
Cloud vulnerability trends and making use of Shisho Cloud (クラウド脆弱性の傾向とShisho Cloudの活用)

https://findy-tools.connpass.com/event/347629/
Event: Practical security measures for development organizations that use the cloud: vulnerability assessment and access control for databases

adachin0817

March 16, 2025


Transcript

  1. About me: Ryo Adachi (安達 涼, @adachin0817)
     ・Findy Inc. / Product Development Department / Senior SRE
     ・Blog: blog.adachin.me / wiki.adachin.me
     ・TechBull (an engineer community): techbull.cloud
       ・Mentoring for SREs and engineers, more than 300 people to date
       ・Community manager
     ・Formerly a contributor to the OSS edition of Vuls and an organizer of events
     ・Born in 1989; from Adachi-ku, Tokyo, with Kasukabe, Saitama as his hometown
     ・Also the owner of a French bulldog

  2. (image-only slide, no transcribed text)


  3. Role and mission of the cross-functional SRE team
     • Cross-functional SRE team
       ◦ Set up as a team last year; currently four members
     • Why SRE exists
       ◦ SRE exists to build the road (reconciling development speed with safety)
       ◦ Accept and manage risk (keep the risk of outages to a minimum while aiming for efficient operations)
       ◦ Measure SLOs (set the criteria for balancing reliability)
       ◦ Reduce toil and automate (give people an environment where they can focus on high-value work)
       ◦ Support the products (technical support that keeps development speed and reliability in balance)
       ◦ Make security visible and strengthen it (find latent risks and keep systems in a safer state)
     • Short-term mission
       ◦ "Establish what the SRE organization should be, in order to support Findy's business growth"
     • Mid-term mission
       ◦ "Build the mechanisms that let every employee focus on business growth, and provide them safely"

  4. Top Threats to Cloud Computing 2024
     • The 2024 cloud top-threats report
       ◦ Published by the CSA (Cloud Security Alliance) headquarters
       ◦ A threat report is released every two years
       ◦ Threats identified from a survey of more than 500 industry experts
     • Issues
       ◦ Some threats have dropped in the ranking and are no longer seen as a concern
       ◦ Misconfiguration and inadequate change control
       ◦ Access management through IAM
       ◦ Insecure interfaces and APIs
       ◦ Lack of a cloud security architecture and strategy
     Reference: https://www.cloudsecurityalliance.jp/site/?p=35829

  5. Top Threats to Cloud Computing 2024
     • Outlook
       ◦ More sophisticated attacks, including ones that use AI
       ◦ Supply-chain risk
       ◦ An evolving regulatory landscape
       ◦ Ransomware-as-a-Service (RaaS)
     • Countermeasures
       ◦ Integrating AI throughout the SDLC (software development life cycle)
       ◦ AI-assisted security tools
       ◦ The zero-trust security model
       ◦ Automation and orchestration
       ◦ Closing the security skills gap
     Reference: https://www.cloudsecurityalliance.jp/site/?p=35829

  6. First steps when tackling cloud security
     • Security assessment and understanding the current state / CSPM (Cloud Security Posture Management)
       ◦ Make misconfigurations and vulnerable resources visible and identify the risks to prioritize
       ◦ Respond early to prevent security incidents before they happen
     • Security monitoring and alert configuration
       ◦ Detect anomalous logins and threats in real time
       ◦ Configure the alerts that are actually needed, so that a rapid response is possible
     • Security scanning with Trivy
       ◦ Assess the existing environments, and run the scan automatically in CI whenever something new is built
     • Visualizing security logs
       ◦ Do not just enable AWS WAF, CloudTrail and GuardDuty; visualize and analyze their output
       ◦ Improve the precision of anomaly detection and speed up the response
     • Security education and awareness
       ◦ Raising security awareness across the whole team is what matters
       ◦ Create a forum for sharing the latest threats and countermeasures

  7. How we approached tool selection for strengthening cloud security
     • Original plan: security management built on AWS Security Hub
       ◦ We manage accounts with AWS Organizations, so there are several dozen cross-account setups
       ◦ Data analysis also uses GCP, so there was no single place to manage everything and no consistency
       ◦ Many services are involved, so the setup easily becomes complex and the cost easily rises
       ◦ Usability and the readability of assessment results are poor, and aggregating triage takes effort
       ◦ The remediation documentation is all in English, so engineers cannot respond quickly
     • Trial deployments of several cloud security tools
       ◦ Compared them on features, usability and cost performance
       ◦ Shisho Cloud matched our requirements best, so we decided to adopt it 🎉

  8. Why Shisho Cloud is easy to use
     • Simple is the best
       ◦ Single-pane management of multiple clouds
       ◦ Findings can be acted on without specialist security knowledge
       ◦ Risks are visible immediately
       ◦ Careful reports, available in Japanese
       ◦ Easy to roll out, and findings arrive quickly
       ◦ Managed policies that are well prepared out of the box
       ◦ Highly customizable through workflows
       ◦ Low price

  9. How we operate Shisho Cloud
     • Writing a security guideline policy
       ◦ Goal: every quarter, resolve all high-priority Issues
     • Security monitoring and alert configuration
       ◦ A dedicated Slack channel for each project
       ◦ A mechanism that pulls the relevant people in
       ◦ A forum for sharing information with the Embedded SREs
       ◦ Not every triaged alert needs to be acted on; narrow them down by priority
     • Prevent security work from becoming a mere formality, and encourage teams to become self-reliant

  10. Operational challenges with Shisho Cloud
     • Every time new infrastructure is built, alerts fire as false positives
       ◦ All infrastructure is managed with Terraform, but there are no rules shared across environments
       ◦ Load-test environments and new infrastructure environments have not yet been templated
       ◦ Security policies are not unified across environments, so unnecessary alerts are raised
       ◦ Slack notifications pile up and the channel is buried in noise
     • Detecting the notifications that matter
       ◦ Critical / High alerts are sent to Slack as notifications with a mention
       ◦ Reduce the noise so that the team can focus on the alerts that need action

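The Critical/High routing and noise reduction described on this slide, as an added example that is not part of the original deck and not Shisho Cloud's own code: a small Python router that drops low-priority findings from short-lived environments, collapses repeats across scan runs, and prefixes Critical and High findings with an on-call mention. The finding dictionaries, the per-environment channel names, the `loadtest` environment and the `<@U0000000>` mention handle are all assumptions; Shisho Cloud's real webhook payload is not shown on the page.

```python
"""Route security findings to Slack by severity and cut notification noise.

Added example; not part of the original slides or of Shisho Cloud. The
finding dictionaries, channel names and mention handle are assumptions.
"""

# Constructed sample findings: a re-run duplicate (f-6) and a low-priority
# finding in a throwaway load-test environment (f-5) are included on purpose.
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": "CRITICAL", "env": "prod", "resource": "s3://app-logs",
     "title": "Bucket grants public read"},
    {"id": "f-2", "severity": "HIGH", "env": "prod", "resource": "sg-0aaa",
     "title": "Security group allows 0.0.0.0/0 on port 22"},
    {"id": "f-3", "severity": "MEDIUM", "env": "prod", "resource": "iam/role-x",
     "title": "Role has unused permissions"},
    {"id": "f-4", "severity": "HIGH", "env": "loadtest", "resource": "sg-0bbb",
     "title": "Security group allows 0.0.0.0/0 on port 22"},
    {"id": "f-5", "severity": "LOW", "env": "loadtest", "resource": "ec2/i-1",
     "title": "Detailed monitoring disabled"},
    {"id": "f-6", "severity": "HIGH", "env": "prod", "resource": "sg-0aaa",
     "title": "Security group allows 0.0.0.0/0 on port 22"},
]

MENTION_SEVERITIES = {"CRITICAL", "HIGH"}
# Environments that are created and torn down often; only page for them
# when the severity is high enough to matter (assumed list).
EPHEMERAL_ENVS = {"loadtest"}
# Slack mention for the on-call handle; placeholder id, not a real user.
ONCALL_MENTION = "<@U0000000>"


def route(finding):
    """Return (channel, message) for a finding, or None if it is suppressed."""
    sev = finding["severity"].upper()
    env = finding["env"]
    if env in EPHEMERAL_ENVS and sev not in MENTION_SEVERITIES:
        return None  # noise: low-priority finding in a throwaway environment
    channel = f"#sec-alerts-{env}"  # one channel per project/environment
    prefix = f"{ONCALL_MENTION} " if sev in MENTION_SEVERITIES else ""
    text = (f"{prefix}[{sev}] {finding['title']} "
            f"({finding['resource']}, env={env}, id={finding['id']})")
    return channel, text


def build_notifications(findings, seen=None):
    """Turn findings into Slack messages, dropping suppressed and repeated ones.

    `seen` holds dedup keys across scan runs; a caller would persist it
    (a file or a small table). Here it lives in memory.
    """
    seen = set() if seen is None else seen
    notifications = []
    for finding in findings:
        key = (finding["env"], finding["resource"], finding["title"])
        if key in seen:
            continue  # already notified in an earlier run or earlier in this batch
        routed = route(finding)
        if routed is None:
            continue
        seen.add(key)
        channel, text = routed
        notifications.append({"id": finding["id"], "channel": channel, "text": text})
    return notifications


def mention_count(notifications):
    """How many messages page someone: a useful per-run noise metric."""
    return sum(1 for n in notifications if n["text"].startswith(ONCALL_MENTION))


if __name__ == "__main__":
    for n in build_notifications(SAMPLE_FINDINGS):
        print(n["channel"], n["text"])
```

Keeping the dedup key on (environment, resource, title) rather than on the finding id is what stops a re-scan of unchanged infrastructure from producing a second Slack message; the slide's policy-unification work would then reduce the set of findings that reach `route` at all.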
  11. Security log platform
     • Using Amazon Security Lake
       ◦ We could not tell in real time what was happening inside AWS
       ◦ Strengthen monitoring around security
       ◦ Visualize and analyze CloudTrail, WAF, VPC Flow Logs and Route 53 (DNS queries)
       ◦ Security Lake makes it easy to manage them in one place
       ◦ Can be implemented for a few tens of thousands of yen per month, so the cost performance is good
       ◦ Dashboards built with Amazon Managed Grafana

  12. WAF log
     • WAF (Web ACL)
       ◦ Request by Country (request count per country)
       ◦ Heat map
       ◦ Bar graph
       ◦ Total Request (total number of requests)
       ◦ WAF Rule Request (request count per WAF rule)
       ◦ Access Ranking (request count per IP address and per URL)
       ◦ WAF Analytics Logs (logs for analysis, block information and so on)

  13. CloudTrail log
     • CloudTrail
       ◦ Total Event Count (all events)
       ◦ Total Errors (all errors)
       ◦ Event History
       ◦ Top Event Names
       ◦ Total Event Source (where events originate)
       ◦ Top Users (user ranking)
       ◦ Total Source IP (IP addresses the operations came from)
       ◦ S3 Access Denied (number of access-denied responses from S3)
       ◦ EC2 Change Event Count (number of EC2 configuration changes)
       ◦ VPC Change Event Count (number of VPC configuration changes)
       ◦ Security Group Change Event Count (number of SG configuration changes)
       ◦ Error Event (error events for analysis)

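The CloudTrail panel metrics listed above, computed over a handful of CloudTrail records, as an added example that is not code from the deck, from Security Lake or from Grafana. The records are constructed (documentation account id 123456789012, RFC 5737 addresses) and trimmed to the fields the metrics need; the sets used to classify VPC and security-group changes are my own starting list of real EC2 API actions, and anything from ec2.amazonaws.com that is not read-only and not in those sets is counted as a generic EC2 change.

```python
"""Compute the CloudTrail dashboard metrics from raw CloudTrail records.

Added example; not code from the slides, Security Lake or Grafana. The
records below are constructed and use the documentation account id
123456789012; the change-event sets are a starting list of real EC2 actions.
"""
import json
from collections import Counter

# Constructed sample: one CloudTrail "Records" array, eight events.
SAMPLE_CLOUDTRAIL_JSON = """
{"Records": [
 {"eventTime": "2025-03-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "readOnly": false,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2025-03-01T09:01:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.1.5", "readOnly": true,
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}},
 {"eventTime": "2025-03-01T09:02:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "203.0.113.22", "readOnly": true,
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
 {"eventTime": "2025-03-01T09:03:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10", "readOnly": false,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2025-03-01T09:04:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVpc", "sourceIPAddress": "198.51.100.7", "readOnly": false,
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/terraform/apply"}},
 {"eventTime": "2025-03-01T09:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7", "readOnly": false,
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/terraform/apply"}},
 {"eventTime": "2025-03-01T09:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.22", "readOnly": true,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
 {"eventTime": "2025-03-01T09:07:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10", "readOnly": false,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
]}
"""

# Starting lists (not exhaustive) of EC2 API actions that change SG / VPC state.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules",
}
VPC_CHANGE_EVENTS = {
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "CreateSubnet", "DeleteSubnet",
    "CreateRouteTable", "DeleteRouteTable", "CreateRoute", "DeleteRoute",
    "CreateInternetGateway", "AttachInternetGateway", "CreateNatGateway", "DeleteNatGateway",
}


def load_records(text):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(text)["Records"]


def principal(record):
    """Short principal name: user/alice -> alice, assumed-role/terraform/x -> terraform."""
    arn = record.get("userIdentity", {}).get("arn", "unknown")
    parts = arn.split(":")[-1].split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def is_write(record):
    """CloudTrail marks read-only calls; fall back to a name prefix check if absent."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(("Describe", "Get", "List"))


def summarize(records, top_n=5):
    """Return the dashboard metrics from the slide as one dict."""
    names, users, ips, sources = Counter(), Counter(), Counter(), Counter()
    m = {"total_events": len(records), "total_errors": 0, "s3_access_denied": 0,
         "ec2_change_events": 0, "vpc_change_events": 0, "sg_change_events": 0,
         "error_events": []}
    for r in records:
        name, source, who = r["eventName"], r["eventSource"], principal(r)
        names[name] += 1
        users[who] += 1
        ips[r.get("sourceIPAddress", "?")] += 1
        sources[source] += 1
        if "errorCode" in r:
            m["total_errors"] += 1
            m["error_events"].append((r["eventTime"], who, name, r["errorCode"]))
            if source == "s3.amazonaws.com" and r["errorCode"] == "AccessDenied":
                m["s3_access_denied"] += 1
        if source == "ec2.amazonaws.com" and is_write(r):
            if name in SG_CHANGE_EVENTS:
                m["sg_change_events"] += 1
            elif name in VPC_CHANGE_EVENTS:
                m["vpc_change_events"] += 1
            else:
                m["ec2_change_events"] += 1
    m["top_event_names"] = names.most_common(top_n)
    m["top_users"] = users.most_common(top_n)
    m["source_ips"] = ips.most_common(top_n)
    m["event_sources"] = sources.most_common(top_n)
    return m


if __name__ == "__main__":
    for key, value in summarize(load_records(SAMPLE_CLOUDTRAIL_JSON)).items():
        print(f"{key}: {value}")
```

The same grouping is what a Security Lake query behind a Grafana panel does in SQL; running it in Python over a sample file is a quick way to check that the change-event classification matches what the panel should show before wiring the query up.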
  14. Manual vulnerability assessments
     • GMO Flatt Security x web application assessment
       ◦ Carried out since 2023
       ◦ SQL injection
       ◦ XSS, authentication and authorization issues, and so on
       ◦ They cover a wide range of vulnerability assessments
       ◦ The written reports are very easy to read
       ◦ Good after-service as well

  15. Summary
     • For cloud security, make things visible and keep analyzing and acting on them continuously
     • We are not yet making full use of Shisho Cloud's workflow customization
       ◦ Set organization-specific policies where needed and apply them in operations
       ◦ Clarify the criteria for judging AWS accounts, so that Critical and High findings are not missed
       ◦ Fix and review the existing alerts
     • Analysis on the security log platform
       ◦ The Security Lake platform is in place, so next is to move ahead with the analysis
       ◦ Customize the dashboards and hold regular retrospectives to improve operations
       ◦ Plan to analyze the SQL query results with Bedrock