Dome9で始めるAWSセキュリティリスク管理.pdf

Slide 1

Slide 1 text

%PNFͰ࢝ΊΔ "84ηΩϡϦςΟϦεΫ؅ཧ "84ࣄۀຊ෦ɹίϯαϧςΟϯά෦ ొஃऀࢢాળٱ

Slide 2

Slide 2 text

ࣗݾ঺հ ● ࢢాળٱ ● AWSࣄۀຊ෦ ίϯαϧςΟϯά෦ ○ ιϦϡʔγϣϯΞʔΩςΫτ ● େࡕΦϑΟεॴଐ ● ޷͖ͳAWSαʔϏε ○ AWS IoTܥαʔϏεɹ ɹ

Slide 3

Slide 3 text

εϥΠυ͸ޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ಺༰ΛϝϞ͢Δඞཁ͸͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ৔߹͸ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹ͝഑ྀ͍ͩ͘͞

Slide 4

Slide 4 text

ຊ೔ͷ಺༰ • Dome9ͱ͸ʁ • Dome9ͷ3ͭͷಛ௃ • Network Security • Security Groupͷ؅ཧ • IAM Safety • ڧԽ͞ΕͨIAM • Complicence & Governance • ηΩϡϦςΟϑϨʔϜϫʔΫʹ४ڌͨ͠ηΩϡϦςΟΨόφϯε • ·ͱΊ

Slide 5

Slide 5 text

͓࿩͠ͳ͍͜ͱ • AWSͷηΩϡϦςΟαʔϏεͷઆ໌ • GuardDutyɺWAFˍShieldɺKMSɺCogniteɺInspectorɺMacieͳͲ • AWSͷηΩϡϦςΟαʔϏεΛۦ࢖ͨ͠ηΩϡϦςΟରԠํ๏ • ֤छαʔϏεͷ׆༻ํ๏ • ͦͷଞͷAWSରԠSaaSͷઆ໌ • Trend MicroࣾͷDeep SecurityͳͲ

Slide 6

Slide 6 text

6 ੹೚ڞ༗Ϟσϧ

Slide 7

Slide 7 text

7 AWSͷ੹೚ڞ༗Ϟσϧ “બ୒ͨ͠ AWS Ϋϥ΢υͷαʔϏεʹԠͯ͡ҟͳ Γ·͢ɻબ୒ʹΑͬͯɺηΩϡϦςΟʹؔ͢Δ੹ ೚ͷҰ؀ͱ͓ͯ͠٬༷͕࣮ߦ͢Δߏ੒࡞ۀͷྔ͕ ܾఆ͞Ε·͢ɻ” “ఏڙ͞ΕΔ͢΂ͯͷαʔϏεΛ࣮ߦ͢ΔΠϯϑ ϥετϥΫνϟͷอޢʹ͍ͭͯ੹೚Λ࣋ͪ·͢ɻ ͜ͷΠϯϑϥετϥΫνϟ͸ϋʔυ΢ΣΞɺι ϑτ΢ΣΞɺωοτϫʔΩϯάɺAWSΫϥ΢υ ͷαʔϏεΛ࣮ߦ͢ΔࢪઃͰߏ੒͞Ε·͢ɻ”

Slide 8

Slide 8 text

2020೥·Ͱʹى͜ΔηΩϡϦςΟࣄނͷ95%  ͕ϢʔβىҼͱݴΘΕ͍ͯ·͢ɻ

Slide 9

Slide 9 text

9 Dome9ͱ͸

Slide 10

Slide 10 text

Dome9ͱ͸ • ΠεϥΤϧൃͷΫϥ΢υηΩϡϦςΟελʔτΞοϓ • 2018೥ʹνΣοΫɾϙΠϯτ͕ࣾങऩ • ࠃ಺Ͱ͸ιϑτόϯΫ͕ಠ઎తʹऔΓѻ͍ • AWS, Azure, GCPʹରԠ

Slide 11

Slide 11 text

11 Dome9ͷಛ௃ͱػೳ

Slide 12

Slide 12 text

12 Dome9ͷಛ௃ Assess(ධՁ) • ωοτϫʔΫɾτϙϩδʔͷϏδϡΞϥΠζ • ϛείϯϑΟά΍ڴҖͷੋਖ਼ Contorl(੍ޚ) • ϕετϓϥΫςΟεͷڧ੍ • ະೝূͳมߋͷ๷ࢭ • ίϯϓϥΠΞϯεඪ४ʹै͏ Remediate(ੋਖ਼) • ϙϦγʔઃఆʹΑΔ໰୊఺ͷमਖ਼ • Ϋϥ΢υ؀ڥͷΞΫςΟϒͳϓϩςΫτ

Slide 13

Slide 13 text

13 แׅతͳΫϥ΢υηΩϡϦςΟͷఏڙ - 3ͭͷػೳ Network Security • Security GroupͷՄࢹԽ • ૬ޓతͳڐՄϧʔϧͷՄࢹԽ • Security Groupͷ౷੍ • ڐՄ͞Ε͍ͯͳ͍มߋͷ੾Γ໭͠ IAM Safety • ڧԽ͞ΕͨIAMϓϩςΫγϣϯ • ࣌ݶతͳಛݖͷ෇༩ Complience & Governance • αϙʔτ͍ͯ͠ΔηΩϡϦςΟϑϨʔϜϫʔΫͷϧʔϧηοτͰAWS؀ڥΛධՁ • NISTɺCISɺPCI-DSSͳͲ • ಠࣗʹఆٛՄೳ

Slide 14

Slide 14 text

14 Network Security

Slide 15

Slide 15 text

15 Security Group؅ཧ Security GroupͷՄࢹԽ • Ͳ͔͜ΒͲ͜΁௨৴͕ڐՄ͞Ε͍ͯΔͷ͔ʁ • ͲͷϦιʔε͕ؔ࿈͍͍ͮͯΔͷ͔ʁ • EC2΍RDSͳͲϦιʔεଆ͔Β͔͠ݟ͑ͳ͍ • άϧʔϓಉ࢜ͷؔ܎ੑ͕೺Ѳͮ͠Β͍ • ෼͔Γ΍͘͢ՄࢹԽ͞Εͨ΋ͷ͕ཉ͍͠

Slide 16

Slide 16 text

16 αϯϓϧߏ੒ αϯϓϧߏ੒ͷSecurityGroupߏ੒ΛՄࢹԽ

Slide 17

Slide 17 text

17 αϯϓϧߏ੒ͷSecurity Group Application Load Balancer • HTTP : 0.0.0.0/0 BastionʢEC2ʣ • SSH : 203.0.113.4/32ʢ։ൃڌ఺ʣ WebʢEC2ʣ • HTTP : Application Load Balancer (Security Group) • SSH : Bastion (Security Group) DBʢRDSʣ • MySQL : Web (Security Group)

Slide 18

Slide 18 text

18 ClarityʹΑΔՄࢹԽ • ࣗಈతʹϨΠϠʔ෼ׂදࣔ • ֎෦κʔϯɿ֎෦ωοτϫʔΫ/ϗετ • DMZɿInternet͔ΒΞΫηεՄೳͳηΩϡϦςΟάϧʔϓ • Ұ෦Φʔϓϯɿಛఆͷ֎෦ωοτϫʔΫ/ϗετ͔ΒΞΫηεՄೳ • ಺෦κʔϯɿVPC಺ͷϦιʔε͔ΒΞΫηεՄೳ ( άϧʔϓ಺ͷ਺ࣈ͸ؔ࿈Ϧιʔε਺ʣ

Slide 19

Slide 19 text

19 ϋΠϥΠτදࣔ • ηΩϡϦςΟάϧʔϓผʹΞΫηεڐՄઃఆΛϋΠϥΠτදࣔ • SourceɿΦϨϯδ৭ • Targetɿਫ৭ • ը໘ӈଆʹৄࡉදࣔ • ϧʔϧ಺༰ͷৄࡉʢΠϯό΢ϯυ/Ξ΢τό΢ϯυʣ • ιʔεɺλʔήοτɺλά

Slide 20

Slide 20 text

20 ؔ࿈Ϧιʔεͷදࣔ • bastion-sgͷ৔߹ • Sourceɿڌ఺IP͔ΒͷΞΫηεΛڐՄʢΦϨϯδ৭ʣ • Targetɿweb-ec2-sg΁ͷΞΫηεΛڐՄʢਫ৭ʣ

Slide 21

Slide 21 text

21 ؔ࿈Ϧιʔεͷදࣔ • web-ec2-sgͷ৔߹ • Sourceɿalb-sgɺbastion-sg͔ΒͷΞΫηεΛڐՄ • Targetɿrds-sg

Slide 22

Slide 22 text

22 αϯϓϧྫ

Slide 23

Slide 23 text

23 Tamper Protection Dynamic Access

Slide 24

Slide 24 text

24 Tamper Protection Dynamic Access

Slide 25

Slide 25 text

25 Security Groupͷ՝୊ ՝୊ • ۓٸ࡞ۀͰҰ࣌తʹSSH΍RDPͷΞΫηεΛڐՄ • ࡞ۀޙʹ໭ͭ͢΋Γ͚ͩͬͨͲ๨Ε͍ͯͨ • ఆظతͳݟ௚͠ͷͱ͖ʹʮͳͥڐՄ͞Ε͍ͯΔʯͷ͔෼͔Βͳ͍ • ϧʔϧͷίϝϯτ͚ͩͰ͸؅ཧ͖͠Εͳ͍

Slide 26

Slide 26 text

26 Tampler Protection Dome9Λܦ༝͠ͳ͍ηΩϡϦςΟάϧʔϓͷվ͟Μ(Tamper)Λ๷ࢭ(Protect) • มߋ͍ͨ͠৔߹͸ɺDome9͔Βมߋ࡞ۀΛ࣮ࢪ • Tamper Protectionͷ༗ޮԽ୯Ґ͸άϧʔϓ • ʮFull-Protectionʯ͕༗ޮʹͳ͍ͬͯΔ͜ͱ

Slide 27

Slide 27 text

27 Tampler Protectionͷಈ࡞ཤྺ Dome9ͷHistory͔ΒΠϕϯτΛ֬ೝՄೳ

Slide 28

Slide 28 text

28 Tampler Protectionͷಈ࡞ཤྺͷৄࡉ

Slide 29

Slide 29 text

29 Tampler ProtectionΛCloudTrailͰัଊ ಉ࣌ࠁʹʮRevokeSecurityGroupIngressʯͷΠϕϯτൃੜ

Slide 30

Slide 30 text

30 Dome9͔ΒSecurity GroupΛมߋ ର৅ϧʔϧͰʮEDITʯΛΫϦοΫ

Slide 31

Slide 31 text

31 Dome9͔ΒSecurity GroupΛมߋ - SOURCEͷ௥Ճ 1.ʮ+ADD SOURCEʯΛΫϦοΫ 2. ܗࣜΛબ୒ • IP CIDR or DNS Name • IP LIST (Customer managed) • IP LIST (Dome9 managed) • AWS Security Group • AWS Peered VPC

Slide 32

Slide 32 text

32 Dome9͔ΒSecurity GroupΛมߋ - DNSͰSOURCEΛࢦఆ͢Δͱɾɾɾ ࢼ͠ʹʮDNS NameʯΛબ୒ͯ͠ʮwww.yahoo.co.jpʯΛڐՄର৅ʹͯ͠Έͨ

Slide 33

Slide 33 text

33 DNSͷਖ਼Ҿ͖݁ՌΛࣗಈొ࿥ • ʮwww.yahoo.co.jpʯͷਖ਼Ҿ͖݁ՌͷIPͰࣗಈొ࿥ • ໊લղܾͷIP͕มΘͬͯ΋௥ैͯ͠ϧʔϧΛมߋ

Slide 34

Slide 34 text

34 AWS Configͷར༻ AWSͷαʔϏε͚ͩͰ΍ͬͯΈΔ • AWS Config ͷར༻ • Config RulesͰΞΫγϣϯͷࢦఆ • ྫɿηΩϡϦςΟάϧʔϓ͕ແ੍ݶڐՄͷSSHΛෆڐՄʹ͢Δ • શ͘ಉ͜͡ͱΛ΍ΔͳΒΧελϜϧʔϧΛࣗ࡞ • Dome9Ͱ΍Δ৔߹͸ɺॳظಋೖɺ؅ཧɺӡ༻͕༰қʹͳΔͷͰτϨʔυΦϑ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/ https://dev.classmethod.jp/cloud/aws/automate-aws-config-remediation-action/

Slide 35

Slide 35 text

35 Tamper Protectionͷ·ͱΊ Tamper Protection • Dome9 Λܦ༝͠ͳ͍Seurity Groupͷมߋʢվ͟ΜʣΛ๷ࢭ͢Δ • Dome9͔Βมߋͨ͠ϧʔϧ͸΋ͱʹ໭͞ΕΔ͜ͱ͸ແ͍ • Dome9্Ͱͷมߋ΋Historyʹ࢒Δ

Slide 36

Slide 36 text

36 Tamper Protection Dynamic Access

Slide 37

Slide 37 text

37 Dynamic Access ηΩϡϦςΟάϧʔϓʹҰ࣌తͳΞΫηεڐՄϧʔϧΛ௥Ճ • ର৅ͷάϧʔϓ/ϧʔϧʹରͯ͠Ұ࣌తͳΞΫηεڐՄΛ௥Ճ ڐՄ͞ΕΔIP • Dome9ʹΞΫηε͍ͯ͠ΔIP͕ڐՄର৅ • Dome9Ҏ֎ͷϝϯόʔ͔ΒͷΞΫηεΛڐՄͤ͞Δ͜ͱ΋Մೳ • ট଴ϝϯόʔ͕ڐՄϦϯΫΛΫϦοΫͨ͠IPͰڐՄ͞ΕΔ

Slide 38

Slide 38 text

38 Dynamic Access • Dome9ʹΞΫηε͍ͯ͠ΔIPΛڐՄ(x.x.x.x) • ϝʔϧதͷট଴ΞΫςΟϕʔγϣϯͷϦϯΫΛΫϦοΫͨ͠IPͰڐՄ(y.y.y.y) ট଴ϝʔϧ

Slide 39

Slide 39 text

39 Dynamic Accessͷར༻ํ๏ • ର৅άϧʔϓͰڐՄΛ௥Ճ͍ͨ͠ϧʔϧʹʮGET ACESSʯ • ڐՄ͢ΔظؒΛબ୒ՄೳʢσϑΥϧτ1࣌ؒʣ • ௥Ճϧʔϧ͕࡟আ͞ΕΔ·Ͱͷ࣌ؒ

Slide 40

Slide 40 text

40 Dynamic Accessͷར༻ - Send Invitation Send Invitaion Dome9Ҏ֎ͷϝϯόʔ͔ΒͷΞΫηεΛڐՄ • ট଴ͷ༗ޮظݶ • ڐՄ͢Δ࣌ؒ • ϝʔϧΞυϨε • ௥ՃϢʔβͷΞυϨε • ࣗ෼ͷΞυϨε • ΞΫςΟϕʔγϣϯϦϯΫੜ੒ͷΈ

Slide 41

Slide 41 text

41 Dynamic AccessͷϢʔβট଴ ট଴ϝʔϧ • ϝʔϧதͷϦϯΫΛΫϦοΫͯ͠ɺ  ট଴ΛΞΫςΟϕʔγϣϯ • ઀ଓΛڐՄ͍ͨ͠Ϛγϯ্ͰΞΫςΟ  ϕʔγϣϯΛ࣮ࢪ

Slide 42

Slide 42 text

42 ট଴݁Ռ ϦϯΫΫϦοΫޙͷදࣔ • ڐՄͨ͠άϧʔϓͱαʔϏε • ڐՄͨ͠IPͱ࣌ؒ

Slide 43

Slide 43 text

43 Dynamic Access - ༗ޮͳLeaseͷ؅ཧ • ʮҰ࣌తʹ௥Ճ͍ͯ͠ΔΞΫηεڐՄʯͷҰཡදࣔ • ࣌ؒຬྃલʹࣦޮͤ͞Δ͜ͱ΋Մೳ • ট଴࣌ͷIPؒҧ͍΍ະঝೝͷট଴ΛʮPending invitationʯ͔Β࡟আՄೳ

Slide 44

Slide 44 text

44 Network Security·ͱΊ Tamper Protection • Dome9 Λܦ༝͠ͳ͍Seurity GroupͷมߋΛ๷ࢭ͢Δ • Dome9͔Βมߋͨ͠ϧʔϧ͸΋ͱʹ໭͞ΕΔ͜ͱ͸ແ͍ • Dome9্Ͱͷมߋ΋Historyʹ࢒Δ Dynamic Access • ηΩϡϦςΟάϧʔϓʹҰ࣌తͳڐՄϧʔϧΛ௥ՃͰ͖Δ • ࢦఆ࣌ؒܦաޙʹ௥Ճϧʔϧ͸ࣗಈ࡟আͰɺҰ࣌తͳ௥Ճͷ໭͠๨ΕΛ๷ࢭ • มߋ͸Historyʹ࢒Δ

Slide 45

Slide 45 text

45 IAM Safety

Slide 46

Slide 46 text

46 IAM Safety IAM Report

Slide 47

Slide 47 text

47 IAM؅ཧͷ՝୊ IAM؅ཧ͸೉͍͠ • ৗʹඞཁͰ͸ͳ͍ݖݶΛҰ࣌తʹڐՄ͍ͨ͠ • ౎౓ɺมߋ࡞ۀΛ͢Δͷ͸࡞ۀϛε΋͋Γආ͚͍ͨ • ؅ཧऀͱͯਓؒ • Systems ManagerͳͲΛۦ࢖ͯࣗ͠ಈԽ͸Մೳ • AutomationυΩϡϝϯτͷ࡞੒ͳͲࣄલ४උ͕ඞཁ  https://dev.classmethod.jp/cloud/aws/workflow-to-add-temporary-privilege-by-ssm-automation/

Slide 48

Slide 48 text

48 IAM Safetyͷ࢓૊Έ Ұ࣌తʹࣄલఆٛͨ͠ಛݖΛ෇༩͢Δ͜ͱ͕Ͱ͖Δ - ݖݶͷঢ֨ • ฏ࣌͸੍ݶ͍ͨ͠಺༰Λ·ͱΊͨϙϦγʔΛIAM GroupͷϙϦγʔʹઃఆ • ϙϦγʔ͸Dome9্ͰGUIͰ࡞੒Մೳ • GUIૢ࡞ͰJSONͷϙϦγʔΛੜ੒ • Dome9ଆͰςϯϓϨʔτ΋༻ҙ • อޢର৅ͷIAM User/RoleΛબ୒ͯ͠อޢ • อޢ͢Δͱ֘౰ͷIAM User্͕هͷGroupʹॴଐʢ੍ݶϙϦγʔͷద༻ʣ • IAM Roleͷ৔߹͸੍ݶϙϦγʔ͕Ξλον • ಛݖΛ෇༩ʢঢ֨ʣ͍ͤͨ͞ͱ͖ʹɺ੍ݶϙϦγʔ͕σλον͞ΕΔ • ࢦఆ͕࣌ؒܦաޙʹࣗಈతʹ੍ݶϙϦγʔ͕Ξλονʢ߱֨ʣ

Slide 49

Slide 49 text

49 IAM Safetyͷ࢓૊Έ • ੍ݶɿDome9อޢର৅ͷIAMʹ੍ݶϙϦγʔΞλον • ߱֨ɿDome9อޢର৅ͷIAMʹ੍ݶϙϦγʔΞλον • ঢ֨ɿ੍ݶϙϦγʔΛσλον

Slide 50

Slide 50 text

50 IAM Safety - ঢ֨ઃఆ ద༻͍ͨ͠IAM UserΛDome9্͔Βબ୒ • Լه͸ʮdome9-test2ʯʮdome9-test3ʯͷIAM UserΛબ୒

Slide 51

Slide 51 text

51 IAM Safety - ঢ֨ઃఆ อޢର৅ʹ͸伴ϚʔΫ

Slide 52

Slide 52 text

52 IAM Safety - ฏ࣌ͷIAMઃఆ Dome9ͷ੍ݶϙϦγʔ͕ద༻͞Ε͍ͯΔʢ֘౰άϧʔϓʹೖ͍ͬͯΔʣ

Slide 53

Slide 53 text

53 IAM Safety - ঢ֨ͷ࣮ߦ ঢ͓֨ͯ͘͠ظؒʢ30෼ɺ1࣌ؒɺ2࣌ؒʣΛࢦఆՄೳ

Slide 54

Slide 54 text

54 IAM Safety - ঢ֨ͷঢ়گ֬ೝ • ঢ֨தͷ΋ͷΛ֬ೝՄೳ • ظݶલʹঢ֨Λதஅ͢Δ͜ͱ΋Մೳ

Slide 55

Slide 55 text

55 IAM Safety - ϞόΠϧΞϓϦ • ϞόΠϧΞϓϦ͔Βঢ֨ɾऔΓফ͠ɾઃఆ͕Մೳ ʻঢ֨ʼ ʻઃఆʼ ʻऔΓফ͠ / ظݶ֬ೝʼ

Slide 56

Slide 56 text

56 IAM Safety IAM Report

Slide 57

Slide 57 text

57 IAMϨϙʔτ Policy ReportʢϙϦγʔϨϙʔτʣ • Dome9Ͱ؅ཧ͢ΔAWSΞΧ΢ϯτશͯͷIAM Entityͷ૊Έ߹ΘͤΛҰཡදࣔ • ࡞੒ࡁΈͷIAM User/Roleͷݖݶ΍αʔϏεछผͰநग़Մೳ Credential Reportʢೝূ৘ใϨϙʔτʣ • IAM Userͷೝূ৘ใΛநग़ • ίϯιʔϧαΠϯΠϯͷύεϫʔυ͕༗ޮͳϢʔβ • ͦͷύεϫʔυͷར༻ཤྺ ͳͲ

Slide 58

Slide 58 text

58 ϙϦγʔϨϙʔτ ϑΟϧλϦϯάྫɿKinesis data firehoseʹʮPutRecordʯͰ͖ΔEntity

Slide 59

Slide 59 text

59 ϑΟϧλϦϯάઃఆͷ׆༻ ϑΟϧλϦϯάઃఆ͸อଘͯ͠࠶ར༻͕Մೳ

Slide 60

Slide 60 text

60 ϑΟϧλϦϯάઃఆͷ׆༻ อଘͨ͠ϑΟϧλϦϯάΛ࠶ར༻

Slide 61

Slide 61 text

61 ೝূ৘ใϨϙʔτ ϑΟϧλϦϯάྫɿʮcmichidaʯͱ͍͏ΞΧ΢ϯτͰʮαΠϯΠϯύεϫʔυ͕༗ޮʯ

Slide 62

Slide 62 text

62 Compliance & Governance

Slide 63

Slide 63 text

63 ܧଓతͳηΩϡϦςΟνΣοΫ ҧ൓߲໨ͷࣗಈతͳվળ - Remediation

Slide 64

Slide 64 text

64 ܧଓతͳηΩϡϦςΟνΣοΫ ՝୊ • ४ڌ͢΂͖ηΩϡϦςΟج४ͷҡ͕࣋೉͍͠ • ४ڌ͢΂͖ηΩϡϦςΟج४ͷҡ࣋Λ୲อ͢Δ࢓૊Έ͕ແ͍ • ΞΧ΢ϯτʹΑͬͯηΩϡϦςΟج४͕ҟͳΔ • CISɺPCI-DSSɺNISTɺSOC2ɺHIPPAɾɾɾ

Slide 65

Slide 65 text

65 Dome9͕ରԠ͍ͯ͠ΔηΩϡϦςΟϑϨʔϜϫʔΫʢೝূʣ • Dome9͸نఆ/ಠࣗఆٛͷධՁϧʔϧͰ֤AWSΞΧ΢ϯτΛධՁՄೳ • ෳ਺ͷୈࡾऀೝূΛϕʔεʹͨ͠ϧʔϧηοτ • CIS • NIST 800-53 • PCI-DSS 3.2 • HIPPA • GDPR • ISO27001 • SOC2

Slide 66

Slide 66 text

66 ϧʔϧηοτ • ೝূʹԠͨ͡ϧʔϧ͕·ͱ·ͬͨϧʔϧηοτ • ֤ϧʔϧ͸GSLͱ͍͏ಠࣗݴޠͰఆٛ

Slide 67

Slide 67 text

67 GSLͱ͍͏Dome9ͷಠࣗݴޠ ྫɿAWS Kinesis Server data at rest has server side encryption ྫɿEnsure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) ྫɿEnsure IAM policies are attached only to groups or roles Kinesis should have encrypted=true SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=3389 and portTo>=3389] IamUser where not (name regexMatch /^$/i ) should have managedPolicies isEmpty() and inlinePolicies isEmpty()

Slide 68

Slide 68 text

68 ܧଓతͳηΩϡϦςΟνΣοΫ ܧଓతͳνΣοΫͷઃఆ • νΣοΫ͍ͨ͠AWSΞΧ΢ϯτΛબ୒ • ϧʔϧηοτ͔ΒνΣοΫ͍ͨ͠ೝূͷηοτΛબ୒ • ௨஌ઌΛઃఆ

Slide 69

Slide 69 text

69 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ʮADD POLICYʯΛΫϦοΫ

Slide 70

Slide 70 text

70 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ νΣοΫ͍ͨ͠ΞΧ΢ϯτΛબ୒

Slide 71

Slide 71 text

71 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ϧʔϧηοτΛબ୒ ʢ͜͜Ͱ͸AWS PCI-DSS 3.2ʣ

Slide 72

Slide 72 text

72 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ௨஌ઌΛઃఆ • νΣοΫ݁Ռͷ௨஌ • ௨஌ઌΞυϨεͷઃఆ • ௨஌εέδϡʔϧͷઃఆ • Ϩϙʔτछྨ • Summary, Detailed, CSV͋ • ௨஌ઃఆ͸ࣄલ࡞੒ or  ͜ͷ΢Οβʔυதʹ࡞੒Մೳ

Slide 73

Slide 73 text

73 ܧଓతͳηΩϡϦςΟνΣοΫ - ઃఆ ධՁ͕࣮ߦ͞ΕΔͱࢦఆͨ࣌ؒ͠ʹϝʔϧͰ Ϩϙʔτ͕ಧ͖·͢ • είΞ஋ • લճͷείΞ஋΋දࣔ • Failedͷ߲໨ΛҰཡදࣔ • ৭ͰFailedͷਂࠁ౓Λ෼ྨදࣔ

Slide 74

Slide 74 text

74 ܧଓతͳηΩϡϦςΟνΣοΫ ҧ൓߲໨ͷࣗಈతͳվળ - Remediation

Slide 75

Slide 75 text

75 ҧ൓߲໨ͷࣗಈతͳվળ - Remediation ఆظతͳνΣοΫ࣌ʹҧ൓߲໨͕͋Ε͹ࣗಈతʹઃఆΛमਖ਼ • ϕʔλఏڙʢ2019೥10݄10೔ݱࡏʣ • Cloud-botsʹΑΔमਖ਼ΞΫγϣϯ • CloudFormationͰσϓϩΠ • ϚϧνΞΧ΢ϯτʹରԠ • ୭Ͱ΋ར༻Մೳ

Slide 76

Slide 76 text

76 cloud-bots͸୭Ͱ΋ར༻Մೳ https://github.com/dome9/cloud-bots

Slide 77

Slide 77 text

77 Cloud-botsͷΞʔΩςΫνϟ

Slide 78

Slide 78 text

78 Cloud-botsͷΞʔΩςΫνϟ • Dome9͕ఆظνΣοΫ࣮ߦ • ҧ൓߲໨͕͋Ε͹SNSτϐοΫʹύϒϦογϡ • LambdaͰࢦఆͷվળΞΫγϣϯΛ࣮ߦ • ݁ՌΛࢦఆͷσϓϩΠ࣌ͷࢦఆΞυϨεʹ௨஌

Slide 79

Slide 79 text

79 Remediationͷ࡞੒ • RulesetɿʮϙϦγʔʯͰࢦఆͨ͠ϧʔϧ  ηοτͰҧ൓߲໨͕͋Ε͹ͦͷϧʔϧ  ηοτʹରԠͨ͠मਖ਼ΞΫγϣϯ͕࣮ߦ  ͞Ε·͢ • Remediate by Ruleɿमਖ਼ΞΫγϣϯΛ  ࣮ߦ͍߲ͨ͠໨ͷࢦఆ • Remediate by Cloud Accountɿର৅ͷAWS  ΞΧ΢ϯτΛࢦఆ • Remediate by EntityɿΞΫγϣϯର৅ͷ  ࢦఆ • Cloud BotsɿCloud-botsͰ࣮ࢪ͢ΔΞΫ  γϣϯͷࢦఆ • Commentɿίϝϯτ

Slide 80

Slide 80 text

80 Cloud BotͰͰ͖Δ͜ͱ • ami_set_to_private • cloudtrail_enable • cloudtrail_send_to_cloudwatch • cloudwatch_create_metric_filter • config_enable • ec2_attach_instance_role • ec2_create_snapshot • ec2_release_eips • ec2_quarantine_instance • ec2_stop_instance • ec2_terminate_instance • ec2_update_instance_role • iam_role_attach_policy • iam_user_attach_policy • iam_quarantine_role • iam_quarantine_user • iam_turn_on_password_policy • iam_user_force_password_change • igw_delete • kms_enable_rotation • mark_for_stop_ec2_resource • rds_quarantine_instance • s3_delete_acls • s3_delete_permissions • s3_enable_encryption • s3_enable_logging • s3_enable_versioning • sg_delete • sg_rules_delete • sg_single_rule_delete • tag_ec2_resource • vpc_turn_on_flow_logs

Slide 81

Slide 81 text

81 Botsͷ঺հ sg_single_rule_delete • ηΩϡϦςΟάϧʔϓͷҰͭͷϧʔϧΛ࡟আ͢Δ • ࢦఆ߲໨ • splitɿ࡟আޙʹϧʔϧΛ෼ׂ͢Δ͔Ͳ͏͔ • protocolɿϓϩτίϧ • scopeɿϙʔτൣғ • directionɿ௨৴ͷ޲͖ • portɿϙʔτ

Slide 82

Slide 82 text

82 Botsͷ঺հ sg_single_rule_delete • ࢦఆ߲໨ɿsplit • طଘϧʔϧͰ֘౰ϙʔτ͕ʮΑΓେ͖ͳϙʔτൣғʯͰઃఆ͞Ε͍ͯͨ৔߹ʹɺ ࡟আ͍ͨ͠ϙʔτΛআ͍ͨෳ਺ͷϧʔϧʹ෼ׂ ϧʔϧAɿ[ ڐՄϙʔτɿ1 - 30 ] SSHϙʔτɿ22 ͷڐՄΛ࡟আ͍ͨ͠ SSHϙʔτɿ22 ͷڐՄΛ࡟আ ϧʔϧBɿ[ ڐՄϙʔτɿ1 - 21 ] ϧʔϧCɿ[ ڐՄϙʔτɿ23 - 30 ] →

Slide 83

Slide 83 text

83 ఆظνΣοΫͷ࣮ߦ ఆظνΣοΫͷ࣮ߦ࣌ʹRemediation΋࣮ߦ • ʮධՁཤྺʯΑΓνΣοΫ༗ແͱཤྺΛ֬ೝ

Slide 84

Slide 84 text

84 Remediationͷϝʔϧ௨஌ • ʮRemediationOutputʯͱ͍͏໊݅ͷϝʔϧ

Slide 85

Slide 85 text

85 Remediationͷϝʔϧ௨஌ྫ • ʮRemediationOutputʯͱ͍͏໊݅ͷϝʔϧ { "ReportTime": "2019-10-03T05:30:37.559Z", "Account id": "xxxxxxxxxxxxxx", "findingKey": "xxxxxxxxxxxxxxxxx", "Rules violations found": [ { "Rule": "Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)", "ID": "sg-xxxxxxxxxxxxxxxxx", "Name": "dome9-test-sg", "Remediation": "sg_single_rule_delete", "Execution status": "passed", "Bot message": "Split matching for the port to be remediated is set to False. If the port is contained within a larger scope, it will be skipped.\nThe protocol to be removed is TCP\nScope to be removed found: 0.0.0.0/0 \nThe rule to be removed is going to be for inbound traffic\nPort to be removed: 22 \nMatching rule found that is going to be deleted. Protocol:TCP Direction:inbound Port: 22 Scope:0.0.0.0/0\nSecurity Group rule from port 22 to port 22 successfully removed\n" } ] }

Slide 86

Slide 86 text

86 BotsͷCloudTrailʹΑΔัଊ • Ϣʔβ໊ɿDome9CloudBots • ࣌ࠁ͸ఆظνΣοΫʢ02:30ʣΑΓλΠϜϥά͕͋Δ • ࣮ߦ͞Εͨͷ͸02:45ͱͳ͍ͬͯΔ

Slide 87

Slide 87 text

87 Dome9Λ࢖͍ͬͯͳͯ͘΋CloudBots͸ར༻Մೳ ࢦఆϑΥʔϚοτͷϝοηʔδΛSNSτϐοΫʹύϒϦογϡ͢Ε͹OK • Dome9͕CloudBotsʹύϒϦογϡ͢Δϝοηʔδͱಉ͡Ͱ͋Ε͹Α͍ ͜ͷ෦෼

Slide 88

Slide 88 text

88 Dome9Λ࢖ΘͣʹCloudBotsΛ׆༻ Trusted Advisorͱͷ૊Έ߹Θͤ • Trusted Advisor͕ʮUnrestricted AccessʯͰRedΛݕग़ • CloudWatch EventsͰLambda͔ΒϝοηʔδΛCloudBotsʹύϒϦογϡ

Slide 89

Slide 89 text

89 CloudBotsʹૹΔϝοηʔδϑΥʔϚοτ • id • AWSΞΧ΢ϯτID • accountNumber • AWSΞΧ΢ϯτID • entity • վળΞΫγϣϯͷର৅Ϧιʔε { "reportTime": "2018-03-20T05:40:42.043Z", "rule": { "name": "", "complianceTags": "AUTO: " }, "status": "Failed", "account": { "id": "************" }, "entity": { "accountNumber": "************", "id": "i-*****************", "name": "************", "region": "us_west_2", } }

Slide 90

Slide 90 text

90 ·ͱΊ

Slide 91

Slide 91 text

91 ·ͱΊ ηΩϡϦςΟͷϦεΫͷൃݟɺ༧๷ɺ؅ཧ • ωοτϫʔΫͷՄࢹԽ • SecurityGroupͷՄࢹԽʹΑΔ௨৴ܦ࿏ͷՄࢹԽ • ෆ༻ҙͳมߋͷ཈੍ͱҰ࣌తͳมߋ࡞ۀʹΑΔϦεΫͷ౷੍ ୈࡾऀͷϙϦγʔʹجͮ͘؂ࠪͱҡ࣋ • ୈࡾऀͷϙϦγʔ४ڌͷϧʔϧηοτʹΑΔηΩϡϦςΟνΣοΫ • ܧଓతͳνΣοΫͱࣗಈम෮ʹΑΔηΩϡϦςΟϨϕϧͷҡ࣋ ෳ਺ΞΧ΢ϯτͷҰݩ؅ཧ • Dome9ͰҰݩతʹνΣοΫɺ؅ཧɺվળɺϨϙʔςΟϯάΛ࣮ࢪ • ҟͳΔηΩϡϦςΟج४ͷෳ਺ΞΧ΢ϯτΛ༰қʹ؅ཧՄೳ