AWS SECURITY DEATH \m/
 ʙηΩϡ伸༷͔Βͷ͓ࠂ͛ʙ 4FDVSJUZ+"84 େتଟར࠸ ٢ߐॠ ৿Ӭେࢤ

͸͡Ίʹ • ηΩϡ伸༷͔Β͓ࠂ͕͛͋ͬͨͷͰ͓͠Βͤ͠·͢ɻAWSʹ͓͚Δ ωοτϫʔΫͷجຊ͔ΒɺAWS WAF/AWS Shield/AWS Config౳ͷ ηΩϡϦςΟػೳʹ͍ͭͯ΍͞͠Ίʹ঺հ͠·͢ɻ • ͳ͓ɺηΩϡ伸༷ͱ͸ɺ

No content

͸͡Ίʹ • Ͱ͸ͳ͘ɺӡӦϝϯόʔେ஛ըഢʹΑͬͯ߱ྟ͠·ͨ͠

CZେ஛ըഢ

಺༰ • ͔͜͜Β͸ਅ໘໨ʹҎԼ͕୲౰͠·͢ɻ • AWSʹ͓͚ΔωοτϫʔΫͷجຊ → େتଟ • AWS WAF/AWS Shield → ٢ߐ • AWS Config → ৿Ӭ

Security-JAWS • 2016/04 ൃ଍ • ӡӦ͸10ਓ • ୈҰճ͸2016/05։࠵ • هࣄʹ΋͍͖ͯͨͩ͠·ͨ͠
 http://ascii.jp/elem/000/001/164/1164664/ • ܧଓͯ͠ɺ3ϲ݄ʹҰճͷϖʔεͰ։࠵த

Security-JAWS •͜Ε·ͰͷϝΠϯλΠ τϧ • AWSͰͷVPCɾIAMϑϧ׆༻ज़
 ʢϦΫϧʔτςΫϊϩδʔζ ٶ࡚͞Μʣ • ͱ͋Δ਍அһͱAWS ʢऱ࡚͞Μʣ • Managing Privacy and Security Risk 
 ʢFINOVATORS େٱอ͞Μʣ • Ubiquitous Encryption on AWS
 ʢAWS Eugene͞ΜˍPedro͞Μʣ • AWS Compliance Quick Startͷ͝঺հ
 ʢAWSJ দຊ͞Μʣ • CloudHSMͬͯ݁ہͳʹʁ~ϋʔυ΢ΣΞ͕ ඞཁͳΘ͚~ʢAWSJ ُా͞Μʣ • AWS IAMͱOpenAMΛ࿈ܞͯ͠ΞΧ΢ϯτ؅ ཧΛޮ཰Խͯ͠ΈͨɹʢΦʔδε૯ݚ ࢯೄ͞ Μʣ • Amazon InspectorΛิ׬͢Δ - VulsͱOWASP Dependency-CheckΛ૊Έ߹Θͤͯϓϩάϥ ϛϯάݴޠϥΠϒϥϦͷ੬ऑੑεΩϟϯ݁ՌΛ ೔ຊޠԽɺSlack௨஌Ͱ͖ΔΑ͏ʹͯ͠Έͨ
 ʢϑϡʔνϟʔΞʔΩςΫτ ਆށ͞Μʣ • Deep Dive on AWS ShieldʢAWSJ ۅࢁ͞ Μʣ • AWSʹ͓͚ΔWAFಋೖʹ͍ͭͯ 
 ʢNECιϦϡʔγϣϯΠϊϕʔλ ࢁਫ͞Μʣ • WordPress goes Serverless. - ShifterͰ࢝ΊΔ WordPressͷηΩϡΞͳӡ༻ - 
 ʢσδλϧΩϡʔϒ খլ͞Μʣ

Security-JAWS •͜Ε·ͰͷϝΠϯλΠ τϧ • AWSͰͷVPCɾIAMϑϧ׆༻ज़
 ʢϦΫϧʔτςΫϊϩδʔζ ٶ࡚͞Μʣ • ͱ͋Δ਍அһͱAWS ʢऱ࡚͞Μʣ • Managing Privacy and Security Risk 
 ʢFINOVATORS େٱอ͞Μʣ • Ubiquitous Encryption on AWS
 ʢAWS Eugene͞ΜˍPedro͞Μʣ • AWS Compliance Quick Startͷ͝঺հ
 ʢAWSJ দຊ͞Μʣ • CloudHSMͬͯ݁ہͳʹʁ~ϋʔυ΢ΣΞ͕ ඞཁͳΘ͚~ʢAWSJ ُా͞Μʣ • AWS IAMͱOpenAMΛ࿈ܞͯ͠ΞΧ΢ϯτ؅ ཧΛޮ཰Խͯ͠ΈͨɹʢΦʔδε૯ݚ ࢯೄ͞ Μʣ • Amazon InspectorΛิ׬͢Δ - VulsͱOWASP Dependency-CheckΛ૊Έ߹Θͤͯϓϩάϥ ϛϯάݴޠϥΠϒϥϦͷ੬ऑੑεΩϟϯ݁ՌΛ ೔ຊޠԽɺSlack௨஌Ͱ͖ΔΑ͏ʹͯ͠Έͨ
 ʢϑϡʔνϟʔΞʔΩςΫτ ਆށ͞Μʣ • Deep Dive on AWS ShieldʢAWSJ ۅࢁ͞ Μʣ • AWSʹ͓͚ΔWAFಋೖʹ͍ͭͯ 
 ʢNECιϦϡʔγϣϯΠϊϕʔλ ࢁਫ͞Μʣ • WordPress goes Serverless. - ShifterͰ࢝ΊΔ WordPressͷηΩϡΞͳӡ༻ - 
 ʢσδλϧΩϡʔϒ খլ͞Μʣ ͝ొஃ͍͖ͨͩ ͋Γ͕ͱ͏ ͍͟͝·ͨ͠ʂʂ ͝ొஃ͍͖ͨͩ ͋Γ͕ͱ͏ ͍͟͝·ͨ͠ʂʂ

AWS SECURITY DEATH ʘmʗ
 ʙηΩϡ伸༷͔Βͷ͓ࠂ͛ʙ Security-JAWS େتଟ ར࠸ AWSʹ͓͚ΔωοτϫʔΫͷجຊ

ࣗݾ঺հ • େتଟ ར࠸(https://ookita.biz/) • ࢓ࣄɿճઢαʔϏεɾVPNɾF/W͕ઐ໳ͷ
 ωοτϫʔΫΤϯδχΞ • ׆ಈίϛϡχςΟɿ • Security-JAWS ӡӦϝϯόʔ • JAWS-UG ԣ඿ࢧ෦ ӡӦϝϯόʔ • KUSANAGI-UG౦ژ ୅ද

ηΩϡϦςΟઐ໳ࢧ෦ͳͷʹ ԿͰωοτϫʔΫͷ࿩ͳͷʁ • Ϋϥ΢υ͸ωοτϫʔΫͷ޲͜͏ʹ͋Δ
 →ωοτϫʔΫ௒େࣄʂʂ • Ϋϥ΢υͱ͸͍͑ɺωοτϫʔΫͷجૅΛཧղ͍ͯ͠ͳ͍ͱ
 ηΩϡϦςΟΛߟྀͨ͠ద੾ͳγεςϜߏங͕Ͱ͖ͳ͍ͷ͸
 ΦϯϓϨϛεͱมΘΒͳ͍ • ҰํͰΫϥ΢υಠࣗͷ࡞๏΋͋Δ

ࠓճΈͳ͞Μʹ ͓͸ͳ͢͠Δ͜ͱ • AWSʹ͓͚ΔωοτϫʔΫઃܭͷجຊ
 (VPC/ηΩϡϦςΟάϧʔϓ౳) • AWS VPCͱͷηΩϡΞͳ઀ଓ
 (VPN/Direct Connect/֤ࣾαʔϏε౳)

Amazon VPC • ύϒϦοΫΫϥ΢υ্ʹ࿦ཧతʹಠཱͨࣗࣾ͠ઐ༻ͷΫϥ΢υ؀ڥΛ ࡞੒͢Δػೳ • ࠓ͸VPC͕ඪ४ʹ(ੲ͸ҧ͍·ͨ͠)
 ੲͷ໊࢒ɺClassic EC2 AWS cloud RDS DB 
 instance standby 
 (Multi-AZ) Web Server #1 RDS DB instance Web Server #2 Availability Zone #1 Availability Zone #2

Public subnet
 Private subnet • Public subnet
 Πϯλʔωοτʹ௚઀઀ଓՄೳͳαϒ ωοτ(ެ։αʔό͕ஔ͚ΔɺEIPͱͷ ඥ෇͚΋Ͱ͖Δ) • Private subnet
 Πϯλʔωοτ͔Β௚઀઀ଓ͞Εͨ͘ ͳ͍Πϯελϯεʹ࢖༻
 NATήʔτ΢ΣΠΛܦ༝ͯ͠಺ˠ֎ͷ
 Πϯλʔωοτ௨৴͸Մೳ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24

ηΩϡϦςΟάϧʔϓ
 ωοτϫʔΫACL • ηΩϡϦςΟάϧʔϓ
 Πϯελϯεʹରͯ͠ద༻
 εςʔτϑϧ • ωοτϫʔΫACL
 αϒωοτ୯ҐͰͷΞΫηε੍ޚ ʹ࢖༻
 εςʔτϨε AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24

εςʔτϑϧͱεςʔτϨε • ͱͯ΋ݹయతͳ࿩͚ͩͲɺͪΌΜͱઆ໌͠ͳ͍ͱ఻ΘΒͳ͍ Source…203.0.113.100:25284 Destination…198.51.100.100:80 ϙʔτ80൪/઀ଓݩAnyͱ ઃఆ͓͚ͯ͠͹ ໭Γͷ௨৴΋ΑΖͯ͘͘͠͠ΕΔ →εςʔτϑϧ ΫϥΠΞϯτˠαʔόͷϧʔϧͱ αʔόˠΫϥΠΞϯτͷ௨৴ϧʔϧΛ ྆ํ໌ࣔతʹॻ͍͓ͯ͘ඞཁ͕͋Δ →εςʔτϨε ํ޲ ϙʔτϓϩτί ϧ ΞυϨε Մ൱ 0VUˠ*O UDQ "MMPX *Oˠ0VU UDQ "MMPX ํ޲ ϙʔτϓϩτί ϧ ΞυϨε Մ൱ 0VUˠ*O UDQ "MMPX NAT഑ԼͷΫϥΠΞϯτͷ Source Port͸ϋΠϙʔτ (1024ʙ65535)͔Β ϥϯμϜʹઃఆ͞ΕΔ

VPN/Direct Connect • Webαʔό/DBαʔόͷϝϯςφϯε ͸ϓϥΠϕʔτωοτϫʔΫܦ༝Ͱߦ ͍͍ͨ • Πϯλʔωοτʹެ։͠ͳ͍ࣾ಺γε ςϜΛAWSʹஔ͘৔߹ɺࣄۀॴͱ AWSؒͷηΩϡΞͳ௨৴ܦ࿏Λ֬อ͠ ͍ͨ(৔߹ʹΑͬͯ͸඼࣭ΛߴΊ͍ͨ) • طଘͷࣾ಺γεςϜ͕σʔληϯλʔ ʹ͋ΓɺAWSΛطଘγεςϜͷ֦ுϦ ιʔεͱͯ͠࢖༻͢ΔΑ͏ͳ৔߹ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24

VPN/Direct Connect • VPCͷ֤αϒωοτͱ
 Ծ૝ϓϥΠϕʔτήʔτ΢ΣΠΛ
 ઀ଓ • Ϣʔβʔ͸VPNͷઃఆΛߦ͏͔
 Direct Connectͷख഑Λ͢Δ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24 virtual private gateway

VPN • VPNͷ৔߹ɺAWSଆʹ͸
 2ͭͷVPNΤϯυϙΠϯτ͕
 ༻ҙ͞ΕΔ • Ϣʔβʔ͸ɺͦΕͧΕͷ
 VPNΤϯυϙΠϯτͱ
 VPN઀ଓΛߦ͏
 
 
 • ͭ·Γɺ2ͭͷτϯωϧ͕
 ඪ४Ͱඞཁʂ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24 virtual private gateway Customer Gateway

VPN • VPN઀ଓ࣌ͷϧʔςΟϯά
 ʢ1ʣ໌ࣔతʹࢦఆ͢ΔελςΟοΫϧʔ ςΟϯά
 ʢ2ʣBGPʹΑΔμΠφϛοΫϧʔςΟϯά
 ͷͲͪΒ͔Λબ୒ • VPN઀ଓͷରԠػث৘ใ
 FAQʹࡌ͍ͬͯ·͢
 https://aws.amazon.com/jp/vpc/faqs/ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24 virtual private gateway Customer Gateway

Direct Connect • ͓٬༷ڌ఺ͱAWSؒΛઐ༻ઢ઀ଓ • ͓٬༷୐಺ʙ઀ଓϙΠϯτ(Equinix TY2)
 →Ұൠతʹ͸௨৴ΩϟϦΞʹख഑͢Δ • ઀ଓϙΠϯτʙAWS
 →AWS͕ఏڙ

Direct Connect • ෺ཧ઀ଓͱ࿦ཧ઀ଓʹ෼͔ΕΔ • ௨৴ΩϟϦΞʹΑΓαʔϏεܗଶ͸
 ҟͳΔ͕ɺ͓͓·͔ʹ͸ઐ༻ܕͱڞ༻ܕ
 ͕͋Δ

௨৴ࣄۀऀผ
 ιϦϡʔγϣϯϥΠϯφοϓ • TOKAIίϛϡχέʔγϣϯζ
 ͔ͳΓॆ࣮ͨ͠ϥΠϯφοϓ
 ઐ༻ܕɾڞ༻ܕɾϚωʔδυVPNͳͲ
 http://www.broadline.ne.jp/aws/ • Colt(چKVH)
 ଳҬʹΑͬͯVLAN෼͚͕Ͱ͖Δ͔Ͱ͖ͳ͍͔͕ܾ·Δ
 http://asia.colt.net/ja/services/network/ethernet-services/colt- cloud-connectivity-services/#etherxen-aws

௨৴ࣄۀऀผ
 ιϦϡʔγϣϯϥΠϯφοϓ • TOKAIίϛϡχέʔγϣϯζ

௨৴ࣄۀऀผ
 ιϦϡʔγϣϯϥΠϯφοϓ • Colt(چKVH)

௨৴ࣄۀऀผ
 ιϦϡʔγϣϯϥΠϯφοϓ • NTTίϛϡχέʔγϣϯζɾKDDIɾιϑτόϯΫ
 ࣗࣾͷڌ఺ؒωοτϫʔΫαʔϏεͷΦϓγϣϯͱͯ͠ఏڙ
 ڞ༻ܕͰ͋Δ͜ͱ͕ଟͦ͏ͳײ͡ • USENɾNUROɾέΠΦϓςΟίϜ౳
 ࣗࣾͰDirect ConnectͷઃඋΛอ༗͓ͯ͠Βͣ
 αʔϏεϥΠϯφοϓʹ΋༻ҙ͞Ε͍ͯͳ͍௨৴ࣄۀऀͷ৔߹
 ϚωʔδυVPNαʔϏεͷΦϓγϣϯͱͯ͠ఏڙ͞Ε͍ͯΔ͜ͱ͕ଟ ͍

͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠

ࣗݾ঺հ • ٢ߐ ॠ(@Typhon666_death) • ࢓ࣄɿ๭ηΩϡϦςΟઐ໳ձࣾʹͯɺ
 ηΩϡϦςΟΤϯδχΞ/ίϯαϧλϯτ/ΞφϦετ • ׆ಈίϛϡχςΟɿ • Security-JAWS ӡӦϝϯόʔ • JAWS-UG ϥ΢υϩοΫࢧ෦(ඇެࣜ) ӡӦϝϯόʔ • OWASP Japan Promotion Teamϝϯόʔ • AISECjp ӡӦϝϯόʔ • શ೴ΞʔΩςΫνϟएखͷձ ӡӦϝϯόʔ • 2016೥8݄ JAWS-UGϝϯόʔͰॻ͍ͨຊͰ ͸ɺҎԼΛ୲౰ • Glacier • VPCϐΞϦϯάΛ࢖ͬͨݡ͍WAFͷར ༻ํ๏ͱϩά෼ੳΛ୲౰(PDFͷΈ)

DDoS • DDoSಈըʢը૾͸ from China to USAʣ
 https://www.youtube.com/watch?v=1wq6LIjPHkk • DDoS (Distributed Denial of Service)ɿෳ਺ͷNWʹ෼ࢄ͢Δେྔͷίϯϐϡʔλ͕Ұ੪ʹಛఆͷ NW΍ίϯϐϡʔλ΁઀ଓཁٻΛૹग़͠ɺ
 ௨৴༰ྔΛ͋;Εͤͯ͞ػೳΛఀࢭͤͯ͞͠·͏߈ܸ

DDoS • DDoSͷछྨɿ • L3/L4ʢInfrastrutureʣ • L7ʢApplicationʣ • DDoSͷΑ͏ͳେྔͷτϥϑΟοΫʹର͢Δखஈɿ • DDoSରࡦʢैདྷͷରࡦํ๏ͩͱɺ͓ۚΛֻ͚ࣺͯ͗͢ΔՄೳੑ΋͋Δʣ • DDoSΛ͋͑ͯड͚Δʢམͪͯ΋͍͍αΠτͰ͋Ε͹ɺ์ஔ͢Δͷ΋Ұͭʣ

The Forrester Wave™: 
 DDoS Services Providers, Q3 2015 • https://www.forrester.com/report/The+Forrester+Wave+DDoS+Services+Providers+Q3+2015/-/E-RES119802

AWS Shield • AWS Shieldɿ2016/12 re:InventʹͯϦϦʔε • ར༻ํ๏ɿCloudFrontʹͯShield ΦϓγϣϯΛ༗ޮԽ • ߏ੒ɿShieldͷޙΖ͸AWSͰ΋ɺΦϯϓϨͰ΋ରࡦՄೳ • ๷ޚର৅ɿCloudFrontɺELBɺALBɺRoute53 • ؂ࢹɿৗʹϞχλϦϯάͯ͠ϕʔεϥΠϯͷ࡞੒ɺҟৗݕग़ AWS Shield

AWS Shield • ར༻ྉۚɿ • BasicɿແྉͰར༻Մೳ • Advancedɿ1೥ؒͷར༻ίϛοτɺֹ݄$3,000ʴDataTransferFeeɺDRT෇ • අ༻੥ٻɿDDoSΛड͚ͯ΋֘౰௨৴จͷࢧ෷͍͸ෆཁʢBilling Protectionʣ • DRT(DDoS Response Team)ɿWAFͷνϡʔχϯά΍WAFͷϧʔϧ࡞੒(ࣄલঝೝ༗Γ)΋΍Δ • ؙ౤͛͸ବ໨Ͱ͢ɻ • CloudFront͑͞ೖ͍ͬͯΔͳΒɺಋೖ͓͔ͯ͠ͳ͍ख͸ͳ͍ʂ AWS Shield

WAF • WAFɿϨΨγʔͳFW΍IDS/IPSͰ͸๷͙͜ͱ͕Ͱ͖ͳ͍ෆਖ਼ͳ߈ܸ͔Β WebΞϓϦέʔγϣϯΛ๷ޚ͢ΔFW • ಋೖཧ༝ɿWebΞϓϦέʔγϣϯͷ੬ऑੑΛಥ͘߈ܸ΍σʔλ࿙Ӯʹͭ ͳ͕Δ߈ܸΛ๷͙͔ΒɻPCI-DSS 6.6ʹ΋WAFಋೖʹ͍ͭͯ໌ه͞Ε͍ͯΔ
 
 
 1$*%44४ڌΛୡ੒͢ΔͨΊͷ༏ઌతͳΞϓϩʔν
 IUUQTXXXQDJTFDVSJUZTUBOEBSETPSHEPDVNFOUT1SJPSJUJ[FE"QQSPBDIGPS1$*@%44W@KBKQQEG

Apache Struts2 ͷ੬ऑੑ
 (CVE-2017-5638)(S2-045) ౎੫ࢧ෷͍αΠτ͔ΒΧʔυ৘ใສ݅௒͕ྲྀग़͔
 IUUQXXXJUNFEJBDPKQCVTJOFTTBSUJDMFTOFXTIUNM
 
 "QBDIF4USVUTͷ੬ऑੑରࡦʹ͍ͭͯ $7& 4 
 IUUQTXXXJQBHPKQTFDVSJUZDJBESWVMTUSVUTIUNM

Apache Struts2 ͷ੬ऑੑ
 (CVE-2017-5638)(S2-045) 
 ෆਖ਼ΞΫηεʹؔ͢Δ͝ใࠂͱ৘ใྲྀग़ͷ͓࿳ͼ
 IUUQTDPSQHNPQHDPNOFXT@FNIUNM @HB • IPAͷ৘ใެ։Λ΋ͬͯɺਝ଎ʹWAFʹͯःஅΛߦ͍ෆਖ਼ΞΫηεௐࠪΛߦͬͨɻ • ࿙Ӯͨ͜͠ͱ͸·͍ͣ࿩Ͱ͸͋Δ͕ɺਝ଎ͳରԠͷ಺༰ͱͯ͠͸ɺධՁ͞ΕΔ΂͖

AWS WAF • AWS WAFɿ2015/12 ʹ৽͘͠ϦϦʔε͞Εͨػೳ • AWS WAFͰͰ͖Δ͜ͱɿΧελϜϧʔϧʢIPΞυϨε੍ݶ/จࣈྻ੍ݶʣɺ
 SQLI/XSSͱ͍ͬͨجຊతͳWebΞϓϦέʔγϣϯ޲͚ରࡦ͕ՄೳͳWAF • ߏ੒ɿCloudFrontɺELBɺALBʹ࢓ࠐΊΔϚωʔδυWAF • ಋೖɿ؆୯(WAFػೳΛΞλον͢Δ) • ӡ༻ɿෳࡶͳϧʔϧͷӡ༻Λ͠ͳͯ͘΋͍͍
 ʢ㱻ٯʹݴ͍׵͑Ε͹෺଍Γͳ͗͢͞Δɻࡉ͔ʹઃఆ͠ɺνϡʔχϯάΛ͢ΔͱͳΔͱDRTʹґཔ͕ඞਢͱͳ Δʣ • ࢒೦ɿWAFͦͷ΋ͷͷ͖Ίࡉ͔͍ઃఆ͕Ͱ͖ͳ͍ɻϧʔϧΛਖ਼نදݱͰ͔͚ͳ͍ɻ AWS WAF

ߏ੒ൺֱɿAWS WAF vs WAF on AWS 
 vs SaaS WAF vs Cloud WAF ˞ݸਓͷओ؍΋
 ೖͬͯ·͢ ᶃ"84 8"' ᶄ8"'PO "84 ᶅ4BB4 8"' ᶆ$MPVE 8"' උߟ %%P4ಋೖ $'༗ ˕ ˕ ˕ ˕ ᶃᶄᶅᶆ ΄΅ 4IJFMEҰ୒Ͱྑͦ͞͏ %%P4ಋೖ $'ແ ˚ ˚ ̋ʁ ᶄᶅ$'ಋೖʹ੾Γସ͑Δʹ͸গ͠େม
 ᶆ%%P4ରࡦ༗ͳΒಋೖ͸໰୊ͳ͠ 8"'ಋೖ ˕˚ ˚ ̋ ̋ ᶃ$'༗ͳΒ8"'ಋೖ͸؆୯
 ᶃ$'ແͳΒ$'ʹಋೖͷίετ͕͔͔Δ ᶄ8"'ઐ༻71$Λ༻ҙ͢Δ౳ͷҠߦݕ౼
 ᶅᶆਖ਼ৗ֬ೝͷ্ɺ%/4੾Γସ͑ 8"'ӡ༻ ̋ ˚ ˕ ˕ ᶅᶆ೚ͤΒΕΔͱ͍͏ҙຯͰ˕ ίετ໘ ˕ ˚ ̋ ̋ ᶄϥΠηϯε͸΍͸Γߴ͍

ߏ੒ൺֱɿAWS WAF vs WAF on AWS 
 vs SaaS WAF vs Cloud WAF ᶃ"84 8"' ᶄ8"'PO "84 ᶅ4BB4 8"' ᶆ$MPVE 8"' උߟ ύϑΥʔϚϯε໘ ˕ ˕ ̋ ̋ ᶄ8"'͕εέʔϧ͢ΔͳΒ໰୊ͳ͠
 ᶅᶆখن໛τϥϑΟοΫʹ޲͍ͯΔײ͡ ηΩϡϦςΟ໘ ˚ ̋ʙ˕ ̋ʙ˕ ̋ʙ˕ ᶃ෺଍Γͳ͍
 ᶄᶅᶆ8"'ͷධՁʹґଘ ࣍ท ૯߹݁Ռ ʁ ʁ ʁ ʁ ࣗࣾͰ΍ΔʁଞࣾͰ΍Δʁ ࣗ͝਎Ͱߟ͑ͯΈ͍ͯͩ͘͞

Amazon Web Services – 
 DDoSʹର͢ΔAWSͷϕετϓϥΫςΟε • গ͠ࢿྉ͸ݹ͍͕೔ຊޠ༁ͷDDoSϗ ϫΠτϖʔύʔ΋͋Δɻ
 ˞WAFαϯυΠονʴWAFΦʔτε έʔϧʢEDoSରࡦʹ͸ͳ͍ͬͯͳ ͍ʣ • Super Defense in Depthͳߏ੒ɿ
 CF(withWAF/Shield)→ELB
 →IPS→ELB→WAF
 →ELB→EC2withίϯςϯπվ᜵ݕ஌ • https://d0.awsstatic.com/International/ja_JP/ Whitepapers/DDoS%20White%20Paper.pdf

(2016)Gartner: Magic Quadrant for 
 Web Application Firewalls • https://www.gartner.com/doc/reprints?id=1-3BZK2PZ&ct=160720&st=sb

DDoSରࡦɺWAFಋೖ
 ͦͷޙ͸ʁ • ༗ޮʹͨ͠Β͓ΘΓͰ͸ͳ͘ɺΠϯγσϯτϨεϙϯεͷϑϩʔΛݕ౼ɻ • Πϯγσϯτͱؾͮͨ͘Ίʹ͸ʁ • Ϧιʔε؂ࢹ౳Λߦ͏ɻ • ϩάऔಘ͸ඞਢ • Ͱ͖ΔͷͳΒɺϩάΛ༻͍ͨ૬ؔ෼ੳʢwith SIEMʣ • DDoSରॲͷઓज़ͱઓུ
 https://www.slideshare.net/nakatomoorg/ddos-69640523/1 • ্هࢿྉ͔ΒΠϯγσϯτϨεϙϯεͷͨΊͷ४උ΍͍·࢝ΊΒΕΔ͜ͱ͕·ͱ·ͬͯͯΘ͔Γ΍͍͢ɻ


DDoSରࡦɺWAFಋೖ
 ͦͷલʹʁ • ઃܭஈ֊ͰͷηΩϡϦςΟʹ͍ͭͯߟ͑Α͏ • ϦϦʔεલWebΞϓϦέʔγϣϯ਍அ͸΍ΊΑ͏ • ΩʔϫʔυɿSecurity by Design(SdP)ɺDevSecOps • ࠷ۙɺOWASP Japan ChapterϦʔμʔԬా͞Μͷهࣄ͕
 ಺༰ͱͯ͠ͱͯ΋·ͱ·͍ͬͯΔ΋ͷͰͨ͠ͷͰɺ
 ͥͻɺಡΜͰΈ͍ͯͩ͘͞ɻ ʮηΩϡΞ։ൃʯ͸ͳͥਁಁ͠ͳ͍ͷ͔ʁʕʕ%FW4FD0QTΛ๦͛Δlͭͷఢz 
 IUUQXXXBUNBSLJUDPKQBJUBSUJDMFTOFXT@IUNM


͓ΘΓʹ • ࠙਌ձʹ΋ࢀՃ͢Δ༧ఆͰ͢ɻ • ໊ࢗަ׵ɺEightަ׵ɺTwitterɺFacebookɺ
 LinkedinɺϝʔϧͰͷ໰߹ͤɺ໰୊͋Γ·ͤΜɻ • ૉఢͳηΩϡϦςΟϥΠϑΛɻ

࣍͸ AWS Config ʹ͍ͭͯ…

ࣗݾ঺հ • ৿Ӭ େࢤ (@morimoritaitai) • ձࣾɿΫϥεϝιουגࣜձࣾ AWSࣄۀ෦ • ৬छɿιϦϡʔγϣϯΞʔΩςΫτ • झຯ : ήʔϜ(શൠ) / ञ ʢমயϝΠϯʣ/ Χϝϥ • ڵຯ : Security / OpsࣗಈԽ • ޷͖ͳαʔϏεɿConfig /CloudTrail ͳͲ྘ܥ • AWSೝఆࢿ֨5ף

AWS Config

AWS Configͱ͸ • ߏ੒؅ཧɺมߋ؅ཧͷͨΊͷαʔϏε • ߏ੒৘ใͷεφοϓγϣοτͷऔಘ • ߏ੒৘ใɺมߋཤྺͷݕࡧɺӾཡ • ࡞੒ɺมߋɺ࡟আ͞Εͨࡍͷ௨஌ • AWSϦιʔεؒͷؔ܎ੑͷ֬ೝ

ݱࡏରԠ͍ͯ͠ΔAWSϦιʔε • 2017/3/11ݱࡏ Resource Type Resource Amazon Redshift Cluster Cluster parameter group Cluster security group Cluster snapshot Cluster subnet group Event subscription Amazon Relational Database Service (RDS) RDS DB instance RDS DB security group RDS DB snapshot RDS DB subnet group Event subscription Amazon Simple Storage Service (S3) Amazon S3 bucket Amazon Virtual Private Cloud (VPC) Customer gateway Internet gateway Network access control list (ACL) Route table Subnet Virtual private cloud (VPC) VPN connection VPN gateway Resource Type Resource AWS Certificate Manager certificate AWS CloudTrail Trail Amazon Elastic Block Store Amazon EBS volume Amazon Elastic Compute Cloud (EC2) EC2 Dedicated hosts EC2 Elastic IP EC2 instance EC2 network interface EC2 security group Amazon EC2 Systems Manager Managed instance inventory Elastic Load Balancing (ELB) Application load balancer AWS Identity and Access Management (IAM) IAM user IAM group IAM role IAM customer managed policy

ݱࡏରԠ͍ͯ͠ΔAWSϦιʔε • 2017/3/11ݱࡏ Resource Type Resource Amazon Redshift Cluster Cluster parameter group Cluster security group Cluster snapshot Cluster subnet group Event subscription Amazon Relational Database Service (RDS) RDS DB instance RDS DB security group RDS DB snapshot RDS DB subnet group Event subscription Amazon Simple Storage Service (S3) Amazon S3 bucket Amazon Virtual Private Cloud (VPC) Customer gateway Internet gateway Network access control list (ACL) Route table Subnet Virtual private cloud (VPC) VPN connection VPN gateway Resource Type Resource AWS Certificate Manager certificate AWS CloudTrail Trail Amazon Elastic Block Store Amazon EBS volume Amazon Elastic Compute Cloud (EC2) EC2 Dedicated hosts EC2 Elastic IP EC2 instance EC2 network interface EC2 security group Amazon EC2 Systems Manager Managed instance inventor Elastic Load Balancing (ELB) Application load balancer AWS Identity and Access Management (IAM) IAM user IAM group IAM role IAM customer managed policy Α͔ͭ͘͏αʔϏε͸΄΅ରԠࡁΈ Α͔ͭ͘͏αʔϏε͸΄΅ରԠࡁΈ

Ϣʔεέʔε

AWSϦιʔεͷߏ੒؅ཧ • ҰཡͰAWSϦιʔεΛ֬ೝग़དྷΔ • ࡟আ͞ΕͨϦιʔεʹ͍ͭͯ΋௥੻Մೳ

؂ࠪɺίϯϓϥΠΞϯε • ͍ͭɺͲͷΑ͏ʹมߋ͞Ε͔ͨΛه࿥͢ΔͷͰূ੻ͱͯ͠ར༻Մೳ • PCI DSSͷΑ͏ͳن֨ʹ४ڌ͢ΔͨΊʹ΋ඞཁ

τϥϒϧγϡʔςΟϯά • ઃఆϛε͸ΠϯγσϯτൃੜݪҼͷͻͱͭ • ؔ࿈͢ΔAWSϦιʔε΋ḷΕΔͷͰτϥϒϧγϡʔτ͠΍͍͢

ΰνϟΰνϟ͠΍͍͢AWSϦιʔεΛ ؆୯ʹʮݟ͑ΔԽʯग़དྷΔʂ

Ͱ΋Configͬͯઃఆ΍ઃఆมߋΛݟ͑ΔԽ ͢Δ͚ͩͩΑͶʁ

݁ہͦΕ͕ਖ਼͍͠ઃఆ͔ ਓ͕ؒ൑அ͠ͳ͍ͱ͍͚ͳ͍ΑͶʁ

҆͝৺Լ͍͞ɻ

ઃఆͷνΣοΫΛߦ͏αʔϏε ΋͋Γ·͢ʂ

AWS Config Rules

AWS Config Rulesͱ͸ • AWS ConfigͰه࿥ͨ͠ઃఆ͕ਖ਼͍͔͠Λ൑ఆ͢Δ ϧʔϧΛઃఆͰ͖Δ • ྫ͑͹ɺ • ηΩϡϦςΟάϧʔϓ͕ϑϧΦʔϓϯ • MFAઃఆ͍ͯ͠ͳ͍ • ACMͷূ໌ॻͷ༗ޮظݶ͕͋ͱগ͠

ϧʔϧͷछྨ • Ϛωʔδυϧʔϧ • AWS͕ఏڙ͍ͯ͠Δϧʔϧ • ͋Δ͋Δͳ΋ͷΛ༻ҙͯ͘͠Ε͍ͯ·͢ • ΧελϜϧʔϧ • ࣗ෼Ͱࣗ༝ʹ࡞ΕΔϧʔϧ • ൑ఆ͢Δػߏ͸LambdaͰ࡞੒ • LambdaͳͷͰ࡞Γ͜Ί͹૬౰͍Ζ͍Ζग़དྷΔ

ఏڙ͞Ε͍ͯΔϚωʔδυϧʔϧ • Compute • approved-amis-by-id • approved-amis-by-tag • desired-instance-tenancy • desired-instance-type • ebs-optimized-instance • ec2-instance-detailed-monitoring-enabled • ec2-instances-in-vpc • ec2-managedinstance-applications-blacklisted • ec2-managedinstance-applications-required • ec2-managedinstance-inventory-blacklisted • ec2-managedinstance-platform-check • ec2-volume-inuse-check • eip-attached • encrypted-volumes • restricted-common-ports • restricted-ssh • Management Tools • cloudtrail-enabled • required-tags • Database • db-instance-backup-enabled • dynamodb-throughput-limit-check • rds-multi-az-support • rds-storage-encrypted • redshift-cluster-configuration-check • redshift-cluster-maintenancesettings-check • Security, Identity & Compliance • acm-certificate-expiration-check • iam-password-policy • iam-user-group-membership-check • iam-user-no-policies-check • root-account-mfa-enabled • Storage • s3-bucket-logging-enabled • s3-bucket-ssl-requests-only • s3-bucket-versioning-enabled IUUQEPDTBXTBNB[PODPNKB@KQDPOpHMBUFTUEFWFMPQFSHVJEFNBOBHFESVMFTCZBXTDPOpHIUNM

ΧελϜϧʔϧ • LambdaͰ൑ఆ෦෼Λهड़͢Δ • ࣗ෼ͰίʔυΛॻ͘ඞཁ͕͋ΔͷͰগ͠ϋʔυϧ͕ߴ͍

AWS͕ΧελϜϧʔϧެ։ • 2017/3ݱࡏ34ͷϧʔϧ͕ެ։த • https://github.com/awslabs/aws-config-rules

AWS ConfigΛ༗ޮԽͯ͠ՄࢹԽ Config RulesͰઃఆ஋νΣοΫ ࣗಈͰηΩϡϦςΟ/ΨόφϯεΛ୲อ͠·͠ΐ͏ʂ

Configؔ࿈ϒϩάެ։ͯ͠·͢ɻ http://dev.classmethod.jp/referencecat/aws-config/

ࠂ஌ • Ҏ্ͰൃදΛ͓ΘΓ·͢ɻ • Πϕϯτࠂ஌͸Doorkeeper(https://s-jaws.doorkeeper.jp/) • Twitterɿ@security_jaws
 ϋογϡλά͸#secjaws