devio2022-sharr

"84ࣄۀຊ෦ίϯαϧςΟϯά෦ɹਿۚɹ৾
ηΩϡϦςΟӡ༻ͷࣗಈԽʹʂ
"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯ

View Slide

໨࣍
"844FDVSJUZ)VCͱ͸
"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͷ঺հ
ྑ͍ͱ͜Ζ
ಋೖํ๏
म෮ΞΫγϣϯͷ࣮ߦ
τϥϒϧγϡʔςΟϯά
ΧελϚΠζํ๏

View Slide

஫ҙࣄ߲
ࠓճઆ໌͢Δ಺༰͸
"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͷ
όʔδϣϯΛର৅

View Slide

"844FDVSJUZ)VCͱ͸
ηΩϡϦςΟͷϕετϓϥΫςΟεͷνΣοΫΛߦ͍ɺ
 
ΞϥʔτΛू໿͠ɺࣗಈम෮ΛՄೳʹ͢Δ
 
Ϋϥ΢υηΩϡϦςΟମ੍؅ཧαʔϏε
Ҿ༻ɿIUUQTBXTBNB[PODPNKQTFDVSJUZIVC

View Slide

"844FDVSJUZ)VCͷը໘

View Slide

ར༻ՄೳͳηΩϡϦςΟج४
ɾ"84جૅηΩϡϦςΟͷϕετϓϥΫςΟεW
ɾ$*4"84'PVOEBUJPOT#FODINBSLW
ɾ1$*%44W

View Slide

ίϯτϩʔϧͱ͸
ಛఆͷϦιʔεʹର͢ΔηΩϡϦςΟνΣοΫ߲໨
ͨͱ͑͹ʜ
ɾ<&$>͢΂ͯͷ71$Ͱ71$ϑϩʔϩάه࿥Λ
༗ޮʹ͢Δඞཁ͕͋Γ·͢
ɾ<*".>ະ࢖༻ͷ*".Ϣʔβʔೝূ৘ใ͸
࡟আ͢Δඞཁ͕͋Γ·͢
ɾ<3%4>3%4εφοϓγϣοτ͸
ϓϥΠϕʔτͰ͋Δඞཁ͕͋Γ·͢

View Slide

ίϯτϩʔϧͷ਺
ηΩϡϦςΟج४͝ͱʹෳ਺ͷίϯτϩʔϧ͕ଘࡏ͢Δ

View Slide

ࣗಈम෮Λ࣮૷͢Δʹ͸
"NB[PO&WFOU#SJEHFͱ૊Έ߹ΘͤΔ

View Slide

ࣗಈम෮Λ࣮૷͢Δʹ͸
"NB[PO&WFOU#SJEHFͱ૊Έ߹ΘͤΔ
ઃܭͲ͏͠Α͏
؆୯ʹ࣮૷͍ͨ͠

View Slide

"844FDVSJUZ)VC
ࣗಈम෮ιϦϡʔγϣϯͷ঺հ

View Slide

"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͱ͸
͋Β͔͡Ίఆٛ͞Εͨ
ରԠɾम෮ΞΫγϣϯΛ࣮ߦ͢ΔΞυΦϯ
˞ຊηογϣϯͰ͸WΛϕʔεʹઆ໌

View Slide

ͲͷΑ͏ͳϦιʔε͕࡞ΒΕΔ͔
ෳ਺ͷ"84αʔϏεͱ૊Έ߹Θͤ
Ҿ༻ɿIUUQTBXTBNB[PODPNTPMVUJPOTJNQMFNFOUBUJPOTBXTTFDVSJUZIVCBVUPNBUFESFTQPOTFBOESFNFEJBUJPO

View Slide

ࣗಈम෮ιϦϡʔγϣϯͷྑ͍ͱ͜Ζ
ɾ"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ
ɾϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ
ɾम෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ
ɾࣗಈम෮͕Ͱ͖Δ

View Slide

"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ
ࣗಈम෮ιϦϡʔγϣϯΛಋೖ͍ͯ͠ͳ͍ঢ়ଶ

View Slide

"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ
ࣗಈम෮ιϦϡʔγϣϯಋೖޙ

View Slide

ϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ
؅ཧΞΧ΢ϯτ͔ΒϝϯόʔΞΧ΢ϯτʹम෮ࢦྩ

View Slide

म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ
"844ZTUFNT.BOBHFSͷυΩϡϝϯτ͔Β֬ೝՄೳ

View Slide

म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ
υΩϡϝϯτͷίϯςϯπʹॲཧ಺༰͕هࡌ

View Slide

ࣗಈम෮͕Ͱ͖Δ
&WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

View Slide

"844FDVSJUZ)VC
ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏

View Slide

ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏
ͭͷ$MPVE'PSNBUJPOελοΫΛ࡞੒͢Δ͚ͩ
ࢀߟϦϯΫʢγϯάϧΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment.html
ɹɹɹɹɹʢϚϧνΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment-stackset.html

View Slide

ࣗಈम෮ιϦϡʔγϣϯͷϚϧνΞΧ΢ϯτಋೖ
$MPVE'PSNBUJPO4UBDL4FUTΛར༻͢Δ
Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTEFQMPZNFOUTUBDLTFUIUNMTUFQTUBDLTFU

View Slide

ࣗಈम෮ιϦϡʔγϣϯͷϚϧνϦʔδϣϯల։
$MPVE'PSNBUJPO4UBDL4FUTͷΦϓγϣϯͰઃఆ

View Slide

աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏
όʔδϣϯʹΑͬͯҟͳΔ
ɾόʔδϣϯະຬͷ৔߹
ɹιϦϡʔγϣϯͷΞϯΠϯετʔϧ
ɹιϦϡʔγϣϯͷΠϯετʔϧ
 
ɹɹ˞όʔδϣϯҎ߱ͷ৔߹͸Πϯετʔϧ࣌ͷύϥϝʔλʔ
ɹɹɹ6TFFYJTUJOH0SDIFTUSBUPS-PH(SPVQΛ:FTʹ͢Δ
ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html
ɹɹɹɹɹɹhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/uninstall-the-solution.html

View Slide

աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏
ɾόʔδϣϯҎ߱ͷ৔߹
ɹˠಋೖ͍ͯ͠Δ$MPVE'PSNBUJPOελοΫΛߋ৽
ɹ؅ཧΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽
ɹϝϯόʔΞΧ΢ϯτ্ͷύʔϛογϣϯߋ৽
ɹϝϯόʔΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽
ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html

View Slide

म෮ΞΫγϣϯͷ࣮ߦ

View Slide

छྨͷम෮ΞΫγϣϯ
खಈम෮
PS
ࣗಈम෮

View Slide

खಈम෮
म෮ର৅ΛબͼʮΞΫγϣϯʯˠʮ3FNFEJBUFXJUI4)"33ʯ

View Slide

ࣗಈम෮
&WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

View Slide

म෮ޙͷ4FDVSJUZ)VC΁ͷ݁Ռ൓ө
ϫʔΫϑϩʔɿ3&40-7&%ʹมߋ͞ΕΔ
ίϯϓϥΠΞϯεͷεςʔλεɿ͠͹Βͯ͘͠൓ө͞ΕΔ

View Slide

म෮಺༰Λ஌Γ͍ͨ
ɾϓϨΠϒοΫҰཡ
https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-
aws/playbooks-1.html
ɾ44.υΩϡϝϯτ͔Βम෮಺༰Λ֬ೝͰ͖Δ

View Slide

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ
4)"33&OBCMF"VUP4DBMJOH(SPVQ&-#)FBMUI$IFDLͷྫ
Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTQMBZCPPLTIUNM

View Slide

ʮ"VUP4DBMJOHʯͰݕࡧͯ͠ΈΔ

View Slide

υΩϡϝϯτͷઆ໌λϒ͔Βॲཧ֓ཁΛ֬ೝ

View Slide

τϥϒϧγϡʔςΟϯά

View Slide

ओͳϩά
$MPVE8BUDIϩάάϧʔϓ͔Β֬ೝ
ɹɾ404)"33
ɹɹˠ"844ZTUFNT.BOBHFSʹΑΔम෮݁Ռ
 
ɹɾ404)"330SDIFTUSBUPS
ɹɹˠ"844UFQ'VODUJPOTͷ࣮ߦ݁Ռ

View Slide

ଞʹ΋֬ೝͨ͠ํ͕ྑ͍ͱ͜Ζ
ɾ4ZTUFNT.BOBHFS"VUPNBUJPOίϯιʔϧ
ɾ4UFQ'VODUJPOTίϯιʔϧ
ɾ-BNCEBͷίϯιʔϧ

View Slide

τϥϒϧͱରॲྫ
<τϥϒϧ>
ࣗಈम෮ιϦϡʔγϣϯͷ$MPVE'PSNBUJPOελοΫ
࡞੒Ͱɺ$MPVE8BUDIϩάάϧʔϓ͕طʹଘࡏ͍ͯ͠Δ
Τϥʔ
<ରॲํ๏>
$MPVE'PSNBUJPOελοΫ࡞੒࣌ͷύϥϝʔλͰ
ϩάάϧʔϓͷ࠶ར༻ΛZFTʹ͢Δ

View Slide

τϥϒϧͱରॲྫ
<τϥϒϧ>
म෮ΞΫγϣϯΛ࣮ߦ͕ͨ͠Կ΋ઃఆมߋ͞Εͳ͍ɻ
<ରॲํ๏>
ର৅ͷίϯτϩʔϧ͕म෮ର৅͔Λ֬ೝ͢Δɻम෮ର৅
ͷ৔߹͸ϩά΍ίϯιʔϧͰঢ়گΛ֬ೝ͢Δɻ
 
म෮ϓϨΠϒοΫҰཡ
 
https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-
aws/playbooks-1.html

View Slide

௨஌ઃఆ "NB[PO4/4ʣ
4/4τϐοΫ໊ɿ404)"33@5PQJD
௨஌ϝοηʔδྫ
ɹɾ3FNFEJBUJPO queued for control
 
in account
ɹɾ3FNFEJBUJPO failed for control
 
in account
ɹɾ remediation was successfully invoke via AWS Systems Manager
 
in account

View Slide

௨஌಺༰ͷྫʢϝʔϧʣ
{
"severity": "INFO",
"message": "22ca9bc8-0000-4c3e-8bf9-e6dba09a95ec: Remediation succeeded for AFSBP control EC2.2 in account
123456789012: See Automation Execution output for details (AwsEc2SecurityGroup sg-xxxxxxxx)”,
"
fi
nding": {
"
fi
nding_id": "19f9612c-0000-49ed-ab63-254e35a4b1aa",
"
fi
nding_description": "This AWS control checks that the default security group of a VPC does not allow inbound or outbound
traf
fi
c.",
"standard_name": "aws-foundational-security-best-practices",
"standard_version": "1.0.0",
"standard_control": "EC2.2",
"title": "EC2.2 The VPC default security group should not allow inbound and outbound traf
fi
c",
"region": "ap-northeast-1",
"account": “123456789012",
"
fi
nding_arn": “arn:aws:securityhub:ap-northeast-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/
EC2.2/
fi
nding/19f9612c-0000-49ed-ab63-254e35a4b1aa"
}
}

View Slide

ΧελϚΠζํ๏

View Slide

ΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ
म෮ 3VOCPPL
௥Ճͷ࢖͍Ͳ͜Ζ
ɾ৽͘͠௥Ճ͞Εͨίϯτϩʔϧ༻
ɾιϦϡʔγϣϯͰम෮ॲཧ͕ఏڙ͞Ε͍ͯͳ͍
ɹίϯτϩʔϧ༻

View Slide

3VOCPPL௥Ճखॱ
"844ZTUFNT.BOBHFS"VUPNBUJPO༻ͷ
 
3VOCPPLʢ%PDVNFOUʣ࡞੒
*".ϩʔϧͷ࡞੒

View Slide

3VOCPPL࡞੒ํ๏ʢҰൠతͳํ๏ʣ
"844ZTUFNT.BOBHFSͷυΩϡϝϯτ͔Β
"VUPNBUJPO༻ͷυΩϡϝϯτΛ௥Ճ

View Slide

3VOCPPL࡞੒ํ๏ʢΑΓָͳํ๏ʣ
͔Β࡞ΔΑΓυΩϡϝϯτͷΫϩʔϯ࡞੒ͷํ͕͓खܰ

View Slide

3VOCPPL࡞੒ɿ໊લΛ͚ͭΔ
υΩϡϝϯτ໊ͷ໋໊نଇ͋Γ
4)"33ηΩϡϦςΟج४@ηΩϡϦςΟج४ͷόʔδϣϯ@ίϯτϩʔϧ

View Slide

3VOCPPL࡞੒ɿೖྗύϥϝʔλઃఆ
ೖྗύϥϝʔλʹ'JOEJOHͱ"VUPNBUJPO"TTVNF3PMF
͕ඞཁ

View Slide

3VOCPPL࡞੒ɿॲཧεςοϓهड़
εςοϓ໊ɿʻ೚ҙͷ໊લʼ
ΞΫγϣϯλΠϓɿʻ೚ҙͷૢ࡞ʼ
ɹˠࠓճ͸ྫͱͯ͠
ɹɹεςοϓ໊ɿ4FOE4/4
ɹɹΞΫγϣϯλΠϓɿ"84"1*ΞΫγϣϯΛݺͼग़࣮ͯ͠ߦ
ࢀߟϦϯΫʢΞΫγϣϯλΠϓҰཡʣɿhttps://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/automation-actions.html

View Slide

3VOCPPL࡞੒ɿݺͼग़͢"84"1*ͷઃఆ
࣮ߦ͍ͨ͠ॲཧΛهड़͢Δ
ࢀߟϦϯΫʢ໊લۭؒͷҰཡʣɿhttps://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html

View Slide

*".ϩʔϧ࡞੒ɿ*".ϩʔϧͷ࡞੒
طଘͷ*".ϩʔϧ 40Ͱ࢝·Δ΋ͷ
Λࢀߟʹ࡞੒
*".ϩʔϧ໊ʹ໋໊نଇ͋Γ
403FNFEJBUFηΩϡϦςΟج४ηΩϡϦςΟج४ͷόʔδϣϯίϯτϩʔϧ
ɹˠྫɿ403FNFEJBUF"'4#1&$

View Slide

*".ϩʔϧ࡞੒ɿ*".ϩʔϧͷઃఆ
<ࢀߟ>৴པϙϦγʔͷ"TTVNF3PMFͷڐՄʹ
 
ɹɹɹҎԼͷϩʔϧηογϣϯϓϦϯγύϧΛ௥Ճ
BSOBXTTUT"DDPVOU*%BTTVNFESPMF404)"330SDIFTUSBUPS
"ENJO404)"33FYFD"VUPNBUJPO
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::role/SO0111-SHARR-Orchestrator-Member",
"arn:aws:sts:::assumed-role/SO0111-SHARR-Orchestrator-Admin/SO0111-SHARR-execAutomation"
]
},
"Action": "sts:AssumeRole"
}

View Slide

࡞੒׬ྃɺࢼ͠ʹ࣮ߦ
खಈम෮Λ࣮ߦ

View Slide

Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4UFQ'VODUJPOT
4UFQ'VODUJPOTͷεςʔτϚγϯ
ʮ404)"330SDIFTUSBUPSʯΛ֬ೝ

View Slide

Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4ZTUFNT.BOBHFS
4ZTUFNT.BOBHFSͷࣗಈԽʢΦʔτϝʔγϣϯʣͷ
࣮ߦϩάΛ֬ೝ

View Slide

ͲͷεςοϓͰࣦഊ͔ͨ͠
εςʔλε͕ࣦഊͱͳ͍ͬͯΔεςοϓ*%Λબ୒͢Δ

View Slide

ର৅εςοϓͷΤϥʔ಺༰Λ֬ೝ
ࣦഊͷৄࡉ͔ΒɺݪҼΛ֬ೝ͢Δ

View Slide

·ͱΊ
ɾ"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯ
ɹɹྑ͍ͱ͜Ζɿͭͷྑ͍ͱ͜Ζ
ɹɹಋೖํ๏ɿछྨͷ$MPVE'PSNBUJPOελοΫ࡞੒
ɹɹ࢖͍ํɿखಈम෮ͱࣗಈम෮ɺम෮಺༰ͷ֬ೝํ๏
ɹɹτϥϒϧγϡʔςΟϯάɿϩάͱίϯιʔϧͷ֬ೝ
ɹɹΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ
ɹ

View Slide

View Slide

devio2022-sharr

devio2022-sharr

Sugikane Shin

Other Decks in Technology

Featured

Transcript