
Thinking About Serverless Security / Consider serverless security.


JAWS-UG Fukuoka #14: For the 11th meeting, a slightly deeper look back at AWS re:Inforce 2023
https://jaws-ug-kyushu.doorkeeper.jp/events/157035

shiro seike

July 23, 2023

Transcript

  1. JAWS-UG #14
     11th meeting: AWS re:Inforce 2023 look-back
     2023.7.23
     @seike460

  2. @seike460
     - Fusic
     - JAWS Days
     - AWS Dev Day
     - Serverless Days
     - JAWS Festa 2023 in Kyushu Staff
     - ServerlessDays 2023 Organizer

  3. Agenda
     1.
     2.
     3. IAM
     4.
     5.

  4. Section 1

  5. AWS Lambda

  6.

  7. ->

  8. API
     21,172/ -> 1,543,602/
     S3 Select
     1,000 /
     600 2000 rps

  9.

  10. Section 2

  11. API Gateway API KEY
      API KEY

  12. AWS WAF
      SQL injection
      IP restriction
      DoS
      IP

  13. Section 3: IAM

  14. AWS Lambda IAM Role
      AWS Lambda
      AWS Lambda / AWS
      IAM
      IAM Role

  15. IAM
      SES, S3, DynamoDB

  16. DynamoDB
      DynamoDB IAM policy: GetItem and PutItem only, scoped to one table
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:GetItem",
              "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/ExampleTable"
          }
        ]
      }

  17. S3
      S3 IAM policy: GetObject and PutObject only, scoped to one bucket's objects
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::examplebucket/*"
          }
        ]
      }

  18. SES
      SES IAM policy: SendEmail and SendRawEmail only, scoped to one verified identity
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ses:SendEmail",
              "ses:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:us-west-2:123456789012:identity/example.com"
          }
        ]
      }

  19. IAM
      AdministratorAccess
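The three policies on slides 16 to 18 grant exactly the actions the function calls, on exactly one resource; slide 19 is the contrast case, an execution role carrying AdministratorAccess. As an added example (not code from the deck or from Fusic), the following stdlib-only Python linter encodes that distinction: it passes the deck's three policies and flags the patterns an execution role should not carry (the "*"/"*" grant that AdministratorAccess amounts to, service-wide "svc:*" actions, unscoped resources, NotAction/NotResource). The two failing policies and the rule set are constructed for illustration; AWS's own policy grammar allows Statement, Action and Resource to be either a string or a list, which the helper normalises.

```python
"""Least-privilege lint for Lambda execution-role policies (added example)."""
import json
from typing import Any, Dict, List, Set

# Constructed input: the three scoped policies from the deck, verbatim.
DYNAMODB_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/ExampleTable",
    }],
}
S3_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::examplebucket/*",
    }],
}
SES_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-west-2:123456789012:identity/example.com",
    }],
}
# Constructed contrast cases (not from the deck): the grant AdministratorAccess
# amounts to, and a policy that names the service but is still unscoped.
ADMIN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SLOPPY_DYNAMODB_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means every Allow is scoped."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; never a finding here.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' (AdministratorAccess-equivalent)")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: service-wide Action '{action}'")
            elif "*" in action:
                findings.append(f"statement {idx}: wildcard Action '{action}'")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {idx}: Resource '*' is not scoped to a table/bucket/identity")
    return findings


def lint_policy_json(text: str) -> List[str]:
    """Same check over a policy document as stored in IAM (a JSON string)."""
    return lint_policy(json.loads(text))


def granted_actions(policy: Dict[str, Any]) -> Set[str]:
    """Flatten every Allow action so the role can be diffed against what the code calls."""
    actions: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def excess_actions(policy: Dict[str, Any], needed: Set[str]) -> Set[str]:
    """Actions the policy grants beyond the set the Lambda handler actually uses."""
    return granted_actions(policy) - needed


if __name__ == "__main__":
    for name, pol in [("dynamodb", DYNAMODB_POLICY), ("s3", S3_POLICY),
                      ("ses", SES_POLICY), ("admin", ADMIN_POLICY),
                      ("sloppy-dynamodb", SLOPPY_DYNAMODB_POLICY)]:
        print(name, lint_policy(pol) or "ok")
    # A handler that only ever reads would not need PutItem.
    print("excess:", excess_actions(DYNAMODB_POLICY, {"dynamodb:GetItem"}))
```

The `excess_actions` check is the part worth wiring into CI: derive `needed` from the SDK calls the handler makes and fail the build when the execution role grants anything beyond that set, which catches "dynamodb:*" and AdministratorAccess alike.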

  20. Section 4

  21. HTML / JavaScript
      NG

  22. Secret
      Secret
      Secrets Manager / Secret
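Slides 21 and 22 make one rule: a secret placed in the HTML or JavaScript served to the browser is NG, because anyone who loads the page can read it; secrets belong server-side, fetched by the Lambda from Secrets Manager at runtime. As an added example (not code from the deck or from Fusic), the following Python pre-deploy check scans a front-end bundle for the credential shapes that most often leak this way: AWS access-key IDs, a secret-access-key assignment, and generic api key/password/token string literals. The sample HTML is constructed and uses the example credentials from the AWS documentation; the patterns and the `Finding` type are this example's own.

```python
"""Scan a front-end bundle for embedded credentials (added example)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    kind: str
    snippet: str  # redacted: first and last four characters only


# Access-key IDs have a fixed AKIA/ASIA prefix plus 16 upper-case alphanumerics.
# Secret keys are 40 base64-ish characters, so they are only matched next to a
# telling variable name to keep false positives down.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(
        r"(?i)secret[_-]?access[_-]?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})['\"]?")),
    ("generic_secret", re.compile(
        r"(?i)\b(?:api[_-]?key|apikey|password|secret|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Constructed bad example: the kind of page slide 21 calls NG.
SAMPLE_HTML = """<html><body>
<script src="https://example.com/app.js"></script>
<script>
  // credentials baked into the page served to every visitor
  const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
  const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
  const config = { apiKey: "sk_live_0123456789abcdef" };
  const region = "us-west-2";
</script>
</body></html>
"""


def _redact(secret: str) -> str:
    """Never echo a whole secret into CI logs; keep just enough to locate it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-shaped match, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(lineno, kind, _redact(secret)))
    return findings


def has_embedded_secret(text: str) -> bool:
    """Gate for a deploy step: True means the bundle must not ship."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_HTML):
        print(f"line {f.line}: {f.kind} {f.snippet}")
    print("ship:", not has_embedded_secret(SAMPLE_HTML))
```

Run it over the built `dist/` output rather than the source tree, since bundlers inline environment variables at build time and that is where a `.env` value ends up in the browser. A clean scan only shows the page carries no recognisable credential; the fix the deck points to is structural: the browser calls the API, and only the Lambda behind it reads the secret from Secrets Manager.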

  23. Section 5

  24. Security Hub, CloudTrail, AWS Config

  25. Point 1: IAM, AdministratorAccess
      Point 2: Secret
      Point 3
      Point 4


  27. Serverless Days Tokyo 2023

  28. Thank You
      We are Hiring!
      https://recruit.fusic.co.jp/