Slides from the talk "Protecting the security of your AWS account" (AWSアカウントのセキュリティを守る), given at JAWS-UG Chiba Vol.7 https://jawsug-chiba.doorkeeper.jp/events/99430
Protecting the security of your AWS account
NRI Netcom Co., Ltd., Sasaki
JAWS-UG Chiba chapter, 7th meetup #jawsug
About me: Sasaki. Blog: https://blog.takuros.net Twitter: @dkfj
About me: selected as a Japan APN Ambassador.
Today's topics
- The four axes of security on AWS
- IAM matters
- AWS services for keeping security up
- Bonus
AWS and security

AWS and security: there is a lot to do, and you have probably found it hard at times. To get the big picture, let's roughly classify it.

AWS and security: think of AWS security along four axes.
(1) Security of the network and servers you build on AWS
(2) Design and configuration of the AWS services you use
(3) Permissions for operating AWS (IAM)
(4) AWS services for maintaining and managing security
Diagram: AWS Management Console, AWS CLI and a user (operation permissions, axis 3) operating on a VPC in the AWS Cloud (subnet, internet gateway, VPN gateway, endpoints, instances, AWS Lambda, roles, Amazon S3; axes 1 and 2), with the services that maintain security (axis 4) alongside: AWS Config, AWS Systems Manager, AWS Service Catalog, AWS Trusted Advisor, AWS CloudTrail.
(1) Security of the network and servers you build on AWS: this is your side of the shared responsibility model. The design approach is not very different from on-premises, but the way you configure things has to follow AWS conventions. https://aws.amazon.com/jp/compliance/shared-responsibility-model/

(2) Design and configuration of the AWS services you use: the so-called managed services. The range you have to cover yourself is small, but you need to understand the characteristics of each service. So start by learning only the ones you actually use. https://www.slideshare.net/AmazonWebServicesJapan/… (AWS whitebelt online seminar deck)

(3) Permissions for operating AWS (IAM): one of the cores of AWS security. No matter how hardened your network and servers are, once someone can operate AWS itself, a hole can be opened. https://blog.takuros.net/entry/… I spoke on this theme at Security-JAWS.

(4) AWS services for maintaining and managing security: the part that is unique to AWS. You can keep a system in a secure state without using them, but used well they make it several times easier than doing everything yourself. That is today's theme!!
Classifying things and putting them into words advances understanding. @kaitendaentai https://twitter.com/kaitendaentai/status/1052689241744896001

Putting IAM design into words

Introducing the book "IAM no maniac na hanashi" (an IAM deep dive) https://takuros.booth.pm/items/1563844

"IAM no maniac na hanashi", table of contents:
Introduction
Chapter 1: AWS and IAM
Chapter 2: IAM features
Chapter 3: IAM tutorial
Chapter 4: IAM policy design patterns
Chapter 5: IAM group design patterns
Chapter 6: IAM and security
Chapter 7: Operating IAM
Chapter 8: IAM and CloudFormation
Chapter 9: IAM template collection
Chapter 10: Using AWS services other than IAM
Appendix A: Setup checklist for a newly opened account
Basic principles of IAM design

Basic principles of IAM design: there are only two principles to uphold.
- Operational design so that credentials do not get stolen: use roles instead of access key / secret access key pairs; use git-secrets.
- Permission design that minimizes the damage if credentials are stolen: mandatory MFA, usage restrictions such as IP restriction, least-privilege settings.
IAM policy design patterns

IAM policies: there are three IAM policy design patterns: the whitelist pattern, the blacklist pattern and the hybrid pattern.

Whitelist pattern: grant only the permissions you allow, per service (such as EC2 or S3) or, more finely, per action. AWS managed policies are in a sense a whitelist pattern too, though they are too coarse to use as-is.
Figure: only specific services and actions are allowed (e.g. ec2 Describe, Stop, Start); everything else is denied.
- Pros: makes least-privilege design possible; built with understanding, it is the most secure.
- Cons: cannot be configured until the design is settled; high management burden.

Blacklist pattern: keep adding denies, stripping away the permissions that must not be allowed.
Figure: S3, ec2 and IAM are allowed; only specific services and actions are denied.
- Pros: the design can be kept minimal; high degree of freedom.
- Cons: risk that an unexpected service suddenly becomes usable.

Hybrid pattern: a combination of whitelist and blacklist. Grant permissions, then remove the ones you want to forbid. Strictly speaking, every blacklist pattern is a hybrid.
Figure: allow AdministratorAccess or EC2 first, then deny IAM; grant permissions first and cut the unnecessary ones.
- Pros: AWS managed policies are easy to use; high freedom and easy design.
- Cons: hardly any. Note: be careful about how policies are layered.
IAM group design patterns

IAM groups: there are two IAM group design patterns: membership in multiple groups, and multiple policies per group.

Membership in multiple groups: permissions are set on the assumption that a user belongs to several groups, e.g. a common group for all employees plus role-specific groups. Easy to build a hierarchical structure.

Multiple policies per group: permissions are set on the assumption that a user belongs to exactly one group. Simple structure from the user's point of view; permissions are easy to see at a glance.
Turn the pattern principles into a concrete design
Mandatory MFA and IP restriction: in the policy shared by everyone, consider these two first.
- Mandatory MFA: always do it.
- IP restriction: consult your operations policy. It has the effect of limiting where work can be done.
The two Deny statements (the allowed IP ranges are omitted here):
  {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["<allowed IP ranges>"]}}
  }
  {
    "Effect": "Deny",
    "NotAction": ["iam:*"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }
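As an added illustration (not code from the slides), the following Python evaluates a request context against the two Deny statements above. It shows why BoolIfExists is used: a request signed with a long-term access key carries no aws:MultiFactorAuthPresent key at all, and an ...IfExists operator treats a missing key as a match, so such requests are denied as well, while iam:* stays usable so a user can still set up an MFA device. The CIDR list is a constructed placeholder.

```python
import ipaddress

# Constructed sample of the slide's two Deny statements; the CIDR list is a placeholder.
OFFICE_CIDRS = ["203.0.113.0/24"]

MFA_AND_IP_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDRS}}},
        {"Effect": "Deny", "NotAction": ["iam:*"], "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and a pattern may end in a "*" wildcard.
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def _statement_covers(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: applies to every action except the listed ones (keeps iam:* usable for MFA setup).
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))

def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if operator == "NotIpAddress":
                ip = ipaddress.ip_address(ctx[key])
                if any(ip in ipaddress.ip_network(n) for n in _as_list(wanted)):
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists: a missing key counts as a match, so a request signed with a
                # long-term access key (no aws:MultiFactorAuthPresent in its context) is denied.
                if key in ctx and str(ctx[key]).lower() != str(wanted).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True

def matching_denies(policy, action, ctx):
    # Indexes of the Deny statements that explicitly deny `action` in request context `ctx`.
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Deny" and _statement_covers(s, action)
            and _condition_holds(s.get("Condition", {}), ctx)]
```

The request context is assumed to always carry aws:SourceIp, as console and CLI calls from a client do; only the two operators the slide uses are modelled.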
Designing administrator permissions: grant Admin permissions, then add restrictions.
- Mandatory MFA plus IP address restriction.
- An administrator role for the cases where the IP restriction has to be lifted.
A common design is to give only read permissions before the switch.

Safe design for administrator permissions:
- At login, read-only permissions.
- Grant read permissions plus the permission to SwitchRole.
- Switching roles makes the administrator permissions available.
- Putting one cushion step in between aims to deter operational mistakes.

Designing the network administrator: use the job-function AWS managed policies, which are permission sets for a specific purpose. Be careful with ec2 permissions: they include both instance operations and network operations.

Designing developers: the most troublesome set is developer permissions. The permission to create IAM roles is increasingly needed. Grant administrator permissions and then use a Permission Boundary? https://techbookfest.org/event/tbf… Also, I want to find a way to test the IAM roles and policies I create.
Switch role caveats: if you do not narrow the Principal, every user can switch. The default template's setting applies to all users in the account, so it needs narrowing, and narrowing is done by naming users (groups cannot be specified). An alternative is to strip the AssumeRole permission from everyone and grant it only to the users who need it.
Default template (any user in the account can switch):
  {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::<account-id>:root"}, "Action": "sts:AssumeRole", "Condition": {}}]}
Narrowed to one user:
  {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::<account-id>:user/testuser"}, "Action": "sts:AssumeRole", "Condition": {}}]}
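As an added check (not from the slides), this Python flags trust policies whose unconditional Allow for sts:AssumeRole names a whole account (":root") or anyone ("*") as Principal, which is exactly the default-template situation described above; the account id is a constructed placeholder.

```python
import re

# Account id below is a constructed placeholder, not a real account.
ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")

# The two trust policies from the slide: the default template (account root as
# Principal) and the narrowed one that names a single user.
DEFAULT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": {},
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}],
}
NARROWED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": {},
                   "Principal": {"AWS": "arn:aws:iam::123456789012:user/testuser"}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overly_broad_principals(trust_policy):
    # Principals in unconditional Allow sts:AssumeRole statements that delegate to a
    # whole account (":root") or to anyone ("*"). With a root principal, every user or
    # role in that account holding sts:AssumeRole permission can switch into the role.
    found = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a Condition (e.g. on aws:MultiFactorAuthPresent) narrows it; not counted here
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_ids = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        found.extend(p for p in aws_ids if p == "*" or ROOT_PRINCIPAL.match(p))
    return found
```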
The least-privilege dilemma: it is a best practice, but...
- It requires a settled design and advanced IAM knowledge.
- It suits programmatic use, but not use from the AWS console.
- It copes badly with new services being added.
- In the first place, only someone who already holds Admin permissions can pursue least privilege.
- The design and operation cost is high.
Realistic operation:
- Grant least privilege only for routine work (Lambda, batch jobs).
- For work done by humans, use blacklists and rely on monitoring.
- Pursue least privilege from the viewpoint of not causing security incidents.
AWS services for maintaining security

[Recap] AWS and security: the four-axes slide from above (network and servers, service design and configuration, IAM permissions, and the AWS services that maintain security) shown again.
Guardrails for governance: security is not something you set up once and are done with. You need rules that provide continuous governance across the whole environment, and AWS offers services that support this: (1) prevention, (2) detection.

CloudTrail: records operations on AWS resources and notifies you.
(1) The operation history of the Management Console and the API is stored in S3.
(2) Using CloudWatch Logs, notifications can be sent via SNS.
Diagram: user actions through the Management Console and the AWS CLI on AWS resources are recorded by AWS CloudTrail into Amazon S3 and forwarded to Amazon CloudWatch.

Config: records the state of AWS periodically and whenever an event occurs.
(1) A service that records and manages the state of AWS.
(2) With Config Rules you can detect when something has drifted from its desired state.
Diagram: configuration changes to AWS resources are captured by AWS Config (configuration management, record storage), the changed configuration is evaluated by Config Rules, and results go out via Amazon SNS.

GuardDuty: threat detection.
(1) Detects threats and risks from a security point of view.
(2) Analyzes log data (VPC Flow Logs, CloudTrail event logs, DNS logs).
(3) Detects threats intelligently using AI.
Finding categories: malicious scans, instance threats, account threats.
Diagram: Flow Logs, event logs and DNS logs feed Amazon GuardDuty, which judges threats and notifies via Amazon SNS and Amazon CloudWatch Events.

Security Hub https://aws.amazon.com/jp/security-hub/ : central management of security alerts.
(1) Consolidates and manages alerts from GuardDuty, Macie and Inspector.
(2) Compliance checks based on the various logs.
(3) Integration with third-party tools; multiple AWS accounts can be consolidated.

Trusted Advisor: evaluates how you use AWS.
(1) Evaluates from five viewpoints (cost optimization, performance, security, fault tolerance, service limits).
(2) It is applied by default, so take a look at it at least once.
(3) Notification (email only) is possible.

Control Tower https://aws.amazon.com/jp/controltower/ : security settings and monitoring across multiple accounts.
(1) Builds AWS accounts with settings that incorporate AWS best practices.
(2) Continuous management and visibility of account policies.
(3) At present it cannot be applied to existing accounts.

Best practices still being explored:
(1) Multi-account management is the prerequisite.
(2) Design patterns for monitoring and operations.
(3) Build templates.
https://techbookfest.org/event/tbf… To be distributed at Techbookfest ( ).
Bonus

Do at least this: apply the following settings to your AWS account as a minimum.
- Set up MFA on the root account.
- Create an IAM group and IAM users for administrators.
- Apply an IAM password policy.
- Enable CloudTrail, Config and GuardDuty.
- Set up Trusted Advisor email notifications.
- Enable output of the Cost and Usage Report.
- Allow IAM users access to billing information.
- Change the payment currency to Japanese yen.
- Set up cost tags.
- Set up alternate contacts.

Don't do this: things you must not do with IAM.
- Operate with the root user.
- Give every user Admin permissions.
- Grant IAM permissions to anyone other than administrators.
- Create shared IAM users.
- Share one IAM user or role across multiple CLIs or programs.
- Embed credentials (access key and secret access key) in source code.
- Grant LambdaFullAccess.
- Grant EC2FullAccess to anyone other than network administrators.
- Control access to S3 with IAM alone (bucket policies must be used alongside).
Summary

Today's topics
- The four axes of security on AWS
- IAM matters
- AWS services for keeping security up
- Bonus

Promotion: 徹底活用 Googleアナリティクス (Making full use of Google Analytics: an operation guide to analysis and improvement that leads digital marketing to success) https://amzn.to/…

Bonus: giving away the IAM book (download edition).