and take
    immediate action to secure your account. We have also opened an outbound Support
    Case if you have any additional questions or concerns regarding this notice.
    Your security is important to us. We have detected
    abnormal activity in your AWS account that matches the pattern of unauthorized access.
    This activity is related to your AWS Access Key AKI~ (belonging to IAM user "xxxx"), which
    may indicate that this access key and the corresponding secret key are compromised.

  15. Email subject
    Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
    Your account may have leaked!
    Read the following and respond.
    Check every region for suspicious resources that may have been created, and delete them.
    Rotate all of your keys too.
    If you don't respond within 24 hours we might suspend the account.
    If this is a false accusation, reply right away in the support case.

  16. Other
    • AWS RoboMaker End of Life Support Notice [AWS Account: XXXXXXXXXXXX]
    • AWS Lambda managed policies deprecation notice
    • AWS Marketplace Price Change Notification
    • Automatic patches available for Amazon Aurora with PostgreSQL Compatibility
    • Notification of Amazon S3 buckets configured for public access
    • WorkSpaces Streaming Protocol is Generally Available for Production Use
    • Notification on changes to the names of finding types in AWS Security Hub
    • Amazon DocumentDB to update default engine version to 4.0.0
    • CloudTrail Managed Policy Scope Down
    • [Important Notification] Advice for customers using ECS to deal with newly introduced Docker Hub rate limits

  17. Security vulnerabilities
    Maintenance work on the AWS side
    Price changes
    Other

  18. Email subject
    CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]
    Hello,
    On November 30, 2020, CloudTrail's current access policy (AWSCloudTrailAccessPolicy)
    will be deprecated and replaced with a new version (AWSCloudTrail_FullAccess), which
    has a reduced permission set.
    The current AWSCloudTrailAccessPolicy will continue to work for existing accounts;
    however, once the replacement occurs, it will not be able to be attached to new IAM
    principals. For accounts with AWSCloudTrailAccessPolicy, no customer action is required
    as these accounts will still have this policy attached; accounts without
    AWSCloudTrailAccessPolicy will not be able to view this policy for attachment after it is
    deprecated. These changes are intended to constrain the scope of CloudTrail's full

  19. Email subject
    CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]
    We're changing the CloudTrail policy to a new version with narrower permissions.
    The old one keeps working as-is, but once you detach it, only the new version is available.

  20. How do you deal with them?
    Read them first
    Build tooling
    Outsource operations to a vendor

  21. Reading them has side benefits like these!
    ・Improved English skills
    ・Certification prep
    Read them first
    Build tooling
    Outsource operations to a vendor

  22. Recommended words to focus on
    ・Abuse
    ・Action Require
    ・Reminder
    ※Watch out for variations in wording!
    Read them first
    Build tooling
    Outsource operations to a vendor
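As an added example (not part of the talk), a small Python triage routine that sorts AWS notification subjects into the talk's three buckets, matches the "Action Required" variants seen on the earlier slides case-insensitively, and pulls the 12-digit account ID out of the subject for routing in multi-account operations. The sample subjects are constructed from the slides with placeholder account IDs; the regexes and priority levels are my own assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample subjects: copied from the slides, with placeholder
# 12-digit account IDs in place of the XXXXXXXXXXXX masks.
SAMPLE_SUBJECTS = [
    "Your AWS Abuse Report [abcd1234] [AWS ID 111111111111]",
    "Action Required: Your AWS account 222222222222 is compromised",
    "[ACTION REQUIRED]EECS Deprecation of Managed Policy",
    "[ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws",
    "CloudTrail Managed Policy Scope Down [AWS Account: 333333333333]",
    "AWS Marketplace Price Change Notification",
]

ABUSE_RE = re.compile(r"\babuse\b", re.I)
# "Action Required" and the variants on the slides ("Action Requested",
# "Action Needed", "ACTION MAY BE REQUIRED"): up to two filler words, any case.
ACTION_RE = re.compile(r"\baction(?:\s+\w+){0,2}\s+(?:required|requested|needed)\b", re.I)
REMINDER_RE = re.compile(r"\breminder\b", re.I)
# The talk says these carry a 24-hour deadline, so they jump the queue.
COMPROMISE_RE = re.compile(r"\b(?:compromised|irregular activity)\b", re.I)
ACCOUNT_RE = re.compile(r"\b(\d{12})\b")  # account ID for routing in multi-account ops


class Triaged(NamedTuple):
    priority: int  # 0 = respond now, 1 = schedule the work, 2 = informational
    category: str  # abuse / action-required / other (the talk's three buckets)
    account_id: Optional[str]
    subject: str


def classify(subject: str) -> str:
    if ABUSE_RE.search(subject):
        return "abuse"
    if ACTION_RE.search(subject) or REMINDER_RE.search(subject):
        return "action-required"
    return "other"


def priority_of(category: str, subject: str) -> int:
    if category == "abuse" or COMPROMISE_RE.search(subject):
        return 0
    return 1 if category == "action-required" else 2


def triage(subjects: List[str]) -> List[Triaged]:
    """Classify each subject, pull out the account ID, and sort most urgent first."""
    rows = []
    for s in subjects:
        cat, m = classify(s), ACCOUNT_RE.search(s)
        rows.append(Triaged(priority_of(cat, s), cat, m.group(1) if m else None, s))
    return sorted(rows, key=lambda r: (r.priority, r.subject))
```

Calling `triage(SAMPLE_SUBJECTS)` puts the abuse report and the compromised-account notice first, the deprecation notices next, and the price change last.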

  23. (image-only slide, no text)

  24. Particularly recommended in these cases
    ・There is no department in charge of operations
    ・There is an operations department, but it has little AWS know-how
    Read them first
    Build tooling
    Outsource operations to a vendor

  25. Summary

  26. (image-only slide, no text)