AWS認定セキュリティ - 専門知識 AWSのサービスを使って楽してセキュリティ向上！！

"84ೝఆηΩϡϦςΟઐ໳஌ࣝ "84ͷαʔϏεΛ࢖ͬͯ ָͯ͠ηΩϡϦςΟ޲্ʂʂ /3*ωοτίϜגࣜձࣾɹ ࠤʑ໦୓࿠ 'JO+"84ୈճ'JOਓྨҭ੒ܭը #ﬁnjaws

ࠤʑ໦୓࿠ CMPHIUUQTCMPHUBLVSPTOFU 5XJUUFS!ELGK ࣗݾ঺հ #ﬁnjaws

+BQBO"1/"NCBTTBEPS બग़͞Ε·ͨ͠ ࣗݾ঺հ #ﬁnjaws

ೝఆηΩϡϦςΟࢼݧͷରࡦຊ #ﬁnjaws ཁ఺੔ཧ͔Β߈ུ͢Δ ʰ"84ೝఆηΩϡϦςΟઐ໳஌ࣝʱ IUUQTBN[OUP1,4D( "84ೝఆηΩϡϦςΟઐ໳஌ࣝͷษڧͷ࢓ํͱ "84ͷηΩϡϦςΟͷΨΠυϒοΫͱͯࣥ͠චʢͨͭ͠΋Γʣ

ࠓ೔࿩͢಺༰ "84ͷηΩϡϦςΟͷߟ͑ํͱೝఆࢼݧ "84ʹ͓͚Δ̏ͭͷηΩϡϦςΟͷ࣠ ηΩϡϦςΟΛҡ࣋͢ΔͨΊͷ"84αʔϏε #ﬁnjaws

ຊ೔ͷΰʔϧ "84ͷηΩϡϦςΟͬͯɺ͜͏͍͏͜ͱ΍ΔΜͩΑͱ ಉ྅ʹ࿩ͤΔΑ͏ʹͳΔ 㱺ਓʹઆ໌͢Δͷ͕ɺཧղ΁ͷૣಓʂʂ #ﬁnjaws *".ϕετϓϥΫςΟεʹ͍ͭͯϏσΦͰઆ໌͢Δ *".ͰͷηΩϡϦςΟͷϕετϓϥΫςΟε IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFCFTUQSBDUJDFTIUNM

"84ͷηΩϡϦςΟͱೝఆࢼݧ

"84ೝఆηΩϡϦςΟɹઐ໳஌ࣝ ιϦϡʔγϣϯΞʔΩςΫτͱͷҧ͍ #ﬁnjaws ιϦϡʔγϣϯ ΞʔΩςΫτ ηΩϡϦςΟ ઐ໳஌ࣝ ͲͷΑ͏ʹ࡞Δͷ͔ʁ ͲͷΑ͏ʹ҆શΛ ֬อ͢Δͷ͔ʁ

ࢼݧൣғͱ഑఺ #ﬁnjaws ߲൪ ෼໺ ׂ߹ ΠϯγσϯτରԠ ϩάͱ؂ࢹ
ΠϯϑϥετϥΫνϟͷ ηΩϡϦςΟ *%͓ΑͼΞΫηε؅ཧ σʔλอޢ ॏ఺߲໨

"84ͱηΩϡϦςΟ ͍Ζ͍Ζ΍Δ͜ͱ͕ଟͯ͘ɺ ΍΍͍͜͠ͱࢥͬͨ͜ͱ͋Γ·ͤΜ͔ શମ૾Λ೺Ѳ͢ΔͨΊʹɺͬ͘͟Γͱ ෼ྨͯ͠Έ·͠ΐ͏ #ﬁnjaws

ਓੜɺָͯ͠ͳΜ΅ #ﬁnjaws

ڊਓͷݞͷ্ʹཱͭ Ұ͔Βશ෦ࣗ෼Ͱߟ͑Δͱେม ϑϨʔϜϫʔΫʹ৐ͬͯɺ࠷খݶͷ࿑ྗͰ ·ͣ͸ఆੴΛ֮͑ͯɺਅࣅΔ͜ͱ͔Β࢝ΊΔ #ﬁnjaws

/*45αΠόʔηΩϡϦςΟϑϨʔϜϫʔΫ ෼ྨ ΧςΰϦʔ ಛఆ ʢ*EFOUJGZʣ ɾࢿ࢈؅ཧ ɾϏδωε؀ڥ ɾΨόφϯε ɾϦεΫΞηεϝϯτɺϦεΫΞηεϝϯτ؅ཧ ɾαϓϥΠνΣʔϯϦεΫϚωδϝϯτ
๷ޚ ʢ1SPUFDUʣ ɾΞΫηε੍ޚ ɾҙࣝ޲্͓ΑͼτϨʔχϯά ɾσʔληΩϡϦςΟ ɾ৘ใΛอޢ͢ΔͨΊͷϓϩηε͓Αͼखॱ ɾอक ɾอޢٕज़ ݕ஌ ʢ%FUFDUʣ ɾҟৗͱΠϕϯτ ɾηΩϡϦςΟͷܧଓతͳϞχλϦϯά ɾݕ஌ϓϩηε ରԠ ʢ3FTQPOEʣ ɾରԠܭըͷ࡞੒ ɾίϛϡχέʔγϣϯ ɾ෼ੳ ɾ௿ݮ ෮چ ʢ3FDPWFSʣ ɾ෮چܭըͷ࡞੒ ɾվળ ɾίϛχέʔγϣϯ IPA CSFίΞ https://www.ipa.go.jp/files/000071204.pdf

"848FMM"SDIJUFDUFEϑϨʔϜϫʔΫ ப ઃܭݪଇ ӡ༻্ͷ ༏लੑ ɾӡ༻Λίʔυͱͯ͠ӡ༻ ɾఆظతʹɺখن໛ͳɺݩʹ໭͢͜ͱ͕Ͱ͖ΔมߋΛద༻͢Δ ɾӡ༻खॱΛఆظతʹվળ͢Δ ɾো֐Λ༧૝͢Δ ɾ͋ΒΏΔӡ༻্ͷো֐͔ΒֶͿ
ηΩϡϦςΟ ɾڧݻͳೝূج൫ͷ࣮૷ ɾτϨαϏϦςΟʔͷ࣮ݱ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾηΩϡϦςΟͷϕετϓϥΫςΟεͷࣗಈԽ ɾ఻ૹத͓Αͼอ؅தͷσʔλอޢ ɾσʔλʹਓͷखΛೖΕͳ͍ ɾηΩϡϦςΟΠϕϯτ΁ͷඋ͑ ৴པੑ ɾো֐͔Βࣗಈతʹ෮چ͢Δ ɾ෮چखॱΛςετ͢Δ ɾਫฏํ޲ʹεέʔϧͯ͠ू߹తͳϫʔΫϩʔυͷՄ༻ੑΛߴΊΔ ɾΩϟύγςΟʔΛײʹཔΒͳ͍ ɾࣗಈԽͰมߋΛ؅ཧ͢Δ ύϑΥʔϚϯεޮ཰ ɾߴ౓ͳςΫϊϩδʔΛ୭Ͱ΋࢖͑ΔΑ͏ʹ͢Δ ɾ͢෼Ͱάϩʔόϧʹల։͢Δ ɾαʔόʔϨεΞʔΩςΫνϟΛ࢓༷͢Δ ɾΑΓසൟʹ࣮ݧ͢Δ ɾϝΧχΧϧγϯύγʔΛߟྀ͢Δ ίετ࠷దԽ ɾΫϥ΢υͷࡒ຿؅ཧͷӡ༻ ɾফඅϞσϧΛಋೖ͢Δ ɾશମతͳޮ཰Λଌఆ͢Δ ɾඅ༻Λ෼ੳ͠ɺؼ݁ͤ͞Δ AWS Well-Architented ϑϨʔϜϫʔΫ https://aws.amazon.com/jp/architecture/well-architected/

ϑϨʔϜϫʔΫʹԊͬͯ ઃܭ͞Ε͍ͯΔ͔Λߟ͑Δ

ϑϨʔϜϫʔΫʹ౰ͯ͸ΊͯΈΔͱʁ Lambda Systems Manager Automation CloudFormation Organizations SCP IAM SNS
Config CloudWatch Inspector Macie GuardDuty Shield Firewall Manager WAF VPC ༧๷ ๷ޚ ݕ஌ ରԠ ෮چ ௨஌ ࣗಈԽ Lambda CloudWatch ௐࠪ CloudWatch CloudTrail ౷߹ Security Hub #ﬁnjaws

ΞʔΩςΫνϟʔผʹݟͯΈΔͱ Shield WAF CloudFront ELB ߈ܸରࡦ ର৅Ϧιʔε NACL Security Group
ωοτϫʔΫ๷ޚ ର৅Ϧιʔε ELB EC2 RDS KMS σʔλอޢ ର৅Ϧιʔε EC2 RDS S3 %%P4߈ܸ ΞϓϦέʔγϣϯ ߈ܸ ෆਖ਼ ωοτϫʔΫ ΞΫηε ෆਖ਼ ɹσʔλΞΫηε Inspector Systems Manager αʔόʔ؅ཧ Security Hub CloudTrail CloudWatch GuardDuty Config VPC Flow logs ՄࢹԽɾϞχλϦϯά ௨஌ ௨஌ SNS ௨஌ ӡ༻୲౰ ؂ࢹ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾτϨαϏϦςΟʔͷ࣮ݱ

γεςϜͷϨΠϠʔผʹ౰ͯ͸ΊΔͱ #ﬁnjaws Ϛωδϝϯτ ίϯιʔϧ 71$Ծ૝ઐ༗ྖҬ &$04ྖҬ &#4ϩʔΧϧσΟεΫ 3%4σʔλϕʔε 4ετϨʔδ $MPVE8BUDI؂ࢹ
%JSFDU$POOFDU/8 ηΩϡϦςΟͷରԠྫʢ๷ޚʣ ݕ஌ͷରԠྫ (VBSE%VUZ $POUSPM5PXFS 4FDVSJUZ)VC 'JSFXBMM.BOBHFS .BDJF 5SVTUFE"EWJTPS ɾ"84ΞΧ΢ϯτɿར༻੍ݶ ɾ*".Ϣʔβɿૢ࡞ݖݶͱ઀ଓݩ੍ݶ ɹར༻ՄೳϦιʔεʹର͢ΔΞΫηείϯτϩʔϧɺଟཁૉೝূͷಋೖ ɾຊ൪؀ڥɺ։ൃ؀ڥͱ͍ͬͨ؀ڥ୯ҐͰ71$ͷ෼཭ ɾαϒωοτ୯ҐͰͷ௨৴੍ޚɺϧʔςΟϯάઃఆ ɾ71$ϑϩʔϩάͷऔಘ ɾ4FDVSJUZ(SPVQʹΑΔαʔόؒ௨৴੍ޚ ɾ4ZTUFNT.BOBHFS౳Λར༻ͯ͠ͷɺαʔόঢ়ଶͷ೺ѲͱҰׅύον౰ͯ ɾαʔόͷϩάΠϯ؅ཧͷ࢓૊Έͱɺϩάू໿ͷ࢓૊Έͷಋೖ ɾ҉߸ԽΦϓγϣϯʹΑΔσΟεΫશମͷ҉߸Խ $MPVE5SBJMʹΑΔ "84ૢ࡞ཤྺ τϥϑΟοΫϩά ֤छΞϓϦέʔγϣϯϩά 04ϩάΠϯཤྺ %#؂ࠪϩά "84αʔϏε֤छʹΑΔ ϩάɾΞϥʔτ ݕࠪ͢Δ΂͖ϩά ɾઐ༻ઢʢ%9ʣ΍71/Λར༻ͨ͠ܦ࿏҆શͷ֬อ ɾ5SBOTJU(BUFXBZΛར༻ͨ͠71$ɾܦ࿏ͷ؅ཧ ɾܦ࿏ͷ৑௕ԽʹΑΔࣄۀܧଓੑͷ֬อ ɾDBMSͷػೳʹΑΔςʔϒϧશମʢදྖҬʣͷ҉߸Խ ɾDBʹର͢ΔΞΫηεݖݶͷ؅ཧ ɾ҉߸ԽΦϓγϣϯʹΑΔετϨʔδશମͷ҉߸Խ ɾΫϥΠΞϯταΠυ͸҉߸ԽΩʔʹΑΓσʔλΛอޢ ɾCloudWatchʹΑΔAWSͷ؂ࢹͱɺӡ༻؂ࢹιϑτ΢ΣΞΛར༻ͨ͠αʔ ϏεɺΞϓϦέʔγϣϯ؂ࢹͷซ༻ *OTQFDUPS "84ͷར༻ঢ়گͷ؂ࠪ "84ΞΧ΢ϯτͷઃఆͱΨόφϯε ηΩϡϦςΟʔΞϥʔτͷू໿ͱݕ஌ɾରԠ "84ͷෆਖ਼ར༻ͷݕ஌ 04ɺΞϓϦͷηΩϡϦςΟධՁ 'JSFXBMMͷҰݩ؅ཧͱݕ஌ɾରԠ 4಺ͷػີ৘ใͷݕग़ɺ෼ྨɺอޢ 0SHBOJ[BUJPOT

༧๷త౷੍ͱൃݟత౷੍ #ﬁnjaws ηΩϡϦςΟͷϕετϓϥΫςΟεͷҰͭ 0SHBOJ[BUJPO6OJU Automation AWS Systems Manager AWS Config
Rule ઃఆෆඋΛ ݕ஌ म෮ࢦࣔ ༧๷త౷੍ ൃݟత౷੍ SCP AWS Organizations SCPΛར༻ͯ͠ ΞΧ΢ϯτશମʹ ېࢭࣄ߲ͷઃఆ AWSΞΧ΢ϯτ IAM User ྫʣ SPPUϢʔβʔͷΞΫηεΩʔͷ ࡞੒Λېࢭ͢Δ ྫʣ *".Ϣʔβʔͷ.'"͕༗ޮʹ ͳ͍ͬͯΔ͔νΣοΫ͢Δ Ұ࣌తʹ IAMϢʔβʔͷ ແޮԽ

͜ͷลΛҙࣝ͠ͳ͕Β ઃఆΛࣗ෼Ͱ΍Δͱ ഒཧղ͕ਐΉ

΋͏গ͠ղΓ΍͘͢͢ΔͨΊʹ "84্ͷγεςϜΛ෼ղ

"84ͱηΩϡϦςΟ "84ͷηΩϡϦςΟ͸̏ͭͷ࣠Ͱߟ͑Δ ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱαʔόʔͷηΩϡϦςΟ ᶄ"84ૢ࡞ʹؔ͢Δݖݶʢ*".ʣ ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢ΔͨΊͷ"84αʔϏε AWS Management Console Role VPC
AWS Cloud Subnet Internet gateway Amazon Simple Storage Service (S3) VPN gateway Endpoints User ૢ࡞ݖݶ Instance Instance Instance AWS Lambda Role ᶄ ᶃ AWS Command Line Interface AWS Config AWS Systems Manager AWS Service Catalog AWS Trusted Advisor AWS CloudTrail ᶅ ηΩϡϦςΟΛҡ࣋ ؅ཧ͢ΔαʔϏε #ﬁnjaws

ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱ αʔόʔͷηΩϡϦςΟ ੹೚ڞ༗Ϟσϧͷ੺࿮ͷ෦෼ ઃܭͷߟ͑ํ͸ΦϯϓϨͱେ͖͘ҧΘͳ͍͕ɺઃఆͷ࢓ ํ͸"84ͷྲّྀʹै͏ඞཁ͕͋Δ IUUQTBXTBNB[PODPNKQDPNQMJBODFTIBSFESFTQPOTJCJMJUZNPEFM #ﬁnjaws

ᶄ"84ͷૢ࡞ʹؔ͢Δݖݶʢ*".ʣ "84ͷηΩϡϦςΟͷத֩ͷҰͭ ͲΜͳʹωοτϫʔΫ΍αʔόʔͷηΩϡϦςΟΛڧݻʹ ͍ͯͯ͠΋ɺ"84Λ௚઀ૢ࡞͞ΕΔͱ͕݀։͚ΒΕΔ "84ͷബ͍ຊɹ*".ͷϚχΞοΫͳ࿩ IUUQTCPPUIQNKBJUFNT #ﬁnjaws

ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢Δ ɹͨΊͷ"84αʔϏε "84ಠࣗͷ෦෼ ར༻͠ͳͯ͘΋γεςϜΛηΩϡΞͳঢ়ଶΛҡ࣋Ͱ͖Δ͕ɺ ্ख͘׆༻͢ΔͱࣗྗͰ΍ΔΑΓഒָʹͳΔ "84ͷബ͍ຊᶘΞΧ΢ϯτηΩϡϦςΟͷϕʔγοΫηΦϦʔ IUUQTCPPUIQNKBJUFNT #ﬁnjaws

ηΩϡϦςΟΛҡ࣋͢ΔͨΊͷ "84αʔϏε

ΨόφϯεͷҝͷΨʔυϨʔϧ ηΩϡϦςΟ͸Ұ౓ઃఆ͓ͯ͠ऴ͍Ͱ͸ͳ͍ɻ ؀ڥશମʹܧଓతͳΨόφϯεΛఏڙ͢Δҝͷϧʔϧ͕ඞ ཁɻ"84͸ͦΕΛαϙʔτ͢ΔαʔϏεΛఏڙ͍ͯ͠Δ ᶃ༧๷ɹʜɹ*".΍4$1Ͱېࢭࣄ߲ͷૢ࡞ࣄ߲Λग़དྷͳ͘͢Δ͜ͱ ᶄݕ஌ɹʜɹېࢭࣄ߲ͷૢ࡞͕͞ΕͨΒؾ͕෇͚Δঢ়ଶʹ͢Δ͜ͱ ΨʔυϨʔϧ ؔॴ #ﬁnjaws

$MPVE5SBJM AWS Management Console User AWS Command Line Interface AWS
CloudTrail Amazon Simple Storage Service (S3) Amazon CloudWatch "84Ϧιʔεͷૢ࡞ཤྺΛه࿥ɾ௨஌ ᶃϚωδϝϯτίϯιʔϧͱ"1*ͷૢ࡞ཤྺΛ4ʹอଘ ᶄ$MPVE8BUDI-PHTΛར༻ͯ͠4/4ܦ༝Ͱ௨஌΋Մೳ AWSϦιʔε #ﬁnjaws

$POpH ఆ఺ˍΠϕϯτൃੜ࣌ʹ"84ͷঢ়ଶΛه࿥ ᶃ"84ͷঢ়ଶΛه࿥͠؅ཧ͢ΔαʔϏε ᶄ$POpH3VMFTΛར༻͢Δ͜ͱʹΑΓɺ͋Δ΂͖ঢ়ଶ͔Β֎Ε ͨ͜ͱΛݕ஌͢Δ͜ͱ͕Ͱ͖Δ AWS Config User AWSϦιʔε ͷߏ੒มߋ
ߏ੒؅ཧɾه࿥ ͷอଘ มߋޙͷߏ੒ͷ ධՁ ʢConfig Rulesʣ Amazon Simple Notification Service #ﬁnjaws

(VBSE%VUZ ڴҖͷݕग़ ᶃηΩϡϦςΟ؍఺͔ΒͷڴҖϦεΫΛݕग़ ᶄϩάσʔλʢ71$'MPX-PHT $MPVE5SBJM&WFOU-PHT %/4 -PHTʣΛ෼ੳ ᶅڴҖΛ"*ʹΑΓΠϯςϦδΣϯεʹݕग़ ѱҙͷ͋ΔεΩϟϯ Πϯελϯε΁ͷڴҖ
ΞΧ΢ϯτ΁ͷڴҖ Amazon GuardDuty Flow logs Event Logs DNS Logs ϩά ڴҖͷ൑அ Amazon Simple Notification Service Amazon CloudWatch Events ௨஌ #ﬁnjaws

4FDVSJUZ)VC https://aws.amazon.com/jp/security-hub/ ηΩϡϦςΟΞϥʔτΛҰݩ؅ཧ ᶃ(VBSE%VUZ .BDJF *OTQFDUPSͷΞϥʔτΛ౷߹ͯ͠؅ཧ ᶄ֤छϩάΛݩʹίϯϓϥΠΞϯενΣοΫ ᶅαʔυύʔςΟπʔϧͱͷ࿈ܞɾෳ਺"84ΞΧ΢ϯτͷ౷߹ ΋Մೳ #ﬁnjaws

5SVTUFE"EWJTPS "84ͷར༻ঢ়گΛධՁ ᶃ̑ͭͷ؍఺ʢίετ࠷దԽɾύϑΥʔϚϯεɾηΩϡϦςΟɾ ϑΥʔϧττϨϥϯεɾαʔϏε੍ݶʣͰධՁ ᶄσϑΥϧτͰద༻͞Ε͍ͯΔͷͰɺҰ౓ݟͯΈΔ͜ͱ ᶅ௨஌ʢ&ϝʔϧͷΈʣ΋Մೳ #ﬁnjaws

$POUSPM5PXFS https://aws.amazon.com/jp/controltower/ ෳ਺ΞΧ΢ϯτͷηΩϡϦςΟઃఆͱ؂ࢹ ᶃ"84ͷϕετϓϥΫςΟεΛ੝ΓࠐΜͩઃఆͰɺ"84ΞΧ΢ ϯτͷߏங ᶄΞΧ΢ϯτͷϙϦγʔΛܧଓతʹ؅ཧͱՄࢹԽ ᶅطଘͷΞΧ΢ϯτΛ$POUSPM5PXFSʹొ࿥͢Δͷා͍ #ﬁnjaws

ϕετϓϥΫςΟε ᶃద੾ͳݖݶ؅ཧ͕࠷ॏཁʢ*".ͱ4$1ʣ ᶄ"84ͷαʔϏεΛ࢖ͬͯݕ஌ͷػೳΛ੝ΓࠐΉ ᶅߏஙςϯϓϨʔτԽɻϚϧνΞΧ΢ϯτͰ͋Ε͹ɺ $MPVE'PSNBUJPO4UBDL4FUT 0SHBOJ[BUJPOT͕ਆ #ﬁnjaws $MPVE'PSNBUJPO4UBDL4FUT 0SHBOJ[BUJPOTͷνϡʔτϦΞϧ IUUQTCPPUIQNKBJUFNT

ͪΐͬͱએ఻ #ﬁnjaws ࣗ૸Ͱ͖ΔΑ͏ʹͳΔ·Ͱɺ ൐૸ͯ͠΋Β͏ͷ΋͋Γʂʁ /3*ωοτίϜɹ"84ΞΧ΢ϯτɹηΩϡϦςΟରࡦࢧԉαʔϏε IUUQTXXXOSJOFUDPNQSPEVDUTBXTBDDPVOUTFD

ηΩϡϦςΟ͸"*ͷྖҬʹ #ﬁnjaws ߈ܸଆ͸ɺ࣌ؒ೔΄΅શࣗಈͰ߈ܸ ๷ޚଆʢ͋ͳͨʣ͸ɺͦΕΛਓྗͰकΕ·͔͢ʁ AWS Cloud ͋ͳͨͷ γεςϜ ๷ޚଆ΋ɺࣗಈతͳ๷ޚ͕ඞ༻ ݸʑͷ൑அ͸"*ʹ೚ͤͳ͍ͱແཧͳྖҬʹ
࣌ؒ೔ λʔήοτΛ୳ͯ͠߈ܸ

·ͱΊ

ࠓ೔࿩ͨ͠ςʔϚ "84ͷηΩϡϦςΟͷߟ͑ํͱೝఆࢼݧ "84ʹ͓͚Δ̏ͭͷηΩϡϦςΟͷ࣠ ηΩϡϦςΟΛҡ࣋͢ΔͨΊͷ"84αʔϏε #ﬁnjaws

AWS認定セキュリティ - 専門知識 AWSのサービスを使って楽してセキュリティ向上！！

AWS認定セキュリティ - 専門知識 AWSのサービスを使って楽してセキュリティ向上！！

More Decks by Takuro SASAKI

Other Decks in Technology

Featured

Transcript