devio2022-sharr

"84ࣄۀຊ෦ίϯαϧςΟϯά෦ɹਿۚɹ৾ ηΩϡϦςΟӡ༻ͷࣗಈԽʹʂ "844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯ

໨࣍ "844FDVSJUZ)VCͱ͸ "844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͷ঺հ ྑ͍ͱ͜Ζ ಋೖํ๏
म෮ΞΫγϣϯͷ࣮ߦ τϥϒϧγϡʔςΟϯά ΧελϚΠζํ๏

஫ҙࣄ߲ ࠓճઆ໌͢Δ಺༰͸ "844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͷ όʔδϣϯΛର৅

"844FDVSJUZ)VCͱ͸ ηΩϡϦςΟͷϕετϓϥΫςΟεͷνΣοΫΛߦ͍ɺ   ΞϥʔτΛू໿͠ɺࣗಈम෮ΛՄೳʹ͢Δ   Ϋϥ΢υηΩϡϦςΟମ੍؅ཧαʔϏε Ҿ༻ɿIUUQTBXTBNB[PODPNKQTFDVSJUZIVC

"844FDVSJUZ)VCͷը໘

ར༻ՄೳͳηΩϡϦςΟج४ ɾ"84جૅηΩϡϦςΟͷϕετϓϥΫςΟεW ɾ$*4"84'PVOEBUJPOT#FODINBSLW ɾ1$*%44W

ίϯτϩʔϧͱ͸ ಛఆͷϦιʔεʹର͢ΔηΩϡϦςΟνΣοΫ߲໨ ͨͱ͑͹ʜ ɾ<&$>͢΂ͯͷ71$Ͱ71$ϑϩʔϩάه࿥Λ ༗ޮʹ͢Δඞཁ͕͋Γ·͢ ɾ<*".>ະ࢖༻ͷ*".Ϣʔβʔೝূ৘ใ͸ ࡟আ͢Δඞཁ͕͋Γ·͢ ɾ<3%4>3%4εφοϓγϣοτ͸ ϓϥΠϕʔτͰ͋Δඞཁ͕͋Γ·͢

ίϯτϩʔϧͷ਺ ηΩϡϦςΟج४͝ͱʹෳ਺ͷίϯτϩʔϧ͕ଘࡏ͢Δ

ࣗಈम෮Λ࣮૷͢Δʹ͸ "NB[PO&WFOU#SJEHFͱ૊Έ߹ΘͤΔ

ࣗಈम෮Λ࣮૷͢Δʹ͸ "NB[PO&WFOU#SJEHFͱ૊Έ߹ΘͤΔ ઃܭͲ͏͠Α͏ ؆୯ʹ࣮૷͍ͨ͠

"844FDVSJUZ)VC ࣗಈम෮ιϦϡʔγϣϯͷ঺հ

"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯͱ͸ ͋Β͔͡Ίఆٛ͞Εͨ ରԠɾम෮ΞΫγϣϯΛ࣮ߦ͢ΔΞυΦϯ ˞ຊηογϣϯͰ͸WΛϕʔεʹઆ໌

ͲͷΑ͏ͳϦιʔε͕࡞ΒΕΔ͔ ෳ਺ͷ"84αʔϏεͱ૊Έ߹Θͤ Ҿ༻ɿIUUQTBXTBNB[PODPNTPMVUJPOTJNQMFNFOUBUJPOTBXTTFDVSJUZIVCBVUPNBUFESFTQPOTFBOESFNFEJBUJPO

ࣗಈम෮ιϦϡʔγϣϯͷྑ͍ͱ͜Ζ ɾ"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ ɾϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ ɾम෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ ɾࣗಈम෮͕Ͱ͖Δ

"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ ࣗಈम෮ιϦϡʔγϣϯΛಋೖ͍ͯ͠ͳ͍ঢ়ଶ

"844FDVSJUZ)VCͱ౷߹͍ͯ͠Δ ࣗಈम෮ιϦϡʔγϣϯಋೖޙ

ϫϯΫϦοΫͰΫϩεΞΧ΢ϯτͷम෮͕Ͱ͖Δ ؅ཧΞΧ΢ϯτ͔ΒϝϯόʔΞΧ΢ϯτʹम෮ࢦྩ

म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ "844ZTUFNT.BOBHFSͷυΩϡϝϯτ͔Β֬ೝՄೳ

म෮ͷϓϨΠϒοΫ͕͋Β͔͡Ί༻ҙ͞Ε͍ͯΔ υΩϡϝϯτͷίϯςϯπʹॲཧ಺༰͕هࡌ

ࣗಈम෮͕Ͱ͖Δ &WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

"844FDVSJUZ)VC ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏

ࣗಈम෮ιϦϡʔγϣϯͷಋೖํ๏ ͭͷ$MPVE'PSNBUJPOελοΫΛ࡞੒͢Δ͚ͩ ࢀߟϦϯΫʢγϯάϧΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment.html ɹɹɹɹɹʢϚϧνΞΧ΢ϯτ༻खॱʣɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/deployment-stackset.html

ࣗಈम෮ιϦϡʔγϣϯͷϚϧνΞΧ΢ϯτಋೖ $MPVE'PSNBUJPO4UBDL4FUTΛར༻͢Δ Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTEFQMPZNFOUTUBDLTFUIUNMTUFQTUBDLTFU

ࣗಈम෮ιϦϡʔγϣϯͷϚϧνϦʔδϣϯల։ $MPVE'PSNBUJPO4UBDL4FUTͷΦϓγϣϯͰઃఆ

աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏ όʔδϣϯʹΑͬͯҟͳΔ ɾόʔδϣϯະຬͷ৔߹ ɹιϦϡʔγϣϯͷΞϯΠϯετʔϧ ɹιϦϡʔγϣϯͷΠϯετʔϧ   ɹɹ˞όʔδϣϯҎ߱ͷ৔߹͸Πϯετʔϧ࣌ͷύϥϝʔλʔ ɹɹɹ6TFFYJTUJOH0SDIFTUSBUPS-PH(SPVQΛ:FTʹ͢Δ ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html
ɹɹɹɹɹɹhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/uninstall-the-solution.html

աڈόʔδϣϯ͔ΒͷΞοϓάϨʔυํ๏ ɾόʔδϣϯҎ߱ͷ৔߹ ɹˠಋೖ͍ͯ͠Δ$MPVE'PSNBUJPOελοΫΛߋ৽ ɹ؅ཧΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽ ɹϝϯόʔΞΧ΢ϯτ্ͷύʔϛογϣϯߋ৽ ɹϝϯόʔΞΧ΢ϯτ༻$MPVE'PSNBUJPOελοΫΛߋ৽ ࢀߟϦϯΫɿhttps://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on-aws/update-the-solution.html

म෮ΞΫγϣϯͷ࣮ߦ

छྨͷम෮ΞΫγϣϯ खಈम෮ PS ࣗಈम෮

खಈम෮ म෮ର৅ΛબͼʮΞΫγϣϯʯˠʮ3FNFEJBUFXJUI4)"33ʯ

ࣗಈम෮ &WFOU#SJEHFϧʔϧ༗ޮԽͰࣗಈम෮0O

म෮ޙͷ4FDVSJUZ)VC΁ͷ݁Ռ൓ө ϫʔΫϑϩʔɿ3&40-7&%ʹมߋ͞ΕΔ ίϯϓϥΠΞϯεͷεςʔλεɿ͠͹Βͯ͘͠൓ө͞ΕΔ

म෮಺༰Λ஌Γ͍ͨ ɾϓϨΠϒοΫҰཡ https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on- aws/playbooks-1.html ɾ44.υΩϡϝϯτ͔Βम෮಺༰Λ֬ೝͰ͖Δ

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ 4)"33&OBCMF"VUP4DBMJOH(SPVQ&-#)FBMUI$IFDLͷྫ Ҿ༻ɿIUUQTEPDTBXTBNB[PODPNFO@VTTPMVUJPOTMBUFTUBVUPNBUFETFDVSJUZSFTQPOTFPOBXTQMBZCPPLTIUNM

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ ʮ"VUP4DBMJOHʯͰݕࡧͯ͠ΈΔ

म෮಺༰Λ஌Γ͍ͨʢݕࡧྫʣ υΩϡϝϯτͷઆ໌λϒ͔Βॲཧ֓ཁΛ֬ೝ

τϥϒϧγϡʔςΟϯά

ओͳϩά $MPVE8BUDIϩάάϧʔϓ͔Β֬ೝ ɹɾ404)"33 ɹɹˠ"844ZTUFNT.BOBHFSʹΑΔम෮݁Ռ   ɹɾ404)"330SDIFTUSBUPS ɹɹˠ"844UFQ'VODUJPOTͷ࣮ߦ݁Ռ

ଞʹ΋֬ೝͨ͠ํ͕ྑ͍ͱ͜Ζ ɾ4ZTUFNT.BOBHFS"VUPNBUJPOίϯιʔϧ ɾ4UFQ'VODUJPOTίϯιʔϧ ɾ-BNCEBͷίϯιʔϧ

τϥϒϧͱରॲྫ <τϥϒϧ> ࣗಈम෮ιϦϡʔγϣϯͷ$MPVE'PSNBUJPOελοΫ ࡞੒Ͱɺ$MPVE8BUDIϩάάϧʔϓ͕طʹଘࡏ͍ͯ͠Δ Τϥʔ <ରॲํ๏> $MPVE'PSNBUJPOελοΫ࡞੒࣌ͷύϥϝʔλͰ ϩάάϧʔϓͷ࠶ར༻ΛZFTʹ͢Δ

τϥϒϧͱରॲྫ <τϥϒϧ> म෮ΞΫγϣϯΛ࣮ߦ͕ͨ͠Կ΋ઃఆมߋ͞Εͳ͍ɻ <ରॲํ๏> ର৅ͷίϯτϩʔϧ͕म෮ର৅͔Λ֬ೝ͢Δɻम෮ର৅ ͷ৔߹͸ϩά΍ίϯιʔϧͰঢ়گΛ֬ೝ͢Δɻ   म෮ϓϨΠϒοΫҰཡ  
https://docs.aws.amazon.com/en_us/solutions/latest/automated-security-response-on- aws/playbooks-1.html

௨஌ઃఆ "NB[PO4/4ʣ 4/4τϐοΫ໊ɿ404)"33@5PQJD ௨஌ϝοηʔδྫ ɹɾ3FNFEJBUJPO queued for <standard> control
<control_ID>   in account <account_ID> ɹɾ3FNFEJBUJPO failed for <standard> control <control_ID>   in account <account_ID> ɹɾ<control_ID> remediation was successfully invoke via AWS Systems Manager   in account <account_ID>

௨஌಺༰ͷྫʢϝʔϧʣ { "severity": "INFO", "message": "22ca9bc8-0000-4c3e-8bf9-e6dba09a95ec: Remediation succeeded for
AFSBP control EC2.2 in account 123456789012: See Automation Execution output for details (AwsEc2SecurityGroup sg-xxxxxxxx)”, " fi nding": { " fi nding_id": "19f9612c-0000-49ed-ab63-254e35a4b1aa", " fi nding_description": "This AWS control checks that the default security group of a VPC does not allow inbound or outbound traf fi c.", "standard_name": "aws-foundational-security-best-practices", "standard_version": "1.0.0", "standard_control": "EC2.2", "title": "EC2.2 The VPC default security group should not allow inbound and outbound traf fi c", "region": "ap-northeast-1", "account": “123456789012", " fi nding_arn": “arn:aws:securityhub:ap-northeast-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/ EC2.2/ fi nding/19f9612c-0000-49ed-ab63-254e35a4b1aa" } }

ΧελϚΠζํ๏

ΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ म෮ 3VOCPPL ௥Ճͷ࢖͍Ͳ͜Ζ ɾ৽͘͠௥Ճ͞Εͨίϯτϩʔϧ༻ ɾιϦϡʔγϣϯͰम෮ॲཧ͕ఏڙ͞Ε͍ͯͳ͍ ɹίϯτϩʔϧ༻

3VOCPPL௥Ճखॱ "844ZTUFNT.BOBHFS"VUPNBUJPO༻ͷ   3VOCPPLʢ%PDVNFOUʣ࡞੒ *".ϩʔϧͷ࡞੒

3VOCPPL࡞੒ํ๏ʢҰൠతͳํ๏ʣ "844ZTUFNT.BOBHFSͷυΩϡϝϯτ͔Β "VUPNBUJPO༻ͷυΩϡϝϯτΛ௥Ճ

3VOCPPL࡞੒ํ๏ʢΑΓָͳํ๏ʣ ͔Β࡞ΔΑΓυΩϡϝϯτͷΫϩʔϯ࡞੒ͷํ͕͓खܰ

3VOCPPL࡞੒ɿ໊લΛ͚ͭΔ υΩϡϝϯτ໊ͷ໋໊نଇ͋Γ 4)"33ηΩϡϦςΟج४@ηΩϡϦςΟج४ͷόʔδϣϯ@ίϯτϩʔϧ

3VOCPPL࡞੒ɿೖྗύϥϝʔλઃఆ ೖྗύϥϝʔλʹ'JOEJOHͱ"VUPNBUJPO"TTVNF3PMF ͕ඞཁ

3VOCPPL࡞੒ɿॲཧεςοϓهड़ εςοϓ໊ɿʻ೚ҙͷ໊લʼ ΞΫγϣϯλΠϓɿʻ೚ҙͷૢ࡞ʼ ɹˠࠓճ͸ྫͱͯ͠ ɹɹεςοϓ໊ɿ4FOE4/4 ɹɹΞΫγϣϯλΠϓɿ"84"1*ΞΫγϣϯΛݺͼग़࣮ͯ͠ߦ ࢀߟϦϯΫʢΞΫγϣϯλΠϓҰཡʣɿhttps://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/automation-actions.html

3VOCPPL࡞੒ɿݺͼग़͢"84"1*ͷઃఆ ࣮ߦ͍ͨ͠ॲཧΛهड़͢Δ ࢀߟϦϯΫʢ໊લۭؒͷҰཡʣɿhttps://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html

*".ϩʔϧ࡞੒ɿ*".ϩʔϧͷ࡞੒ طଘͷ*".ϩʔϧ 40Ͱ࢝·Δ΋ͷ Λࢀߟʹ࡞੒ *".ϩʔϧ໊ʹ໋໊نଇ͋Γ 403FNFEJBUFηΩϡϦςΟج४ηΩϡϦςΟج४ͷόʔδϣϯίϯτϩʔϧ ɹˠྫɿ403FNFEJBUF"'4#1&$

*".ϩʔϧ࡞੒ɿ*".ϩʔϧͷઃఆ <ࢀߟ>৴པϙϦγʔͷ"TTVNF3PMFͷڐՄʹ   ɹɹɹҎԼͷϩʔϧηογϣϯϓϦϯγύϧΛ௥Ճ BSOBXTTUT"DDPVOU*%BTTVNFESPMF404)"330SDIFTUSBUPS "ENJO404)"33FYFD"VUPNBUJPO { "Effect": "Allow",
"Principal": { "AWS": [ "arn:aws:iam::<AccountID>:role/SO0111-SHARR-Orchestrator-Member", "arn:aws:sts::<AccountID>:assumed-role/SO0111-SHARR-Orchestrator-Admin/SO0111-SHARR-execAutomation" ] }, "Action": "sts:AssumeRole" }

࡞੒׬ྃɺࢼ͠ʹ࣮ߦ खಈम෮Λ࣮ߦ

Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4UFQ'VODUJPOT 4UFQ'VODUJPOTͷεςʔτϚγϯ ʮ404)"330SDIFTUSBUPSʯΛ֬ೝ

Ͳ͜Ͱࣦഊͨ͠ͷ͔௥੻ɿ4ZTUFNT.BOBHFS 4ZTUFNT.BOBHFSͷࣗಈԽʢΦʔτϝʔγϣϯʣͷ ࣮ߦϩάΛ֬ೝ

ͲͷεςοϓͰࣦഊ͔ͨ͠ εςʔλε͕ࣦഊͱͳ͍ͬͯΔεςοϓ*%Λબ୒͢Δ

ର৅εςοϓͷΤϥʔ಺༰Λ֬ೝ ࣦഊͷৄࡉ͔ΒɺݪҼΛ֬ೝ͢Δ

·ͱΊ ɾ"844FDVSJUZ)VCࣗಈम෮ιϦϡʔγϣϯ ɹɹྑ͍ͱ͜Ζɿͭͷྑ͍ͱ͜Ζ ɹɹಋೖํ๏ɿछྨͷ$MPVE'PSNBUJPOελοΫ࡞੒ ɹɹ࢖͍ํɿखಈम෮ͱࣗಈम෮ɺम෮಺༰ͷ֬ೝํ๏ ɹɹτϥϒϧγϡʔςΟϯάɿϩάͱίϯιʔϧͷ֬ೝ ɹɹΧελϚΠζɿ৽͍͠म෮ͷ௥Ճ ɹ

devio2022-sharr

devio2022-sharr

Other Decks in Technology

Featured

Transcript