Secure Serverless Architecture

Transcript

1. ©Fusic Co., Ltd. 1 Secure Serverless Architecture 2024.05.23 @seike460 Security-JAWSʲୈ33ճʳ

2. ©Fusic Co., Ltd. 2 ਗ਼Ո ࢙࿠ @seike460 AWS Community Builder

   Serverless ίϛϡχςΟ Fukuoka.php Fukuoka.go JAWS-UG Fukuoka Serverless Meetup Fukuoka Cloudflare Meetup Fukuoka JP_Stripes Fukuoka ࣗݾ঺հ ͸͡Ίʹ גࣜձࣾFusic ϓϦϯγύϧΤϯδχΞ/ΤόϯδΣϦετ

3. ©Fusic Co., Ltd. 3 CONTENTS ໨࣍ 1. αʔόʔϨεΞʔΩςΫνϟͷར఺ͱ՝୊ 2. Amazon

   API GatewayɺAWS LambdaͷηΩϡϦςΟ 3. Amazon CloudFrontɺAmazon S3ͷηΩϡϦςΟ 4. Amazon DynamoDBͷηΩϡϦςΟ 5. ·ͱΊ

4. ©Fusic Co., Ltd. 4 αʔόʔϨεΞʔΩςΫνϟͷར఺ͱ՝୊ 1

5. ©Fusic Co., Ltd. 5 αʔόʔϨεͱ͸ͳΜͳͷ͔ 言 Cloud Native Computing Foundation

   CNCF Serverless Whitepaper v 1 . 0 行 https://github.com/cncf/wg-serverless/tree/master/whitepapers/serverless-overview

6. ©Fusic Co., Ltd. 6 αʔόʔϨεΞʔΩςΫνϟͷར఺ - - 自 - -

   用 金 - 用 - - - - 高 用 - AWS 自 長

7. ©Fusic Co., Ltd. 7 αʔόʔϨεΞʔΩςΫνϟͷ՝୊ - ηΩϡϦςΟͷෳࡶੑ - αʔόʔϨε؀ڥಛ༗ͷηΩϡϦςΟϦεΫͱରࡦ͕ඞཁ -

   ϞχλϦϯάͱτϥϒϧγϡʔςΟϯάͷ೉͠͞ - ෼ࢄΞʔΩςΫνϟͷͨΊɺτϥϒϧγϡʔςΟϯά͕ෳࡶԽ - ґଘؔ܎ͷ؅ཧ - ෳ਺ͷϚΠΫϩαʔϏεؒͰͷґଘؔ܎ͱͦͷ؅ཧ - ίʔϧυελʔτ - ؔ਺ͷॳճݺͼग़࣌͠ʹൃੜ͢Δ஗Ԇ - ϕετϓϥΫςΟεͷਐԽ - ٕज़ͷਐలʹ൐͍ɺ࠷৽ͷϕετϓϥΫςΟεΛৗʹֶͼଓ͚Δඞཁੑ

8. ©Fusic Co., Ltd. 8 αʔόʔϨεΞʔΩςΫνϟͷ՝୊ - ηΩϡϦςΟͷෳࡶੑ - αʔόʔϨε؀ڥಛ༗ͷηΩϡϦςΟϦεΫͱରࡦ͕ඞཁ -

   ϞχλϦϯάͱτϥϒϧγϡʔςΟϯάͷ೉͠͞ - ෼ࢄΞʔΩςΫνϟͷͨΊɺτϥϒϧγϡʔςΟϯά͕ෳࡶԽ - ґଘؔ܎ͷ؅ཧ - ෳ਺ͷϚΠΫϩαʔϏεؒͰͷґଘؔ܎ͱͦͷ؅ཧ - ίʔϧυελʔτ - ؔ਺ͷॳճݺͼग़࣌͠ʹൃੜ͢Δ஗Ԇ - ϕετϓϥΫςΟεͷਐԽ - ٕज़ͷਐలʹ൐͍ɺ࠷৽ͷϕετϓϥΫςΟεΛৗʹֶͼଓ͚Δඞཁੑ

9. ©Fusic Co., Ltd. 9 ηΩϡϦςΟͷॏཁੑ - σʔλ࿙ӮϦεΫ - ݸਓ৘ใ΍ػີ৘ใͷ࿙Ӯ͸اۀͷ৴པΛଛͳ͏ -

   αΠόʔ߈ܸͷ૿Ճ - Ϋϥ΢υ؀ڥΛૂͬͨ߈ܸ͕૿Ճ͓ͯ͠Γɺରࡦ͕ෆՄܽ - ίϯϓϥΠΞϯε९क - GDPR΍HIPAAͳͲͷن੍ʹରԠ͢ΔͨΊͷηΩϡϦςΟાஔ - Ϗδωεܧଓੑ - ηΩϡϦςΟΠϯγσϯτ͕ൃੜ͢Δͱ ϏδωεͷܧଓʹࢧোΛ͖ͨ͢Մೳੑ

10. ©Fusic Co., Ltd. 10 ηΩϡϦςΟରࡦͷΞϓϩʔν - ༧๷ - ΞΫηε੍ޚ΍σʔλ҉߸ԽʹΑΔ༧๷ࡦ -

    ݕ஌ - ҟৗݕ஌΍ϩά؂ࢹʹΑΔϦΞϧλΠϜͷ؂ࢹ - ରԠ - Πϯγσϯτൃੜ࣌ͷਝ଎ͳରԠͱ෮چखॱ - ෮چ - σʔλόοΫΞοϓͱϦετΞϓϩηεͷཱ֬

11. ©Fusic Co., Ltd. 11 ηΩϡϦςΟରࡦͷΞϓϩʔν - ༧๷ - ΞΫηε੍ޚ΍σʔλ҉߸ԽʹΑΔ༧๷ࡦ -

    ݕ஌ - ҟৗݕ஌΍ϩά؂ࢹʹΑΔϦΞϧλΠϜͷ؂ࢹ - ରԠ - Πϯγσϯτൃੜ࣌ͷਝ଎ͳରԠͱ෮چखॱ - ෮چ - σʔλόοΫΞοϓͱϦετΞϓϩηεͷཱ֬

12. ©Fusic Co., Ltd. 12 ର৅ͱ͢ΔAWS αʔϏε - Amazon API Gateway

    - AWS Lambda - Amazon CloudFront - Amazon S3 - Amazon DynamoDB

13. ©Fusic Co., Ltd. 13 Amazon API GatewayɺAWS LambdaͷηΩϡϦςΟ 2

14. ©Fusic Co., Ltd. 14 Amazon API GatewayͷηΩϡϦςΟ ·ͣ͸ϦΫΤετͷೖΓޱͷ෦෼ʹ஫໨͠·͢ Ұൠతʹ͸͜ͷೖޱ෦෼ʹରͯ͠߈ܸΛड͚ΔՄೳੑ͕͋Γ·͢ɻ ೖΓޱ͔ΒόοΫΤϯυʹߦ͚ͳ͚Ε͹ɺ

    جຊతʹ߈ܸ͸੒ޭ͠·ͤΜɻ

15. ©Fusic Co., Ltd. 15 Amazon API GatewayͷηΩϡϦςΟ - ೝূͱೝՄ -

    τϥϑΟοΫͷอޢ - ωοτϫʔΫηΩϡϦςΟ

16. ©Fusic Co., Ltd. 16 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - API KEYೝূ

    - IAMೝূ - CognitoϢʔβʔϓʔϧΛ௨ͨ͠ೝূʢ಺෦తʹ͸IAMೝূʣ

17. ©Fusic Co., Ltd. 17 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - API KEYೝূ

    - ΫϥΠΞϯτ͕৴༻Ͱ͖Δ৔߹ͷΈ༗ޮ - ύϒϦοΫʹެ։͞ΕͨHTML΍JavaScriptʹຒΊࠐΉͷ͸ඇਪ঑ - ࣗ෼PC΍ɺۀ຿༻PCͳͲ͔Βར༻͢Δ৔߹

18. ©Fusic Co., Ltd. 18 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - IAMೝূ -

    ηΩϡΞͳ৔ॴʹ഑ஔͨ͠ΞΫηεΩʔγʔΫϨοτΩʔΛར༻ ॺ໊෇͖ϦΫΤετΛੜ੒ (ύϒϦοΫNGͳͷ͸ݴΘͣ΋͕ͳ) - AWS Signature Version 4Λ࢖༻ͯ͠ϦΫΤετʹॺ໊ - όοΫΤϯυʹ഑ஔ͢Δͷ͕Ұൠత

19. ©Fusic Co., Ltd. 19 Amazon API GatewayͷηΩϡϦςΟʢೝূͱೝՄʣ - CognitoϢʔβʔϓʔϧΛ௨ͨ͠ೝূʢ಺෦తʹ͸IAMೝূʣ -

    ϢʔβʔϓʔϧΛ࢖༻͠ϢʔβʔೝূΛߦ͍JWTτʔΫϯΛൃߦ - ൃߦ͞ΕͨΞΫηετʔΫϯΛ࢖༻ͯ͠API GatewayʹΞΫηε - API Gateway͸ΞΫηετʔΫϯΛݕূ ಺෦తʹ͸IAMϩʔϧΛ࢖༻ͯ͠ೝՄΛߦ͏

20. ©Fusic Co., Ltd. 20 ೝূͱೝՄʢCognitoೝূʣ ▪Ϣʔβʔ ↓ᶃϩάΠϯʢϢʔβʔϓʔϧೝূʣ ▪CognitoϢʔβʔϓʔϧ ↓ᶄτʔΫϯൃߦʢIDτʔΫϯɺΞΫηετʔΫϯɺϦϑϨογϡτʔΫϯʣ ▪ΫϥΠΞϯτΞϓϦέʔγϣϯ

    ↓ᶅΞΫηετʔΫϯΛ࢖༻ͯ͠API GatewayʹϦΫΤετ ▪API Gateway ↓ᶆτʔΫϯݕূ ↓ᶇIdentity PoolΛ࢖༻ͯ͠IAMϩʔϧΛऔಘ ▪Cognito Identity Pool ↓ᶈҰ࣌తͳIAMೝূ৘ใΛൃߦ ▪API Gateway ↓ᶉόοΫΤϯυͷAWSϦιʔεʹΞΫηεʢIAMೝূʣ ▪Lambdaؔ਺

21. ©Fusic Co., Ltd. 21 Amazon API GatewayͷηΩϡϦςΟʢτϥϑΟοΫͷอޢʣ - WAFͷಋೖ -

    AWS WAFΛ࢖༻ͯ͠SQL InjectionɺXSSͳͲͷ߈ܸ͔Βอޢ - Ϩʔτ੍ݶͱεϩοτϦϯά - Ϩʔτ੍ݶͱεϩοτϦϯάΛઃఆ͠ɺDDoS߈ܸΛରࡦ

22. ©Fusic Co., Ltd. 22 Amazon API GatewayͷηΩϡϦςΟʢωοτϫʔΫηΩϡϦςΟʣ - VPCϦϯΫ -

    API Gateway͔ΒVPC಺ͷϦιʔεʹΞΫηε͢ΔͨΊͷϝΧχζϜ - NLB΍ALBΛ࢖༻ͯ͠API Gateway͔ΒVPC಺ʹ҆શʹ઀ଓ - VPC ΤϯυϙΠϯτ - VPC ΤϯυϙΠϯτΛ௨ͯ͠VPC͔Β API GatewayʹΞΫηεΛߦ͏

23. ©Fusic Co., Ltd. 23 AWS LambdaͷηΩϡϦςΟ AWS Lambda͕ಛʹؾΛ͚ͭΔ΂͖͸IAMͷݖݶͰ͢ αʔόʔϨεͷίΞ͔ͩΒͦ͜ɺ༷ʑͳ໾ׂΛ୲͍·͢ͷͰ ࣮֬ʹʮIAM࠷খݖݶͷݪଇʯΛҙࣝ͠·͠ΐ͏

24. ©Fusic Co., Ltd. 24 AWS LambdaͷηΩϡϦςΟ - ؔ਺ͷݖݶઃఆʢIAMϩʔϧʣ - ؀ڥม਺ͷ؅ཧͱηΩϡϦςΟ

    - VPCઃఆͱηΩϡϦςΟάϧʔϓ

25. ©Fusic Co., Ltd. 25 ؔ਺ͷݖݶઃఆʢIAMϩʔϧʣ - ࠷খݖݶͷݪଇɿඞཁ࠷௿ݶͷݖݶͷ෇༩ - IAMϙϦγʔͷ࡞੒ͱద༻ ɹɹྫʣS3όέοτ΁ͷಡΈऔΓݖݶͷΈ౉͢

    { "Version": "2012-10-17", "Statement": [ { ᴽ "Effect": "Allow", ᴽ "Action": "s3:GetObject", ᴽ "Resource": “arn:aws:s3:::seike460-bucket/*" } ] }

26. ©Fusic Co., Ltd. 26 ؀ڥม਺ͷ؅ཧͱηΩϡϦςΟ - KMSʹΑΔ҉߸Խ - ؀ڥม਺ʹػີ৘ใΛ֨ೲ͢Δࡍͷ҉߸Խͱ෮߸Խ -

    SAM Template಺Ͱ؀ڥม਺Ληοτ͢Δ࣌ʹར༻ - AWS Secrets Managerͷར༻ - γʔΫϨοτʢࢿ֨৘ใɺAPI KEY౳ʣΛ҆શʹ؅ཧɾऔಘ - ίʔυͰRDSͷ઀ଓ৘ใͳͲΛऔಘ͢Δͱ͖ʹར༻

27. ©Fusic Co., Ltd. 27 VPCઃఆͱηΩϡϦςΟάϧʔϓ - VPC಺ͷLambdaؔ਺ - ϓϥΠϕʔτϦιʔε΁ͷΞΫηεΛఏڙ -

    RDSʹ઀ଓ͍ͨ͠৔߹౳ʹར༻ - ίʔϧυελʔτɺVPC಺ͷIP਺ʹ஫ҙ͕ඞཁ - ηΩϡϦςΟάϧʔϓͷϕετϓϥΫςΟε - ࠷খݶͷΞΫηεΛڐՄ͢ΔϙϦγʔઃఆ - VPCͷ௨ৗͷӡ༻ͱಉ༷

28. ©Fusic Co., Ltd. 28 Amazon CloudFrontɺAmazon S3ͷηΩϡϦςΟ 3

29. ©Fusic Co., Ltd. 29 Amazon CloudFrontͷηΩϡϦςΟ ΦϦδϯʹͳΔʢࣄ͕ଟ͍ʣAmazon S3ΛͲ͏อޢ͢Δ͔ Ұ൪લʹཱͭ͜ͱʹͳΔͷͰɺAWS WAFͳͲͰकΔ͜ͱΛࢹ໺ʹೖΕΔ

30. ©Fusic Co., Ltd. 30 Amazon CloudFrontͷηΩϡϦςΟ - ΦϦδϯαʔόʔͷอޢ - HTTPSͷڧ੍ͱSSL/TLSͷઃఆ

    - AWS WAFͷઃఆ

31. ©Fusic Co., Ltd. 31 Amazon CloudFrontͷηΩϡϦςΟ(ΦϦδϯαʔόʔͷอޢ) - ΦϦδϯΞΫηεΞΠσϯςΟςΟʢOAIʣ - S3όέοτʹର͢Δ௚઀ΞΫηεΛ๷͗ɺ

    CloudFrontܦ༝ͷΞΫηεͷΈΛڐՄ - ॺ໊෇͖URL͓Αͼॺ໊෇͖ΫοΩʔ - ࢦఆ͞ΕͨϢʔβʔͷΈ͕ΞΫηεՄೳͳURL΍ΫοΩʔΛੜ੒

32. ©Fusic Co., Ltd. 32 Amazon CloudFrontͷηΩϡϦςΟ(HTTPSͷڧ੍ͱSSL/TLSͷઃఆ) - HTTPSͷڧ੍ઃఆ - HTTPϦΫΤετΛHTTPSʹϦμΠϨΫτ

    - ΧελϜSSLূ໌ॻ - AWS Certificate Manager (ACM)Ͱऔಘͨ͠ূ໌ॻͷར༻

33. ©Fusic Co., Ltd. 33 Amazon CloudFrontͷηΩϡϦςΟ(AWS WAFͷઃఆ) - AWS WAF

    - SQLΠϯδΣΫγϣϯɺXSSɺDDoS߈ܸͳͲ͔Βͷ๷ޚ - WAFϧʔϧͷ࡞੒ͱద༻ - ෆਖ਼ϦΫΤετΛϑΟϧλϦϯά͠ɺϒϩοΫ

34. ©Fusic Co., Ltd. 34 Amazon S3ͷηΩϡϦςΟ Amazon S3ͷΞΫηείϯτϩʔϧΛద੾ʹ͢Δ͜ͱ ·ͨެ։͞ΕΔ͜ͱΛҙࣝͯ͠ެ։͢ΔHTMLɺCSSɺJSʹؔͯ͠͸ ʮઈରʹʯΞΫηεΩʔɺγʔΫϨοτΩʔͳͲͷॏཁ৘ใΛ഑ஔ͠ͳ͍

35. ©Fusic Co., Ltd. 35 Amazon S3ͷηΩϡϦςΟ - όέοτϙϦγʔͱΞΫηείϯτϩʔϧϦετʢACLʣ - αʔόʔαΠυ҉߸Խ

    - ωοτϫʔΫΞΫηε੍ޚ - AWS CloudTrail

36. ©Fusic Co., Ltd. 36 Amazon S3ͷηΩϡϦςΟ(όέοτϙϦγʔͱΞΫηείϯτϩʔϧϦετ) - όέοτϙϦγʔ - JSONܗࣜͰఆٛ͞Εɺόέοτ͓ΑͼͦͷΦϒδΣΫτʹର͢Δ

    ΞΫηε੍ޚΛ؅ཧωοτϫʔΫΞΫηε੍ޚ - ΞΫηείϯτϩʔϧϦετʢACLʣ - όέοτ͓ΑͼΦϒδΣΫτϨϕϧͰͷΞΫηε੍ޚ ྫ) όέοτΛެ։͢ΔACL { "Version": "2012-10-17", "Statement": [ { ᴽ "Effect": "Allow", ᴽ "Principal": "*", ᴽ "Action": "s3:GetObject", ᴽ "Resource": "arn:aws:s3:::example-bucket/*" } ] }

37. ©Fusic Co., Ltd. 37 Amazon S3ͷηΩϡϦςΟ(αʔόʔαΠυ҉߸Խ) - SSE-S3 - Amazon

    S3؅ཧͷΩʔʹΑΔ҉߸Խ - SSE-KMS - AWS KMS؅ཧͷΩʔʹΑΔ҉߸Խ - SSE-C - ސ٬؅ཧͷΩʔʹΑΔ҉߸Խ

38. ©Fusic Co., Ltd. 38 Amazon S3ͷηΩϡϦςΟ(ωοτϫʔΫΞΫηε੍ޚ) - VPCΤϯυϙΠϯτ - ϓϥΠϕʔτωοτϫʔΫ಺ͰͷS3ΞΫηεΛఏڙ

    - VPC಺͔ΒAWS LambdaΛར༻͢Δ৔߹͸ઃఆਪ঑ - ύϒϦοΫΞΫηεϒϩοΫ - όέοτ΍ΞΧ΢ϯτϨϕϧͰͷύϒϦοΫΞΫηε੍ޚ - ύϒϦοΫΞΫηεͷඞཁ͕ͳ͍ͱ͖͸ɺύϒϦοΫΞΫηεOFF

39. ©Fusic Co., Ltd. 39 Amazon S3ͷηΩϡϦςΟ(AWS CloudTrail) - CloudTrailʹΑΔ؂ࠪϩά -

    S3όέοτͷૢ࡞ϩάΛه࿥ - ϩάͷ؂ࢹͱΞϥʔτ - CloudWatchͱͷ࿈ܞͰҟৗΛݕ஌

40. ©Fusic Co., Ltd. 40 Amazon DynamoDBͷηΩϡϦςΟ 4

41. ©Fusic Co., Ltd. 41 Amazon DynamoDBͷηΩϡϦςΟ Amazon DynamoDBͷΞΫηείϯτϩʔϧΛద੾ʹ͢Δ͜ͱ σʔλอޢʹ͍ͭͯ͸جຊతʹࣗಈతʹ͞ΕΔͷͰ ಛผͳࣄ৘͕ͳ͍͔͗Γղআ͠ͳ͍Α͏ʹ͢Δ

42. ©Fusic Co., Ltd. 42 Amazon DynamoDBͷηΩϡϦςΟ - σʔλอޢ - ΞΫηε੍ޚ

    - ωοτϫʔΫηΩϡϦςΟ

43. ©Fusic Co., Ltd. 43 Amazon DynamoDBͷηΩϡϦςΟ(σʔλอޢ) - αʔόʔαΠυ҉߸Խ - อଘσʔλΛ҉߸Խ͢ΔͨΊʹAWS

    KMSΛ࢖༻ - ҉߸Խ͸σϑΥϧτͰ༗ޮɺಡΈग़࣌͠ʹࣗಈతʹ෮߸Խ͞ΕΔ

44. ©Fusic Co., Ltd. 44 Amazon DynamoDBͷηΩϡϦςΟ(ΞΫηε੍ޚ) - IAMϙϦγʔ - IAMϙϦγʔΛ࢖༻ͯ͠ɺಛఆͷϢʔβʔ΍ϩʔϧʹର͢Δ

    DynamoDBϦιʔε΁ͷΞΫηεΛ੍ޚ - CRUDૢ࡞ʹର͢Δࡉ͔͍ݖݶ؅ཧ - ඞཁ࠷খݶͷݖݶΛ෇༩͠ɺա৒ͳΞΫηεΛ๷ࢭ - IAMϩʔϧͷར༻ - ΞΫηε͢ΔΞϓϦέʔγϣϯʹɺ࠷খݖݶͷIAMϩʔϧΛ෇༩ - Lambdaؔ਺ʹIAMϩʔϧΛ෇༩ͯ͠DynamoDBʹΞΫηε

45. ©Fusic Co., Ltd. 45 Amazon DynamoDBͷηΩϡϦςΟ(ωοτϫʔΫηΩϡϦςΟ) - VPCΤϯυϙΠϯτ - VPCΤϯυϙΠϯτΛ࢖༻ͯ͠ɺ

    VPC಺͔ΒDynamoDB΁ͷ҆શͳϓϥΠϕʔτΞΫηεΛఏڙ - ΠϯλʔωοτΛܦ༝ͤͣʹDynamoDBʹΞΫηεՄೳ

46. ©Fusic Co., Ltd. 46 ϩάͱϞχλϦϯά - CloudWatchɺAWS CloudTrail - ϝτϦΫε

    - ϝτϦΫεΛCloudWatchͰ؂ࢹ - ϩά - ֤छϦιʔεͷৄࡉΛϩάʹه࿥ - ΞΫηεཤྺ - ΞϥʔϜ - ҟৗτϥϑΟοΫ΍ΤϥʔϨʔτʹରͯ͠ΞϥʔϜΛઃఆ - ҟৗݕग़࣌ʹSNSΛ࢖༻ͯ͠௨஌Λड͚औΔ

47. ©Fusic Co., Ltd. 47 ·ͱΊ 5

48. ©Fusic Co., Ltd. 48 ·ͱΊ αʔόʔϨεʹͳ͔ͬͨΒɺηΩϡϦςΟ্͕͕ΔΘ͚Ͱ͸ͳ͍͠ɺෳࡶੑ͸্͕ͬͯ͠·͏ Point 01 ೖޱΛ͔ͬ͠ΓकΔ͜ͱ͸ͱͯ΋ॏཁɻ·ͨೖޱʹηΩϡΞͳ৘ใΛஔ͘ͷ͸ઈରʹආ͚·͠ΐ͏ Point

    02 ͲΜͳଐੑͷ΋ͷΛɺͳΜͷ໨తͰɺͲ͜ʹɺͲͷΑ͏ʹ഑ஔ͢Δͷ͔Λཧղ͢Δ Point 03 ηΩϡΞͳӡ༻Λߦ͏ͨΊʢ΋͘͠͸ཁ݅ʹԠͯ͡ʣʹ͸VPCͷར༻΋૝ఆ͢Δ͜ͱ΋ߟ͑·͠ΐ͏ Point 04

49. ©Fusic Co., Ltd. 49 Thank You We are Hiring! https://recruit.fusic.co.jp/

    ͝ਗ਼ௌ͍͖ͨͩ͋Γ͕ͱ͏͍͟͝·ͨ͠