
Are you reading the emails from AWS?

2021/3/20 JAWSUG presentation material

When you use AWS, all kinds of communications arrive at the email address registered on the account.
Some of them tell you that the account is in a dangerous state from a security standpoint; others warn that a service will stop unless you carry out a change to your resources.

Starting with the commonly seen emails that need particular attention, I will pick out and introduce some notable notifications from among the emails we received last year in our operations, which handle a very large number of accounts.

I would also like to talk briefly about how you should deal with these emails.

Yutaka Hiroyama

March 20, 2021

Transcript

  1. Name: Yutaka Hiroyama (廣山 豊). Affiliation and role: アイレット株式会社 (iret, Inc.), Deputy General Manager of the Cloud Integration Division; Information Security Officer; PCI DSS compliance manager. Topics: 2020 Japan APN AWS Ambassador. Certifications: AWS × 8, GCP × 5, Azure × 1, Registered Information Security Specialist (情報処理安全確保支援士), and other certifications. Favourite AWS service: AWS Support.
  2. Email subject: Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
     Hello, We've received a report(s) that your AWS resource(s) AWS ID: XXXXXXXXXXXX Region: xx-yy-# EC2 Instance Id: i- XXXXXXXXXXXX [XX.XX.XX.XX] has been implicated in activity that resembles the sending of spam or unsolicited email. Sending spam or unsolicited email is forbidden by the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review. Please take action to stop the reported activity and reply directly to this email with details
  3. (Same email as slide 2, with the author's gloss.) It looks like mail that appears to be spam is being sent from this instance. That violates the AWS usage policy, so stop it. Once you have stopped it, reply and let us know. If you don't recognise this activity, it may be a takeover by an outside party ... here is a link to how to deal with it.
  4. Action-required emails
     • Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
     • Action Required: Your AWS account XXXXXXXXXXX is compromised
     • [Action Required]: Your AWS Storage Gateway VM will be deprecated on January 1, 2022. Please migrate to a new gateway VM.
     • [ACTION REQUIRED]EECS Deprecation of Managed Policy
     • [Action Requested] AWS X-Ray Tracing Permissions Not Enabled for AWS Step Functions State Machines
     • [Action Required] Red Hat Enterprise Linux 6 Extended Lifecycle phase begins December 1, 2020
     • [Action Needed] – Update Firewall settings to allow access to expanded IP address ranges for Amazon WorkSpaces.
     • Action Required: Upcoming changes for Chromium based browsers affecting ELB
     • [ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws, starting November 6, 2020
  5. Email subject: Action Required: Your AWS account XXXXXXXXXXX is compromised
     Dear AWS customer, Your AWS Account is compromised! Please review the following notice and take immediate action to secure your account. We have also opened an outbound Support Case if you have any additional questions or concerns regarding this notice. Your security is important to us. We have become aware that the AWS Access Key AKI~ (belonging to IAM user "xxxxx") along with the corresponding Secret Key is publicly available online at https://github.com/[specific file]. This poses a security risk to your account and other users, could lead to excessive charges from unauthorized activity or abuse, and violates the AWS Customer Agreement.
  6. (Same email as slide 5, with the author's gloss.) Your account's credentials have leaked! Read the following and respond. The key is publicly available online at [the URL]. AWS has also opened a support ticket for follow-up. If you don't respond within 24 hours, your account may be suspended. If you have been wrongly accused, reply in the support case right away.
  7. Email subject: Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
     Dear AWS customer, Your AWS Account may be compromised! Please review the following notice and take immediate action to secure your account. We have also opened an outbound Support Case if you have any additional questions or concerns regarding this notice. Your security is important to us. We have detected abnormal activity in your AWS account that matches the pattern of unauthorized access. This activity is related to your AWS Access Key AKI~ (belonging to IAM user "xxxx"), which may indicate that this access key and the corresponding secret key are compromised.
  8. (Same email as slide 7, with the author's gloss.) Your account may have been compromised! Read the following and respond. Check all regions for suspicious resources that have been created, and delete them. Rotate all of your keys as well. If you don't respond within 24 hours, your account may be suspended. If you have been wrongly accused, reply in the support case right away.
  9. Other
     • AWS RoboMaker End of Life Support Notice [AWS Account: XXXXXXXXXXXX]
     • AWS Lambda managed policies deprecation notice
     • AWS Marketplace Price Change Notification
     • Automatic patches available for Amazon Aurora with PostgreSQL Compatibility
     • Notification of Amazon S3 buckets configured for public access
     • WorkSpaces Streaming Protocol is Generally Available for Production Use
     • Notification on changes to the names of finding types in AWS Security Hub
     • Amazon DocumentDB to update default engine version to 4.0.0
     • CloudTrail Managed Policy Scope Down
     • [Important Notification] Advice for customers using ECS to deal with newly introduced Docker Hub rate limits
  10. Email subject: CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]
      Hello, On November 30, 2020, CloudTrail's current access policy (AWSCloudTrailAccessPolicy) will be deprecated and replaced with a new version (AWSCloudTrail_FullAccess), which has a reduced permission set. The current AWSCloudTrailAccessPolicy will continue to work for existing accounts; however, once the replacement occurs, it will not be able to be attached to new IAM principals. For accounts with AWSCloudTrailAccessPolicy, no customer action is required as these accounts will still have this policy attached; accounts without AWSCloudTrailAccessPolicy will not be able to view this policy for attachment after it is deprecated. These changes are intended to constrain the scope of CloudTrail's full
  11. (Same email as slide 10, with the author's gloss.) We are changing the CloudTrail policy to a new version with narrower permissions. The old one keeps working as it is, but once you detach it, only the new version can be used.