Slide 1

Slide 1 text

AWS SECURITY DEATH \m/
～ A message from the Security God (セキュ神様) ～
Security-JAWS: Ookita Toshiya (大喜多 利哉), Yoshie Shun (吉江 瞬), Morinaga Taishi (森永 大志)

Slide 2

Slide 2 text

Introduction
• We received a message from the Security God, so we are passing it on. This is a gentle introduction to AWS security features, starting from networking basics on AWS and moving on to AWS WAF, AWS Shield, AWS Config and the like.
• By the way, the Security God is...

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Introduction (continued)
• ...not a real deity: it descended upon us through organising member Otake-gahaku, our resident artist

Slide 5

Slide 5 text

Illustration by Otake-gahaku

Slide 6

Slide 6 text

Contents
• From here on, seriously, the following people take over:
  • Networking basics on AWS → Ookita
  • AWS WAF / AWS Shield → Yoshie
  • AWS Config → Morinaga

Slide 7

Slide 7 text

Security-JAWS
• Founded 2016/04
• 10 organising members
• First meetup held 2016/05
• We were covered in an article: http://ascii.jp/elem/000/001/164/1164664/
• Still going, with a meetup roughly every three months

Slide 8

Slide 8 text

Security-JAWS
• Main talk titles so far:
  • Making full use of VPC and IAM on AWS (Recruit Technologies, Miyazaki-san)
  • A certain assessor and AWS (Suzaki-san)
  • Managing Privacy and Security Risk (FINOVATORS, Okubo-san)
  • Ubiquitous Encryption on AWS (AWS, Eugene-san & Pedro-san)
  • Introducing the AWS Compliance Quick Start (AWSJ, Matsumoto-san)
  • What is CloudHSM, after all? Why hardware is needed (AWSJ, Kameda-san)
  • Linking AWS IAM with OpenAM to streamline account management (OGIS-RI)
  • Complementing Amazon Inspector: combining Vuls and OWASP Dependency-Check to localise programming-language library vulnerability scan results into Japanese and send Slack notifications (Future Architect, Kanbe-san)
  • Deep Dive on AWS Shield (AWSJ, Kiriyama-san)
  • On deploying a WAF on AWS (NEC Solution Innovators)
  • WordPress goes Serverless. - Secure WordPress operation starting with Shifter - (DigitalCube, Oga-san)

Slide 9

Slide 9 text

Security-JAWS
• Main talk titles so far (same list as the previous slide)
• Thank you to all of our speakers!!

Slide 10

Slide 10 text

AWS SECURITY DEATH ＼m／
～ A message from the Security God ～
Security-JAWS, Ookita Toshiya (大喜多 利哉): Networking basics on AWS

Slide 11

Slide 11 text

About me
• Ookita Toshiya (大喜多 利哉) (https://ookita.biz/)
• Work: network engineer specialising in carrier circuit services, VPN and firewalls
• Community activities:
  • Security-JAWS organising member
  • JAWS-UG Yokohama chapter organising member
  • KUSANAGI-UG Tokyo representative

Slide 12

Slide 12 text

Why talk about networking in a security-focused chapter?
• The cloud sits on the far side of the network → the network matters enormously!!
• Cloud or not, if you do not understand networking fundamentals you cannot build a properly secured system; that is no different from on-premises
• At the same time, the cloud has conventions of its own

Slide 13

Slide 13 text

What we will cover today
• Basics of network design on AWS (VPC, security groups, etc.)
• Secure connectivity to an AWS VPC (VPN, Direct Connect, carrier services, etc.)

Slide 14

Slide 14 text

Amazon VPC
• A feature that creates a logically isolated cloud environment of your own on top of the public cloud
• VPC is now the default (it was not always so); EC2-Classic is the remnant of the old days
[Figure: AWS cloud with Web Server #1 and an RDS DB instance in Availability Zone #1, and Web Server #2 with the RDS DB instance standby (Multi-AZ) in Availability Zone #2]

Slide 15

Slide 15 text

Public subnet / Private subnet
• Public subnet: a subnet that can connect directly to the Internet (public-facing servers go here; an EIP can be associated)
• Private subnet: used for instances that must not be reachable directly from the Internet; outbound (inside → outside) Internet traffic is still possible via a NAT gateway
[Figure: VPC with an Internet gateway and a NAT gateway; Public subnet #1 10.0.1.0/24 and Private subnet #1 10.0.2.0/24 in Availability Zone #1, Public subnet #2 10.0.3.0/24 and Private subnet #2 10.0.4.0/24 in Availability Zone #2]

Slide 16

Slide 16 text

Security groups / Network ACLs
• Security group: applied to the instance; stateful
• Network ACL: used for access control per subnet; stateless
[Figure: same VPC diagram as the previous slide]

Slide 17

Slide 17 text

Stateful vs stateless
• A very classic topic, but it does not get across unless explained properly
Source … 203.0.113.100:25284   Destination … 198.51.100.100:80
• If you configure "port 80 / source Any", the return traffic is taken care of for you → stateful
• The client → server rule and the server → client rule both have to be written explicitly → stateless
Stateless (network ACL):
  Direction | Port       | Protocol | Address | Action
  Out→In    | 80         | tcp      | Any     | Allow
  In→Out    | 1024–65535 | tcp      | Any     | Allow
Stateful (security group):
  Direction | Port       | Protocol | Address | Action
  Out→In    | 80         | tcp      | Any     | Allow
(The port and address cells did not survive extraction; the values above follow the slide's own text: port 80 / source Any, and the ephemeral range for the return traffic.)
• The source port of a client behind NAT is set randomly from the high-port range (1024–65535)
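The stateful/stateless distinction above, as an added example that is not part of the original deck: a small Python model of a security group (stateful, tracks admitted flows) and a network ACL (stateless, checks each direction on its own) run over the slide's HTTP exchange. The Packet/Rule types and the ordered first-match behaviour are the model's own simplification; compare() returns (request allowed?, reply allowed?) per filter.

```python
import ipaddress
from collections import namedtuple

# Constructed model: rules constrain the destination port and the peer address (source for "in", destination for "out").
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")
Rule = namedtuple("Rule", "direction proto port_from port_to cidr action",
                  defaults=("0.0.0.0/0", "allow"))

def matches(rule, pkt, direction):
    if rule.direction != direction or rule.proto != pkt.proto:
        return False
    peer = pkt.src_ip if direction == "in" else pkt.dst_ip
    return (rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr))

class SecurityGroup:
    """Stateful: a flow admitted by a rule is remembered, so its return traffic
    (the reversed 5-tuple) passes without any rule in the opposite direction."""
    def __init__(self, rules):
        self.rules, self.tracked = list(rules), set()
    def allows(self, pkt, direction):
        reverse = Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.tracked:
            return True
        if any(matches(r, pkt, direction) for r in self.rules):
            self.tracked.add(pkt)
            return True
        return False

class NetworkAcl:
    """Stateless: a packet is checked only against rules for its own direction;
    the first match decides and anything unmatched is denied."""
    def __init__(self, rules):
        self.rules = list(rules)
    def allows(self, pkt, direction):
        for r in self.rules:
            if matches(r, pkt, direction):
                return r.action == "allow"
        return False

def compare():
    # The slide's HTTP exchange: 203.0.113.100:25284 -> 198.51.100.100:80 and its reply
    request = Packet("203.0.113.100", 25284, "198.51.100.100", 80, "tcp")
    reply = Packet("198.51.100.100", 80, "203.0.113.100", 25284, "tcp")
    web_in = Rule("in", "tcp", 80, 80)               # "port 80, source Any" as on the slide
    ephemeral_out = Rule("out", "tcp", 1024, 65535)  # explicit rule for the return traffic
    filters = {"sg": SecurityGroup([web_in]),
               "nacl_one_way": NetworkAcl([web_in]),
               "nacl_both": NetworkAcl([web_in, ephemeral_out])}
    return {n: (f.allows(request, "in"), f.allows(reply, "out")) for n, f in filters.items()}
```

Only the network ACL that also carries the outbound ephemeral-port rule lets the reply through; the security group needs nothing beyond the inbound port-80 rule.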

Slide 18

Slide 18 text

VPN / Direct Connect
• You want to do maintenance of web and DB servers over a private network
• When placing internal systems that are not exposed to the Internet on AWS, you want to secure the communication path between your office and AWS (and in some cases raise its quality)
• When existing internal systems live in your data centre and AWS is used as an extension resource of those systems
[Figure: same VPC diagram as on the Public/Private subnet slide]

Slide 19

Slide 19 text

VPN / Direct Connect
• Connect each subnet of the VPC to a virtual private gateway
• The user either configures a VPN or arranges Direct Connect
[Figure: the VPC diagram with a virtual private gateway attached]

Slide 20

Slide 20 text

VPN
• With VPN, AWS provides two VPN endpoints on its side
• The user establishes a VPN connection with each of those endpoints
• In other words, two tunnels are required as standard!
[Figure: the VPC diagram with a virtual private gateway and a Customer Gateway]

Slide 21

Slide 21 text

VPN
• Routing over the VPN connection: choose either (1) static routing with explicitly specified routes or (2) dynamic routing with BGP
• Information on devices supported for VPN connections is in the FAQ: https://aws.amazon.com/jp/vpc/faqs/
[Figure: same diagram as the previous slide]

Slide 22

Slide 22 text

Direct Connect
• A dedicated-line connection between the customer site and AWS
• Customer premises to the connection point (Equinix TY2) → generally arranged with a telecom carrier
• Connection point to AWS → provided by AWS

Slide 23

Slide 23 text

Direct Connect
• Split into a physical connection and logical connections
• The service form differs by carrier, but broadly there are dedicated and shared types

Slide 24

Slide 24 text

Solution line-ups by carrier
• TOKAI Communications: a very full line-up (dedicated, shared, managed VPN, etc.) http://www.broadline.ne.jp/aws/
• Colt (formerly KVH): whether VLANs can be split depends on the bandwidth http://asia.colt.net/ja/services/network/ethernet-services/colt-cloud-connectivity-services/#etherxen-aws

Slide 25

Slide 25 text

Solution line-ups by carrier
• TOKAI Communications

Slide 26

Slide 26 text

Solution line-ups by carrier
• Colt (formerly KVH)

Slide 27

Slide 27 text

Solution line-ups by carrier
• NTT Communications, KDDI, SoftBank: offered as an option of their own inter-site network services; these seem mostly to be the shared type
• USEN, NURO, K-Opticom, etc.: carriers that do not own Direct Connect facilities and have nothing for it in their service line-up often offer it as an option of a managed VPN service instead

Slide 28

Slide 28 text

Thank you for listening

Slide 29

Slide 29 text

About me
• Yoshie Shun (吉江 瞬) (@Typhon666_death)
• Work: security engineer / consultant / analyst at a certain security-specialist company
• Community activities:
  • Security-JAWS organising member
  • JAWS-UG Loud Rock chapter (unofficial) organising member
  • OWASP Japan Promotion Team member
  • AISECjp organising member
  • Whole Brain Architecture young researchers' group organising member
• In the book written by JAWS-UG members in August 2016, I was in charge of:
  • Glacier
  • Smart use of a WAF with VPC peering, and log analysis (PDF edition only)

Slide 30

Slide 30 text

DDoS
• DDoS video (the image shows traffic from China to USA): https://www.youtube.com/watch?v=1wq6LIjPHkk
• DDoS (Distributed Denial of Service): an attack in which a large number of computers spread across many networks send connection requests to a particular network or computer all at once, flooding its capacity and stopping it from functioning

Slide 31

Slide 31 text

DDoS
• Types of DDoS:
  • L3/L4 (Infrastructure)
  • L7 (Application)
• Ways of dealing with DDoS-scale traffic:
  • DDoS mitigation (with conventional methods there is also a risk of throwing far too much money at it)
  • Deliberately absorb the DDoS (if the site can afford to go down, leaving it alone is one option)

Slide 32

Slide 32 text

The Forrester Wave™: DDoS Services Providers, Q3 2015
• https://www.forrester.com/report/The+Forrester+Wave+DDoS+Services+Providers+Q3+2015/-/E-RES119802

Slide 33

Slide 33 text

AWS Shield
• AWS Shield: released at re:Invent in 2016/12
• How to use: enable the Shield option on CloudFront
• Architecture: what sits behind Shield can be on AWS or on-premises, and is protected either way
• Protects: CloudFront, ELB, ALB, Route 53
• Monitoring: continuous monitoring to build a baseline and detect anomalies

Slide 34

Slide 34 text

AWS Shield
• Pricing:
  • Basic: free of charge
  • Advanced: one-year commitment, $3,000 per month plus data transfer fee, DRT included
• Billing: even if you are hit by DDoS you do not pay for the attack traffic (Billing Protection)
• DRT (DDoS Response Team): also does WAF tuning and WAF rule creation (with prior approval)
• Do not just dump everything on them.
• If you already have CloudFront in place, there is no reason not to turn it on!

Slide 35

Slide 35 text

WAF
• WAF: a firewall that protects web applications from malicious attacks that legacy firewalls and IDS/IPS cannot block
• Reason to adopt: it blocks attacks that exploit web application vulnerabilities or lead to data leakage; PCI DSS 6.6 also explicitly mentions WAF deployment
Reference: "Prioritized Approach for achieving PCI DSS compliance" (PCI Security Standards Council, Japanese edition; pcisecuritystandards.org)

Slide 36

Slide 36 text

Apache Struts2 vulnerability (CVE-2017-5638) (S2-045)
• "Card details for over [figure lost in extraction] records may have leaked from the Tokyo metropolitan tax payment site" (ITmedia)
• "On countermeasures for the Apache Struts vulnerability (CVE-2017-5638, S2-045)" (IPA)

Slide 37

Slide 37 text

Apache Struts2 vulnerability (CVE-2017-5638) (S2-045)
• "Report on unauthorised access and apology for the information leak" (GMO Payment Gateway)
• As soon as IPA published the information, they promptly blocked the attack with a WAF and investigated the unauthorised access.
• The leak itself is bad, but the speed of the response deserves credit

Slide 38

Slide 38 text

AWS WAF
• AWS WAF: a feature newly released in 2015/12
• What AWS WAF can do: custom rules (IP address restrictions / string matching) and basic web-application protections such as SQLi/XSS
• Architecture: a managed WAF that plugs into CloudFront, ELB and ALB
• Deployment: easy (attach the WAF feature)
• Operation: no need to operate complex rules (⇔ put the other way round, it is far too limited; once you need fine-grained settings and tuning you have to rely on the DRT)
• Disappointing: the WAF itself cannot be configured in fine detail, and rules cannot be written as regular expressions

Slide 39

Slide 39 text

Configuration comparison: AWS WAF vs WAF on AWS vs SaaS WAF vs Cloud WAF (※ includes personal opinion)
                                  | ① AWS WAF | ② WAF on AWS | ③ SaaS WAF | ④ Cloud WAF | Notes
DDoS protection, with CloudFront  | ◎         | ◎            | ◎          | ◎           | ①②③④ Shield alone looks like the obvious choice
DDoS protection, no CloudFront    | △         | △            | ◯?         |             | ②③ switching to a CloudFront deployment is some work; ④ no problem if DDoS protection is included
WAF deployment                    | ◎/△       | △            | ◯          | ◯           | ① easy with CloudFront, but without it you pay the cost of introducing CloudFront; ② migration work such as preparing a dedicated WAF VPC; ③④ verify normal operation, then switch DNS
WAF operation                     | ◯         | △            | ◎          | ◎           | ③④ ◎ in the sense that you can leave it to them
Cost                              | ◎         | △            | ◯          | ◯           | ② licences are expensive after all

Slide 40

Slide 40 text

Configuration comparison: AWS WAF vs WAF on AWS vs SaaS WAF vs Cloud WAF (continued)
                                  | ① AWS WAF | ② WAF on AWS | ③ SaaS WAF | ④ Cloud WAF | Notes
Performance                       | ◎         | ◎            | ◯          | ◯           | ② no problem if the WAF scales; ③④ seem suited to small-scale traffic
Security                          | △         | ◯～◎         | ◯～◎       | ◯～◎        | ① not enough; ②③④ depends on how the WAF itself is evaluated (see next page)
Overall                           | ?         | ?            | ?          | ?           | Do it yourself? Have someone else do it? Think it through for yourself

Slide 41

Slide 41 text

Amazon Web Services – AWS best practices against DDoS
• The material is a little old, but a Japanese translation of the DDoS white paper also exists.
  ※ WAF sandwich + WAF auto-scaling (this is not a countermeasure against EDoS)
• A "super defence in depth" configuration: CF (with WAF/Shield) → ELB → IPS → ELB → WAF → ELB → EC2 with content-tampering detection
• https://d0.awsstatic.com/International/ja_JP/Whitepapers/DDoS%20White%20Paper.pdf

Slide 42

Slide 42 text

(2016) Gartner: Magic Quadrant for Web Application Firewalls
• https://www.gartner.com/doc/reprints?id=1-3BZK2PZ&ct=160720&st=sb

Slide 43

Slide 43 text

DDoS mitigation and WAF deployment: what comes after?
• Enabling them is not the end; work out your incident-response flow.
• How do you notice an incident in the first place?
  • Monitor resources and the like.
  • Log collection is a must
  • If you can, do correlation analysis over the logs (with a SIEM)
• "Tactics and strategy for DDoS response": https://www.slideshare.net/nakatomoorg/ddos-69640523/1
• The above deck gives a clear summary of preparations for incident response and of what you can start doing right now.


Slide 44

Slide 44 text

DDoS mitigation and WAF deployment: what comes before?
• Think about security at the design stage
• Stop doing the web-application assessment only just before release
• Keywords: Security by Design (SdP), DevSecOps
• A recent article by OWASP Japan Chapter leader Okada-san sums this up very well, so do read it: "Why doesn't 'secure development' take hold? The enemies holding back DevSecOps" (@IT)


Slide 45

Slide 45 text

Closing
• I plan to join the social afterwards.
• Business cards, Eight, Twitter, Facebook, LinkedIn, e-mail enquiries: all fine.
• Have a wonderful security life.

Slide 46

Slide 46 text

Next: about AWS Config …

Slide 47

Slide 47 text

About me
• Morinaga Taishi (森永 大志) (@morimoritaitai)
• Company: Classmethod, Inc., AWS division
• Role: solutions architect
• Hobbies: games (all kinds) / drinking (mainly shochu) / cameras
• Interests: security / ops automation
• Favourite services: Config, CloudTrail and the other "green" ones
• Holder of 5 AWS certifications

Slide 48

Slide 48 text

AWS Config

Slide 49

Slide 49 text

What is AWS Config?
• A service for configuration management and change management
• Takes snapshots of configuration information
• Search and browse configuration information and change history
• Notifications when resources are created, changed or deleted
• Check the relationships between AWS resources

Slide 50

Slide 50 text

AWS resources currently supported
• As of 2017/3/11
Resource type                            | Resources
Amazon Redshift                          | Cluster, Cluster parameter group, Cluster security group, Cluster snapshot, Cluster subnet group, Event subscription
Amazon Relational Database Service (RDS) | RDS DB instance, RDS DB security group, RDS DB snapshot, RDS DB subnet group, Event subscription
Amazon Simple Storage Service (S3)       | Amazon S3 bucket
Amazon Virtual Private Cloud (VPC)       | Customer gateway, Internet gateway, Network access control list (ACL), Route table, Subnet, Virtual private cloud (VPC), VPN connection, VPN gateway
AWS Certificate Manager                  | Certificate
AWS CloudTrail                           | Trail
Amazon Elastic Block Store               | Amazon EBS volume
Amazon Elastic Compute Cloud (EC2)       | EC2 Dedicated hosts, EC2 Elastic IP, EC2 instance, EC2 network interface, EC2 security group
Amazon EC2 Systems Manager               | Managed instance inventory
Elastic Load Balancing (ELB)             | Application load balancer
AWS Identity and Access Management (IAM) | IAM user, IAM group, IAM role, IAM customer managed policy

Slide 51

Slide 51 text

AWS resources currently supported
• As of 2017/3/11 (same resource table as the previous slide)
• The commonly used services are almost all covered

Slide 52

Slide 52 text

Use cases

Slide 53

Slide 53 text

Configuration management of AWS resources
• See your AWS resources in a single list
• Deleted resources can be traced as well

Slide 54

Slide 54 text

Audit and compliance
• It records when and how things were changed, so it can be used as evidence
• Also needed to comply with standards such as PCI DSS

Slide 55

Slide 55 text

Troubleshooting
• Misconfiguration is one of the causes of incidents
• Related AWS resources can be followed too, which makes troubleshooting easier

Slide 56

Slide 56 text

AWS resources that easily get messy can be "visualised" simply!

Slide 57

Slide 57 text

But Config only visualises settings and setting changes, doesn't it?

Slide 58

Slide 58 text

In the end a human still has to judge whether a setting is correct, right?

Slide 59

Slide 59 text

Rest assured.

Slide 60

Slide 60 text

There is also a service that checks your settings!

Slide 61

Slide 61 text

AWS Config Rules

Slide 62

Slide 62 text

What is AWS Config Rules?
• You can define rules that judge whether the settings recorded by AWS Config are correct
• For example:
  • a security group that is wide open
  • MFA not configured
  • an ACM certificate about to expire

Slide 63

Slide 63 text

Types of rules
• Managed rules
  • Rules provided by AWS
  • The common cases are ready-made for you
• Custom rules
  • Rules you build freely yourself
  • The evaluation logic is written as a Lambda function
  • Since it is Lambda, you can do a great deal if you put the work in

Slide 64

Slide 64 text

Managed rules provided
• Compute: approved-amis-by-id, approved-amis-by-tag, desired-instance-tenancy, desired-instance-type, ebs-optimized-instance, ec2-instance-detailed-monitoring-enabled, ec2-instances-in-vpc, ec2-managedinstance-applications-blacklisted, ec2-managedinstance-applications-required, ec2-managedinstance-inventory-blacklisted, ec2-managedinstance-platform-check, ec2-volume-inuse-check, eip-attached, encrypted-volumes, restricted-common-ports, restricted-ssh
• Management Tools: cloudtrail-enabled, required-tags
• Database: db-instance-backup-enabled, dynamodb-throughput-limit-check, rds-multi-az-support, rds-storage-encrypted, redshift-cluster-configuration-check, redshift-cluster-maintenancesettings-check
• Security, Identity & Compliance: acm-certificate-expiration-check, iam-password-policy, iam-user-group-membership-check, iam-user-no-policies-check, root-account-mfa-enabled
• Storage: s3-bucket-logging-enabled, s3-bucket-ssl-requests-only, s3-bucket-versioning-enabled
http://docs.aws.amazon.com/ja_jp/config/latest/developerguide/managed-rules-by-aws-config.html

Slide 65

Slide 65 text

Custom rules
• Describe the evaluation part in Lambda
• You have to write the code yourself, so the bar is a little higher
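To make the custom-rule slides concrete, and the "security group that is wide open" example from the Config Rules slide along with them, an added example that is neither from the deck nor from the awslabs/aws-config-rules repository: a Python Lambda handler for an AWS Config custom rule that flags a security group whose inbound rules admit the whole internet on every port. The group id and configuration item are constructed; the handler reports back with boto3's put_evaluations call, while the evaluation function itself runs offline.

```python
import json

WORLD = ("0.0.0.0/0", "::/0")

def _cidrs(perm):
    # AWS Config records ranges either as plain strings or as {"cidrIp"/"cidrIpv6": ...} objects
    out = []
    for r in perm.get("ipRanges", []) + perm.get("ipv6Ranges", []):
        out.append(r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")))
    return out

def _all_ports(perm):
    if perm.get("ipProtocol") == "-1":        # "-1" means every protocol and every port
        return True
    return perm.get("fromPort") in (None, 0) and perm.get("toPort") in (None, 65535)

def evaluate_security_group(item):
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration item.
    'Wide open' here means an inbound rule that admits the whole internet on every port."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource was deleted"
    perms = item.get("configuration", {}).get("ipPermissions", [])
    bad = [p for p in perms if any(c in WORLD for c in _cidrs(p)) and _all_ports(p)]
    if bad:
        return "NON_COMPLIANT", f"{len(bad)} inbound rule(s) open to the world on all ports"
    return "COMPLIANT", "No fully open inbound rule"

def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports the verdict with put_evaluations."""
    import boto3  # imported lazily so the pure evaluation logic above runs without AWS
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": note,
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])

# Constructed configuration item (hypothetical group id, not from any real account)
SAMPLE_OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2017-03-11T00:00:00.000Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
```

A rule that opens only tcp/443 to 0.0.0.0/0 is reported COMPLIANT by this check; tighten _all_ports if your policy also forbids individual world-open ports.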

Slide 66

Slide 66 text

AWS has published custom rules
• As of 2017/3, 34 rules are published
• https://github.com/awslabs/aws-config-rules

Slide 67

Slide 67 text

Enable AWS Config for visibility, check configuration values with Config Rules, and let automation uphold security and governance!

Slide 68

Slide 68 text

We publish Config-related blog posts: http://dev.classmethod.jp/referencecat/aws-config/

Slide 69

Slide 69 text

Announcements
• That concludes the presentation.
• Event announcements are on Doorkeeper (https://s-jaws.doorkeeper.jp/)
• Twitter: @security_jaws; hashtag #secjaws