devio2022-sharr

Transcript

1. "84ࣄۀຊ෦ίϯαϧςΟϯά෦ɹਿۚɹ৾ ηΩϡϦςΟӡ༻ͷࣗಈԽʹʂ
   "84
   4FDVSJUZ
   )VCࣗಈम෮ιϦϡʔγϣϯ

2. ໨࣍   "84
   4FDVSJUZ
   )VCͱ͸
    "84
   4FDVSJUZ
   )VCࣗಈम෮ιϦϡʔγϣϯͷ঺հ
    ྑ͍ͱ͜Ζ
    ಋೖํ๏
   

    म෮ΞΫγϣϯͷ࣮ߦ
    τϥϒϧγϡʔςΟϯά
    ΧελϚΠζํ๏

3. ஫ҙࣄ߲  ࠓճઆ໌͢Δ಺༰͸
   "84
   4FDVSJUZ
   )VC
   ࣗಈम෮ιϦϡʔγϣϯͷ
   όʔδϣϯΛର৅

4. "84
   4FDVSJUZ
   )VCͱ͸  ηΩϡϦςΟͷϕετϓϥΫςΟεͷνΣοΫΛߦ͍ɺ 
 ΞϥʔτΛू໿͠ɺࣗಈम෮ΛՄೳʹ͢Δ 
 Ϋϥ΢υηΩϡϦςΟମ੍؅ཧαʔϏε Ҿ༻ɿIUUQTBXTBNB[PODPNKQTFDVSJUZIVC

5. "84
   4FDVSJUZ
   )VCͷը໘ 

6. "84
   4FDVSJUZ
   )VCͷը໘ 

7. ར༻ՄೳͳηΩϡϦςΟج४  ɾ"84
   جૅηΩϡϦςΟͷϕετϓϥΫςΟε
   W
   ɾ$*4
   "84
   'PVOEBUJPOT
   #FODINBSL
   W
   ɾ1$*
   %44
   W

8. ίϯτϩʔϧͱ͸  ಛఆͷϦιʔεʹର͢ΔηΩϡϦςΟνΣοΫ߲໨
   ͨͱ͑͹ʜ
   ɾ<&$>
   ͢΂ͯͷ
   71$
   Ͱ
   71$
   ϑϩʔϩάه࿥Λ
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   ༗ޮʹ͢Δඞཁ͕͋Γ·͢
   ɾ<*".>
   ະ࢖༻ͷ
   *".
   Ϣʔβʔೝূ৘ใ͸
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   ࡟আ͢Δඞཁ͕͋Γ·͢
   ɾ<3%4>
   3%4
   εφοϓγϣοτ͸
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   ϓϥΠϕʔτͰ͋Δඞཁ͕͋Γ·͢
   

9. ίϯτϩʔϧͷ਺  ηΩϡϦςΟج४͝ͱʹෳ਺ͷίϯτϩʔϧ͕ଘࡏ͢Δ

10. ࣗಈम෮Λ࣮૷͢Δʹ͸  "NB[PO
    &WFOU#SJEHFͱ૊Έ߹ΘͤΔ

11. ࣗಈम෮Λ࣮૷͢Δʹ͸  "NB[PO
    &WFOU#SJEHFͱ૊Έ߹ΘͤΔ ઃܭͲ͏͠Α͏
    ؆୯ʹ࣮૷͍ͨ͠

12.  "84
    4FDVSJUZ
    )VC
    ࣗಈम෮ιϦϡʔγϣϯͷ঺հ

13. "84
    4FDVSJUZ
    )VCࣗಈम෮ιϦϡʔγϣϯͱ͸  ͋Β͔͡Ίఆٛ͞Εͨ
    ରԠɾम෮ΞΫγϣϯΛ࣮ߦ͢ΔΞυΦϯ
    ˞ຊηογϣϯͰ͸WΛϕʔεʹઆ໌

14. ͲͷΑ͏ͳϦιʔε͕࡞ΒΕΔ͔  ෳ਺ͷ"84αʔϏεͱ૊Έ߹Θͤ Ҿ༻ɿIUUQTBXTBNB[PODPNTPMVUJPOTJNQMFNFOUBUJPOTBXTTFDVSJUZIVCBVUPNBUFESFTQPOTFBOESFNFEJBUJPO

15. ࣗಈम෮ιϦϡʔγϣϯͷྑ͍ͱ͜Ζ  ɾ"84
    4FDVSJUZ
    )VCͱ౷߹͍ͯ͠Δ
    ɾϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ
    ɾम෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ
    ɾࣗಈम෮͕Ͱ͖Δ

16. "84
    4FDVSJUZ
    )VCͱ౷߹͍ͯ͠Δ  ࣗಈम෮ιϦϡʔγϣϯΛಋೖ͍ͯ͠ͳ͍ঢ়ଶ

17. "84
    4FDVSJUZ
    )VCͱ౷߹͍ͯ͠Δ  ࣗಈम෮ιϦϡʔγϣϯಋೖޙ

18. ϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ  ؅ཧΞΧ΢ϯτ͔ΒϝϯόʔΞΧ΢ϯτʹम෮ࢦྩ

19. म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ  "84
    4ZTUFNT
    .BOBHFSͷυΩϡϝϯτ͔Β֬ೝՄೳ

20. म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ  υΩϡϝϯτͷίϯςϯπʹॲཧ಺༰͕هࡌ

21. ࣗಈम෮͕Ͱ͖Δ  &WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

22.  "84
    4FDVSJUZ
    )VC
    ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏

23. ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏  ͭͷ$MPVE'PSNBUJPOελοΫΛ࡞੒͢Δ͚ͩ ࢀߟϦϯΫʢγϯάϧΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment.html ɹɹɹɹɹʢϚϧνΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment-stackset.html

24. ࣗಈम෮ιϦϡʔγϣϯͷϚϧνΞΧ΢ϯτಋೖ  $MPVE'PSNBUJPO
    4UBDL4FUTΛར༻͢Δ Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTEFQMPZNFOUTUBDLTFUIUNMTUFQTUBDLTFU

25. ࣗಈम෮ιϦϡʔγϣϯͷϚϧνϦʔδϣϯల։  $MPVE'PSNBUJPO
    4UBDL4FUTͷΦϓγϣϯͰઃఆ

26. աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏  όʔδϣϯʹΑͬͯҟͳΔ
    ɾόʔδϣϯະຬͷ৔߹
    ɹ
    ιϦϡʔγϣϯͷΞϯΠϯετʔϧ
    ɹ
    ιϦϡʔγϣϯͷΠϯετʔϧ 
 ɹɹ˞όʔδϣϯҎ߱ͷ৔߹͸Πϯετʔϧ࣌ͷύϥϝʔλʔ
    ɹɹɹ
    
    6TF
    FYJTUJOH
    0SDIFTUSBUPS
    -PH
    (SPVQΛ:FTʹ͢Δ
    ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html

    ɹɹɹɹɹɹhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/uninstall-the-solution.html

27. աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏  ɾόʔδϣϯҎ߱ͷ৔߹
    ɹˠಋೖ͍ͯ͠Δ$MPVE'PSNBUJPOελοΫΛߋ৽
    ɹ
    ؅ཧΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽
    ɹ
    ϝϯόʔΞΧ΢ϯτ্ͷύʔϛογϣϯߋ৽
    ɹ
    ϝϯόʔΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽ ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html

28.  म෮ΞΫγϣϯͷ࣮ߦ

29. छྨͷम෮ΞΫγϣϯ  खಈम෮
    PS
    ࣗಈम෮

30. खಈम෮  म෮ର৅ΛબͼʮΞΫγϣϯʯˠʮ3FNFEJBUF
    XJUI
    4)"33ʯ

31. ࣗಈम෮  &WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

32. म෮ޙͷ4FDVSJUZ)VC΁ͷ݁Ռ൓ө  ϫʔΫϑϩʔɿ3&40-7&%ʹมߋ͞ΕΔ
    ίϯϓϥΠΞϯεͷεςʔλεɿ͠͹Βͯ͘͠൓ө͞ΕΔ

33. म෮಺༰Λ஌Γ͍ͨ  ɾϓϨΠϒοΫҰཡ
    https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on- aws/playbooks-1.html
    ɾ44.υΩϡϝϯτ͔Βम෮಺༰Λ֬ೝͰ͖Δ

34. म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ  4)"33&OBCMF"VUP4DBMJOH(SPVQ&-#)FBMUI$IFDLͷྫ Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTQMBZCPPLTIUNM

35. म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ  ʮ"VUP4DBMJOHʯͰݕࡧͯ͠ΈΔ

36. म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ  υΩϡϝϯτͷઆ໌λϒ͔Βॲཧ֓ཁΛ֬ೝ

37.  τϥϒϧγϡʔςΟϯά

38. ओͳϩά  $MPVE8BUDIϩάάϧʔϓ͔Β֬ೝ
    ɹɾ404)"33
    ɹɹˠ"84
    4ZTUFNT
    .BOBHFSʹΑΔम෮݁Ռ 
 ɹɾ404)"330SDIFTUSBUPS
    ɹɹˠ"84
    4UFQ
    'VODUJPOTͷ࣮ߦ݁Ռ

39. ଞʹ΋֬ೝͨ͠ํ͕ྑ͍ͱ͜Ζ  ɾ4ZTUFNT
    .BOBHFS
    "VUPNBUJPOίϯιʔϧ
    ɾ4UFQ
    'VODUJPOTίϯιʔϧ
    ɾ-BNCEBͷίϯιʔϧ

40. τϥϒϧͱରॲྫ  <τϥϒϧ>
    ࣗಈम෮ιϦϡʔγϣϯͷ$MPVE'PSNBUJPOελοΫ
    ࡞੒Ͱɺ$MPVE8BUDIϩάάϧʔϓ͕طʹଘࡏ͍ͯ͠Δ Τϥʔ
    <ରॲํ๏>
    $MPVE'PSNBUJPOελοΫ࡞੒࣌ͷύϥϝʔλͰ
    ϩάάϧʔϓͷ࠶ར༻ΛZFTʹ͢Δ

41. τϥϒϧͱରॲྫ  <τϥϒϧ>
    म෮ΞΫγϣϯΛ࣮ߦ͕ͨ͠Կ΋ઃఆมߋ͞Εͳ͍ɻ
    <ରॲํ๏>
    ର৅ͷίϯτϩʔϧ͕म෮ର৅͔Λ֬ೝ͢Δɻम෮ର৅ ͷ৔߹͸ϩά΍ίϯιʔϧͰঢ়گΛ֬ೝ͢Δɻ 
 म෮ϓϨΠϒοΫҰཡ 


    https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on- aws/playbooks-1.html

42. ௨஌ઃఆ "NB[PO
    4/4ʣ  4/4τϐοΫ໊ɿ404)"33@5PQJD
    ௨஌ϝοηʔδྫ
    ɹɾ3FNFEJBUJPO queued for <standard> control

    <control_ID> 
 in account <account_ID> ɹɾ3FNFEJBUJPO failed for <standard> control <control_ID> 
 in account <account_ID> ɹɾ<control_ID> remediation was successfully invoke via AWS Systems Manager 
 in account <account_ID>

43. ௨஌಺༰ͷྫʢϝʔϧʣ  { "severity": "INFO", "message": "22ca9bc8-0000-4c3e-8bf9-e6dba09a95ec: Remediation succeeded for

    AFSBP control EC2.2 in account 123456789012: See Automation Execution output for details (AwsEc2SecurityGroup sg-xxxxxxxx)”, " fi nding": { " fi nding_id": "19f9612c-0000-49ed-ab63-254e35a4b1aa", " fi nding_description": "This AWS control checks that the default security group of a VPC does not allow inbound or outbound traf fi c.", "standard_name": "aws-foundational-security-best-practices", "standard_version": "1.0.0", "standard_control": "EC2.2", "title": "EC2.2 The VPC default security group should not allow inbound and outbound traf fi c", "region": "ap-northeast-1", "account": “123456789012", " fi nding_arn": “arn:aws:securityhub:ap-northeast-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/ EC2.2/ fi nding/19f9612c-0000-49ed-ab63-254e35a4b1aa" } }

44.  ΧελϚΠζํ๏

45. ΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ  म෮ 3VOCPPL ௥Ճͷ࢖͍Ͳ͜Ζ
    ɾ৽͘͠௥Ճ͞Εͨίϯτϩʔϧ༻
    ɾιϦϡʔγϣϯͰम෮ॲཧ͕ఏڙ͞Ε͍ͯͳ͍
    ɹίϯτϩʔϧ༻
    

46. 3VOCPPL௥Ճखॱ   "84
    4ZTUFNT
    .BOBHFS
    "VUPNBUJPO༻ͷ 
 3VOCPPLʢ%PDVNFOUʣ࡞੒
    
    *".ϩʔϧͷ࡞੒
    

47. 3VOCPPL࡞੒ํ๏ʢҰൠతͳํ๏ʣ  "84
    4ZTUFNT
    .BOBHFSͷυΩϡϝϯτ͔Β
    "VUPNBUJPO༻ͷυΩϡϝϯτΛ௥Ճ
    

48. 3VOCPPL࡞੒ํ๏ʢΑΓָͳํ๏ʣ  ͔Β࡞ΔΑΓυΩϡϝϯτͷΫϩʔϯ࡞੒ͷํ͕͓खܰ
    

49. 3VOCPPL࡞੒ɿ໊લΛ͚ͭΔ  υΩϡϝϯτ໊ͷ໋໊نଇ͋Γ
    4)"33ηΩϡϦςΟج४@ηΩϡϦςΟج४ͷόʔδϣϯ@ίϯτϩʔϧ
    

50. 3VOCPPL࡞੒ɿೖྗύϥϝʔλઃఆ  ೖྗύϥϝʔλʹ'JOEJOHͱ"VUPNBUJPO"TTVNF3PMF
    ͕ඞཁ

51. 3VOCPPL࡞੒ɿॲཧεςοϓهड़  εςοϓ໊ɿʻ೚ҙͷ໊લʼ
    ΞΫγϣϯλΠϓɿʻ೚ҙͷૢ࡞ʼ
    ɹˠࠓճ͸ྫͱͯ͠
    ɹɹεςοϓ໊ɿ4FOE4/4
    ɹɹΞΫγϣϯλΠϓɿ"84
    "1*ΞΫγϣϯΛݺͼग़࣮ͯ͠ߦ ࢀߟϦϯΫʢΞΫγϣϯλΠϓҰཡʣɿhttps://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/automation-actions.html

52. 3VOCPPL࡞੒ɿݺͼग़͢"84
    "1*ͷઃఆ  ࣮ߦ͍ͨ͠ॲཧΛهड़͢Δ
    ࢀߟϦϯΫʢ໊લۭؒͷҰཡʣɿhttps://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html

53. *".ϩʔϧ࡞੒ɿ*".ϩʔϧͷ࡞੒  طଘͷ*".ϩʔϧ 40Ͱ࢝·Δ΋ͷ Λࢀߟʹ࡞੒
    *".ϩʔϧ໊ʹ໋໊نଇ͋Γ
    403FNFEJBUFηΩϡϦςΟج४ηΩϡϦςΟج४ͷόʔδϣϯίϯτϩʔϧ
    ɹˠྫɿ403FNFEJBUF"'4#1&$

54. *".ϩʔϧ࡞੒ɿ*".ϩʔϧͷઃఆ  <ࢀߟ>৴པϙϦγʔͷ"TTVNF3PMFͷڐՄʹ 
 ɹɹɹҎԼͷϩʔϧηογϣϯϓϦϯγύϧΛ௥Ճ
    BSOBXTTUT"DDPVOU*%BTTVNFESPMF404)"330SDIFTUSBUPS "ENJO404)"33FYFD"VUPNBUJPO { "Effect": "Allow",

    "Principal": { "AWS": [ "arn:aws:iam::<AccountID>:role/SO0111-SHARR-Orchestrator-Member", "arn:aws:sts::<AccountID>:assumed-role/SO0111-SHARR-Orchestrator-Admin/SO0111-SHARR-execAutomation" ] }, "Action": "sts:AssumeRole" }

55. ࡞੒׬ྃɺࢼ͠ʹ࣮ߦ  खಈम෮Λ࣮ߦ

56. Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4UFQ
    'VODUJPOT  4UFQ
    'VODUJPOTͷεςʔτϚγϯ
    ʮ404)"330SDIFTUSBUPSʯΛ֬ೝ

57. Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4ZTUFNT
    .BOBHFS  4ZTUFNT
    .BOBHFSͷࣗಈԽʢΦʔτϝʔγϣϯʣͷ
    ࣮ߦϩάΛ֬ೝ

58. ͲͷεςοϓͰࣦഊ͔ͨ͠  εςʔλε͕ࣦഊͱͳ͍ͬͯΔεςοϓ*%Λબ୒͢Δ

59. ର৅εςοϓͷΤϥʔ಺༰Λ֬ೝ  ࣦഊͷৄࡉ͔ΒɺݪҼΛ֬ೝ͢Δ

60. ·ͱΊ  ɾ"84
    4FDVSJUZ
    )VCࣗಈम෮ιϦϡʔγϣϯ
    ɹɹ
    ྑ͍ͱ͜Ζɿͭͷྑ͍ͱ͜Ζ
    ɹɹ
    ಋೖํ๏ɿछྨͷ$MPVE'PSNBUJPOελοΫ࡞੒
    ɹɹ
    ࢖͍ํɿखಈम෮ͱࣗಈम෮ɺम෮಺༰ͷ֬ೝํ๏
    ɹɹ
    τϥϒϧγϡʔςΟϯάɿϩάͱίϯιʔϧͷ֬ೝ
    ɹɹ
    ΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ
    ɹ

61. None