rights reserved. S U M M I T AWSʹ͓͚ΔΫϥυωΠςΟϒͰ ηΩϡΞͳূ݊γεςϜͷӡ༻ Satoshi Tajima Twitter: @s_tajima Lead Developer Finatext Holdings Ltd. L 2 - 0 3 Atsushi Ishibashi Twitter: @bashi0501 Lead Developer Finatext Holdings Ltd.
rights reserved. S U M M I T • ͯ͢ͷγεςϜ͕ ΞϚκϯ Σϒ αʔϏε(AWS) ্ͰՔಇ • ढ़හੑͷ͋ΔαʔόϦιʔεௐୡ͕Մೳ • ΫϦοΫ or ίϚϯυͰ৽͍͠αʔόϦιʔε͕ར༻Մೳʹ • ࣄۀͷঢ়گ͕ʑେ͖͘มԽ͢Δϕϯνϟʔاۀʹͱͬͯ͜ͷढ़හੑෆՄܽ • αʔόϦιʔεͷಈతͳ૿ݮ͕Մೳ • ূ݊γεςϜβϥதͱβϥ֎ͰγεςϜͷෛՙ͕େ͖͘มಈ͢Δ • βϥ֎ͰෆཁͳαʔόϦιʔεΛఀࢭ͢Δ͜ͱͰίετݮ͕Մೳ • ӡ༻ෛ୲ܰݮͱੜ࢈ੑͷ্͕Մೳ • ڞ༗Ϟσϧɺଟ͘ͷϚωʔδυαʔϏεʹΑΓɺγεςϜͷӡ༻ෛՙ͕ܰݮ • ϏδωεͷίΞͳ෦ͷ։ൃʹྗͰ͖Δ STREAMͷγεςϜ
rights reserved. S U M M I T • FISCʹΑΔʮ҆શରࡦج४ɾղઆॻʯʹैͬͨγεςϜ • ਖ਼ࣜʹʮۚ༥ػؔίϯϐϡʔλγεςϜͷ҆શରࡦج४ɾղઆॻʯ • ۚ༥ػؔͷใγεςϜͷ҆શରࡦʹؔ͢ΔσϑΝΫτελϯμʔυ • ࠷৽ͷୈ9൛ʹ͓͍ͯɺϦεΫϕʔεΞϓϩʔνΛऔΓೖΕΔ͜ͱΛਪ͍ͯ͠Δ • શͯͷϦεΫΛθϩʹ͢Δͷඞͣ͠߹ཧతͰͳ͘ɺ ঢ়گʹ߹ΘͤͯదͳରԠΛߟ͑·͠ΐ͏ͱ͍͏ͷ • ͋Β͔͡ΊఆΊΒΕͨըҰతͳΓํʹै͍ͬͯΔ͚ͩͰ͍͍Θ͚Ͱͳ͘ɺ ࣗΒͷڥʹͱͬͯదͳITΨόφϯεΛݕ౼͢Δඞཁ͕͋Δ STREAMͷγεςϜ
rights reserved. S U M M I T • AWS্ͰͷదͳITΨόφϯε • AWS FinTech ϦϑΝϨϯεɾΞʔΩςΫνϟʔ (https://aws.amazon.com/jp/blogs/news/aws-fintech-architecture-jp/) Λࢀߟʹ • ΫϥυωΠςΟϒθϩτϥετͷߟ͑ํΛऔΓೖΕΔ͜ͱͰ ࣗΒͷڥʹͱͬͯద Ͱ ϦεΫϕʔεΞϓϩʔν ͳγεςϜΛߏங STREAMͷγεςϜ
rights reserved. S U M M I T • ΫϥυωΠςΟϒ • ΦϯϓϨϛεڥΛલఏͱͨ͠ैདྷͷγεςϜߏஙͷํ๏ʹറΒΕͣɺΫϥυͷಛੑΛे ʹ׆͔ͨ͠γεςϜΛߏங͢Δ͜ͱ • ୯ʹΫϥυΛ͍ͬͯΔ͚ͩͷঢ়گΛࢦ͢Θ͚Ͱͳ͍ • θϩτϥετ • ڴҖ͍͔ͳΔॴʹଘࡏ͠ɺͯ͢ͷڥ߈ܸɾ৵͞Ε͏Δͱ͍͏લఏʹཱͭ • ରࡦʹ͑ΔϦιʔε༗ݶͰ͋Δ͜ͱΛೝΊɺ͋ΒΏΔڴҖʹશͳରࡦΛߦ͏ͷͰͳ ͘ɺඅ༻ରޮՌΛҙࣝͨ͠ࢪࡦΛ࣮ࢪ͖͢ STREAMͷγεςϜ
rights reserved. S U M M I T • ΫϥυωΠςΟϒ × θϩτϥετ • ʮϦιʔεΛ͍ࣺͯʹͯ͠ఆظతʹ࠶ߏங͠ɺڥΛΫϦʔϯʹอͭʯ • ʮݖݶΛಈతʹ༩͠ɺΫϨσϯγϟϧظؒͰࣦޮͤ͞Δʯ • ʮϚωʔδυαʔϏεΛੵۃతʹ͍ɺඅ༻ରޮՌͷߴ͍ηΩϡϦςΟࢪࡦΛ࣮ࢪ͢Δʯ STREAMͷγεςϜ
rights reserved. S U M M I T • Opsαʔό (Operationsαʔό) ͱ • ຊ൪ڥʹର͢ΔΦϖϨʔγϣϯΛ͢ΔͨΊͷαʔό • Ұൠతʹɺ౿ΈαʔόɾήʔτΣΠαʔόͱݺΕΔ͜ͱ͕ଟ͍ • ͳͥඞཁ͔ • ϓϥΠϕʔτͳωοτϫʔΫͷϦιʔεͷΞΫηεͷதܧ • ཧతͳฆࣦ౪ͷϦεΫͷߴ͍ʹॏཁͳσʔλΛ͞ͳ͍ͨΊ • ॏཁͳσʔλͷऔΓѻ͍Λޮతʹࠪ͢ΔͨΊ • ୭Ͱ؆୯ʹར༻Ͱ͖ΔωοτϫʔΫճઢ͔ΒॏཁͳσʔλʹΞΫηεͤ͞ͳ͍ͨΊ • ෳͷ࡞ۀऀͷڥΛ౷Ұ͢ΔͨΊ Opsαʔό
rights reserved. S U M M I T • ͜ͷख๏ͷ • ʮৗઃʯ • ຊ൪ڥͷܦ࿏͕ৗʹ͍͍͋ͯΔঢ়ଶ • ҰϚϧΣΞʹײછͯ͠͠·͏ͱɺظؒͦͷ··ʹͳͬͯ͠·͏ • Ϛγϯ্ʹॏཁͳσʔλ͕ੵͯ͠͠·͏ • ʮڞ༗ʯ • ΞΫηεͰ͖ΔϦιʔεΛ࡞ۀऀຖʹ੍ݶ͢Δͷ͕͍͠ • ଞͷ࡞ۀऀͷσʔλʹΞΫηεͰ͖ͯ͠·͏/͞Εͯ͠·͏ (ݖݶઃఆͷෆඋ/ݖݶঢ֨) Opsαʔό
rights reserved. S U M M I T • STREAMʹ͓͚Δӡ༻ • Opsαʔόઐ༻ͷAWSΞΧϯτΛ༻ҙ • ຊ൪ڥͷVPCͱVPC PeeringͰ࿈ܞ • ࡞ۀऀݸਓຖʹ1ͷEC2ΠϯελϯεΛOpsαʔόͱׂͯ͠Γͯ • Opsαʔόඞཁͳͱ͖ʹࣗࣗͰىಈ͢Δ • Security GroupͱIAMͷInstance Profileɺ࡞ۀऀຖʹݸผʹ࡞ • ىಈ࣌ͷΠϯελϯεઃఆ Launch Template ʹΑ੍ͬͯݶ (ଞਓ༻ͷઃఆͰͷىಈΛ͙) • ༻ޙʹຖճλʔϛωʔτ͞ΕΔ Opsαʔό
rights reserved. S U M M I T • Launch Templateͱ • EC2ΠϯελϯεΛىಈ͢ΔͨΊͷઃఆใͷςϯϓϨʔτ • AMI ID, ΠϯελϯελΠϓ, ωοτϫʔΫઃఆΛࢦఆ͢Δ͜ͱ͕Ͱ͖Δ • IAMͷConditionΛࢦఆ͢Δ͜ͱͰɺ ʮࢦఆͷLaunch TemplateΛͬͨ߹ͷΈΠϯελϯεͷىಈΛڐՄʯ ͱ੍͍ͬͨݶ͕Ͱ͖Δ Opsαʔό
rights reserved. S U M M I T • ͜ͷӡ༻ͷϝϦοτ • ʮ͍ࣺͯʯ • ຊ൪ڥͷܦ࿏͕ඞཁͳͱ͖Ҏ֎ด͍ͯ͡Δঢ়ଶ • ϚϧΣΞʹײછͯ͠͠·͙ͬͯ͢ʹࣺͯΒΕΔͷͰӨڹ͕খ͍͞ • ॏཁͳσʔλ͕Ϛγϯ্ʹੵͯ͠͠·͏͜ͱΛ͙ • ʮઐ༻ʯ • ΞΫηεͰ͖ΔϦιʔεΛ࡞ۀऀຖʹ੍ݶ͢Δ͜ͱ͕Ͱ͖Δ • ଞͷ࡞ۀऀͷσʔλʹΞΫηεͰ͖Δ/͞Εͯ͠·͏ϦεΫ͕ͳ͍ Opsαʔό
rights reserved. S U M M I T • ͜ͷख๏ͷ • ΫϥΠΞϯτ͕อ࣋͢Δൿີ伴ͷཧ͕͍͠ • αʔό͕૿͑Δͱൿີ伴૿͑Δ • ిࢠతͳ౪ (·ͨɺ౪·Εͯؾ͖ʹ͍͘) • ҙਤ͠ͳ͍ڞ༗͍ճ͠ • ୀ৬ऀʹΑΔ࣋ͪग़͠ • αʔόʹઃఆ͢Δެ։伴 (authorized_keys) ͷཧ͕໘ • ΫϥΠΞϯτ͕૿͑Δͱެ։伴૿͑Δ • ϝϯόʔୀ৬࣌ʹେྔͷαʔόͷઃఆΛߋ৽͢Δඞཁ ೝূ
rights reserved. S U M M I T • θϩτϥετͳख๏ • SSHΫϥΠΞϯτূ໌ॻೝূ • X.509ͷPKIʹΑΔূ໌ॻΛSSHͷೝূʹར༻͢Δ (RFC6187) • ূ໌ॻൃߦ༻ͷCA(ೝূہ)Λ༻ҙ͢Δ (ҰൠతʹϓϥΠϕʔτͳCAΛ༻ҙ͢Δ) • αʔόʹCAͷূ໌ॻ(ެ։伴) Λొ͓ͯ͘͠ • CA͔ΒΫϥΠΞϯτূ໌ॻΛൃߦ͢Δ (ͦͷࡍʹదͳೝূΛڬΉ) • ΫϥΠΞϯτূ໌ॻʹɺ༗ޮظݶΛࢦఆ͢Δ͜ͱ͕Ͱ͖Δ • ΫϥΠΞϯτɺΫϥΠΞϯτূ໌ॻΛར༻ͯ͠αʔόʹଓ͢Δ ೝূ
rights reserved. S U M M I T • STREAMͰͷӡ༻ • Pritunl Zero (https://zero.pritunl.com/) Λ͏ • Pritunl Zero͕ɺCAͱΫϥΠΞϯτূ໌ॻൃߦ࣌ͷೝূͱϢʔβཧΛ୲͏ • ΫϥΠΞϯτূ໌ॻͷൃߦɺύεϫʔυ + U2F ʹΑͬͯೝূ • U2F༻ͷσόΠεYubiKeyΛ༻ • ΫϥΠΞϯτূ໌ॻɺ1࣌ؒͰࣦޮ͢Δઃఆ ೝূ
rights reserved. S U M M I T • Pritunl Zeroͱ • θϩτϥετͳγεςϜΛߏங͢ΔͨΊͷOSS • ओʹҎԼͷ2ͭͷػೳ͕ར༻Ͱ͖Δ • WebαʔϏε༻ͷProxy • SSH ূ໌ॻ༻ͷCA (ࠓճͪ͜ΒͷػೳΛར༻) • ProxyͷΞΫηεূ໌ॻͷൃߦʹɺೝূΛڬΉ͜ͱ͕Ͱ͖Δ • ೝূ༻ͷΞΧϯτɺϩʔΧϧϢʔβ֤͘͠छΫϥυαʔϏεͷSSO͕ར༻Մೳ • U2FSmart CardʹΑΔ2ཁૉೝূʹରԠ ೝূ
rights reserved. S U M M I T • U2F (Universal 2nd Factor) ͱ • 2ཁૉೝূΛڧݻʹ͠ɺ͔ͭ؆୯ʹ͢ΔͨΊͷඪ४༷ • 2ཁૉͷೝূʹɺUSBσόΠεNFCσόΠεͱ͍ͬͨཧσόΠεΛ༻͍Δ͜ͱ͕Ͱ͖Δ • U2FͷUSBσόΠεͱͯ͠YubiKey͕༗໊ • YubiKeyͷ߹ɺೝূ࣌ʹσόΠεΛཧతʹλον͢Δ͜ͱͰೝূ͕ߦ͑Δ • ࠓͩͱޙܧͷ FIDO 2.0 ͱ͍͏༷ग़͖͍ͯͯΔ ೝূ
rights reserved. S U M M I T • ͜ͷӡ༻ͷϝϦοτ • ΫϥΠΞϯτূ໌ॻɺిࢠతʹ౪͞Εͯɺҙਤ͠ͳ͍ڞ༗͍ճ͠Λ͞Εͯɺ ୀ৬ऀʹ࣋ͪग़͞ΕͯɺҰఆظؒͰࣦޮ͢ΔͷͰӨڹ͕গͳ͍ • αʔόʹɺCAͷެ։伴Λஔ͢Δ͚ͩͰΑ͍ • ύεϫʔυɺύεϫʔυϚωʔδϟΛ͏͜ͱͰൿີ伴ΑΓཧָ͕ʹͳΔ • U2FʹΑͬͯɺೝূΛ௨ͨ͢ΊʹཧσόΠε(ͭ·ΓYubiKey)͕ඞཁͰ͋ΓɺΦϯϥΠϯͷ ߈ܸ͚ͩෆਖ਼ΞΫηε͢Δ͜ͱ͕Ͱ͖ͳ͍ • ͠ཧσόΠε͕ཧతʹ౪·Εͨ߹ɺൺֱత͙͢ʹؾͮ͘͜ͱ͕Ͱ͖Δ ೝূ
rights reserved. S U M M I T • ঝೝͱ • ઃఆมߋ࡞ۀͷ༰͕ਖ਼Ͱ͋Δ͜ͱΛ͔֬Ίͯɺ࣮ࢪΛೝΊͯڐՄ͢Δ͜ͱ • ͳͥඞཁ͔ • ͋Δ࡞ۀʹରͯ͠ผͷਓ͕ϨϏϡʔΛ͢Δ͜ͱͰෆదͳมߋ͕ߦΘͳ͍Α͏ʹ͢ΔͨΊ • Ұਓͷ࡞ۀऀ͕ѱҙΛ࣋ͬͨ߹ʹɺ୯ಠͰຊ൪ڥͷӨڹΛ༩͑ΒΕͳ͍Α͏ʹ͢ΔͨΊ • Ծʹ୭͔Ұਓͷ࡞ۀऀͷೝূใ͕౪·Εͨ߹ʹɺຊ൪ڥͷӨڹΛ͙ͨΊ ঝೝ
rights reserved. S U M M I T • ඇΫϥυωΠςΟϒͳख๏ͷྫ • ࡞ۀऀ͕ɺࣄલʹ࡞ۀͷ༰ΛจষͰهड़͠ɺਃΛߦ͏ • ঝೝऀ͕ɺਃ͞Εͨ࡞ۀ༰ʹج͖ͮɺ࡞ۀ༻ͷڥ४උ(ΞΧϯτͷൃߦ)ΛखಈͰߦ ͏ • ͜ͷख๏ͷ • ঝೝऀ͕ɺखಈͰ࡞ۀ༻ͷڥΛ༻ҙ͍ͯ͠ΔͨΊɺঝೝ·Ͱʹ༨ܭͳ͕͔͔࣌ؒΔ • ਃ͞Εͨ࡞ۀҎ֎ͷૢ࡞͕ߦΘΕͳ͍͜ͱΛอূ͢Δͷ͕͍͠ • ਃ௨Γͷ࡞ۀ͕ͳ͞Εͨ͜ͱΛอূ͢Δ͜ͱ͕͍͠ • ۓٸ࣌ʹɺීஈͲ͓ΓͷঝೝϑϩʔΛεΩοϓͯ͠࡞ۀͯ͠͠·͍͕ͪʹͳΔ ঝೝ
rights reserved. S U M M I T • STREAMͰͷӡ༻ • ChatOpsʹΑͬͯঝೝϑϩʔΛ࣮ݱ͢Δ • ਃऀɺSlackΛͬͯ࡞ۀ༰ͷਃΛߦ͏ • ਃͷ༰ʹɺඞཁͳIAMͷݖݶɺ௨৴ઌͷใΛهड़͢Δ • ঝೝऀɺSlack্Ͱ༰Λ֬ೝ͠ɺਃ༰͕దͰ͋Εঝೝ͢Δ • ঝೝͷ༰Λͱʹɺݖݶͷ༩ͱ௨৴ͷڐՄΛΞϓϦέʔγϣϯ͕ࣗಈͰߦ͏ • ࡞ۀͷऴྃ࣌ʹɺ༩͞Εͨݖݶͱ௨৴ͷڐՄͷࣗಈআΛߦ͏ ঝೝ
rights reserved. S U M M I T • ͜ͷӡ༻ͷϝϦοτ • ࣗಈԽʹΑΓɺঝೝͷӡ༻ͷ࣌ؒͱख͕ؒݮ͞ΕΔ • ӡ༻ͷख͕ؒখ͍͞ͷͰɺۓٸ࣌ʹྫ֎ӡ༻Λ͢Δ͜ͱͳ͘ରԠ͕ՄೳͱͳΔ • ࡞ۀʹඞཁͳ࠷খݶͷݖݶͱ௨৴ڐՄʹ੍ݶ͢Δ͜ͱͰɺ ਃ͞Εͨ࡞ۀҎ֎ͷૢ࡞͕ߦΘΕΔϦεΫΛ࠷খԽͰ͖Δ • ఆظతʹࣗಈআΛ͢Δ͜ͱͰෆඞཁͳݖݶ௨৴ڐՄ͕ͬͯ͠·͏͜ͱΛ͙ • ঝೝ͕νϟοτͷՄࢹԽ͞ΕͨڥͰߦΘΕΔͨΊɺۓٸ࣌ʹॊೈͳରԠ͕ূΛ্ͨ͠ ͰՄೳͱͳΔ ঝೝ
rights reserved. S U M M I T • ඇΫϥυωΠςΟϒͳख๏ͷྫ • αʔόωοτϫʔΫػثͷϩάΛɺಉҰσʔληϯλͷूαʔόʹసૹ • ूαʔό্ʹࢹϓϩάϥϜΛσϓϩΠ • ҰఆִؒͰࢹϓϩάϥϜΛ࣮ߦͯ͠ෆ৹ͳΞΫςΟϏςΟ͕ͳ͍͔ΛνΣοΫ • ΞυϗοΫͳௐࠪੳɺूαʔό্ͷϩάʹରͯ͠awkgrepͷίϚϯυΛ࣮ߦ ηΩϡϦςΟϞχλϦϯά
rights reserved. S U M M I T • ͜ͷख๏ͷ • ࢹ͕ਖ਼͘͠Քಇ͍ͯ͠Δ͜ͱΛอূ͢ΔͨΊͷଟ͘ͷखؒ • ग़ྗͷఀࢭͷݕ • ϩάͷվ͟Μͷݕ • ࢹϓϩάϥϜͷվ͟Μͷݕ • ෆ৹ͳΞΫςΟϏςΟͷݕ·Ͱͷ͕࣌ؒҾ͖͗ͯ͢͠·͏ • grepawkͰϩάͷߴͳௐࠪੳΛ͢Δͷେม ηΩϡϦςΟϞχλϦϯά
rights reserved. S U M M I T • ͜ͷӡ༻ͷϝϦοτ • ϩάͷվ͟ΜআΛ͙͜ͱ͕؆୯ • IAMͷݖݶͷཧS3 Object LockʹΑΔԸܙ • ࢹϓϩάϥϜͷվ͟ΜΛݕ͢Δ͜ͱ͕؆୯ • CodeSha256ʹΑΔԸܙ • ϋʔυΣΞOSϥϯλΠϜͷϨΠϠʔͷվ͟Μ͕ࣗͨͪέΞ͠ͳͯ͘Α͍ • ෆਖ਼ΞΫηεΛૣظʹൃݟͰ͖Δ͜ͱ͕ظ͞ΕΔ • AthenaʹΑͬͯɺෳࡶͳௐࠪੳ؆୯ʹ࣮ࢪͰ͖Δ ηΩϡϦςΟϞχλϦϯά
rights reserved. S U M M I T • OpsαʔόͷϢʔβϏϦςΟ্ • ݱࡏɺOpsαʔόͷىಈ͔Βຊ൪ڥͷΞΫηε·Ͱͷ࡞ۀऀͷεςοϓ͕গ͠ଟ͍ • ͏গ͠γʔϜϨεʹ͑ΔΑ͏ͳΈΛ༻ҙ͍ͨ͠ • ۓٸ࣌ͷରԠͷεϐʔυΞοϓ • ࡞ۀऀͷମݧΛ্ • Pritunl ZeroͷWebαʔϏε༻Proxyͷར༻ • STREAMʹɺγεςϜͷߏ্ෳͷ͞·͟·ͳཧը໘͕ଘࡏ͢Δ • ͦΕΒͷཧը໘ͷΞΫηείϯτϩʔϧͷϕʔεϥΠϯ͕Ҿ্͖͛ΒΕΔ ࠓޙͷల
stajima
nihonbuson
ijin
itohiro73
nagauta
kyohmizu
hr01
kakehashi
kenichirokimura
shuzon
mappie_kochi
.png){kind=avatar}
customercloud
trycycle
deanohume
bluesmoon
chriscoyier
pauljervisheath
lauravandoore
morganepeng
smashingmag
garrettdimon
thoeni
carmenintech
cassininazir
productmarketing
