devio2022-sharr - Speaker Deck

devio2022-sharr

by Sugikane Shin

Slide 1

Slide 1 text

"84ࣄۀຊ෦ίϯαϧςΟϯά෦ɹਿۚɹ৾ ηΩϡϦςΟӡ༻ͷࣗಈԽʹʂ "844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯ

Slide 2

Slide 2 text

໨࣍ "844FDVSJUZ)VCͱ͸ "844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͷ঺հ ྑ͍ͱ͜Ζ ಋೖํ๏ म෮ΞΫγϣϯͷ࣮ߦ τϥϒϧγϡʔςΟϯά ΧελϚΠζํ๏

Slide 3

Slide 3 text

஫ҙࣄ߲ ࠓճઆ໌͢Δ಺༰͸ "844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͷ όʔδϣϯΛର৅

Slide 4

Slide 4 text

"844FDVSJUZ)VCͱ͸ ηΩϡϦςΟͷϕετϓϥΫςΟεͷνΣοΫΛߦ͍ɺ   ΞϥʔτΛू໿͠ɺࣗಈम෮ΛՄೳʹ͢Δ   Ϋϥ΢υηΩϡϦςΟମ੍؅ཧαʔϏε Ҿ༻ɿIUUQTBXTBNB[PODPNKQTFDVSJUZIVC

Slide 5

Slide 5 text

"844FDVSJUZ)VCͷը໘

Slide 6

Slide 6 text

"844FDVSJUZ)VCͷը໘

Slide 7

Slide 7 text

ར༻ՄೳͳηΩϡϦςΟج४ ɾ"84جૅηΩϡϦςΟͷϕετϓϥΫςΟεW ɾ$*4"84'PVOEBUJPOT#FODINBSLW ɾ1$*%44W

Slide 8

Slide 8 text

ίϯτϩʔϧͱ͸ ಛఆͷϦιʔεʹର͢ΔηΩϡϦςΟνΣοΫ߲໨ ͨͱ͑͹ʜ ɾ<&$>͢΂ͯͷ71$Ͱ71$ϑϩʔϩάه࿥Λ ༗ޮʹ͢Δඞཁ͕͋Γ·͢ ɾ<*".>ະ࢖༻ͷ*".Ϣʔβʔೝূ৘ใ͸ ࡟আ͢Δඞཁ͕͋Γ·͢ ɾ<3%4>3%4εφοϓγϣοτ͸ ϓϥΠϕʔτͰ͋Δඞཁ͕͋Γ·͢

Slide 9

Slide 9 text

ίϯτϩʔϧͷ਺ ηΩϡϦςΟج४͝ͱʹෳ਺ͷίϯτϩʔϧ͕ଘࡏ͢Δ

Slide 10

Slide 10 text

ࣗಈम෮Λ࣮૷͢Δʹ͸ "NB[PO&WFOU#SJEHFͱ૊Έ߹ΘͤΔ

Slide 11

Slide 11 text

ࣗಈम෮Λ࣮૷͢Δʹ͸ "NB[PO&WFOU#SJEHFͱ૊Έ߹ΘͤΔ ઃܭͲ͏͠Α͏ ؆୯ʹ࣮૷͍ͨ͠

Slide 12

Slide 12 text

"844FDVSJUZ)VC ࣗಈम෮ιϦϡʔγϣϯͷ঺հ

Slide 13

Slide 13 text

"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͱ͸ ͋Β͔͡Ίఆٛ͞Εͨ ରԠɾम෮ΞΫγϣϯΛ࣮ߦ͢ΔΞυΦϯ ˞ຊηογϣϯͰ͸WΛϕʔεʹઆ໌

Slide 14

Slide 14 text

ͲͷΑ͏ͳϦιʔε͕࡞ΒΕΔ͔ ෳ਺ͷ"84αʔϏεͱ૊Έ߹Θͤ Ҿ༻ɿIUUQTBXTBNB[PODPNTPMVUJPOTJNQMFNFOUBUJPOTBXTTFDVSJUZIVCBVUPNBUFESFTQPOTFBOESFNFEJBUJPO

Slide 15

Slide 15 text

ࣗಈम෮ιϦϡʔγϣϯͷྑ͍ͱ͜Ζ ɾ"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ ɾϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ ɾम෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ ɾࣗಈम෮͕Ͱ͖Δ

Slide 16

Slide 16 text

"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ ࣗಈम෮ιϦϡʔγϣϯΛಋೖ͍ͯ͠ͳ͍ঢ়ଶ

Slide 17

Slide 17 text

"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ ࣗಈम෮ιϦϡʔγϣϯಋೖޙ

Slide 18

Slide 18 text

ϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ ؅ཧΞΧ΢ϯτ͔ΒϝϯόʔΞΧ΢ϯτʹम෮ࢦྩ

Slide 19

Slide 19 text

म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ "844ZTUFNT.BOBHFSͷυΩϡϝϯτ͔Β֬ೝՄೳ

Slide 20

Slide 20 text

म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ υΩϡϝϯτͷίϯςϯπʹॲཧ಺༰͕هࡌ

Slide 21

Slide 21 text

ࣗಈम෮͕Ͱ͖Δ &WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

Slide 22

Slide 22 text

"844FDVSJUZ)VC ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏

Slide 23

Slide 23 text

ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏ ͭͷ$MPVE'PSNBUJPOελοΫΛ࡞੒͢Δ͚ͩ ࢀߟϦϯΫʢγϯάϧΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment.html ɹɹɹɹɹʢϚϧνΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment-stackset.html

Slide 24

Slide 24 text

ࣗಈम෮ιϦϡʔγϣϯͷϚϧνΞΧ΢ϯτಋೖ $MPVE'PSNBUJPO4UBDL4FUTΛར༻͢Δ Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTEFQMPZNFOUTUBDLTFUIUNMTUFQTUBDLTFU

Slide 25

Slide 25 text

ࣗಈम෮ιϦϡʔγϣϯͷϚϧνϦʔδϣϯల։ $MPVE'PSNBUJPO4UBDL4FUTͷΦϓγϣϯͰઃఆ

Slide 26

Slide 26 text

աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏ όʔδϣϯʹΑͬͯҟͳΔ ɾόʔδϣϯະຬͷ৔߹ ɹιϦϡʔγϣϯͷΞϯΠϯετʔϧ ɹιϦϡʔγϣϯͷΠϯετʔϧ   ɹɹ˞όʔδϣϯҎ߱ͷ৔߹͸Πϯετʔϧ࣌ͷύϥϝʔλʔ ɹɹɹ6TFFYJTUJOH0SDIFTUSBUPS-PH(SPVQΛ:FTʹ͢Δ ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html ɹɹɹɹɹɹhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/uninstall-the-solution.html

Slide 27

Slide 27 text

աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏ ɾόʔδϣϯҎ߱ͷ৔߹ ɹˠಋೖ͍ͯ͠Δ$MPVE'PSNBUJPOελοΫΛߋ৽ ɹ؅ཧΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽ ɹϝϯόʔΞΧ΢ϯτ্ͷύʔϛογϣϯߋ৽ ɹϝϯόʔΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽ ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html

Slide 28

Slide 28 text

म෮ΞΫγϣϯͷ࣮ߦ

Slide 29

Slide 29 text

छྨͷम෮ΞΫγϣϯ खಈम෮ PS ࣗಈम෮

Slide 30

Slide 30 text

खಈम෮ म෮ର৅ΛબͼʮΞΫγϣϯʯˠʮ3FNFEJBUFXJUI4)"33ʯ

Slide 31

Slide 31 text

ࣗಈम෮ &WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

Slide 32

Slide 32 text

म෮ޙͷ4FDVSJUZ)VC΁ͷ݁Ռ൓ө ϫʔΫϑϩʔɿ3&40-7&%ʹมߋ͞ΕΔ ίϯϓϥΠΞϯεͷεςʔλεɿ͠͹Βͯ͘͠൓ө͞ΕΔ

Slide 33

Slide 33 text

म෮಺༰Λ஌Γ͍ͨ ɾϓϨΠϒοΫҰཡ https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on- aws/playbooks-1.html ɾ44.υΩϡϝϯτ͔Βम෮಺༰Λ֬ೝͰ͖Δ

Slide 34

Slide 34 text

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ 4)"33&OBCMF"VUP4DBMJOH(SPVQ&-#)FBMUI$IFDLͷྫ Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTQMBZCPPLTIUNM

Slide 35

Slide 35 text

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ ʮ"VUP4DBMJOHʯͰݕࡧͯ͠ΈΔ

Slide 36

Slide 36 text

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ υΩϡϝϯτͷઆ໌λϒ͔Βॲཧ֓ཁΛ֬ೝ

Slide 37

Slide 37 text

τϥϒϧγϡʔςΟϯά

Slide 38

Slide 38 text

ओͳϩά $MPVE8BUDIϩάάϧʔϓ͔Β֬ೝ ɹɾ404)"33 ɹɹˠ"844ZTUFNT.BOBHFSʹΑΔम෮݁Ռ   ɹɾ404)"330SDIFTUSBUPS ɹɹˠ"844UFQ'VODUJPOTͷ࣮ߦ݁Ռ

Slide 39

Slide 39 text

ଞʹ΋֬ೝͨ͠ํ͕ྑ͍ͱ͜Ζ ɾ4ZTUFNT.BOBHFS"VUPNBUJPOίϯιʔϧ ɾ4UFQ'VODUJPOTίϯιʔϧ ɾ-BNCEBͷίϯιʔϧ

Slide 40

Slide 40 text

τϥϒϧͱରॲྫ <τϥϒϧ> ࣗಈम෮ιϦϡʔγϣϯͷ$MPVE'PSNBUJPOελοΫ ࡞੒Ͱɺ$MPVE8BUDIϩάάϧʔϓ͕طʹଘࡏ͍ͯ͠Δ Τϥʔ <ରॲํ๏> $MPVE'PSNBUJPOελοΫ࡞੒࣌ͷύϥϝʔλͰ ϩάάϧʔϓͷ࠶ར༻ΛZFTʹ͢Δ

Slide 41

Slide 41 text

τϥϒϧͱରॲྫ <τϥϒϧ> म෮ΞΫγϣϯΛ࣮ߦ͕ͨ͠Կ΋ઃఆมߋ͞Εͳ͍ɻ <ରॲํ๏> ର৅ͷίϯτϩʔϧ͕म෮ର৅͔Λ֬ೝ͢Δɻम෮ର৅ ͷ৔߹͸ϩά΍ίϯιʔϧͰঢ়گΛ֬ೝ͢Δɻ   म෮ϓϨΠϒοΫҰཡ   https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on- aws/playbooks-1.html

Slide 42

Slide 42 text

௨஌ઃఆ "NB[PO4/4ʣ 4/4τϐοΫ໊ɿ404)"33@5PQJD ௨஌ϝοηʔδྫ ɹɾ3FNFEJBUJPO queued for control   in account ɹɾ3FNFEJBUJPO failed for control   in account ɹɾ remediation was successfully invoke via AWS Systems Manager   in account

Slide 43

Slide 43 text

௨஌಺༰ͷྫʢϝʔϧʣ { "severity": "INFO", "message": "22ca9bc8-0000-4c3e-8bf9-e6dba09a95ec: Remediation succeeded for AFSBP control EC2.2 in account 123456789012: See Automation Execution output for details (AwsEc2SecurityGroup sg-xxxxxxxx)”, " fi nding": { " fi nding_id": "19f9612c-0000-49ed-ab63-254e35a4b1aa", " fi nding_description": "This AWS control checks that the default security group of a VPC does not allow inbound or outbound traf fi c.", "standard_name": "aws-foundational-security-best-practices", "standard_version": "1.0.0", "standard_control": "EC2.2", "title": "EC2.2 The VPC default security group should not allow inbound and outbound traf fi c", "region": "ap-northeast-1", "account": “123456789012", " fi nding_arn": “arn:aws:securityhub:ap-northeast-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/ EC2.2/ fi nding/19f9612c-0000-49ed-ab63-254e35a4b1aa" } }

Slide 44

Slide 44 text

ΧελϚΠζํ๏

Slide 45

Slide 45 text

ΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ म෮ 3VOCPPL ௥Ճͷ࢖͍Ͳ͜Ζ ɾ৽͘͠௥Ճ͞Εͨίϯτϩʔϧ༻ ɾιϦϡʔγϣϯͰम෮ॲཧ͕ఏڙ͞Ε͍ͯͳ͍ ɹίϯτϩʔϧ༻

Slide 46

Slide 46 text

3VOCPPL௥Ճखॱ "844ZTUFNT.BOBHFS"VUPNBUJPO༻ͷ   3VOCPPLʢ%PDVNFOUʣ࡞੒ *".ϩʔϧͷ࡞੒

Slide 47

Slide 47 text

3VOCPPL࡞੒ํ๏ʢҰൠతͳํ๏ʣ "844ZTUFNT.BOBHFSͷυΩϡϝϯτ͔Β "VUPNBUJPO༻ͷυΩϡϝϯτΛ௥Ճ

Slide 48

Slide 48 text

3VOCPPL࡞੒ํ๏ʢΑΓָͳํ๏ʣ ͔Β࡞ΔΑΓυΩϡϝϯτͷΫϩʔϯ࡞੒ͷํ͕͓खܰ

Slide 49

Slide 49 text

3VOCPPL࡞੒ɿ໊લΛ͚ͭΔ υΩϡϝϯτ໊ͷ໋໊نଇ͋Γ 4)"33ηΩϡϦςΟج४@ηΩϡϦςΟج४ͷόʔδϣϯ@ίϯτϩʔϧ

Slide 50

Slide 50 text

3VOCPPL࡞੒ɿೖྗύϥϝʔλઃఆ ೖྗύϥϝʔλʹ'JOEJOHͱ"VUPNBUJPO"TTVNF3PMF ͕ඞཁ

Slide 51

Slide 51 text

3VOCPPL࡞੒ɿॲཧεςοϓهड़ εςοϓ໊ɿʻ೚ҙͷ໊લʼ ΞΫγϣϯλΠϓɿʻ೚ҙͷૢ࡞ʼ ɹˠࠓճ͸ྫͱͯ͠ ɹɹεςοϓ໊ɿ4FOE4/4 ɹɹΞΫγϣϯλΠϓɿ"84"1*ΞΫγϣϯΛݺͼग़࣮ͯ͠ߦ ࢀߟϦϯΫʢΞΫγϣϯλΠϓҰཡʣɿhttps://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/automation-actions.html

Slide 52

Slide 52 text

3VOCPPL࡞੒ɿݺͼग़͢"84"1*ͷઃఆ ࣮ߦ͍ͨ͠ॲཧΛهड़͢Δ ࢀߟϦϯΫʢ໊લۭؒͷҰཡʣɿhttps://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html

Slide 53

Slide 53 text

*".ϩʔϧ࡞੒ɿ*".ϩʔϧͷ࡞੒ طଘͷ*".ϩʔϧ 40Ͱ࢝·Δ΋ͷ Λࢀߟʹ࡞੒ *".ϩʔϧ໊ʹ໋໊نଇ͋Γ 403FNFEJBUFηΩϡϦςΟج४ηΩϡϦςΟج४ͷόʔδϣϯίϯτϩʔϧ ɹˠྫɿ403FNFEJBUF"'4#1&$

Slide 54

Slide 54 text

*".ϩʔϧ࡞੒ɿ*".ϩʔϧͷઃఆ <ࢀߟ>৴པϙϦγʔͷ"TTVNF3PMFͷڐՄʹ   ɹɹɹҎԼͷϩʔϧηογϣϯϓϦϯγύϧΛ௥Ճ BSOBXTTUT"DDPVOU*%BTTVNFESPMF404)"330SDIFTUSBUPS "ENJO404)"33FYFD"VUPNBUJPO { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam:::role/SO0111-SHARR-Orchestrator-Member", "arn:aws:sts:::assumed-role/SO0111-SHARR-Orchestrator-Admin/SO0111-SHARR-execAutomation" ] }, "Action": "sts:AssumeRole" }

Slide 55

Slide 55 text

࡞੒׬ྃɺࢼ͠ʹ࣮ߦ खಈम෮Λ࣮ߦ

Slide 56

Slide 56 text

Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4UFQ'VODUJPOT 4UFQ'VODUJPOTͷεςʔτϚγϯ ʮ404)"330SDIFTUSBUPSʯΛ֬ೝ

Slide 57

Slide 57 text

Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4ZTUFNT.BOBHFS 4ZTUFNT.BOBHFSͷࣗಈԽʢΦʔτϝʔγϣϯʣͷ ࣮ߦϩάΛ֬ೝ

Slide 58

Slide 58 text

ͲͷεςοϓͰࣦഊ͔ͨ͠ εςʔλε͕ࣦഊͱͳ͍ͬͯΔεςοϓ*%Λબ୒͢Δ

Slide 59

Slide 59 text

ର৅εςοϓͷΤϥʔ಺༰Λ֬ೝ ࣦഊͷৄࡉ͔ΒɺݪҼΛ֬ೝ͢Δ

Slide 60

Slide 60 text

·ͱΊ ɾ"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯ ɹɹྑ͍ͱ͜Ζɿͭͷྑ͍ͱ͜Ζ ɹɹಋೖํ๏ɿछྨͷ$MPVE'PSNBUJPOελοΫ࡞੒ ɹɹ࢖͍ํɿखಈम෮ͱࣗಈम෮ɺम෮಺༰ͷ֬ೝํ๏ ɹɹτϥϒϧγϡʔςΟϯάɿϩάͱίϯιʔϧͷ֬ೝ ɹɹΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ ɹ

Slide 61

Slide 61 text

No content