セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub

Slide 1

Slide 1 text

ηΩϡϦςΟ୲౰ऀ͔Βݟͨ re:Invent ͱ AWS Security Hub Hokuto Hoshi Head of Infrastructure, Cookpad Inc. [email protected]

Slide 2

Slide 2 text

੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ  ΠϯϑϥετϥΫνϟʔ෦ ෦௕  ݉ ίʔϙϨʔτΤϯδχΞϦϯά෦  ݉ ؂ࠪҕһձ ؂ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • AWS ར༻ྺ͸8೥͘Β͍

Slide 3

Slide 3 text

https://kanny.me/

Slide 4

Slide 4 text

ΠϯϑϥετϥΫνϟʔ෦ • શαʔϏε͕ར༻͢ΔΠϯϑϥ؀ڥͮ͘Γ • SRE (Site Reliability Engineering) άϧʔϓ • σʔλج൫άϧʔϓ • ηΩϡϦςΟάϧʔϓ

Slide 5

Slide 5 text

ηΩϡϦςΟάϧʔϓ • 3໊ • αʔϏε΍ࣾ಺γεςϜͳͲձࣾʹ͓͚Δ͋ΒΏΔ৘ใηΩϡϦ ςΟରࡦ΍ͦͷӡ༻ʹैࣄ • γεςϜͷઃܭ΍ߏஙɺ࣮ࡍͷӡ༻·Ͱߦ͏

Slide 6

Slide 6 text

Full-AWS since 2011 ~1,400 EC2 instances 200+ ECS Services Over 3 regions 15,000+ requests/sec

Slide 7

Slide 7 text

re:Invent ͱࣗ෼ • 2013೥͔Βຖ೥ࢀՃ • 2012೥͸·ֶͩੜόΠτͩͬͨ • 2017Ͱొஃ • ػցֶशϫʔΫϩʔυΛίϯςφͰ࣮ߦ͢Δ࿩ • ࠓ೥Ͱ6ճ໨ • ϥεϕΨε͸7ճ໨

Slide 8

Slide 8 text

ΫοΫύουͱ re:Invent • 2012೥͔Βຖ೥ෳ਺໊ࢀՃ • ΠϯϑϥܥͰ͸ͳ͘αʔϏε։ൃऀͷࢀՃऀΛ૿΍͍ͯ͠Δ • ࠓ೥͸ࢀՃऀͷ8ׂҎ্

Slide 9

Slide 9 text

ηΩϡϦςΟܥηογϣϯ, ϫʔΫγϣοϓ • ຖ೥͕ͩେྔ • ΑΓߴ౓ͳτϐοΫʹߦ͘΄Ͳ “ίʔυΛॻ͍ͯࣗ෼ͨͪͰ࡞͍ͬͯ͘” ΋ͷ͕ଟ͍ • AWS ηΩϡϦςΟαʔϏεͷ঺հ͚ͩͰͳ͘ AWS αʔϏεΛ࢖ͬͯΑΓྑ͍ηΩϡϦςΟγ εςϜΛͭ͘Δ • ࣗ෼ͷ෼໺Ҏ֎ͷϫʔΫγϣοϓͳͲʹग़͍ͯΔΤϯδχΞ΋ଟ͍ • ηΩϡϦςΟΤϯδχΞ͕ DynamoDB ઃܭͷϫʔΫγϣοϓʹग़͍ͯΔͳͲ • εϥΠυ΍ಈը͸ެ։͞Ε͍ͯ·͢

Slide 10

Slide 10 text

Security Jam • AWS ্ͰηΩϡϦςΟରࡦ΍ΠϯγσϯτϨεϙϯεΛମݧͯ͠ ͍͘Πϕϯτ • ָͦ͠͏ͳͷʹຖճ GameDay ͱඃͬͯ͠·͍  ࢀՃͰ͖͍ͯͳ͍… (ಉ྅ᐌָ͔ͬͨ͘͠ͱͷ͜ͱ) • ೔ຊͰ΍Δ͔ GameDay ͱ࣌ؒΛͣΒ͍ͯͩ͘͠͞!!!

Slide 11

Slide 11 text

Expo • ηΩϡϦςΟ੡඼ͷϓϩόΠμ͸೥ʑ૿Ճ͍ͯ͠Δ • ࠓ೥͸ίϯςφηΩϡϦςΟ͕ଟ͔ͬͨҹ৅ • SIEM, ΠϕϯτϚωδϝϯτͳͲ΋

Slide 12

Slide 12 text

ࠓ೥ͷൃද • ͍Ζ͍Ζ͋Γ·ͨ͠Ͷ • ML, IoT, Robot ͳͲ΋͋Γͭͭݎ࣮ͳྖҬʹ΋େྔϦϦʔε

Slide 13

Slide 13 text

ൃද (ηΩϡϦςΟ) https://aws.amazon.com/jp/new/reinvent/

Slide 14

Slide 14 text

ηΩϡϦςΟͷൃදগͳ͘ͳ͍ʁʁʁ • ௚઀ηΩϡϦςΟΛλʔήοτʹͨ͠΋ͷ͸͔֬ʹগͳ͍ • ͕ɺηΩϡϦςΟγεςϜͷߏஙͳͲʹ࢖͑Δ΋ͷ͸ͨ͘͞Μ • “ηΩϡϦςΟ” λά͕͍ͭͨαʔϏε͚͕ͩ  AWS ηΩϡϦςΟͰ͸ͳ͍

Slide 15

Slide 15 text

https://speakerdeck.com/mizutani/security-log-search

Slide 16

Slide 16 text

ηΩϡϦςΟγεςϜʹ࢖͑Δ or ࢖͑ͦ͏ͳ ϦϦʔεͱײ૝Λ঺հ (ݸਓͷݟղͰ͢)

Slide 17

Slide 17 text

CloudWatch Logs Insights • CW Logs ͷϩάʹର͠ߜΓࠐΈ΍ूܭɺ෼ੳ͕Մೳʹ • JSON ͳͲʹ΋ରԠͰ͖Δ • ৽όοΫΤϯυʹΑΔര଎ݕࡧ • େྔͷϩάσʔλʹରͯ͠΋਺ഒҎ্଎͍ (࣮ࡍʹ࢖ͬͯ·͢) • γεςϜϩά΍ΞΫηεϩάͳͲͷετϨʔδͱͯ͠༗ྗީิʹ • ͨͩ͠Ձ֨͸ཁ֬ೝ

Slide 18

Slide 18 text

S3 Object Lock • S3 Object ΛҰఆ or ແظݶͰ্ॻ͖/࡟আͰ͖ͳ͘ͳΔػೳ • ࠷ڧͷϞʔυͰ͸ root account Ͱ͢Β࡟আෆೳʹ • MFA Delete ʹ୅ΘΔબ୒ࢶʹͳΔ • ֤छॏཁϩάͷอ࣋ʹར༻Մೳ • ޡരʹ͸஫ҙ

Slide 19

Slide 19 text

S3 Glacier ͷػೳڧԽ • ໊শมߋͱಉ࣌ʹ৭ʑग़ͨ • S3 Glacier ετϨʔδΫϥε΁ͷ௚ૹ • ΫϩεϦʔδϣϯϨϓϦέʔγϣϯͷ Glacier ରԠ • ෮ݩ௨஌ɺ෮ݩ଎౓Ξοϓ • S3 Glacier Deep Archive • ͔͞Έ͕ͪͳηΩϡϦςΟؔ࿈ϩάͷ௕ظόοΫΞοϓʹ࢖͑Δ • ΫοΫύουͰ΋ Lifecycle Ͱ Glacier ૹΓʹ͍ͯ͠·͢

Slide 20

Slide 20 text

S3 Intelligent Tiering • S3 Standard ͱ Standard-IA (௿ස౓) ΛࣗಈͰߦ͖དྷͰ͖Δ • Athena ͳͲΛϩάݕࡧʹ࢖͍ͬͯΔέʔεͰ͸ศར • ϑϧεΩϟϯ͢Δͱҙຯ͕ͳ͘ͳΔͷͰϢʔεέʔε΍ઃܭ͕େࣄ

Slide 21

Slide 21 text

KMS Custom Key Store • KMS ͷΩʔετΞͱͯ͠ CloudHSM ͕࢖͑ΔΑ͏ʹ • ߟ͑ΒΕΔ༻్ • Ͳ͏ͯ͠΋ΩʔετΞΛ෼཭͢Δඞཁ͕͋Δ • KMS Λ௨ͯ͠Ͱͳ͘ CloudHSM ଆ͔Β௚઀伴ͷ؂ࠪΛ͍ͨ͠ • զʑʹ͸ར༻༻్͕ͳ͍Ͱ͢…

Slide 22

Slide 22 text

AWS Control Tower • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌͸লུ • େྔΞΧ΢ϯτΛ؅ཧ͢Δ؀ڥԼͰ͸͔ͳΓศརͦ͏ • ΧδϡΞϧʹ AWS ΞΧ΢ϯτΛ࡞Γ΍͘͢ͳΔ

Slide 23

Slide 23 text

AWS Security Hub • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌͸লུ • ΋͏গ͠۷ΓԼ͛ͯɺͲͷΑ͏ʹ׆༻͍͔ͨ͠Λ࿩͠·͢

Slide 24

Slide 24 text

ηΩϡϦςΟγεςϜͷجຊํ਑ • ༷ʑͳιϑτ΢ΣΞ΍αʔϏεΛηϯαʔͱͯ͠࢖͏ • ηϯαʔ͔Βͷϩά΍ΞϥʔτΛू໿ͯ͠؅ཧ͢Δ • ͦΕͧΕͷ؅ཧίϯιʔϧʹϩάΠϯͯ͠…ͱ͍͏ͷ͸  ࢖ΘΕͳ͍γεςϜΛੜΉ͚ͩͳͷͰ΍ΊΔ • ຊ౰ʹඞཁͳ൑அʹूதͰ͖Δ࢓૊ΈΛͭ͘Δ (ࣗಈԽ)

Slide 25

Slide 25 text

ΞʔΩςΫνϟ֓ཁ ύʔτ෼͚ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3 S3 Athena ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ஌ Ξϥʔτͷൃใ ϩάͷม׵ EC2 Elasticsearch Service ߴ଎ͰΠϯλϥΫςΟϒͳ ୹ظతϩάͷݕࡧ ௕ظؒʹΘͨΔ ϩάͷݕࡧ GHE PagerDuty Slack Ξϥʔτͷൃใɾ؅ཧ Ξϥʔτͷௐࠪ EC2 instances ͦͷଞϓϩμΫτ Kinesis Stream Kinesis Stream ϩάऩूύʔτ ϩάॲཧύʔτ Ξϥʔτॲཧύʔτ CloudWatch Logs/ Event, GuardDuty, CloudTrail

Slide 26

Slide 26 text

֓ཁ • ༷ʑͳϑΥʔϚοτͷϩά΍ΞϥʔτΛ S3 ʹऩू • AWS αʔϏεͱͯ͠͸ GuardDuty ͳͲΛར༻ • ऩूͨ͠ϩάɾΞϥʔτΛਖ਼نԽͯ͠ Graylog / S3 ʹ౤ೖ • Ωϟονͨ͠Ξϥʔτ͸ਖ਼نԽͯ͠ GitHub (Enterprise) ʹىථ • ՄೳͳݶΓͷॳظௐࠪΛࣗಈͰߦ͏ • PagerDuty, Slack ΁ͷൃใ΋ߦ͏

Slide 27

Slide 27 text

͞Βʹվળ͍ͨ͠ϙΠϯτ • Ξϥʔτͷਖ਼نԽ͕ͪΐͬͱେม (ࣗ෼ͨͪͰ࡞Δ) • ΞϥʔτࣗମͷूܭɺՄࢹԽ • ࣗಈԽΛߋʹਐΊΔ • ௐࠪɺରԠ • ௕ظతͳ෼ੳ

Slide 28

Slide 28 text

Ξϥʔτਖ਼نԽ • ରԠ͍ͯ͠ΔαʔϏεͰ͋Ε͹ਖ਼نԽෆཁ • ଞγεςϜʹΞϥʔτΛॻ͖ࠐΈ͍ͨ৔߹΋ Security Hub ΛڬΉ͜ͱͰ ॲཧΛڞ௨ԽͰ͖Δ • Ξϥʔτʹ͍ͭͯ͸ “ͱΓ͋͑ͣ Security Hub ʹಥͬࠐΉ” ͜ͱ͕  Ͱ͖ΔΑ͏ʹͳΔ • ࠓޙ৽نʹηΩϡϦςΟαʔϏε͕ग़͖ͯͯ΋ૉૣ͘౷߹Ͱ͖Δ

Slide 29

Slide 29 text

Amazon Security Finding Format • ηΩϡϦςΟΞϥʔτʹٻΊΒΕͦ͏ͳ߲໨͸Ұ௨ΓΧόʔ • EC2 Πϯελϯε ͳͲ AWS ݻ༗ͷϑΟʔϧυ΋༻ҙ • ࠓͷஈ֊Ͱ͸ AWS ಺ϦιʔεΛओʹ૝ఆ͍ͯ͠ΔΑ͏ʹݟ͑Δ • ΋͏ͪΐͬͱ৭ʑͳϦιʔεʹରͯ͠࢖͑Δͱ͏Ε͍͠… • ৄࡉ͸ Security Hub ͷυΩϡϝϯτΛࢀর

Slide 30

Slide 30 text

ूܭɺՄࢹԽ • Insights Ͱ͋Δఔ౓Մೳ • Findings ΛϑΟϧλͨ݁͠Ռ (Group by ͳͲ΋Մೳ) • άϥϑ΋ΧελϜͰ͖ͨΒخ͍͚͠Ͳɻɻ • ௕ظతʹոͦ͠͏ͳϦιʔεΛݟ͚ͭΔͷʹ΋༗ޮ

Slide 31

Slide 31 text

ࣗಈԽ • CW Events ʹΠϕϯτΛૹ৴Ͱ͖Δ • Finding, Insights, Standards • Lambda function ΍ Step Function ΛݺͿ͜ͱ͕Ͱ͖Δ • ϩάऩूͱඥ෇͚, Ϩϐϡςʔγϣϯௐࠪ, ݕମௐࠪ,   Πϯελϯε΁ͷίϚϯυൃߦͳͲͳΜͰ΋͋Γ

Slide 32

Slide 32 text

ͦͷଞͷྑ͍ػೳ • ϚϧνΞΧ΢ϯτରԠ • Control Tower Ͱ৽ن࡞੒࣌ʹશηΩϡϦςΟαʔϏε༗ޮԽ + Security Hub ΁ͷૹ৴͕Ͱ͖ΔΑ͏ʹͳΔͱ͏Ε͍͠ • ηΩϡϦςΟඪ४ͷνΣοΫ • ࣮ମ͸ Conﬁg Rules ͷू߹ମ (ݱࡏ͸ CIS AWS foundation benchmark ͷΈ) • ͜Ε΋ΧελϜ͕࡞ΕΔͱྑ͍

Slide 33

Slide 33 text

ͦͷଞ͜͏ͳͬͯ͘ΕΔͱخ͍͠ • Findings ͦͷ΋ͷͷΞοϓσʔτ (ଐੑͷ௥ՃͳͲ) • ࣗಈԽʹΑΔௐࠪ݁ՌͳͲΛ෇Ճ͓͖͍ͯͨ͠ (ݱঢ়ςΩετͷΈ) • Πϕϯτ؅ཧπʔϧͱͷ࿈ܞ • ͋Δ͍͸ Security Hub ࣗ਎͕؅ཧπʔϧʹͳΔ • ୲౰ऀɺௐࠪঢ়گɺݟղɺetc • AWS WAF ࿈ܞ • Ξϥʔτ͕͔ͳΓଟ͘ͳΔ͸ͣͳͷͰɺͦͷ··දࣔ͸ͯ͠΄͘͠ͳ͍͕…

Slide 34

Slide 34 text

·ͱΊ

Slide 35

Slide 35 text

ࠓճͷൃදʹ͍ͭͯ • ͙͢ʹ࢖͑Δ΋ͷ΋ଟ͘ྑ͔ͬͨͱࢥ͏ • ηΩϡϦςΟʹ௚઀ϑΥʔΧεͨ͠΋ͷ͸ଟ͘͸ͳ͍͕ɺ  ηΩϡϦςΟʹ׆͔͢͜ͱ͕Ͱ͖ΔαʔϏε΍ػೳ͕ग़͍ͯΔ • Control Tower, Security Hub ΋ੵۃతʹར༻͍ͨ͠

Slide 36

Slide 36 text

͜Ε͔Βͷ AWS ηΩϡϦςΟ • (طʹͦ͏ͳ͍ͬͯΔ͕) ಛఆͷαʔϏε΍ιϑτ΢ΣΞΛ  ࢖͏͚ͩͰͳ͘ɺ޿͍ࢹ఺ͰηΩϡϦςΟγεςϜΛઃܭ࣮ͯ͠૷͢Δ • AWS ͕ఏڙ͍ͯ͠ΔύʔπʹΑͬͯ࡞Γ΍͍͢؀ڥ͸͋Δ • ͦ͏͍ͬͨ΋ͷ͕ఏڙ͞Ε͍ͯΔͱࢥ͏͠ɺ͍ͯͬͯ͠΄͍͠

Slide 37

Slide 37 text

Slide 38

Slide 38 text

࣍ੈ୅ͷηΩϡϦςΟ؀ڥΛҰॹʹͭ͘Δ  ΤϯδχΞΛืू͍ͯ͠·͢ https://cookpad.jobs/

Slide 39

Slide 39 text

Fin.