Slide 1
Slide 1 text
@ken5scal, 2024/05/22
AWSͩ! Google Cloudͩ! Azureͩ!
ೝূ࿈ܞͩʂ
Slide 2
Slide 2 text
Πϯτϩ
Slide 3
Slide 3 text
- ϚϧνΫϥυͷར༻Λආ͚ΒΕͳ͘ͳΓɺٱ͍͠
- ϚϧνΫϥυԼͰͷϫʔΫϩʔυؒͷॲཧ̍ͭͰ͋Δ
- ͦͷॲཧͷલఏͱͯ͠ೝূ͕ॏཁͰ͋Δ
- ͦͷ͋ͱͷೝূख๏ͷબͱ࣮ͷแׅతͳϦεΫରԠʹ͍ͭͯɺ
ϊϋͷڞ༗
- ͦΕʹ͏ٞͷ׆ൃԽ٩(Ň•̀ω•́Ň)و
- ࣾͷڵຯΛ͋͛Δ
ࠓͷత
Slide 4
Slide 4 text
- ॴଐ
- ࡾҪ࢈σδλϧɾΞηοτϚωδϝϯτ
- ίʔϙϨʔτγεςϜ෦
- LayerX Fintechࣄۀ෦ʢˢʹग़ʣ
- ݸਓ׆ಈ
- िؒχϡʔεϨʔλʔɺPodCastɺಉਓࢽ
- དྷྺ
- SIer > ࢿ࢈ཧɾՈܭɾձܭSP > ূ݊ձࣾ > ݱ
৬
@ken5scal
χϡʔεϨλʔ: https://ken5scal.notion.site/54bda4932da14add9e9911ab3e9a6e5c
podcast: https://open.spotify.com/show/73sFeKzUIkSYfCZWVBNO70
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
k8sͷCNCFϓϩμΫτΛ͏نʹ
ͳΕ͍ͯͳ͍ͷͰɺجຊɺ
ϚωʔδυɾαʔϏεʹཔΔ
Slide 8
Slide 8 text
- ͕ࣗରԠͨ͜͠ͱ͋ΔϚϧνΫϥυϢʔεέʔε
- ূ݊αʔϏεࢿ࢈ӡ༻ͷ͓٬༷͚๏ఆாͷGDriveϑΝΠϧཧ
- ۚ༥αʔϏεʹ͓͚ΔϩάɾΠϕϯτͷू
- Entra ID (AzureAD)ͷIaCతཧ
- AWS্ͷσʔλΛBigQueryج൫సૹ
- ্هରԠதʹ;ͱࢥͬͨ͜ͱ͕͋Δ
ࠓͷഎܠ
Slide 9
Slide 9 text
AWS <-> AzureADؒͷworkload Identityೝূ
https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-
fl
ow.html
- ~2022/10
- Long Lived Secrets
Slide 10
Slide 10 text
AWS <-> AzureADؒͷworkload Identityೝূ
- ~2022/10
- Long Lived Secrets
Slide 11
Slide 11 text
AWS <-> AzureADؒͷworkload Identityೝূ
https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-
fl
ow.html
- 2022/10~
- Short Lived
Slide 12
Slide 12 text
AWS <-> AzureADؒͷworkload Identityೝূ
Slide 13
Slide 13 text
# header
{
"kid": "ap-northeast-15",
"typ": "JWS",
"alg": "RS512"
}
# Payload
{
"sub": “ap-northeast-1:{Cognito Pool IDͷIdentity ID}”,
"aud": “ap-northeast-1:{Cognito Pool Provider ID}“,
"amr": [
"authenticated",
“{Cognito Pool IDͷIdentity໊}”,
"{Cognito Pool IDͷIdentity໊}:ap-northeast-1:{Pol Provider ID}:${Developer ID}”
],
"iss": "https://cognito-identity.amazonaws.com",
"https://cognito-identity.amazonaws.com/identity-pool-arn": “arn:aws:cognito-identity:ap-
northeast-1:${AWS Account ID}:identitypool/ap-northeast-1:${Pool ID}”,
"exp": 1716244163,
"iat": 1716243263
}
13
Slide 14
Slide 14 text
AWS <-> AzureADؒͷworkload Identityೝূ
https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
Slide 15
Slide 15 text
```shell
$ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap-
northeast-1:${POOL ID} --logins “${USER NAME}=${Developer Identifiers}”
```
```Go
func getOpenIdToken(ctx context.Context, awsConfig aws.Config)
(*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) {
svc := cognitoidentity.NewFromConfig(awsConfig)
input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{
IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")),
Logins: map[string]string{
os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”),
},
}
return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input)
}
```
15
Slide 16
Slide 16 text
```shell
$ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap-
northeast-1:${POOL ID} --logins “${USER NAME}=${Developer Identifiers}”
```
```Go
func getOpenIdToken(ctx context.Context, awsConfig aws.Config)
(*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) {
svc := cognitoidentity.NewFromConfig(awsConfig)
input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{
IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")),
Logins: map[string]string{
os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”),
},
}
return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input)
}
```
16
cognito-
identity:GetOpenIdTokenForDeveloperIdentity
͑͋͞ΕɺಉҰAWS͔Βҙʹ࣮ߦՄೳɻ
ϦιʔεϙϦγʔ͔͚ΒΕͳ͍ɻ
Slide 17
Slide 17 text
- ͦ͜·Ͱߟྀ͢Δ͔ʁ
- ࠪϩάಡΈऔΓͳΒNo
- σΟϨΫτϦɾΦϒδΣΫ
τݖݶͷWriteɾҰ෦Read
Yes
ϫʔΫϩʔυͳΓ͢·͠ϦεΫ
Slide 18
Slide 18 text
AWS -> GCP -> GWS
Slide 19
Slide 19 text
AWS -> GCP -> GWS
Slide 20
Slide 20 text
- ͜͜Ͱɺshort-lived token͕҆શͰ͋Δ͜ͱΛલ
ఏͱͨ͠ϫʔΫϩʔυ࿈ܞΛ࣮͖͕ͯͨ͠ɺͦͷલ
ఏ͕ਖ਼͔Assured͔ͨͬͨ͠
- ຊʹshort-lived͚͕ͩ҆શੑͷཁ݅ͳͷ͔ʁ
- ΑΓแׅతʹݟΔ͖Ͱʁ
ࠓͷഎܠ
Slide 21
Slide 21 text
- ઃఆɾߏ࡞ۀؚΊɺೝূϓϩηεΛՄࢹԽ͢Δ
- ϢʔεέʔεͷཁٻϨϕϧΛܾΊΔ
- ཁٻϨϕϧͱ࣮ͷΪϟοϓʹ͍ͭͯɺڴҖϞσϧΛڵ͢
- ڴҖʹԠͨ͡ରԠɾରࡦΛܾΊΔ
TL;DR
Slide 22
Slide 22 text
- ΠϯτϩμΫγϣϯ
- ϚϧνΫϥυ࣌
- ೝূ
- ϦεΫධՁͱڴҖϞσϦϯά
- ·ͱΊ
ΞδΣϯμ
Slide 23
Slide 23 text
ϚϧνΫϥυ࣌
Slide 24
Slide 24 text
- ʮෳͷϫʔΫϩʔυʹରͯ͠ෳͷύϒϦοΫ Ϋϥυ ϕϯμʔ͕ఏڙ
͢ΔΫϥυ ίϯϐϡʔςΟϯά αʔϏεΛ༻͢Δ͜ͱΛࢦ͠·͢ʯ
- By https://cloud.google.com/learn/what-is-multicloud
- 2006:
- AWS(β), Google Apps for Your Domain(ݱGoogle Workspaces)ొ
- 2024:
- Azure, GC, AWS, Oracle, Cloud
fl
are….
ϚϧνΫϥυɹͱ
Slide 25
Slide 25 text
- શͯΛमΊɺӡ༻͢Δʹଟେͳίετ͕ඞཁ
- ౷੍ͷ؍Ͱɺ୯ҰͷϓϩόΠμʹد͍ͤͨͱ͜Ζ…
- ͔͠͠ɺϓϥοτϑΥʔϜͷൃలͱͱʹɺಛఆϢʔεέʔ
εʹಛఆϓϥοτϑΥʔϜΛબ͢Δʮݸผ࠷దԽʯগͳ
͘ͳ͍Α͏ʹݟ͑Δ
ΫϥυϓϥοτϑΥʔϜͷଟ༷Խ
Slide 26
Slide 26 text
- ϦεΫࢄ
- ಛఆͷػೳɾαʔϏεͰͷ༏Ґੑ
- શମͰͷޮੑɾ߹ੑ
- ࣄۀͷن
WhyϚϧνΫϥυ
Slide 27
Slide 27 text
- όοΫΞοϓػೳɾσʔλͷࢄ
- ϕϯμʔϩοΫΠϯͷϓϩόΠμʔϦεΫରԠ
WhyϚϧνΫϥυ - ϦεΫࢄ
Slide 28
Slide 28 text
- ͢ͰʹσϑΝΫτͳαʔϏε͕͋Δ߹
- ൺֱత৽͍ٕ͠ज़ίϯηϓτʹ͓͚Δαϙʔτͷ༗ແ
- Con
fi
dential ComputingɺLLM
- ৽͍͠ϢʔεέʔεΛ࣮͢Δࡍͷαϙʔτͷ༗ແ
- Google Workspacesͷࠪϩάʹ͓͚ΔBigQueryͰͷσʔλੳ
- App Runner͕ͳ͍ͱ͖ɾ͋Δ͍ग़ͨͱ͖ͷGC Cloud Run
WhyϚϧνΫϥυ-ಛఆͷػೳ - αʔϏεͰͷ༏Ґੑ
Slide 29
Slide 29 text
- ֤छαʔϏεͷϩάɾΠϕϯτͷอ
- σʔλੳ࣌ʹ͓͚ΔσʔλͷҰݩԽ
- ίϯτϩʔϧϓϨʔϯͷӡ༻
- ϓϥοτϑΥʔϜҠߦྃ·Ͱͷฒߦӡ༻
WhyϚϧνΫϥυ - ಛఆྖҬͰͷશମ࠷దԽ
Slide 30
Slide 30 text
- اۀͰෳࣄۀΛߦ͍ͬͯΔ߹ɺͦͷ୯Ґೳྗ
ʹ͋Θͤͨબ͕߹ཧతʹͳΔ͜ͱ͋Δ
- ങऩʹΑΓͦ͏ͳΔ͜ͱ͋Δ
WhyϚϧνΫϥυ - اۀɾࣄۀͷن
Slide 31
Slide 31 text
- ౷੍ɾηΩϡϦςΟͷࢄ
- ෳࡶੑͷ૿Ճ
- ૬ޓӡ༻ੑ
- ϕϯμʔཧ
ϚϧνΫϥυͷϦεΫ
Slide 32
Slide 32 text
- ౷੍ɾηΩϡϦςΟͷࢄ
- ৭ʑ͋Δ͕ಛʹʮೝূʯ
- ෳࡶੑͷ૿Ճ
- ૬ޓӡ༻ੑ
- ϕϯμʔཧ
ϚϧνΫϥυͷϦεΫ
Slide 33
Slide 33 text
- ਓؒʹΑΔೝূ
- ͪ͜ΒSAMLͱ͔OIDCͰ৭ʑ͋Δ
- ඇਓؒతʁͳೝূ
- Cloud workload:
- ʮA logical bundle of software and data that is present in, and processed by, a
cloud computing technologyʯ
- https://csrc.nist.gov/glossary/term/cloud_workload
- AWSͰɺEC2ɺLambdaɺApp RunnerɺECS Service
- ࠓճͪ͜Β
ೝূͷதͰϫʔΫϩʔυ
Slide 34
Slide 34 text
- ࣌ϚϧνΫϥυ
- ϚϧνΫϥυͱͳΔঢ়گ૿͑ͨ
- ආ͚ΔܾఆɾΛෛ͑Δཱʹ͋Εผ
- ͦͷͨΊͷೝূʹ͍ͭͯޠΔ
·ͱΊ
Slide 35
Slide 35 text
ೝূͱ
Slide 36
Slide 36 text
ೝূ (Authentication)
- ϦιʔεͷΞΫηεલͷඞཁ݅ͱͯ͠ɺϢʔ
βʔɺϓϩηεɺσόΠεͷਓͰ͋Δ͔ͷ
ݕূΛ͢Δ͜ͱ
Slide 37
Slide 37 text
- ͋Μ·ΓେࣄͰͳ͍ͷͰɺ༁͔Βͯ͠·ͤΜ͕ɺ
- AAL1:
- ཁٻऀ͕ՃೖऀͷΞΧϯτʹඥ͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͋͠ΔఔͷอূΛఏڙ͠·͢ɻ
AAL1Ͱɺൣͳೝূٕज़Λ༻ͯ͠ɺγϯάϧϑΝΫλʔ·ͨϚϧνϑΝΫλʔೝূͷ͍ͣΕ͔Λཁٻ͠·
͢ɻೝূͷޭʹɺཁٻऀ͕҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺೝূثͷॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢.
- AAL 2:
- ཁٻऀ͕ՃೖऀͷΞΧϯτʹඥ͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͠ߴ͍৴པΛఏڙ͠·͢ɻೝূͷ
ޭʹɺ҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺҟͳΔ2ͭͷೝূཁૉͷॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢ɻ
AAL2͓ΑͼͦΕҎ্Ͱɺঝೝ͞Εͨ҉߸ٕज़͕ඞཁͰ͢ɻ
- AAL 3:
- ཁٻऀ͕ՃೖऀͷΞΧϯτʹඥ͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͠ඇৗʹߴ͍৴པΛఏڙ͠·͢ɻ
AAL3ͷೝূɺ҉߸ϓϩτίϧΛ௨ͨ͡伴ͷॴ࣋ͷূ໌ʹج͍͍ͮͯ·͢ɻAAL3ͷೝূʹɺϋʔυΣΞϕʔ
εͷೝূثͱɺݕূऀͳΓ͢·͠ੑΛఏڙ͢Δೝূث͕ඞཁͰ͢ɻಉ͡σόΠε͕͜ΕΒͷཁ݅Λ྆ํຬͨ͢
͜ͱՄೳͰ͢ɻAAL3Ͱೝূ͢ΔͨΊʹɺཁٻऀ͕҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺ2ͭͷҟͳΔೝূཁૉͷ
ॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢ɻঝೝ͞Εͨ҉߸ٕज़͕ඞཁͰ͢
ೝূͷڧʢAuthenticator Assurance Levelʣ
Slide 38
Slide 38 text
Requirement AAL1 AAL2 AAL3
Permitted
authenticator types
Memorized Secret;
Look-up Secret;
Out-of-Band;
SF OTP Device;
MF OTP Device;
SF Crypto Software;
SF Crypto Device;
MF Crypto Software;
MF OTP Device;
MF Crypto Software;
MF Crypto Device;
or Memorized Secret plus:
• Look-up Secret
• Out-of-Band
• SF OTP Device
• SF Crypto Software
MF Crypto Device;
SF Crypto Device plus Memorized Secret;
SF OTP Device plus MF Crypto Device or Software;
SF OTP Device plus SF Crypto Software plus Memorized Secret
Reauthentication 30 days
12 hours or 30 minutes inactivity;
MAY use one authentication factor
12 hours or 15 minutes inactivity;
SHALL use both authentication factors
Security controls
SP 800-53 Low
Baseline (or equivalent)
SP 800-53 Moderate Baseline
(or equivalent)
SP 800-53 High Baseline
(or equivalent)
Veri
fi
er-
impersonation
resistance
Not required Not required Required
Veri
fi
er-compromise
resistance
Not required Not required Required
Replay resistance Not required Required Required
Authentication
intent
Not required Recommended Required
https://pages.nist.gov/800-63-3/sp800-63b.html#sec4
Slide 39
Slide 39 text
- ೝূใਓใΛҟ
ͳΔωοτϫʔΫ܈ʹ
ୡ͢Δ͜ͱ
ೝূ࿈ܞʢFederationʣ
Slide 40
Slide 40 text
- FAL1:
- Ճೖऀ͕RP(Relying Party)ʹରͯ͠Bearer AssetionΛड͚औΔ͜ͱΛڐՄ͠·͢ɻ͜ͷ
Assertionɺঝೝ͞Εͨ҉߸ٕज़Λ༻ͯ͠IdPʹΑͬͯॺ໊͞Ε·͢ɻ
- FAL2:
- Ξαʔγϣϯ͕ঝೝ͞Εͨ҉߸ٕज़Λ༻ͯ͠҉߸Խ͞ΕɺRP͚͕ͩͦΕΛ෮߸Ͱ͖ΔΑ͏ʹ
͢Δཁ݅ΛՃ͠·͢
- FAL3:
- Ճೖऀ͕ɺΞαʔγϣϯࣗମʹՃ͑ͯɺΞαʔγϣϯͰࢀর͞ΕΔ҉߸伴ͷॴ࣋ূ໌Λఏࣔ
͢Δ͜ͱΛཁٻ͠·͢ɻ͜ͷΞαʔγϣϯɺIdPʹΑͬͯॺ໊͞ΕɺೝՄ͞Εͨ҉߸ٕज़Λ
༻ͯ͠RPʹରͯ͠҉߸Խ͞Ε·͢ɻ
ೝূ࿈ܞͷڧʢFederation Assurance Levelʣ
Slide 41
Slide 41 text
ೝূ࿈ܞͷڧ
Requirement FAL1 FAL2 FAL3
Assetion Type Bearer Bearer Holder of key
Signing Not required Signed by IdP Signed by IdP
Encryption Not required Encrypted Encrypted
Slide 42
Slide 42 text
- ೝূͱೝূ࿈ܞͷఆٛ
- ͦΕͧΕͷڧͱཁҼ
- ϢʔεέʔεʹԠͨ͡ϨϕϧબʢϦεΫରԠʣ͕ॏཁ
·ͱΊ
Slide 43
Slide 43 text
ϦεΫධՁͱ
ڴҖϞσϦϯά
Slide 44
Slide 44 text
ೝূ
- A-1: Assertion Manufacture or Modi
fi
cation
- A-2: Theft
- A-3: Duplication
- A-4: Eavesdropping
- A-5: Of
fl
ine Cracking
- A-6: Side Channel Attack
- A-7: Phishing or Pharming
- A-8: Social engineering
- A-9: Online Guessing
- A-10: Endpoint Compromise
- A-11: Unauthorized Binding
ڴҖ
https://pages.nist.gov/800-63-3/sp800-63b.html#sec8
ೝূ࿈ܞ
- F-1: Assertion Manufacture or
Modi
fi
cation
- F-2: Assertion Disclosure
- F-3: Assertion Repudiation by the
IdP
- F-4: Assertion Repudiation by the
Subscriber
- F-5: Assertion Redirect
- F-6: Assertion Reuse
- F-7: Assertion Substitution
Slide 45
Slide 45 text
AWS -> AzureAD έʔεᶃ
Slide 46
Slide 46 text
ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ
- ຌྫɹɹɹ: ϦεΫߴۀ
- ɹɹɹɹɹ: ϦεΫۀ
Slide 47
Slide 47 text
```shell
$ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap-
northeast-1:${POOL ID} --logins “${USER NAME}=${Developer Identifiers}”
```
```Go
func getOpenIdToken(ctx context.Context, awsConfig aws.Config)
(*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) {
svc := cognitoidentity.NewFromConfig(awsConfig)
input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{
IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")),
Logins: map[string]string{
os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”),
},
}
return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input)
}
```
47
cognito-
identity:GetOpenIdTokenForDeveloperIdentity
͑͋͞ΕɺಉҰAWS͔Βҙʹ࣮ߦՄೳɻ
ϦιʔεϙϦγʔ͔͚ΒΕͳ͍ɻ
Slide 48
Slide 48 text
Requirement AAL1 AAL2 AAL3
Permitted
authenticator types
Memorized Secret;
Look-up Secret;
Out-of-Band;
SF OTP Device;
MF OTP Device;
SF Crypto Software;
SF Crypto Device;
MF Crypto Software;
MF OTP Device;
MF Crypto Software;
MF Crypto Device;
or Memorized Secret plus:
• Look-up Secret
• Out-of-Band
• SF OTP Device
• SF Crypto Software
MF Crypto Device;
SF Crypto Device plus Memorized Secret;
SF OTP Device plus MF Crypto Device or Software;
SF OTP Device plus SF Crypto Software plus Memorized Secret
Reauthentication 30 days
12 hours or 30 minutes inactivity;
MAY use one authentication factor
12 hours or 15 minutes inactivity;
SHALL use both authentication factors
Security controls
SP 800-53 Low
Baseline (or equivalent)
SP 800-53 Moderate Baseline
(or equivalent)
SP 800-53 High Baseline
(or equivalent)
Veri
fi
er-
impersonation
resistance
Not required Not required Required
Veri
fi
er-compromise
resistance
Not required Not required Required
Replay resistance Not required Required Required
Authentication
intent
Not required Recommended Required
https://pages.nist.gov/800-63-3/sp800-63b.html#sec4
Slide 49
Slide 49 text
ೝূ࿈ܞͷڧ
Requirement FAL1 FAL2 FAL3
Assetion Type Bearer Bearer Holder of key
Signing Not required Signed by IdP Signed by IdP
Encryption Not required Encrypted Encrypted
Slide 50
Slide 50 text
- ϦεΫۀͰ͋Εͳ͍
- ߴϦεΫۀͰ͋ΕϨϕϧཁ݅Λຬͨ͞ͳ͍
- ຬͨͤͳ͍ϦεΫΛସखஈͳͲʹΑΓݮɺ͋Δ͍
ड༰͢Δඞཁ͕͋Δ
- AAL, FALํͰͷରࡦΛཁ͢Δ
- ۩ମతʹͲ͜Λʁ
݁Ռ
Slide 51
Slide 51 text
ෆͨ͠ߏ(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ
CloudTrailͰσʔλΠϕϯτΛ༗ޮʹ͠
GetDeveloperIdentityTokenΠϕϯτΛ
ୟ͘RoleΛࢹ
ʢʴLambdaΛVPCԼʹ͓͍ͯsource IPΛ
ࢹʣ
LambdaΛVPCԼʹ͓͍ͯsource IPΛࢹ
Slide 52
Slide 52 text
AWS -> AzureAD έʔεᶄ
Slide 53
Slide 53 text
ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ
- ຌྫɹɹɹ: ϦεΫߴۀ
- ɹɹɹɹɹ: ϦεΫۀ
Slide 54
Slide 54 text
Requirement AAL1 AAL2 AAL3
Permitted
authenticator types
Memorized Secret;
Look-up Secret;
Out-of-Band;
SF OTP Device;
MF OTP Device;
SF Crypto Software;
SF Crypto Device;
MF Crypto Software;
MF OTP Device;
MF Crypto Software;
MF Crypto Device;
or Memorized Secret plus:
• Look-up Secret
• Out-of-Band
• SF OTP Device
• SF Crypto Software
MF Crypto Device;
SF Crypto Device plus Memorized Secret;
SF OTP Device plus MF Crypto Device or Software;
SF OTP Device plus SF Crypto Software plus Memorized Secret
Reauthentication 30 days
12 hours or 30 minutes inactivity;
MAY use one authentication factor
12 hours or 15 minutes inactivity;
SHALL use both authentication factors
Security controls
SP 800-53 Low
Baseline (or equivalent)
SP 800-53 Moderate Baseline
(or equivalent)
SP 800-53 High Baseline
(or equivalent)
Veri
fi
er-
impersonation
resistance
Not required Not required Required
Veri
fi
er-compromise
resistance
Not required Not required Required
Replay resistance Not required Required Required
Authentication
intent
Not required Recommended Required
https://pages.nist.gov/800-63-3/sp800-63b.html#sec4
Slide 55
Slide 55 text
- ϦεΫۀͰ͋Εͳ͍
- ߴϦεΫۀͰ͋ΕϨϕϧཁ݅Λຬͨ͞ͳ͍
- ຬͨͤͳ͍ϦεΫΛସखஈͳͲʹΑΓݮɺ͋Δ͍
ड༰͢Δඞཁ͕͋Δ
- AAL, FALํͰͷରࡦΛཁ͢Δ
- ۩ମతʹͲ͜Λʁ
݁Ռ
Slide 56
Slide 56 text
ෆͨ͠ߏ(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ
- LambdaΛVPCԼʹ͓͍ͯɺGraph APIΛୟ
͘source IPΛࢹ
- ݖݶͷ࠷খԽ
- CredentialൃߦͷΠϕϯτࢹ
Slide 57
Slide 57 text
AWS -> GCP -> GWS
Slide 58
Slide 58 text
AWS -> GCP -> GWS
ҙͷϢʔβʔʹ
ImpersonateͰ͖Δ…
Slide 59
Slide 59 text
ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ
- ຌྫɹɹɹ: ϦεΫߴۀ
Slide 60
Slide 60 text
Requirement AAL1 AAL2 AAL3
Permitted
authenticator types
Memorized Secret;
Look-up Secret;
Out-of-Band;
SF OTP Device;
MF OTP Device;
SF Crypto Software;
SF Crypto Device;
MF Crypto Software;
MF OTP Device;
MF Crypto Software;
MF Crypto Device;
or Memorized Secret plus:
• Look-up Secret
• Out-of-Band
• SF OTP Device
• SF Crypto Software
MF Crypto Device;
SF Crypto Device plus Memorized Secret;
SF OTP Device plus MF Crypto Device or Software;
SF OTP Device plus SF Crypto Software plus Memorized Secret
Reauthentication 30 days
12 hours or 30 minutes inactivity;
MAY use one authentication factor
12 hours or 15 minutes inactivity;
SHALL use both authentication factors
Security controls
SP 800-53 Low
Baseline (or equivalent)
SP 800-53 Moderate Baseline
(or equivalent)
SP 800-53 High Baseline
(or equivalent)
Veri
fi
er-
impersonation
resistance
Not required Not required Required
Veri
fi
er-compromise
resistance
Not required Not required Required
Replay resistance Not required Required Required
Authentication
intent
Not required Recommended Required
https://pages.nist.gov/800-63-3/sp800-63b.html#sec4
Slide 61
Slide 61 text
ೝূ࿈ܞͷڧ
Requirement FAL1 FAL2 FAL3
Assetion Type Bearer Bearer Holder of key
Signing Not required Signed by IdP Signed by IdP
Encryption Not required Encrypted Encrypted
ಉ͡Googleͩ͠
Slide 62
Slide 62 text
- Ϩϕϧཁ݅Λຬ͍ͨͯ͠Δ
- ҙͷGWSʹϢʔβʔʹImpersonateͰ͖Δͷ
͍͔Βɺݖݶείʔϓ࠷খԽ͢Δ͢Δඞཁ
͕͋Δʢຊൃදͷର֎ʣ
݁Ռ
Slide 63
Slide 63 text
ෆͨ͠ߏ(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ
ҙͷϢʔβʔʹ
ImpersonateͰ͖Δ…
GWSࠪϩά͔Βɺ” Delegate”Πϕ
ϯτͷࢹ
OAuth2.0 Scopeͷ࠷খԽ
ઐ༻Ϣʔβʔͷ༻ҙͱࢹ
Slide 64
Slide 64 text
- Short lived token୯ମͰ҆શੑ͕ܾ·ΔΘ͚Ͱ
ͳ͍
- ൃߦϓϩηε੍ݶͳͲΛཧղ͠Α͏
- ϫʔΫϩʔυؒͷΞΫηεͰɺReplay
Resistanceཁ݅ʹΑΔߴ͍ϋʔυϧͰɺͳ͔
ͳ͔AALΛຬͨ͢ͷ͕͍͠ɻFALಉ༷
- ͱ͍͑ɺϦεΫ༧͕Ͱ͖ͳ͍ͷ͋ΔɻͲ
͏͢Δ͔ʁ
·ͱΊ
Slide 65
Slide 65 text
·ͱΊ
Slide 66
Slide 66 text
LayerX Fintechࣄۀ෦
xxxΤϯδχΞΛ
ઈࢍ࠾༻தͰ͢ʂ
https://open.talentio.com/r/1/c/layerx/pages/87524
DM (X): @ken5scal