Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Secure Serverless Architecture

Secure Serverless Architecture

Security-JAWS【第33回】 勉強会
https://s-jaws.doorkeeper.jp/events/173294

shiro seike

May 23, 2024
Tweet

More Decks by shiro seike

Other Decks in Programming

Transcript

  1. ©Fusic Co., Ltd. 2 ਗ਼Ո ࢙࿠ @seike460 AWS Community Builder

    Serverless ίϛϡχςΟ Fukuoka.php Fukuoka.go JAWS-UG Fukuoka Serverless Meetup Fukuoka Cloudflare Meetup Fukuoka JP_Stripes Fukuoka ࣗݾ঺հ ͸͡Ίʹ גࣜձࣾFusic ϓϦϯγύϧΤϯδχΞ/ΤόϯδΣϦετ
  2. ©Fusic Co., Ltd. 3 CONTENTS ໨࣍ 1. αʔόʔϨεΞʔΩςΫνϟͷར఺ͱ՝୊ 2. Amazon

    API GatewayɺAWS LambdaͷηΩϡϦςΟ 3. Amazon CloudFrontɺAmazon S3ͷηΩϡϦςΟ 4. Amazon DynamoDBͷηΩϡϦςΟ 5. ·ͱΊ
  3. ©Fusic Co., Ltd. 5 αʔόʔϨεͱ͸ͳΜͳͷ͔ 言 Cloud Native Computing Foundation

    CNCF Serverless Whitepaper v 1 . 0 行 https://github.com/cncf/wg-serverless/tree/master/whitepapers/serverless-overview
  4. ©Fusic Co., Ltd. 6 αʔόʔϨεΞʔΩςΫνϟͷར఺ - - 自 - -

    用 金 - 用 - - - - 高 用 - AWS 自 長
  5. ©Fusic Co., Ltd. 7 αʔόʔϨεΞʔΩςΫνϟͷ՝୊ - ηΩϡϦςΟͷෳࡶੑ - αʔόʔϨε؀ڥಛ༗ͷηΩϡϦςΟϦεΫͱରࡦ͕ඞཁ -

    ϞχλϦϯάͱτϥϒϧγϡʔςΟϯάͷ೉͠͞ - ෼ࢄΞʔΩςΫνϟͷͨΊɺτϥϒϧγϡʔςΟϯά͕ෳࡶԽ - ґଘؔ܎ͷ؅ཧ - ෳ਺ͷϚΠΫϩαʔϏεؒͰͷґଘؔ܎ͱͦͷ؅ཧ - ίʔϧυελʔτ - ؔ਺ͷॳճݺͼग़࣌͠ʹൃੜ͢Δ஗Ԇ - ϕετϓϥΫςΟεͷਐԽ - ٕज़ͷਐలʹ൐͍ɺ࠷৽ͷϕετϓϥΫςΟεΛৗʹֶͼଓ͚Δඞཁੑ
  6. ©Fusic Co., Ltd. 8 αʔόʔϨεΞʔΩςΫνϟͷ՝୊ - ηΩϡϦςΟͷෳࡶੑ - αʔόʔϨε؀ڥಛ༗ͷηΩϡϦςΟϦεΫͱରࡦ͕ඞཁ -

    ϞχλϦϯάͱτϥϒϧγϡʔςΟϯάͷ೉͠͞ - ෼ࢄΞʔΩςΫνϟͷͨΊɺτϥϒϧγϡʔςΟϯά͕ෳࡶԽ - ґଘؔ܎ͷ؅ཧ - ෳ਺ͷϚΠΫϩαʔϏεؒͰͷґଘؔ܎ͱͦͷ؅ཧ - ίʔϧυελʔτ - ؔ਺ͷॳճݺͼग़࣌͠ʹൃੜ͢Δ஗Ԇ - ϕετϓϥΫςΟεͷਐԽ - ٕज़ͷਐలʹ൐͍ɺ࠷৽ͷϕετϓϥΫςΟεΛৗʹֶͼଓ͚Δඞཁੑ
  7. ©Fusic Co., Ltd. 9 ηΩϡϦςΟͷॏཁੑ - σʔλ࿙ӮϦεΫ - ݸਓ৘ใ΍ػີ৘ใͷ࿙Ӯ͸اۀͷ৴པΛଛͳ͏ -

    αΠόʔ߈ܸͷ૿Ճ - Ϋϥ΢υ؀ڥΛૂͬͨ߈ܸ͕૿Ճ͓ͯ͠Γɺରࡦ͕ෆՄܽ - ίϯϓϥΠΞϯε९क - GDPR΍HIPAAͳͲͷن੍ʹରԠ͢ΔͨΊͷηΩϡϦςΟાஔ - Ϗδωεܧଓੑ - ηΩϡϦςΟΠϯγσϯτ͕ൃੜ͢Δͱ ϏδωεͷܧଓʹࢧোΛ͖ͨ͢Մೳੑ
  8. ©Fusic Co., Ltd. 10 ηΩϡϦςΟରࡦͷΞϓϩʔν - ༧๷ - ΞΫηε੍ޚ΍σʔλ҉߸ԽʹΑΔ༧๷ࡦ -

    ݕ஌ - ҟৗݕ஌΍ϩά؂ࢹʹΑΔϦΞϧλΠϜͷ؂ࢹ - ରԠ - Πϯγσϯτൃੜ࣌ͷਝ଎ͳରԠͱ෮چखॱ - ෮چ - σʔλόοΫΞοϓͱϦετΞϓϩηεͷཱ֬
  9. ©Fusic Co., Ltd. 11 ηΩϡϦςΟରࡦͷΞϓϩʔν - ༧๷ - ΞΫηε੍ޚ΍σʔλ҉߸ԽʹΑΔ༧๷ࡦ -

    ݕ஌ - ҟৗݕ஌΍ϩά؂ࢹʹΑΔϦΞϧλΠϜͷ؂ࢹ - ରԠ - Πϯγσϯτൃੜ࣌ͷਝ଎ͳରԠͱ෮چखॱ - ෮چ - σʔλόοΫΞοϓͱϦετΞϓϩηεͷཱ֬
  10. ©Fusic Co., Ltd. 12 ର৅ͱ͢ΔAWS αʔϏε - Amazon API Gateway

    - AWS Lambda - Amazon CloudFront - Amazon S3 - Amazon DynamoDB
  11. ©Fusic Co., Ltd. 15 Amazon API GatewayͷηΩϡϦςΟ - ೝূͱೝՄ -

    τϥϑΟοΫͷอޢ - ωοτϫʔΫηΩϡϦςΟ
  12. ©Fusic Co., Ltd. 16 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - API KEYೝূ

    - IAMೝূ - CognitoϢʔβʔϓʔϧΛ௨ͨ͠ೝূʢ಺෦తʹ͸IAMೝূʣ
  13. ©Fusic Co., Ltd. 17 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - API KEYೝূ

    - ΫϥΠΞϯτ͕৴༻Ͱ͖Δ৔߹ͷΈ༗ޮ - ύϒϦοΫʹެ։͞ΕͨHTML΍JavaScriptʹຒΊࠐΉͷ͸ඇਪ঑ - ࣗ෼PC΍ɺۀ຿༻PCͳͲ͔Βར༻͢Δ৔߹
  14. ©Fusic Co., Ltd. 18 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - IAMೝূ -

    ηΩϡΞͳ৔ॴʹ഑ஔͨ͠ΞΫηεΩʔγʔΫϨοτΩʔΛར༻ ॺ໊෇͖ϦΫΤετΛੜ੒ (ύϒϦοΫNGͳͷ͸ݴΘͣ΋͕ͳ) - AWS Signature Version 4Λ࢖༻ͯ͠ϦΫΤετʹॺ໊ - όοΫΤϯυʹ഑ஔ͢Δͷ͕Ұൠత
  15. ©Fusic Co., Ltd. 19 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - CognitoϢʔβʔϓʔϧΛ௨ͨ͠ೝূʢ಺෦తʹ͸IAMೝূʣ -

    ϢʔβʔϓʔϧΛ࢖༻͠ϢʔβʔೝূΛߦ͍JWTτʔΫϯΛൃߦ - ൃߦ͞ΕͨΞΫηετʔΫϯΛ࢖༻ͯ͠API GatewayʹΞΫηε - API Gateway͸ΞΫηετʔΫϯΛݕূ ಺෦తʹ͸IAMϩʔϧΛ࢖༻ͯ͠ೝՄΛߦ͏
  16. ©Fusic Co., Ltd. 20 ೝূͱೝՄʢCognitoೝূʣ ▪Ϣʔβʔ ↓ᶃϩάΠϯʢϢʔβʔϓʔϧೝূʣ ▪CognitoϢʔβʔϓʔϧ ↓ᶄτʔΫϯൃߦʢIDτʔΫϯɺΞΫηετʔΫϯɺϦϑϨογϡτʔΫϯʣ ▪ΫϥΠΞϯτΞϓϦέʔγϣϯ

    ↓ᶅΞΫηετʔΫϯΛ࢖༻ͯ͠API GatewayʹϦΫΤετ ▪API Gateway ↓ᶆτʔΫϯݕূ ↓ᶇIdentity PoolΛ࢖༻ͯ͠IAMϩʔϧΛऔಘ ▪Cognito Identity Pool ↓ᶈҰ࣌తͳIAMೝূ৘ใΛൃߦ ▪API Gateway ↓ᶉόοΫΤϯυͷAWSϦιʔεʹΞΫηεʢIAMೝূʣ ▪Lambdaؔ਺
  17. ©Fusic Co., Ltd. 21 Amazon API GatewayͷηΩϡϦςΟʢτϥϑΟοΫͷอޢʣ - WAFͷಋೖ -

    AWS WAFΛ࢖༻ͯ͠SQL InjectionɺXSSͳͲͷ߈ܸ͔Βอޢ - Ϩʔτ੍ݶͱεϩοτϦϯά - Ϩʔτ੍ݶͱεϩοτϦϯάΛઃఆ͠ɺDDoS߈ܸΛରࡦ
  18. ©Fusic Co., Ltd. 22 Amazon API GatewayͷηΩϡϦςΟʢωοτϫʔΫηΩϡϦςΟʣ - VPCϦϯΫ -

    API Gateway͔ΒVPC಺ͷϦιʔεʹΞΫηε͢ΔͨΊͷϝΧχζϜ - NLB΍ALBΛ࢖༻ͯ͠API Gateway͔ΒVPC಺ʹ҆શʹ઀ଓ - VPC ΤϯυϙΠϯτ - VPC ΤϯυϙΠϯτΛ௨ͯ͠VPC͔Β API GatewayʹΞΫηεΛߦ͏
  19. ©Fusic Co., Ltd. 25 ؔ਺ͷݖݶઃఆʢIAMϩʔϧʣ - ࠷খݖݶͷݪଇɿඞཁ࠷௿ݶͷݖݶͷ෇༩ - IAMϙϦγʔͷ࡞੒ͱద༻ ɹɹྫʣS3όέοτ΁ͷಡΈऔΓݖݶͷΈ౉͢

    { "Version": "2012-10-17", "Statement": [ { ᴽ "Effect": "Allow", ᴽ "Action": "s3:GetObject", ᴽ "Resource": “arn:aws:s3:::seike460-bucket/*" } ] }
  20. ©Fusic Co., Ltd. 26 ؀ڥม਺ͷ؅ཧͱηΩϡϦςΟ - KMSʹΑΔ҉߸Խ - ؀ڥม਺ʹػີ৘ใΛ֨ೲ͢Δࡍͷ҉߸Խͱ෮߸Խ -

    SAM Template಺Ͱ؀ڥม਺Ληοτ͢Δ࣌ʹར༻ - AWS Secrets Managerͷར༻ - γʔΫϨοτʢࢿ֨৘ใɺAPI KEY౳ʣΛ҆શʹ؅ཧɾऔಘ - ίʔυͰRDSͷ઀ଓ৘ใͳͲΛऔಘ͢Δͱ͖ʹར༻
  21. ©Fusic Co., Ltd. 27 VPCઃఆͱηΩϡϦςΟάϧʔϓ - VPC಺ͷLambdaؔ਺ - ϓϥΠϕʔτϦιʔε΁ͷΞΫηεΛఏڙ -

    RDSʹ઀ଓ͍ͨ͠৔߹౳ʹར༻ - ίʔϧυελʔτɺVPC಺ͷIP਺ʹ஫ҙ͕ඞཁ - ηΩϡϦςΟάϧʔϓͷϕετϓϥΫςΟε - ࠷খݶͷΞΫηεΛڐՄ͢ΔϙϦγʔઃఆ - VPCͷ௨ৗͷӡ༻ͱಉ༷
  22. ©Fusic Co., Ltd. 31 Amazon CloudFrontͷηΩϡϦςΟ(ΦϦδϯαʔόʔͷอޢ) - ΦϦδϯΞΫηεΞΠσϯςΟςΟʢOAIʣ - S3όέοτʹର͢Δ௚઀ΞΫηεΛ๷͗ɺ

    CloudFrontܦ༝ͷΞΫηεͷΈΛڐՄ - ॺ໊෇͖URL͓Αͼॺ໊෇͖ΫοΩʔ - ࢦఆ͞ΕͨϢʔβʔͷΈ͕ΞΫηεՄೳͳURL΍ΫοΩʔΛੜ੒
  23. ©Fusic Co., Ltd. 33 Amazon CloudFrontͷηΩϡϦςΟ(AWS WAFͷઃఆ) - AWS WAF

    - SQLΠϯδΣΫγϣϯɺXSSɺDDoS߈ܸͳͲ͔Βͷ๷ޚ - WAFϧʔϧͷ࡞੒ͱద༻ - ෆਖ਼ϦΫΤετΛϑΟϧλϦϯά͠ɺϒϩοΫ
  24. ©Fusic Co., Ltd. 36 Amazon S3ͷηΩϡϦςΟ(όέοτϙϦγʔͱΞΫηείϯτϩʔϧϦετ) - όέοτϙϦγʔ - JSONܗࣜͰఆٛ͞Εɺόέοτ͓ΑͼͦͷΦϒδΣΫτʹର͢Δ

    ΞΫηε੍ޚΛ؅ཧωοτϫʔΫΞΫηε੍ޚ - ΞΫηείϯτϩʔϧϦετʢACLʣ - όέοτ͓ΑͼΦϒδΣΫτϨϕϧͰͷΞΫηε੍ޚ ྫ) όέοτΛެ։͢ΔACL { "Version": "2012-10-17", "Statement": [ { ᴽ "Effect": "Allow", ᴽ "Principal": "*", ᴽ "Action": "s3:GetObject", ᴽ "Resource": "arn:aws:s3:::example-bucket/*" } ] }
  25. ©Fusic Co., Ltd. 37 Amazon S3ͷηΩϡϦςΟ(αʔόʔαΠυ҉߸Խ) - SSE-S3 - Amazon

    S3؅ཧͷΩʔʹΑΔ҉߸Խ - SSE-KMS - AWS KMS؅ཧͷΩʔʹΑΔ҉߸Խ - SSE-C - ސ٬؅ཧͷΩʔʹΑΔ҉߸Խ
  26. ©Fusic Co., Ltd. 38 Amazon S3ͷηΩϡϦςΟ(ωοτϫʔΫΞΫηε੍ޚ) - VPCΤϯυϙΠϯτ - ϓϥΠϕʔτωοτϫʔΫ಺ͰͷS3ΞΫηεΛఏڙ

    - VPC಺͔ΒAWS LambdaΛར༻͢Δ৔߹͸ઃఆਪ঑ - ύϒϦοΫΞΫηεϒϩοΫ - όέοτ΍ΞΧ΢ϯτϨϕϧͰͷύϒϦοΫΞΫηε੍ޚ - ύϒϦοΫΞΫηεͷඞཁ͕ͳ͍ͱ͖͸ɺύϒϦοΫΞΫηεOFF
  27. ©Fusic Co., Ltd. 39 Amazon S3ͷηΩϡϦςΟ(AWS CloudTrail) - CloudTrailʹΑΔ؂ࠪϩά -

    S3όέοτͷૢ࡞ϩάΛه࿥ - ϩάͷ؂ࢹͱΞϥʔτ - CloudWatchͱͷ࿈ܞͰҟৗΛݕ஌
  28. ©Fusic Co., Ltd. 43 Amazon DynamoDBͷηΩϡϦςΟ(σʔλอޢ) - αʔόʔαΠυ҉߸Խ - อଘσʔλΛ҉߸Խ͢ΔͨΊʹAWS

    KMSΛ࢖༻ - ҉߸Խ͸σϑΥϧτͰ༗ޮɺಡΈग़࣌͠ʹࣗಈతʹ෮߸Խ͞ΕΔ
  29. ©Fusic Co., Ltd. 44 Amazon DynamoDBͷηΩϡϦςΟ(ΞΫηε੍ޚ) - IAMϙϦγʔ - IAMϙϦγʔΛ࢖༻ͯ͠ɺಛఆͷϢʔβʔ΍ϩʔϧʹର͢Δ

    DynamoDBϦιʔε΁ͷΞΫηεΛ੍ޚ - CRUDૢ࡞ʹର͢Δࡉ͔͍ݖݶ؅ཧ - ඞཁ࠷খݶͷݖݶΛ෇༩͠ɺա৒ͳΞΫηεΛ๷ࢭ - IAMϩʔϧͷར༻ - ΞΫηε͢ΔΞϓϦέʔγϣϯʹɺ࠷খݖݶͷIAMϩʔϧΛ෇༩ - Lambdaؔ਺ʹIAMϩʔϧΛ෇༩ͯ͠DynamoDBʹΞΫηε
  30. ©Fusic Co., Ltd. 45 Amazon DynamoDBͷηΩϡϦςΟ(ωοτϫʔΫηΩϡϦςΟ) - VPCΤϯυϙΠϯτ - VPCΤϯυϙΠϯτΛ࢖༻ͯ͠ɺ

    VPC಺͔ΒDynamoDB΁ͷ҆શͳϓϥΠϕʔτΞΫηεΛఏڙ - ΠϯλʔωοτΛܦ༝ͤͣʹDynamoDBʹΞΫηεՄೳ
  31. ©Fusic Co., Ltd. 46 ϩάͱϞχλϦϯά - CloudWatchɺAWS CloudTrail - ϝτϦΫε

    - ϝτϦΫεΛCloudWatchͰ؂ࢹ - ϩά - ֤छϦιʔεͷৄࡉΛϩάʹه࿥ - ΞΫηεཤྺ - ΞϥʔϜ - ҟৗτϥϑΟοΫ΍ΤϥʔϨʔτʹରͯ͠ΞϥʔϜΛઃఆ - ҟৗݕग़࣌ʹSNSΛ࢖༻ͯ͠௨஌Λड͚औΔ
  32. ©Fusic Co., Ltd. 48 ·ͱΊ αʔόʔϨεʹͳ͔ͬͨΒɺηΩϡϦςΟ্͕͕ΔΘ͚Ͱ͸ͳ͍͠ɺෳࡶੑ͸্͕ͬͯ͠·͏ Point 01 ೖޱΛ͔ͬ͠ΓकΔ͜ͱ͸ͱͯ΋ॏཁɻ·ͨೖޱʹηΩϡΞͳ৘ใΛஔ͘ͷ͸ઈରʹආ͚·͠ΐ͏ Point

    02 ͲΜͳଐੑͷ΋ͷΛɺͳΜͷ໨తͰɺͲ͜ʹɺͲͷΑ͏ʹ഑ஔ͢Δͷ͔Λཧղ͢Δ Point 03 ηΩϡΞͳӡ༻Λߦ͏ͨΊʢ΋͘͠͸ཁ݅ʹԠͯ͡ʣʹ͸VPCͷར༻΋૝ఆ͢Δ͜ͱ΋ߟ͑·͠ΐ͏ Point 04