
Are you reading the emails from AWS?

2021/3/20 JAWS-UG presentation slides

When you use AWS, all kinds of notices arrive at the email address registered to the account.
Some of them tell you that the account is in a dangerous state security-wise; others warn that a service will stop unless you change a resource.

Starting with the commonly seen ones that need particular attention, I will pick out a few notable notifications from the emails we received last year in our operations, where we handle a very large number of accounts.

I will also talk briefly about how you should deal with these emails.


Yutaka Hiroyama

March 20, 2021

Transcript

  1. Are you reading the emails from AWS? Yutaka Hiroyama

  2. Name: Yutaka Hiroyama (廣山 豊). Affiliation and role: iret, Inc., Deputy General Manager of the Cloud Integration Division; Information Management Officer and PCI DSS Compliance Officer. Topics: 2020 Japan APN AWS Ambassador; holds 8 AWS, 5 GCP and 1 Azure certifications, the Registered Information Security Specialist (情報処理安全確保支援士) qualification, and other certifications. Favorite AWS service: AWS Support.
  3. Purpose of this session: make people aware of how important the emails from AWS are, and reduce the number of times users get burned.

  4. Why are these emails sent? Alerts. Specification changes. Pricing changes.

  5. Classification by email subject: Abuse category. Action-required category. Other.

  6. Abuse category: • Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]

  7. Abuse category: your resources are suspected of attacking external parties. If left unattended... • account suspension • claims for damages

  8. Subject: Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]

    Hello, We've received a report(s) that your AWS resource(s) AWS ID: XXXXXXXXXXXX Region: xx-yy-# EC2 Instance Id: i-XXXXXXXXXXXX [XX.XX.XX.XX] has been implicated in activity that resembles the sending of spam or unsolicited email. Sending spam or unsolicited email is forbidden by the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review. Please take action to stop the reported activity and reply directly to this email with details
  9. The same email, in plain words: "It looks like this instance is sending what appears to be spam. That violates the AWS Acceptable Use Policy, so stop it. Once you have stopped it, reply and let us know. If you do not recognize the activity, it may be an external takeover... here is a link to the remediation steps."
  10. Action-required category: • Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX • Action Required: Your AWS account XXXXXXXXXXX is compromised • [Action Required]: Your AWS Storage Gateway VM will be deprecated on January 1, 2022. Please migrate to a new gateway VM. • [ACTION REQUIRED]EECS Deprecation of Managed Policy • [Action Requested] AWS X-Ray Tracing Permissions Not Enabled for AWS Step Functions State Machines • [Action Required] Red Hat Enterprise Linux 6 Extended Lifecycle phase begins December 1, 2020 • [Action Needed] – Update Firewall settings to allow access to expanded IP address ranges for Amazon WorkSpaces. • Action Required: Upcoming changes for Chromium based browsers affecting ELB • [ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws, starting November 6, 2020
  11. Action-required category: end of support for the version you are using; IAM managed policies being split into finer-grained ones; suspected credential leak. If left unattended... • information leakage, or a huge bill from unauthorized use of the account • service outage

  12. Subject: Action Required: Your AWS account XXXXXXXXXXX is compromised

    Dear AWS customer, Your AWS Account is compromised! Please review the following notice and take immediate action to secure your account. We have also opened an outbound Support Case if you have any additional questions or concerns regarding this notice. Your security is important to us. We have become aware that the AWS Access Key AKI~ (belonging to IAM user "xxxxx") along with the corresponding Secret Key is publicly available online at https://github.com/<path to the specific file>. This poses a security risk to your account and other users, could lead to excessive charges from unauthorized activity or abuse, and violates the AWS Customer Agreement.
  13. The same email, in plain words: "Your account credentials have leaked! Read the following and respond. The key is published online at the location shown. We have also opened a support ticket for follow-up. If you do not respond within 24 hours we may suspend your account. If this is a false accusation, reply on the support case right away."
  14. Subject: Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX

    Dear AWS customer, Your AWS Account may be compromised! Please review the following notice and take immediate action to secure your account. We have also opened an outbound Support Case if you have any additional questions or concerns regarding this notice. Your security is important to us. We have detected abnormal activity in your AWS account that matches the pattern of unauthorized access. This activity is related to your AWS Access Key AKI~ (belonging to IAM user "xxxx"), which may indicate that this access key and the corresponding secret key are compromised.
  15. The same email, in plain words: "Your account may have been compromised! Read the following and respond. Check every region for suspicious resources and delete them. Rotate all of your keys, too. If you do not respond within 24 hours we may suspend your account. If this is a false accusation, reply on the support case right away."
  16. Other: • AWS RoboMaker End of Life Support Notice [AWS Account: XXXXXXXXXXXX] • AWS Lambda managed policies deprecation notice • AWS Marketplace Price Change Notification • Automatic patches available for Amazon Aurora with PostgreSQL Compatibility • Notification of Amazon S3 buckets configured for public access • WorkSpaces Streaming Protocol is Generally Available for Production Use • Notification on changes to the names of finding types in AWS Security Hub • Amazon DocumentDB to update default engine version to 4.0.0 • CloudTrail Managed Policy Scope Down • [Important Notification] Advice for customers using ECS to deal with newly introduced Docker Hub rate limits
  17. Other: security vulnerabilities; maintenance work on the AWS side; price changes.

  18. Subject: CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]

    Hello, On November 30, 2020, CloudTrail's current access policy (AWSCloudTrailAccessPolicy) will be deprecated and replaced with a new version (AWSCloudTrail_FullAccess), which has a reduced permission set. The current AWSCloudTrailAccessPolicy will continue to work for existing accounts; however, once the replacement occurs, it will not be able to be attached to new IAM principals. For accounts with AWSCloudTrailAccessPolicy, no customer action is required as these accounts will still have this policy attached; accounts without AWSCloudTrailAccessPolicy will not be able to view this policy for attachment after it is deprecated. These changes are intended to constrain the scope of CloudTrail's full
  19. The same email, in plain words: "We are replacing CloudTrail's managed policy with a new version that has narrower permissions. The old one keeps working, but once you detach it you can only use the new version."
  20. What can you do? First, read them. Build tooling. Outsource operations to a vendor.

  21. First, read them. Reading has side benefits as well: better English, and preparation for certification exams.

  22. Build tooling. Recommended words to focus on: "Abuse", "Action Require", "Reminder". Note: watch out for variations in wording!
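The "tooling" step on this slide, as an added example that is not from the deck or from the author: a small triage script that classifies AWS notification subjects by the three keywords above while tolerating the variations actually seen on slide 10 ("Action Required", "[ACTION REQUIRED]", "[Action Requested]", "[Action Needed]", "[ACTION MAY BE REQUIRED]"), pulls out the account ID when the subject carries one, and sorts the result so Abuse and Action-required items come first. The sample subjects are taken from the slides; the single 12-digit account ID is a constructed placeholder. Subject matching is for prioritization only; it says nothing about whether a message genuinely came from AWS, so verify sender and case IDs in the AWS console before acting on anything.

```python
import re

# Rules are checked in priority order. Each pattern is case-insensitive and
# deliberately loose about surrounding punctuation so that "Action Required:",
# "[ACTION REQUIRED]", "[Action Requested]", "[Action Needed]" and
# "[ACTION MAY BE REQUIRED]" all land in the same bucket.
RULES = [
    ("abuse", re.compile(r"\babuse\b", re.IGNORECASE)),
    ("action-required",
     re.compile(r"\baction\s+(?:may\s+be\s+)?(?:requir|request|need)", re.IGNORECASE)),
    ("reminder", re.compile(r"\breminder\b", re.IGNORECASE)),
]

# Lower number = look at it sooner.
PRIORITY = {"abuse": 0, "action-required": 1, "reminder": 2, "other": 3}

# AWS writes the account either as "[AWS ID 123456789012]" or
# "[AWS Account: 123456789012]"; both forms appear on the slides.
ACCOUNT_RE = re.compile(r"AWS\s+(?:ID|Account:?)\s*(\d{12})\b")


def classify(subject: str) -> str:
    """Return the first matching bucket name, or "other"."""
    for label, pattern in RULES:
        if pattern.search(subject):
            return label
    return "other"


def account_id(subject: str):
    """Return the 12-digit account ID embedded in the subject, or None."""
    match = ACCOUNT_RE.search(subject)
    return match.group(1) if match else None


def triage(subjects):
    """Classify every subject and order the list by urgency.

    Returns a list of (bucket, account_id_or_None, subject) tuples; the sort is
    stable, so subjects within one bucket keep their original order.
    """
    rows = [(classify(s), account_id(s), s) for s in subjects]
    return sorted(rows, key=lambda row: PRIORITY[row[0]])


# Subjects copied from the slides; the account ID on the last line is a
# constructed placeholder, not a real account.
SAMPLE_SUBJECTS = [
    "AWS Lambda managed policies deprecation notice",
    "[Action Requested] AWS X-Ray Tracing Permissions Not Enabled for AWS Step Functions State Machines",
    "Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]",
    "[ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws, starting November 6, 2020",
    "Notification of Amazon S3 buckets configured for public access",
    "[Action Needed] - Update Firewall settings to allow access to expanded IP address ranges for Amazon WorkSpaces.",
    "Action Required: Your AWS account XXXXXXXXXXX is compromised",
    "CloudTrail Managed Policy Scope Down [AWS Account: 123456789012]",
]


if __name__ == "__main__":
    for bucket, account, subject in triage(SAMPLE_SUBJECTS):
        print(f"{bucket:16} {account or '-':14} {subject}")
```

The regex for the Action-required bucket matches on the stem ("requir", "request", "need") rather than the full word so that a new variant such as "Action Requested" does not silently fall into "other"; extend RULES (for example with "public access" or "deprecat") as your own inbox teaches you which subjects matter.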
  24. Outsource operations to a vendor. Especially recommended when: there is no operations department; or there is one, but it has little AWS know-how.

  25. Summary
