Amazon inspector で自動セキュリティ診断 / Automatic security diagnostics with Amazon inspector

Transcript

1. Amazon Inspector Ͱ ࣗಈηΩϡϦςΟ਍அ גࣜձࣾβούϥε @serima / ࣲࢁ ྮ

2. ࣗݾ঺հ • ىۀˠ·͙·͙ˠάϦʔˠβούϥε • βούϥεೖࣾ 1 ೥ܦͬͨ • αʔόαΠυΤϯδχΞ •

   Πϯϑϥ΋΍͍ͬͯ·͢

3. Rint

4. AWS ࢖ͬͯ·͢ • βούϥεͰ͸ɺҰ෦αʔϏεͰ AWS Λར༻ • EC2/ELB/Route 53/S3/RDS/ElastiCache ౳

   • ελϯμʔυͳߏ੒

5. ੬ऑੑ ಡΊͳ͍

6. ੬ऑੑ • γεςϜͷ҆શ্ͷܽؕ • ηΩϡϦςΟϗʔϧ • ์͓ͬͯ͘ͱɺ͜ΕΛಥ͔Εͯඃ֐Λड͚Δ Մೳੑ͕͋Δ

7. ຖिͷΑ͏ʹݟ͔ͭΔ੬ऑੑ

8. ৘ใݯ • JPCERT • IPA • Wordpress ެࣜαΠτ • PHP

   ެࣜαΠτ • ଞʹ΋͍Ζ͍Ζ…
9. None

10. CVE • Common Vulnerabilities and Exposures • ڞ௨੬ऑੑࣝผࢠ • ถࠃͷMITRE͕ࣾఏڙ͍ͯ͠Δ੬ऑੑ৘ใ

    σʔλϕʔε • CVE-ID ͸ҰҙʹৼΒΕɺੈքڞ௨

11. ηΩϡϦςΟνΣοΫɺ ͯ͠·͔͢ʁ

12. Amazon Inspector • 2016೥5݄ʹҰൠར༻։࢝ • EC2 Πϯελϯεͷ੬ऑੑΛݕ஌ͯ͘͠ΕΔ αʔϏε

13. None
14. None

15. ԿͷνΣοΫ͕Ͱ͖Δͷ͔ • Common Vulnerabilities and Exposures • CIS Operating System

    Security Configuration Benchmarks • Security Best Practices • Runtime Behavior Analysis

16. खॱ • Inspector ༻ͷϩʔϧΛ࡞੒͢Δ • ର৅ͱ͢Δ EC2 ΠϯελϯεʹλάΛઃఆ • σʔϞϯΛΠϯετʔϧ

    • ධՁςϯϓϨʔτͷ࡞੒ • Ͳͷλά͕͍ͭͨΠϯελϯεʹ͍࣮ͭͯߦ͢Δͷ͔ • ԿͷηΩϡϦςΟνΣοΫΛߦ͏ͷ͔ • ࣮ߦ
17. None

18. $ curl -O https:// d1wk0tztpsntt1.cloudfront. net/linux/latest/install $ sudo bash install

19. None

20. ࢼݧ༻ʹ OpenSSL ͷ όʔδϣϯ͕গ͠ݹ͍ ΠϯελϯεΛ༻ҙ

21. None

22. ݁Ռ

23. ͦΕͧΕʹ͍ͭͯৄࡉઆ໌ͱରॲ๏͕ࢀরͰ͖Δ

24. Ϧϕϯδ ͱΓ͋͑ͣॏཁ౓ High ͷ΋ͷ͸ͳ͘ͳͬͨ

25. ֦͕Γͱͯ͠͸ • Amazon SNS ରԠ͍ͯ͠ΔͷͰɺ׬ྃ࣌ʹ Slack ͳͲʹ௨஌ • ΋ͪΖΜ SDK

    ΋ެ։͞Ε͍ͯΔͷͰɺఆظత ʹࣗಈ࣮ߦͤ͞Δ͜ͱ΋Մೳ
 ʢࠓͷͱ͜Ζίϯιʔϧ͔ΒͰ͖Δػೳ͸ͳ ͛͞ʣ

26. ҆৺ɾ҆શͳ։ൃΛ • ͱ͸͍͑ɺ͜Ε͚ͩͰ͸ෆे෼ • ੬ऑੑʹରͯ͠ɺҰఆͷอݥΛ͔͚Δ • χϡʔεΛνΣοΫͯ͠ɺద੾ͳରԠΛʂ