
Protecting the Security of Your AWS Account: IAM Edition (AWSアカウントのセキュリティを守る IAM編)

Slides presented at the Toyama IT study group (富山IT勉強会) held on April 25, 2020.
https://toyama-it.connpass.com/event/162626/

The talk covers how to protect an AWS account using IAM and AWS's security services.

Takuro SASAKI

April 25, 2020

Transcript

  1. AWS and security (#富山IT勉強会)
     Think about AWS security along four axes:
     ① Security of the network and servers you build inside AWS
     ② Design and configuration of the AWS services you use
     ③ Permissions for operating AWS (IAM)
     ④ AWS services that maintain and manage security
     [Diagram: an AWS Cloud with a VPC, subnet, Internet gateway, VPN gateway, endpoints, instances and AWS Lambda (①); Amazon Simple Storage Service (S3) and other services (②); a user with operating permissions and roles acting through the AWS Management Console and the AWS Command Line Interface (③); and the services that maintain and manage security (④): AWS Config, AWS Systems Manager, AWS Service Catalog, AWS Trusted Advisor, AWS CloudTrail.]
  2. Whitelist pattern: grant only the permissions you allow
     - Grant per service (EC2, S3, ...) or, more finely, per action
     - AWS managed policies are, in a sense, a whitelist pattern as well
       ※ but they are too coarse to use as they are
     [Figure: only specific services/actions are allowed, e.g. ec2 Describe / Stop / Start; everything else is denied]
     Merits: you can design for least privilege; built with understanding, it is the most secure option
     Demerits: cannot be configured until the design is settled; high management overhead
  3. Blacklist pattern: keep adding denies
     - Strip away the permissions that must not be allowed
     [Figure: a broad allow over S3, EC2 and IAM, then only specific services/actions are denied]
     Merits: the design can be kept minimal; high degree of freedom
     Demerits: risk that an unanticipated service suddenly becomes usable
  4. Requiring MFA and restricting source IP
     The first two things to consider for a policy shared by all users:
     - Requiring MFA: always do this
     - IP restriction: agree it with the operations policy; its effect is that the place of work can be restricted
     Deny everything when the request does not come from the allowed addresses (address list not recoverable from the transcript):
       {
         "Effect": "Deny",
         "Action": "*",
         "Condition": {
           "NotIpAddress": { "aws:SourceIp": [ … ] }
         },
         "Resource": "*"
       }
     Deny everything except the listed IAM actions when no MFA is present (action list not recoverable from the transcript):
       {
         "Effect": "Deny",
         "NotAction": [ "iam:…" ],
         "Resource": "*",
         "Condition": {
           "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
         }
       }
  5. Points to note on switch roles
     - If you do not narrow down the Principal, every user can switch into the role
     - The default template's setting must be narrowed to specific users within the account; narrow by user (groups cannot be used)
     - An alternative is to strip the AssumeRole permission from everyone and then grant it only to the users who need it
     Default template (trusts the whole account; account id digits lost in the transcript, shown as a placeholder):
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": { "AWS": "arn:aws:iam::<account-id>:root" },
             "Action": "sts:AssumeRole",
             "Condition": {}
           }
         ]
       }
     Narrowed to one user:
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": { "AWS": "arn:aws:iam::<account-id>:user/test-user" },
             "Action": "sts:AssumeRole",
             "Condition": {}
           }
         ]
       }
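As an added example (not code from the deck), the following Python script performs the static checks a reviewer would want for the two shared Deny statements on slide 4 and the trust-policy Principal on slide 5. The sample policy documents are constructed: the account id 111122223333, the CIDR 203.0.113.0/24 and the NotAction list are placeholders rather than values from the slides, and the function names are this example's own.

```python
"""Static checks for the shared Deny statements (MFA required, source-IP
restriction) and for the switch-role trust policy Principal.
Added example; the policy documents below are constructed placeholders."""
import ipaddress
import json

# Constructed: one shared policy carrying both Deny statements.
SHARED_DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}
    },
    {
      "Effect": "Deny",
      "NotAction": ["iam:ChangePassword", "iam:GetUser"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")

# Constructed: the console's default trust policy (account root) and a user-scoped one.
TRUST_WHOLE_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}
TRUST_ONE_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:user/test-user"},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    return _as_list(policy.get("Statement"))


def enforces_mfa(policy):
    """True if a Deny statement blocks all actions (or all but a NotAction list)
    on every resource when MFA is absent. BoolIfExists is the key detail: a
    plain Bool test would not match requests where the key is missing."""
    for st in statements(policy):
        if st.get("Effect") != "Deny" or "*" not in _as_list(st.get("Resource")):
            continue
        broad = st.get("NotAction") is not None or "*" in _as_list(st.get("Action"))
        flag = st.get("Condition", {}).get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent")
        if broad and str(flag).lower() == "false":
            return True
    return False


def source_ip_allowlist(policy):
    """CIDRs that a 'Deny unless aws:SourceIp matches' statement still permits,
    parsed as networks so a typo fails loudly; [] if there is no such statement."""
    ranges = []
    for st in statements(policy):
        if st.get("Effect") != "Deny":
            continue
        cidrs = st.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        ranges.extend(str(ipaddress.ip_network(c, strict=False)) for c in _as_list(cidrs))
    return ranges


def assume_role_principals(trust_policy):
    """AWS principals that the trust policy allows to call sts:AssumeRole."""
    principals = []
    for st in statements(trust_policy):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            principals.append("*")
        else:
            principals.extend(_as_list(principal.get("AWS")))
    return principals


def trust_allows_whole_account(trust_policy):
    """The default template trusts the account root ARN, so every IAM principal
    in that account holding sts:AssumeRole can switch into the role."""
    return any(p == "*" or p.endswith(":root") for p in assume_role_principals(trust_policy))


if __name__ == "__main__":
    print("MFA enforced:", enforces_mfa(SHARED_DENY_POLICY))
    print("Allowed source ranges:", source_ip_allowlist(SHARED_DENY_POLICY))
    for label, trust in (("default", TRUST_WHOLE_ACCOUNT), ("user-scoped", TRUST_ONE_USER)):
        print(label, "trusts whole account:", trust_allows_whole_account(trust))
```

The source-IP Deny also applies to calls that AWS services make on a principal's behalf, whose source is a service name rather than the user's address, which is one reason the slide says to agree the restriction with the operations policy; AWS's aws:ViaAWSService condition key exists to exclude such calls.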
  6. [Recap] AWS and security
     The four-axis slide from slide 1 (①network and servers, ②service design and configuration, ③IAM permissions, ④security-maintenance services), shown again with the same diagram to introduce the services part.
  7. CloudTrail
     Records the operation history of AWS resources and can notify on it
     ① Saves the operation history of the Management Console and the API to S3
     ② Using CloudWatch Logs, notification via SNS is also possible
     [Diagram: User → AWS Management Console / AWS Command Line Interface → AWS resources → AWS CloudTrail → Amazon Simple Storage Service (S3) and Amazon CloudWatch]
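Slide 7 describes CloudTrail writing the operation history to S3 and forwarding it through CloudWatch Logs to SNS. As an added example that is not the deck's code, here is the kind of review a defender would run over those records before deciding what to notify on: it flags console logins without MFA, role switches (sts:AssumeRole) and calls from outside the allowed address range, tying the log side back to slides 4 and 5. The records are constructed in CloudTrail's JSON layout (field names are CloudTrail's; the account id 111122223333, user names and the range 203.0.113.0/24 are made up).

```python
"""Review CloudTrail records for console logins without MFA, role switches and
calls from outside the allowed source range. Added example; the records and
the allowed range below are constructed placeholders."""
import ipaddress
import json

ALLOWED_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed

# Constructed records in CloudTrail's {"Records": [...]} layout.
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventID": "evt-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No"}},
  {"eventID": "evt-2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
   "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
   "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/admin"}},
  {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
   "sourceIPAddress": "203.0.113.20",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                    "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}
]}
""")


def from_allowed_network(source_ip):
    """True when the caller address is inside an allowed range. CloudTrail puts
    a service DNS name (e.g. config.amazonaws.com) in sourceIPAddress for calls
    AWS services make on a principal's behalf; those are not user locations, so
    they are treated as in-range rather than raised as alerts."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(ip in net for net in ALLOWED_SOURCE_RANGES)


def review_record(record):
    """Return human-readable findings for one CloudTrail record ([] if clean)."""
    findings = []
    name = record.get("eventName")
    who = record.get("userIdentity", {}).get("arn", "<unknown principal>")
    if name == "ConsoleLogin":
        succeeded = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = record.get("additionalEventData", {}).get("MFAUsed")
        if succeeded and mfa_used == "No":
            findings.append(f"console login without MFA by {who}")
    if name == "AssumeRole" and record.get("eventSource") == "sts.amazonaws.com":
        role = record.get("requestParameters", {}).get("roleArn", "<unknown role>")
        findings.append(f"role switch by {who} into {role}")
    source = record.get("sourceIPAddress", "")
    if not from_allowed_network(source):
        findings.append(f"call from outside allowed network: {source} by {who}")
    return findings


def review_trail(trail):
    """Flatten findings over a whole trail file as 'eventID: finding' strings."""
    out = []
    for record in trail.get("Records", []):
        out.extend(f"{record.get('eventID')}: {f}" for f in review_record(record))
    return out


if __name__ == "__main__":
    for line in review_trail(SAMPLE_TRAIL):
        print(line)
```

The same function can be wired to the CloudWatch Logs subscription the slide mentions, with each non-empty result published to SNS; the MFAUsed field is only present on ConsoleLogin events, which is why API calls are judged on the caller address instead.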
  8. GuardDuty: threat detection
     ① Detects threat risks from a security standpoint
     ② Analyses log data (VPC Flow Logs, CloudTrail Event Logs, DNS Logs)
     ③ Detects threats intelligently using AI
     [Diagram: logs (Flow logs, Event Logs, DNS Logs) → Amazon GuardDuty judges threats (malicious scans, threats to instances, threats to the account) → notification via Amazon CloudWatch Events and Amazon Simple Notification Service]