AWSにおけるクラウドネイティブでセキュアな証券システムの運用 / aws-summit-tokyo-2019-l2-03-finatext

Transcript

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
   S U M M I T
   AWSʹ͓͚ΔΫϥ΢υωΠςΟϒͰ
   ηΩϡΞͳূ݊γεςϜͷӡ༻
   Satoshi Tajima
   Twitter: @s_tajima
   Lead Developer
   Finatext Holdings Ltd.
   L 2 - 0 3
   Atsushi Ishibashi
   Twitter: @bashi0501
   Lead Developer
   Finatext Holdings Ltd.
   

   View Slide

2. View Slide

3. View Slide

4. View Slide

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
   S U M M I T
   1. STREAMͷγεςϜ
   2. Ϋϥ΢υωΠςΟϒͱθϩτϥετͷ࣮ફ
   • Opsαʔό
   • ೝূ
   • ঝೝ
   • ηΩϡϦςΟϞχλϦϯά
   3. ࠓޙͷల๬
   Agenda
   

   View Slide

6. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
   STREAMͷγεςϜ
   

   View Slide

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
   S U M M I T
   • ͢΂ͯͷγεςϜ͕ ΞϚκϯ ΢Σϒ αʔϏε(AWS) ্ͰՔಇ
   • ढ़හੑͷ͋ΔαʔόϦιʔεௐୡ͕Մೳ
   • ਺ΫϦοΫ or ਺ίϚϯυͰ৽͍͠αʔόϦιʔε͕ར༻Մೳʹ
   • ࣄۀͷঢ়گ͕೔ʑେ͖͘มԽ͢Δϕϯνϟʔاۀʹͱͬͯ͜ͷढ़හੑ͸ෆՄܽ
   • αʔόϦιʔεͷಈతͳ૿ݮ͕Մೳ
   • ূ݊γεςϜ͸βϥ৔தͱβϥ৔֎ͰγεςϜͷෛՙ͕େ͖͘มಈ͢Δ
   • βϥ৔֎Ͱ͸ෆཁͳαʔόϦιʔεΛఀࢭ͢Δ͜ͱͰίετ࡟ݮ͕Մೳ
   • ӡ༻ෛ୲ܰݮͱੜ࢈ੑͷ޲্͕Մೳ
   • ੹೚ڞ༗Ϟσϧ΍ɺଟ͘ͷϚωʔδυαʔϏεʹΑΓɺγεςϜͷӡ༻ෛՙ͕ܰݮ
   • ϏδωεͷίΞͳ෦෼ͷ։ൃʹ஫ྗͰ͖Δ
   STREAMͷγεςϜ
   

   View Slide

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
   S U M M I T
   • FISCʹΑΔʮ҆શରࡦج४ɾղઆॻʯʹैͬͨγεςϜ
   • ਖ਼ࣜʹ͸ʮۚ༥ػؔ౳ίϯϐϡʔλγεςϜͷ҆શରࡦج४ɾղઆॻʯ
   • ۚ༥ػؔ౳ͷ৘ใγεςϜͷ҆શରࡦʹؔ͢ΔσϑΝΫτελϯμʔυ
   • ࠷৽ͷୈ9൛ʹ͓͍ͯ͸ɺϦεΫϕʔεΞϓϩʔνΛऔΓೖΕΔ͜ͱΛਪ঑͍ͯ͠Δ
   • શͯͷϦεΫΛθϩʹ͢Δͷ͸ඞͣ͠΋߹ཧతͰ͸ͳ͘ɺ

   ঢ়گʹ߹Θͤͯద੾ͳରԠΛߟ͑·͠ΐ͏ͱ͍͏΋ͷ
   • ͋Β͔͡ΊఆΊΒΕͨըҰతͳ΍Γํʹै͍ͬͯΔ͚ͩͰ͍͍Θ͚Ͱ͸ͳ͘ɺ

   ࣗΒͷ؀ڥʹͱͬͯద੾ͳITΨόφϯεΛݕ౼͢Δඞཁ͕͋Δ
   STREAMͷγεςϜ
   

   View Slide

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
   S U M M I T
   • AWS্Ͱͷద੾ͳITΨόφϯε
   • AWS FinTech ϦϑΝϨϯεɾΞʔΩςΫνϟʔ 

   (https://aws.amazon.com/jp/blogs/news/aws-fintech-architecture-jp/) Λࢀߟʹ
   • Ϋϥ΢υωΠςΟϒ΍θϩτϥετͷߟ͑ํΛऔΓೖΕΔ͜ͱͰ

   ࣗΒͷ؀ڥʹͱͬͯద੾ Ͱ ϦεΫϕʔεΞϓϩʔν ͳγεςϜΛߏங
   STREAMͷγεςϜ
   

   View Slide

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Ϋϥ΢υωΠςΟϒ
    • ΦϯϓϨϛε؀ڥΛલఏͱͨ͠ैདྷͷγεςϜߏஙͷํ๏࿦ʹറΒΕͣɺΫϥ΢υͷಛੑΛे
    ෼ʹ׆͔ͨ͠γεςϜΛߏங͢Δ͜ͱ
    • ୯ʹΫϥ΢υΛ࢖͍ͬͯΔ͚ͩͷঢ়گΛࢦ͢Θ͚Ͱ͸ͳ͍

    • θϩτϥετ
    • ڴҖ͸͍͔ͳΔ৔ॴʹ΋ଘࡏ͠ɺ͢΂ͯͷ؀ڥ͸߈ܸɾ৵֐͞Ε͏Δͱ͍͏લఏʹཱͭ
    • ରࡦʹ࢖͑ΔϦιʔε͸༗ݶͰ͋Δ͜ͱΛೝΊɺ͋ΒΏΔڴҖʹ׬શͳରࡦΛߦ͏ͷͰ͸ͳ
    ͘ɺඅ༻ରޮՌΛҙࣝͨ͠ࢪࡦΛ࣮ࢪ͢΂͖
    STREAMͷγεςϜ
    

    View Slide

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Ϋϥ΢υωΠςΟϒ × θϩτϥετ
    • ʮϦιʔεΛ࢖͍ࣺͯʹͯ͠ఆظతʹ࠶ߏங͠ɺ؀ڥΛΫϦʔϯʹอͭʯ
    • ʮݖݶΛಈతʹ෇༩͠ɺΫϨσϯγϟϧ͸୹ظؒͰࣦޮͤ͞Δʯ
    • ʮϚωʔδυαʔϏεΛੵۃతʹ࢖͍ɺඅ༻ରޮՌͷߴ͍ηΩϡϦςΟࢪࡦΛ࣮ࢪ͢Δʯ
    STREAMͷγεςϜ
    

    View Slide

12. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Ϋϥ΢υωΠςΟϒͱ
    θϩτϥετͷ࣮ફ
    

    View Slide

13. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Opsαʔό
    

    View Slide

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Opsαʔό (Operationsαʔό) ͱ͸
    • ຊ൪؀ڥʹର͢ΔΦϖϨʔγϣϯΛ͢ΔͨΊͷαʔό
    • Ұൠతʹ͸ɺ౿Έ୆αʔόɾήʔτ΢ΣΠαʔό౳ͱݺ͹ΕΔ͜ͱ͕ଟ͍
    • ͳͥඞཁ͔
    • ϓϥΠϕʔτͳωοτϫʔΫ಺ͷϦιʔε΁ͷΞΫηεͷதܧ
    • ෺ཧతͳฆࣦ΍౪೉ͷϦεΫͷߴ͍୺຤ʹॏཁͳσʔλΛ࢒͞ͳ͍ͨΊ
    • ॏཁͳσʔλͷऔΓѻ͍Λޮ཰తʹ؂ࠪ͢ΔͨΊ
    • ୭Ͱ΋؆୯ʹར༻Ͱ͖ΔωοτϫʔΫճઢ͔ΒॏཁͳσʔλʹΞΫηεͤ͞ͳ͍ͨΊ
    • ෳ਺ͷ࡞ۀऀͷ؀ڥΛ౷Ұ͢ΔͨΊ
    Opsαʔό
    

    View Slide

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ඇΫϥ΢υωΠςΟϒͳख๏ͷྫ
    • ʮৗઃʯͰʮڞ༗ʯͷOpsαʔό
    Opsαʔό
    

    View Slide

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷख๏ͷ໰୊఺
    • ʮৗઃʯ
    • ຊ൪؀ڥ΁ͷܦ࿏͕ৗʹ͍͍͋ͯΔঢ়ଶ
    • Ұ౓Ϛϧ΢ΣΞʹײછͯ͠͠·͏ͱɺ௕ظؒͦͷ··ʹͳͬͯ͠·͏
    • Ϛγϯ্ʹॏཁͳσʔλ͕஝ੵͯ͠͠·͏
    • ʮڞ༗ʯ
    • ΞΫηεͰ͖ΔϦιʔεΛ࡞ۀऀຖʹ੍ݶ͢Δͷ͕೉͍͠
    • ଞͷ࡞ۀऀͷσʔλʹΞΫηεͰ͖ͯ͠·͏/͞Εͯ͠·͏ (ݖݶઃఆͷෆඋ/ݖݶঢ֨)
    Opsαʔό
    

    View Slide

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Ϋϥ΢υωΠςΟϒͳख๏
    • ʮ࢖͍ࣺͯʯͰʮઐ༻ʯͷOpsαʔό
    Opsαʔό
    

    View Slide

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • STREAMʹ͓͚Δӡ༻
    • Opsαʔόઐ༻ͷAWSΞΧ΢ϯτΛ༻ҙ
    • ຊ൪؀ڥͷVPCͱVPC PeeringͰ࿈ܞ
    • ࡞ۀऀݸਓຖʹ1୆ͷEC2ΠϯελϯεΛOpsαʔόͱׂͯ͠Γ౰ͯ
    • Opsαʔό͸ඞཁͳͱ͖ʹࣗ෼ࣗ਎Ͱىಈ͢Δ
    • Security GroupͱIAMͷInstance Profile΋ɺ࡞ۀऀຖʹݸผʹ࡞੒
    • ىಈ࣌ͷΠϯελϯεઃఆ͸ Launch Template ʹΑ੍ͬͯݶ (ଞਓ༻ͷઃఆͰͷىಈΛ๷͙)
    • ࢖༻ޙʹ͸ຖճλʔϛωʔτ͞ΕΔ
    Opsαʔό
    

    View Slide

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Launch Templateͱ͸
    • EC2ΠϯελϯεΛىಈ͢ΔͨΊͷઃఆ৘ใͷςϯϓϨʔτ
    • AMI ID, ΠϯελϯελΠϓ, ωοτϫʔΫઃఆ౳Λࢦఆ͢Δ͜ͱ͕Ͱ͖Δ
    • IAMͷConditionΛࢦఆ͢Δ͜ͱͰɺ

    ʮࢦఆͷLaunch TemplateΛ࢖ͬͨ৔߹ͷΈΠϯελϯεͷىಈΛڐՄʯ

    ͱ੍͍ͬͨݶ͕Ͱ͖Δ
    Opsαʔό
    

    View Slide

20. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    • ಛఆͷLaunch Templateࢦఆ࣌ͷΈRunInstanceͰ͖ΔIAM Policy
    {
    "Effect": "Allow",
    "Action": [ "ec2:RunInstances" ],
    "Resource": "*",
    "Condition": {
    "StringEquals": { "ec2:LaunchTemplate": “" },
    "Bool": { "ec2:IsLaunchTemplateResource": "true"}
    }
    }
    Opsαʔό
    

    View Slide

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷӡ༻ͷϝϦοτ
    • ʮ࢖͍ࣺͯʯ
    • ຊ൪؀ڥ΁ͷܦ࿏͕ඞཁͳͱ͖Ҏ֎͸ด͍ͯ͡Δঢ়ଶ
    • Ϛϧ΢ΣΞʹײછͯ͠͠·ͬͯ΋͙͢ʹࣺͯΒΕΔͷͰӨڹ͕খ͍͞
    • ॏཁͳσʔλ͕Ϛγϯ্ʹ஝ੵͯ͠͠·͏͜ͱΛ๷͙
    • ʮઐ༻ʯ
    • ΞΫηεͰ͖ΔϦιʔεΛ࡞ۀऀຖʹ੍ݶ͢Δ͜ͱ͕Ͱ͖Δ
    • ଞͷ࡞ۀऀͷσʔλʹΞΫηεͰ͖Δ/͞Εͯ͠·͏ϦεΫ͕ͳ͍
    Opsαʔό
    

    View Slide

22. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    ೝূ
    

    View Slide

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ೝূͱ͸
    • γεςϜͷར༻ऀ͕ɺҙਤͨ͠௨Γͷຊਓͩͱ͔֬ΊΔ͜ͱ
    • ࠓճ͸ओʹOpsαʔό΁ͷSSHΞΫηε࣌ͷೝূʹ͍ͭͯ
    ೝূ
    

    View Slide

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ඇθϩτϥετͳख๏ͷྫ
    • ެ։伴ೝূ
    • ΫϥΠΞϯτ͕ੜ੒ͨ͠ΩʔϖΞͷ͏ͪɺެ։伴Λαʔόʹొ࿥͓ͯ͘͠
    • ΫϥΠΞϯτ͸ൿີ伴Λ࢖ͬͯαʔόʹ઀ଓ͢Δ
    ೝূ
    

    View Slide

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷख๏ͷ໰୊఺
    • ΫϥΠΞϯτ͕อ࣋͢Δൿີ伴ͷ؅ཧ͕೉͍͠
    • αʔό͕૿͑Δͱൿີ伴΋૿͑Δ
    • ిࢠతͳ౪೉ (·ͨɺ౪·Εͯ΋ؾ෇͖ʹ͍͘)
    • ҙਤ͠ͳ͍ڞ༗΍࢖͍ճ͠
    • ୀ৬ऀʹΑΔ࣋ͪग़͠
    • αʔόʹઃఆ͢Δެ։伴 (authorized_keys) ͷ؅ཧ͕໘౗
    • ΫϥΠΞϯτ͕૿͑Δͱެ։伴΋૿͑Δ
    • ϝϯόʔୀ৬࣌ʹେྔͷαʔόͷઃఆΛߋ৽͢Δඞཁ
    ೝূ
    

    View Slide

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • θϩτϥετͳख๏
    • SSHΫϥΠΞϯτূ໌ॻೝূ
    • X.509ͷPKIʹΑΔূ໌ॻΛSSHͷೝূʹར༻͢Δ (RFC6187)
    • ূ໌ॻൃߦ༻ͷCA(ೝূہ)Λ༻ҙ͢Δ (Ұൠతʹ͸ϓϥΠϕʔτͳCAΛ༻ҙ͢Δ)
    • αʔόʹ͸CAͷূ໌ॻ(ެ։伴) Λొ࿥͓ͯ͘͠
    • CA͔ΒΫϥΠΞϯτূ໌ॻΛൃߦ͢Δ (ͦͷࡍʹద੾ͳೝূΛڬΉ)
    • ΫϥΠΞϯτূ໌ॻʹ͸ɺ༗ޮظݶΛࢦఆ͢Δ͜ͱ͕Ͱ͖Δ
    • ΫϥΠΞϯτ͸ɺΫϥΠΞϯτূ໌ॻΛར༻ͯ͠αʔόʹ઀ଓ͢Δ
    ೝূ
    

    View Slide

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • θϩτϥετͳख๏ͷߏ੒ਤ
    ೝূ
    

    View Slide

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • STREAMͰͷӡ༻
    • Pritunl Zero (https://zero.pritunl.com/) Λ࢖͏
    • Pritunl Zero͕ɺCAͱΫϥΠΞϯτূ໌ॻൃߦ࣌ͷೝূͱϢʔβ؅ཧΛ୲͏
    • ΫϥΠΞϯτূ໌ॻͷൃߦ͸ɺύεϫʔυ + U2F ʹΑͬͯೝূ
    • U2F༻ͷσόΠε͸YubiKeyΛ࢖༻
    • ΫϥΠΞϯτূ໌ॻ͸ɺ1࣌ؒͰࣦޮ͢Δઃఆ
    ೝূ
    

    View Slide

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Pritunl Zeroͱ͸
    • θϩτϥετͳγεςϜΛߏங͢ΔͨΊͷOSS
    • ओʹҎԼͷ2ͭͷػೳ͕ར༻Ͱ͖Δ
    • WebαʔϏε༻ͷProxy
    • SSH ূ໌ॻ༻ͷCA (ࠓճ͸ͪ͜ΒͷػೳΛར༻)
    • Proxy΁ͷΞΫηε΍ূ໌ॻͷൃߦʹɺೝূΛڬΉ͜ͱ͕Ͱ͖Δ
    • ೝূ༻ͷΞΧ΢ϯτ͸ɺϩʔΧϧϢʔβ΋͘͠͸֤छΫϥ΢υαʔϏεͷSSO͕ར༻Մೳ
    • U2F΍Smart CardʹΑΔ2ཁૉೝূʹ΋ରԠ
    ೝূ
    

    View Slide

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • U2F (Universal 2nd Factor) ͱ͸
    • 2ཁૉೝূΛڧݻʹ͠ɺ͔ͭ؆୯ʹ͢ΔͨΊͷඪ४࢓༷
    • 2ཁૉ໨ͷೝূʹɺUSBσόΠε΍NFCσόΠεͱ͍ͬͨ෺ཧσόΠεΛ༻͍Δ͜ͱ͕Ͱ͖Δ
    • U2FͷUSBσόΠεͱͯ͠͸YubiKey͕༗໊
    • YubiKeyͷ৔߹͸ɺೝূ࣌ʹσόΠεΛ෺ཧతʹλον͢Δ͜ͱͰೝূ͕ߦ͑Δ
    • ࠓͩͱޙܧͷ FIDO 2.0 ͱ͍͏࢓༷΋ग़͖͍ͯͯΔ
    ೝূ
    

    View Slide

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • STREAMͰͷӡ༻ͷߏ੒ਤ
    ೝূ
    

    View Slide

32. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    σϞಈը (ެ։ͷͨΊʹը૾ʹࠩ͠ସ͑)
    

    View Slide

33. View Slide

34. View Slide

35. View Slide

36. View Slide

37. View Slide

38. View Slide

39. View Slide

40. View Slide

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷӡ༻ͷϝϦοτ
    • ΫϥΠΞϯτূ໌ॻ͸ɺిࢠతʹ౪೉͞Εͯ΋ɺҙਤ͠ͳ͍ڞ༗΍࢖͍ճ͠Λ͞Εͯ΋ɺ

    ୀ৬ऀʹ࣋ͪग़͞Εͯ΋ɺҰఆظؒͰࣦޮ͢ΔͷͰӨڹ͕গͳ͍
    • αʔόʹ͸ɺCAͷެ։伴Λ഑ஔ͢Δ͚ͩͰΑ͍
    • ύεϫʔυ͸ɺύεϫʔυϚωʔδϟΛ࢖͏͜ͱͰൿີ伴ΑΓ΋؅ཧָ͕ʹͳΔ
    • U2FʹΑͬͯɺೝূΛ௨ͨ͢Ίʹ͸෺ཧσόΠε(ͭ·ΓYubiKey)͕ඞཁͰ͋ΓɺΦϯϥΠϯͷ
    ߈ܸ͚ͩ͸ෆਖ਼ΞΫηε͢Δ͜ͱ͕Ͱ͖ͳ͍
    • ΋͠΋෺ཧσόΠε͕෺ཧతʹ౪·Εͨ৔߹͸ɺൺֱత͙͢ʹؾͮ͘͜ͱ͕Ͱ͖Δ
    ೝূ
    

    View Slide

42. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    ঝೝ
    

    View Slide

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ঝೝͱ͸
    • ઃఆมߋ࡞ۀͷ಺༰͕ਖ਼౰Ͱ͋Δ͜ͱΛ͔֬Ίͯɺ࣮ࢪΛೝΊͯڐՄ͢Δ͜ͱ
    • ͳͥඞཁ͔
    • ͋Δ࡞ۀʹରͯ͠ผͷਓ͕ϨϏϡʔΛ͢Δ͜ͱͰෆద੾ͳมߋ͕ߦΘͳ͍Α͏ʹ͢ΔͨΊ
    • Ұਓͷ࡞ۀऀ͕ѱҙΛ࣋ͬͨ৔߹ʹɺ୯ಠͰຊ൪؀ڥ΁ͷӨڹΛ༩͑ΒΕͳ͍Α͏ʹ͢ΔͨΊ
    • Ծʹ୭͔Ұਓͷ࡞ۀऀͷೝূ৘ใ͕౪·Εͨ৔߹ʹɺຊ൪؀ڥ΁ͷӨڹΛ๷͙ͨΊ
    ঝೝ
    

    View Slide

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ඇΫϥ΢υωΠςΟϒͳख๏ͷྫ
    • ࡞ۀऀ͕ɺࣄલʹ࡞ۀͷ಺༰ΛจষͰهड़͠ɺਃ੥Λߦ͏
    • ঝೝऀ͕ɺਃ੥͞Εͨ࡞ۀ಺༰ʹج͖ͮɺ࡞ۀ༻ͷ؀ڥ४උ(ΞΧ΢ϯτͷൃߦ౳)ΛखಈͰߦ
    ͏
    • ͜ͷख๏ͷ໰୊఺
    • ঝೝऀ͕ɺखಈͰ࡞ۀ༻ͷ؀ڥΛ༻ҙ͍ͯ͠ΔͨΊɺঝೝ·Ͱʹ༨ܭͳ͕͔͔࣌ؒΔ
    • ਃ੥͞Εͨ࡞ۀҎ֎ͷૢ࡞͕ߦΘΕͳ͍͜ͱΛอূ͢Δͷ͕೉͍͠
    • ਃ੥௨Γͷ࡞ۀ͕ͳ͞Εͨ͜ͱΛอূ͢Δ͜ͱ͕೉͍͠
    • ۓٸ࣌ʹ͸ɺීஈͲ͓ΓͷঝೝϑϩʔΛεΩοϓͯ͠࡞ۀͯ͠͠·͍͕ͪʹͳΔ
    ঝೝ
    

    View Slide

45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Ϋϥ΢υωΠςΟϒͳख๏
    • ࣗಈԽ͞ΕͨঝೝϑϩʔΛ࣮ݱ͢Δ
    • ࡞ۀʹඞཁͳ࠷খݶͷݖݶ΍௨৴ڐՄΛɺΦϯσϚϯυʹ෇༩͢Δ
    ঝೝ
    

    View Slide

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • STREAMͰͷӡ༻
    • ChatOpsʹΑͬͯঝೝϑϩʔΛ࣮ݱ͢Δ
    • ਃ੥ऀ͸ɺSlackΛ࢖ͬͯ࡞ۀ಺༰ͷਃ੥Λߦ͏
    • ਃ੥ͷ಺༰ʹɺඞཁͳIAMͷݖݶ΍ɺ௨৴ઌͷ৘ใΛهड़͢Δ
    • ঝೝऀ͸ɺSlack্Ͱ಺༰Λ֬ೝ͠ɺਃ੥಺༰͕ద੾Ͱ͋Ε͹ঝೝ͢Δ
    • ঝೝͷ಺༰Λ΋ͱʹɺݖݶͷ෇༩ͱ௨৴ͷڐՄΛΞϓϦέʔγϣϯ͕ࣗಈͰߦ͏
    • ࡞ۀͷऴྃ࣌ʹɺ෇༩͞Εͨݖݶͱ௨৴ͷڐՄͷࣗಈ࡟আΛߦ͏
    ঝೝ
    

    View Slide

47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    ঝೝ
    • STREAMͰͷӡ༻ͷߏ੒ਤ
    

    View Slide

48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷӡ༻ͷϝϦοτ
    • ࣗಈԽʹΑΓɺঝೝͷӡ༻ͷ࣌ؒͱख͕ؒ࡟ݮ͞ΕΔ
    • ӡ༻ͷख͕ؒখ͍͞ͷͰɺۓٸ࣌ʹྫ֎ӡ༻Λ͢Δ͜ͱͳ͘ରԠ͕ՄೳͱͳΔ
    • ࡞ۀʹඞཁͳ࠷খݶͷݖݶͱ௨৴ڐՄʹ੍ݶ͢Δ͜ͱͰɺ

    ਃ੥͞Εͨ࡞ۀҎ֎ͷૢ࡞͕ߦΘΕΔϦεΫΛ࠷খԽͰ͖Δ
    • ఆظతʹࣗಈ࡟আΛ͢Δ͜ͱͰෆඞཁͳݖݶ΍௨৴ڐՄ͕࢒ͬͯ͠·͏͜ͱΛ๷͙
    • ঝೝ͕νϟοτͷՄࢹԽ͞Εͨ؀ڥͰߦΘΕΔͨΊɺۓٸ࣌ʹ΋ॊೈͳରԠ͕ূ੻Λ࢒্ͨ͠
    ͰՄೳͱͳΔ
    ঝೝ
    

    View Slide

49. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ηΩϡϦςΟϞχλϦϯάͱ͸
    • ෆਖ਼ΞΫηεΛൃݟ͢ΔͨΊɺෆ৹ͳΞΫςΟϏςΟΛ؂ࢹ͢Δ͜ͱ
    • ͢΂ͯͷϦεΫΛࣄલʹ೺Ѳ͠༧๷͢Δ͜ͱ͸Ͱ͖ͳ͍ͱ͍͏ߟ͑ʹجͮ͘
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ඇΫϥ΢υωΠςΟϒͳख๏ͷྫ
    • αʔό΍ωοτϫʔΫػثͷϩάΛɺಉҰσʔληϯλ಺ͷू໿αʔόʹసૹ
    • ू໿αʔό্ʹ؂ࢹϓϩάϥϜΛσϓϩΠ
    • ҰఆִؒͰ؂ࢹϓϩάϥϜΛ࣮ߦͯ͠ෆ৹ͳΞΫςΟϏςΟ͕ͳ͍͔ΛνΣοΫ
    • ΞυϗοΫͳௐࠪ΍෼ੳ͸ɺू໿αʔό্ͷϩάʹରͯ͠awk΍grep౳ͷίϚϯυΛ࣮ߦ
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ඇΫϥ΢υωΠςΟϒͳख๏ͷΠϝʔδ
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷख๏ͷ໰୊఺
    • ؂ࢹ͕ਖ਼͘͠Քಇ͍ͯ͠Δ͜ͱΛอূ͢ΔͨΊͷଟ͘ͷखؒ
    • ग़ྗͷఀࢭͷݕ஌
    • ϩάͷվ͟Μͷݕ஌
    • ؂ࢹϓϩάϥϜͷվ͟Μͷݕ஌
    • ෆ৹ͳΞΫςΟϏςΟͷݕ஌·Ͱͷ͕࣌ؒ௕Ҿ͖͗ͯ͢͠·͏
    • grep΍awkͰϩάͷߴ౓ͳௐࠪ΍෼ੳΛ͢Δͷ͸େม
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • Ϋϥ΢υωΠςΟϒͳख๏
    • ϩάΛΫϥ΢υετϨʔδʹอଘ
    • ؂ࢹϓϩάϥϜΛ “Function as a Service” ͳ؀ڥʹσϓϩΠ
    • ΠϕϯτυϦϒϯͰͷ؂ࢹ
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • STREAMͰͷӡ༻
    • ϩάอଘઐ༻ͷAWSΞΧ΢ϯτΛ༻ҙ
    • ͜ͷAWSΞΧ΢ϯτͷIAMͷݖݶ͸ɺଞͷAWSΞΧ΢ϯτΑΓ΋ݫ͘͠؅ཧ
    • ֤छϩάΛɺΫϩεΞΧ΢ϯτΞΫηεͰอଘ
    • S3্ͷϩά͸ɺ S3 Object LockʹΑΓ࡟আ΍্ॻ͖ΛෆՄೳʹ
    • ϩά؂ࢹ༻ͷϓϩάϥϜΛLambda Functionͱͯ͠σϓϩΠ
    • CodeSha256Λ࢖ͬͯվ͟ΜΛ֬ೝ
    • CloudTrail ΍ AWS Config ͷ௨஌ΛSNSͰड৴ͯ͠ɺ؂ࢹ༻ͷϓϩάϥϜΛ࣮ߦ
    • S3 Bucketͷϩάʹରͯ͠ΫΤϦΛ͔͚ΔͨΊͷAthenaͷςʔϒϧΛ༻ҙ
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

56. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    • S3 Object Lock ͱ͸
    • ࢦఆͨ͠อ࣋ظؒதɺS3ͷΦϒδΣΫτ͕࡟আ͞Εͳ͍Α͏ʹ͢Δػೳ
    • ͍ΘΏΔ WORM (Write Once Read Many) ͳετϨʔδͱͯ͠S3Λར༻Ͱ͖Δ
    • ٻΊΒΕΔσʔλͷอޢͷϨϕϧʹԠͯ͡2ͭͷϞʔυ͕ར༻Մೳ
    • ΨόφϯεϞʔυ
    • ϧʔτΞΧ΢ϯτ౳ɺݖݶ͕͋Ε͹Object LockࣗମΛղআ͢Δ͜ͱ͕Մೳ
    • ΑͬͯΦϒδΣΫτΛ࡟আ͢Δ͜ͱ͕Մೳ
    • ίϯϓϥΠΞϯεϞʔυ:
    • ͍͔ͳΔϢʔβ΋Object Lockͷղআ͸ෆՄೳ
    • ΑͬͯઈରʹΦϒδΣΫτ͸࡟আ͢Δ͜ͱ͕Ͱ͖ͳ͍
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

57. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    • CodeSha256 ͱ͸
    • Lambda Functionʹొ࿥͞ΕͨίʔυͷSHA256ͷϋογϡ஋
    • खݩͷਖ਼͍͠ίʔυͱൺֱ͢Δ͜ͱͰɺվ͟ΜΛݕ஌Ͱ͖Δ
    $ aws lambda list-functions \
    —query "Functions[*].[FunctionName,CodeSha256,LastModified]" \
    —output table
    -------------------------------------------------------------------------------------------------------
    | ListFunctions |
    +-----------------------+----------------------------------------------+------------------------------+
    | root-activity-monitor | mVlZR3E2rvLT0ALp8WyUo8bmbV/6qx1t2Dow9hmkLII= | 2019-05-04T15:51:38.210+0000 |
    | aws-config-monitor | CSi58x6MPRtSJPwtG/m70rsY6ybrXXadGqCcj51/+PU= | 2019-05-10T06:58:02.772+0000 |
    +-----------------------+----------------------------------------------+------------------------------+
    $ shasum -a 256 root-activity-monitor.zip | awk '{print $1}' | xxd -r -p | base64
    mVlZR3E2rvLT0ALp8WyUo8bmbV/6qx1t2Dow9hmkLII=
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • STREAMͰͷӡ༻ͷߏ੒ਤ
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • ͜ͷӡ༻ͷϝϦοτ
    • ϩάͷվ͟Μ΍࡟আΛ๷͙͜ͱ͕؆୯
    • IAMͷݖݶͷ؅ཧ΍S3 Object LockʹΑΔԸܙ
    • ؂ࢹϓϩάϥϜͷվ͟ΜΛݕ஌͢Δ͜ͱ͕؆୯
    • CodeSha256ʹΑΔԸܙ
    • ϋʔυ΢ΣΞ΍OS΍ϥϯλΠϜͷϨΠϠʔͷվ͟Μ͸ࣗ෼͕ͨͪέΞ͠ͳͯ͘Α͍
    • ෆਖ਼ΞΫηεΛૣظʹൃݟͰ͖Δ͜ͱ͕ظ଴͞ΕΔ
    • AthenaʹΑͬͯɺෳࡶͳௐࠪ΍෼ੳ΋؆୯ʹ࣮ࢪͰ͖Δ
    ηΩϡϦςΟϞχλϦϯά
    

    View Slide

60. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    ࠓޙͷల๬
    

    View Slide

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    • OpsαʔόͷϢʔβϏϦςΟ޲্
    • ݱࡏ͸ɺOpsαʔόͷىಈ͔Βຊ൪؀ڥ΁ͷΞΫηε·Ͱͷ࡞ۀऀͷεςοϓ਺͕গ͠ଟ͍
    • ΋͏গ͠γʔϜϨεʹ࢖͑ΔΑ͏ͳ࢓૊ΈΛ༻ҙ͍ͨ͠
    • ۓٸ࣌ͷରԠͷεϐʔυΞοϓ
    • ࡞ۀऀͷମݧΛ޲্
    • Pritunl ZeroͷWebαʔϏε༻Proxyͷར༻
    • STREAMʹ͸ɺγεςϜͷߏ੒্ෳ਺ͷ͞·͟·ͳ؅ཧը໘͕ଘࡏ͢Δ
    • ͦΕΒͷ؅ཧը໘ͷΞΫηείϯτϩʔϧͷϕʔεϥΠϯ͕Ҿ্͖͛ΒΕΔ
    ࠓޙͷల๬
    

    View Slide

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    S U M M I T
    Thank you!
    S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Atsushi Ishibashi
    Twitter: @bashi0501
    Satoshi Tajima
    Twitter: @s_tajima
    

    View Slide