How do you reinforce yourself ? AWS re:Inforce 2019 re:Cap @ July 30th Ryo Nakamaru, SUPINF Inc.

தؙ ྑ @pottava - SUPINF ͱ͍͏डୗ։ൃӡ༻ձࣾͰΤϯδχΞͯ͠·͢ - ւ֎ΧϯϑΝϨϯε͸೥ 2 ճఔ౓ - ӳޠ͸ͣͬͱ೰Έͷछ Profile

SUPINF Inc !3 ※ Mac ͷࣙॻΑΓҾ༻

SUPINF Inc !4 ※ Mac ͷࣙॻΑΓҾ༻ ηΩϡϦςΟ ؔ܎ͳ͍ͷ͔ɾɾ

SUPINF Inc 5 re:Inforce Ͳ͏ͩͬͨͷ

SUPINF Inc 6 ࠷ͬߴͰͨ͠ɻ ΄Μͱָ͔ͬͨ͠

SUPINF Inc 7 ɾԿ͕࠷ߴͩͬͨͷ͔ recap ɾདྷ೥ώϡʔετϯʹ޲͚ͯ

SUPINF Inc ࠷ߴͩͬͨ͜ͱ

SUPINF Inc ࠷ߴͦͷɹ (AWS ͷ) ॏཁ֓೦ͷཧղ͕ਂ·Δ 9 1: ໨ࢦ͢΂͖͸ɺϏδωεͷΞδϦςΟ ͱ Ψόφϯε Λ ཱ྆͢Δ ͜ͱ https://www.youtube.com/watch?v=2t-VkWt0rKk

SUPINF Inc 10 ͦͷͨΊʹ͸ɺΨʔυϨʔϧ ͱ ϥϯσΟϯάκʔϯ ͑͋͞Ε͹͍͍ɻ ͋ͱ͸ϓϩδΣΫτνʔϜʹɺࣗ༝ʹ૸ΒͤΑ͏ʂ https://www.youtube.com/watch?v=2t-VkWt0rKk

SUPINF Inc 11 ग़య: ϏϧμʔʹඞཁͳηΩϡϦςΟ͸ʮ໳൪ʯͰ͸ͳ͘ʮΨʔυϨʔϧʯ https://weekly.ascii.jp/elem/000/000/425/425592/

SUPINF Inc 12 ֓೦Λ࠲ֶͰֶΜͩΒ

SUPINF Inc 13 ໰. AWS ͰͷΨʔυϨʔϧ࣮૷ͱͯ͠ɺاۀͷηΩϡϦςΟϙϦγʔΛ ʮAWS Organizations ͷ SCPʯ΍ʮIAM ͷ Permissions Boundaryʯͷ ซ༻Ͱ࣮ݱͰ͖ͦ͏Ͱ͢ɻ͋ͳͨͳΒɺͲͷΑ͏ʹ࣮૷͠·͔͢ʁ

SUPINF Inc 14 https://identity-round-robin.awssecworkshops.com/permission-boundaries/presentation.pdf ೤͍͏ͪʹɺϫʔΫγϣοϓͰమ͕ଧͯΔɻʢΘ͔Βͳ͍͜ͱ͕Θ͔Δʣ

SUPINF Inc AWS ΧϯϑΝϨϯεͷ͓͢͢Ί 15 • ηογϣϯΑΓ΋ϫʔΫγϣοϓ ε ‣ ࡢࠓɺ΄ͱΜͲͷηογϣϯ͸ YouTube Ͱެ։͞Ε·͢ ‣ Ϣʔβࣄྫ ΍ ೤͍ؾ࣋ͪΛݺͼى͍ͨ͜͠ ৔߹͸ผ ‣ ਓؾ ϫʔΫγϣοϓ͙͢ຒ·Δ ͷͰ஫ҙʂʂ • ηογϣϯΑΓ΋ϒʔεΛ·ΘΖ͏

SUPINF Inc ࠷ߴͦͷɹ ະདྷͷ࿩͕Ͱ͖Δ / ະདྷ͕Έ͑Δ 16 2: AWS ύʔτφʔاۀ͸͋ΔҙຯɺAWS ΑΓଟগઌߦ͍ͯ͠Δ͔΋ʁʁ

SUPINF Inc 17 ʮ͔ͨ͠ʹ͜Ε͸ۀ຿ָ͕ʹͳΔ ʯ ʮ͜ͷػೳɺAWS དྷ೥͖ͩͯͦ͠͏ʯ

SUPINF Inc 18 ͑ʁ೔ຊʹ୅ཧళͳ͍ͷʁ ࢖ͬͯΈ͍ͨΜ͚ͩͲʁ·ͣ͸͓ࢼ͠Ͱɻ ͍͍Αɺ͡Ό͋དྷि NDA ݁ͼͭͭ ΧϯϑΝϨϯείʔϧͰઆ໌ͤͯ͞ʂ ϒʔεͰͷΑ͋͘ΔྲྀΕ

SUPINF Inc 19 ͓΋͠Ζ͍ 2 ࣾΛ͝঺հ

SUPINF Inc 20

SUPINF Inc Aporeto 21 • Identity-based access control ε ‣ ΦϯϓϨ͔ΒΫϥ΢υͰͷαʔόʔϨε·ͰɻϋΠϒϦου΋ɻ ‣ ಛఆͷϥϕϧ͕͍ͭͨϦιʔεʹͷΈΞΫηεΛڐՄ ‣ γϛϡϨʔγϣϯ / ݕূ / ຊ൪ར༻ͷ҆৺εςοϓ • ωοτϫʔΫͷ؂ࢹͱڧ੍ ε ‣ ϗετʹΠϯετʔϧ͢Δ Enforcer ͕શ௨৴Λ೺Ѳɾ੍ޚ ‣ ՄࢹԽ΍τϨʔε͕ Web UI ͔Β͔ΜͨΜʹ

SUPINF Inc 22 Ϋϥ΢υ࣌୅ͷΨόφϯεɾɾʁ → ΄΅΄΅ AWS ͷ֓೦ͷԆ௕ ɹʢ͍͍ҙຯͰͶɻ૬ੑΑͦ͞͏ʣ

SUPINF Inc 23 AWS re:Inforce 2019: Governance for the Cloud Age (DEM12-R1) https://youtu.be/y3WmHnavuN8

SUPINF Inc དྷ೥ͷώϡʔετϯ Ͱ΋ָ͠ΉͨΊʹ

SUPINF Inc 25 ϫʔΫγϣοϓࢀՃ΍ AWS ͷதͷਓ΁ ࣭໰͍ͨ͠ɺ࿩Λཧղ͍ͨ͠

SUPINF Inc Tips ͦͷɹ ࣄલʹ४උ͢Δ 26 1: • AWS ͷւ֎ΧϯϑΝϨϯε҆͘͸ͳ͍໰୊ ‣ ೔ຊͰ΋Θ͔Δ͜ͱ͸ ௐ΂͍ͯ͘ ‣ Security Specialty ͱ SA Pro ΋ͬͯͯ΋Α͏΍͘ Hello Worldʁ • ϒʔεΛճΔ ‣ ࣗ෼ͷࣄۀͱࠔ͍ͬͯΔϙΠϯτΛ ӳޠͰ આ໌ͯ͠ΈΔ ‣ ࿩Λฉ͍ͯΈ͍ͨ SaaS ʹࣄલʹΞϙΛͱͬͯΈΔ

SUPINF Inc Tips ͦͷɹ ೔ຊʹ͍Δ͍͋ͩʹਓ຺Λ޿͛Δ 27 2: • ࠓ೔͸νϟϯεͰ͢ ‣ AWS Japan ͞Μ͔Βͷ৘ใൃ৴ΛੵۃతʹऔΓʹ ‣ ͢Ͱʹ࣮ફ͍ͯ͠Δਓ͔Β΍ΓํΛฉ͍ͯ͠·͏ • ݱ஍ ‣ Ϙον൧ͷϦεΫ ‣ ঺հͰΞϙ͕ೖΔͱ΍͸Γɺձ͍΍͍͢ʢ͋ͨΓ·͑ʣ

SUPINF Inc 28 ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ :) ࢀߟɿ • AWS re:Inforce 2019: Using AWS Control Tower to Govern Multi- Account AWS Environments (GRC313-R) https://www.youtube.com/ watch?v=2t-VkWt0rKk • ϏϧμʔʹඞཁͳηΩϡϦςΟ͸ʮ໳൪ʯͰ͸ͳ͘ʮΨʔυϨʔϧʯ - िץΞεΩʔ https://weekly.ascii.jp/elem/000/000/425/425592/ • Identity Round Robin Workshop Permissions Boundaries https:// identity-round-robin.awssecworkshops.com/permission-boundaries/ presentation.pdf • Aporeto https://www.aporeto.com • Turbot https://turbot.com

SUPINF

Our Works ϏδωεΤϦΞͷ͝঺հ ্ྲྀϑΣʔζ͔ΒɺԼྲྀϑΣʔζ ·Ͱ ͢΂ͯड͚Δࣄ͕ՄೳͰ͢ɻ SES ฐࣾͰߏஙޙ͸΋ͪΖΜɺطʹՔ ಇ͍ͯ͠ΔαʔϏεʹ͍ͭͯ΋ αϙʔτ͠·͢ɻ MSP ओʹӦۀಉߦͱͯ͠ͷɹ ٕज़తͳαϙʔτΛ͍ͯ͠·͢ɻ Sales Support ॳظߏஙͷࢼࢉ෦෼͚ͩͰ͸ͳ͘ αʔόʔҠߦɾϓϩάϥϜҠߦ΋ ରԠ͠·͢ɻ POC PMOʹ܎Δ෦෼͸΋ͪΖΜͷ͜ ͱɺࣾ಺εΩϧΛߴΊ͍ͨͱݴͬ ͨߨश΋ߦ͍ͬͯ·͢ɻ Consulting

(C) SUPINF Inc., All Rights Reserved. < CONFIDENTIAL > "84ϚωʔδυαʔϏεΛ౷߹͢Δ͜ͱͰ֦ுੑ ٴͼӡ༻ੑೳͷߴ͍γεςϜΛ࣮ݱ $PHOJUPɺ"1*(BUFXBZʹΑΔೝূج൫ 424ɺ-BNCEBɺ"84#BUDIΛ ૊Έ߹Θͤͨ൚༻δϣϒ؅ཧγεςϜ ΦϯϓϨϛεͱͷϋΠϒϦου؀ڥ ฐࣾ୲౰ΤϦΞ ⾣طଘۀ຿γεςϜͷ3&45"1*Խ ⾣ϓϥοτϑΥʔϜͷઃܭ ߏங Ϛϧνςφϯτ / SaaS ܕ - API ϓϥοτϑΥʔϜ

Kubernetes ʹΑΔϋΠϒϦουػցֶश؀ڥ (C) SUPINF Inc., All Rights Reserved. < CONFIDENTIAL > ΦϯϓϨϛε༏ઌɺࣾ಺γεςϜͱͷ౷߹ %PDLFSϨδετϦϑΝΠϧετϨʔδ͸ΦϯϓϨ ηΩϡϦςΟϨϕϧʹԠͨ͡ϑΝΠϧసૹ੍ޚ %(9LTࣾ಺ೝূγεςϜ౷߹ֶशج൫ "1*ͳͲΛ௨ͨ݁͡Ռ΍Ϧιʔεঢ়ଶͷՄࢹԽ εέʔϧઌͱͯ͠"84ͷ(16αʔόʔΛར༻ ,VCFSOFUFTͷϊʔυͱͯ͠%9ઌͷΫϥ΢υΛ ฐࣾ୲౰ΤϦΞ ⾣Πϯϑϥͷઃܭ ߏங corporate data center AWS cloud ֶशΫϥελ ֶशΫϥελ & ΦϯϓϨϛε؀ڥ ߴੑೳετϨʔδ

౦ژ౎ौ୩۠ौ୩2-11-5 03-6427-6517 https://www.facebook.com/supinf/ @supinf_pr CONTACT US And thank you for your time