サーバーレスのセキュリティを考える / Consider serverless security.

Transcript

1. JAWS-UG #14 
 11 AWS re:Inforce 20 2 3 2

   0 23 . 7 . 23 @seike 4 60 1

2. @seike 460 - - @seike 46 0 - Fusic -

   / - / - - JAWS Days - AWS Dev Day - Serverless Days - - JAWS Festa 2023 in Kyushu Staff - ServerlessDays 2 023 Organizer 2

3. Agenda 1 . 2 . 3 .IAM 4 . 5

   . 3

4. 1

5. AWS 5 
 
 AWS Lambda 
 AWS

6. 
 6

7. 
 
 -> 
 7

8. API 21,172/ -> 1,543,602/ 
 S 3 Select 
 1,000

   / 600 2000 rps 8

9. 9 
 
 


10. 2 


11. 11 
 API Gateway API KEY 
 API KEY 


    


12. 12 AWS WAF 
 SQL 
 IP DOS 
 IP

    
 


13. 3 IAM

14. AWS Lambda IAM Role 14 AWS Lambda 
 AWS Lambda

    AWS 
 
 IAM 
 IAM Role 


15. IAM 15 SES S 3 DynamoDB 
 


16. DynamoDB 16 DynamoDB 
 IAM GetItem PutItem { "Version": "

    2 012 - 1 0 - 17 ", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:us- west- 2 : 123 4567 890 1 2 :table/ExampleTable" } ] }

17. S 3 17 S 3 IAM GetObject PutObject 
 {

    "Version": " 2 0 12 - 1 0 - 17 ", "Statement": [ { "Effect": "Allow", "Action": [ "s 3 :GetObject", "s 3 :PutObject" ], "Resource": "arn:aws:s 3 :::examplebucket/*" } ] }

18. SES 18 SES IAM 
 { "Version": " 2 0

    12 - 1 0 - 17 ", "Statement": [ { "Effect": "Allow", "Action": [ "ses:SendEmail", "ses:SendRawEmail" ], "Resource": "arn:aws:ses:us- west- 2 : 1 234 5 6 7 89 01 2 :identity/ example.com" } ] }

19. IAM 19 AdministratorAccess 


20. 4

21. 21 
 
 HTML Javascript 
 
 
 
 NG

22. 22 Secret 
 
 Secret 
 Secret Manager Secret

23. 5

24. 24 Security Hub CloudTrail AWS Config 


25. 25 Point 1 IAM AdministratorAccess Point 2 Secret Point 3

    Point 4
26. None

27. Serverless Days Tokyo 2023 27

28. Thank You We are Hiring ! https://recruit.fusic.co.jp/