Security-JAWS IAMの設計を言語化する

*".ͷઃܭΛݴޠԽ͢Δ
/3*ωοτίϜגࣜձࣾɹ
ࠤʑ໦୓࿠

4FDVSJUZ+"84ɹୈճ
#secjaws

View Slide

ࠤʑ໦୓࿠
CMPHIUUQTCMPHUBLVSPTOFU
5XJUUFS!ELGK
ࣗݾ঺հ #secjaws

View Slide

+BQBO"1/"NCBTTBEPS
બग़͞Ε·ͨ͠
ࣗݾ঺հ #secjaws

View Slide

ࠓ೔࿩͢ςʔϚ͸̐ͭ
෼ྨ্ͨ͠ͰݴޠԽ͢ΔͱԿͱͳ͘ղ͔Δ
ઃܭ͢Δ্Ͱ͸ɺ·ͣσβΠϯύλʔϯΛ࡞Δ
۩ମతͳϙϦγʔͷઃܭྫ
*".ͷ౾஌ࣝ
#secjaws

View Slide

"84ͱηΩϡϦςΟ

View Slide

"84ͱηΩϡϦςΟ
#secjaws
͍Ζ͍Ζ΍Δ͜ͱ͕ଟͯ͘ɺ
΍΍͍͜͠ͱࢥͬͨ͜ͱ͋Γ·ͤΜ͔
શମ૾Λ೺Ѳ͢ΔͨΊʹɺͬ͘͟Γͱ
෼ྨͯ͠Έ·͠ΐ͏

View Slide

"84ͱηΩϡϦςΟ
#secjaws
"84ͷηΩϡϦςΟ͸ͭͷ࣠Ͱߟ͑Δ
ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱαʔόʔͷηΩϡϦςΟ
ᶄ"84ͷαʔϏε܈ͷઃܭɾઃఆ
ᶅ"84ૢ࡞ʹؔ͢Δݖݶʢ*".ʣ
ᶆηΩϡϦςΟΛҡ࣋؅ཧ͢ΔͨΊͷ"84αʔϏε
AWS Management
Console
Role
VPC
AWS Cloud
Subnet
Internet gateway
Amazon Simple Storage
Service (S3)
VPN gateway
Endpoints
User
ૢ࡞ݖݶ
Instance Instance Instance
AWS Lambda
Role
ᶅ ᶄ ᶃ
AWS Command Line
Interface
AWS Config AWS Systems Manager
AWS Service Catalog AWS Trusted Advisor AWS CloudTrail
ᶆ
ηΩϡϦςΟΛҡ࣋
؅ཧ͢ΔαʔϏε

View Slide

ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱ
αʔόʔͷηΩϡϦςΟ
#secjaws
੹೚ڞ༗Ϟσϧͷ੺࿮ͷ෦෼
ઃܭͷߟ͑ํ͸ΦϯϓϨͱେ͖͘ҧΘͳ͍͕ɺઃఆͷ࢓
ํ͸"84ͷྲّྀʹै͏ඞཁ͕͋Δ
IUUQTBXTBNB[PODPNKQDPNQMJBODFTIBSFESFTQPOTJCJMJUZNPEFM

View Slide

ᶄ"84ͷαʔϏε܈ͷઃܭɾઃఆ
#secjaws
͍ΘΏΔϚωʔδυαʔϏε
Ϣʔβʔࣗ਎ͰΧόʔ͢Δൣғ͸গͳ͍͕ɺαʔϏε͝
ͱʹಛੑΛཧղ͢Δඞཁ͕͋Δ
㱺·ͣ͸ɺ࢖͏΋ͷ͚֮ͩ͑Ε͹ྑ͍
IUUQTXXXTMJEFTIBSFOFU"NB[PO8FC4FSWJDFT+BQBOBXTXIJUFCFMUPOMJOFTFNJOBSBXT

View Slide

ᶅ"84ͷૢ࡞ʹؔ͢Δݖݶʢ*".ʣ
#secjaws
"84ͷηΩϡϦςΟͷத֩ͷҰͭ
ͲΜͳʹωοτϫʔΫ΍αʔόʔͷηΩϡϦςΟઃఆΛ͠
͍ͯͯ΋ɺ"84Λ௚઀ૢ࡞͞ΕΔͱ͕݀։͚ΒΕΔ
ࠓ೔ͷςʔϚͰ͢ʂʂ

View Slide

ᶆηΩϡϦςΟΛҡ࣋؅ཧ͢Δ
ͨΊͷ"84αʔϏε
#secjaws
"84ಠࣗͷ෦෼
ར༻͠ͳͯ͘΋γεςϜΛηΩϡΞͳঢ়ଶΛҡ࣋Ͱ͖Δ͕ɺ
্ख͘׆༻͢ΔͱࣗྗͰ΍ΔΑΓഒָʹͳΔ
ͷ+"846(ઍ༿Ͱɺ͜ͷςʔϚͰ࿩͢༧ఆͰ͢

IUUQTKBXTVHDIJCBEPPSLFFQFSKQFWFOUT

View Slide

෼ྨ͠ݴޠԽ͢Δ͜ͱʹΑΓ
ཧղ͕ਐΉ
#secjaws
@kaitendaentais
https://twitter.com/kaitendaentai/status/1052689241744896001

View Slide

*".ͷઃܭΛݴޠԽ͢Δ

View Slide

*".ͷϚχΞοΫͳ࿩ͷ঺հ
https://takuros.booth.pm/items/1563844

View Slide

*".ͷϚχΞοΫͳ࿩ɹ໨࣍
͸͡Ίʹ
ୈষ"84ͱ*".
ୈষ*".ͷػೳ
ୈষ*".νϡʔτϦΞϧ
ୈষ*".ϙϦγʔͷσβΠϯύλʔϯ
ୈষ*".άϧʔϓͷσβΠϯύλʔϯ
ୈষ*".ͱηΩϡϦςΟ
ୈষ*".ͷӡ༻
ୈষ*".ͱ$MPVE'PSNBUJPO
ୈষ*".ͷςϯϓϨʔτू
ୈষ*".Ҏ֎ͷ"84αʔϏεͷ׆༻
෇࿥"ΞΧ΢ϯτ։ઃ࣌ͷઃఆνΣοΫϦετ
#secjaws

View Slide

*".ઃܭͷجຊํ਑

View Slide

*".ઃܭͷجຊํ਑
#secjaws
कΔ΂͖جຊํ਑͸͚̎ͭͩ
ೝূ৘ใΛ౪·Εͳ͍Α͏ʹ͢Δӡ༻ઃܭ
ΞΫηεΩʔʗγʔΫϨοτΞΫηεΩʔͰ͸ͳ͘ϩʔϧͷར༻
HJUTFDSFUTͷར༻
ೝূ৘ใ͕౪·Εͯ΋ඃ֐Λ࠷খݶʹ͢Δݖݶઃܭ
.'"ඞਢԽ΍*1੍ݶ΍ͳͲͷར༻੍ݶ
࠷খݖݶͷઃఆ

View Slide

*".ϙϦγʔͷσβΠϯύλʔϯ

View Slide

*".ϙϦγʔ
*".ϙϦγʔͷσβΠϯύλʔϯ͸̏ͭ
ϗϫΠτϦετɾύλʔϯ
ϒϥοΫϦετɾύλʔϯ
ϋΠϒϦοτɾύλʔϯ
#secjaws

View Slide

ڐՄ͢ΔݖݶͷΈ෇༩͍ͯ͘͠ύλʔϯɹɹ
&$΍4ͱ͍ͬͨαʔϏε୯Ґ΍ɺߋʹࡉ͔͘ΞΫγϣϯ୯ҐͰ෇༩
"84؅ཧϙϦγʔ΋ɺ͋ΔҙຯϗϫΠτϦετύλʔϯ
˞Ͱ΋ɺͦͷ··࢖͏ʹ͸ૈ͍
#secjaws
ϗϫΠτϦετɾύλʔϯ
FD
%FTDSJCF

4UPQ
4UBSU
ಛఆͷαʔϏεɾΞΫγϣϯͷΈڐՄ
ڋ൱
ڐՄ
ڐՄ
ڐՄ
ڋ൱
ϝϦοτɹ
࠷খݖݶͷઃܭ͕Ͱ͖Δ
ཧղͯ͠࡞Ε͹ɺҰ൪ηΩϡΞ
σϝϦοτɹ
ઃܭ͕ਐ·ͳ͍ͱઃఆͰ͖ͳ͍
؅ཧෛՙ͕ߴ͍

View Slide

ڋ൱Λ௥Ճ͍ͯ͘͠ύλʔϯɹɹ
ڐՄͯ͠͸͍͚ͳ͍ݖݶΛണୣ͍ͯ͘͠
#secjaws
ϒϥοΫϦετɾύλʔϯ
ڐՄ
4

&D
*".

ಛఆͷαʔϏεɾΞΫγϣϯͷΈڋ൱
ڐՄ
ڋ൱
ڋ൱
ڋ൱
ϝϦοτɹ
ઃܭ͕࠷খݶʹͰ͖Δ
ࣗ༝౓͕ߴ͍
σϝϦοτɹ
༧ظͤ͵αʔϏε͕ಥવ࢖͑ΔΑ͏
ʹͳΔϦεΫ͕͋Δ

View Slide

ϗϫΠτϦετɾϒϥοΫϦετͷ૊Έ߹Θͤ
ݖݶΛ෇༩্ͨ͠Ͱɺېࢭ͍ͨ͠ݖݶΛ࡟Δ
˞ݫີʹ͍͏ͱɺϒϥοΫϦετύλʔϯ͸͢΂ͯϋΠϒϦοτʹͳΔ
#secjaws
ϋΠϒϦοτɾύλʔϯ
ڐՄ
"ENJOJTUSBUPS
"DDFTT &D
࠷ॳʹݖݶΛ෇༩ͯ͠ɺෆཁͳݖݶΛ࡟Δ
ϝϦοτɹ
"84؅ཧϙϦγʔ͕࢖͍΍͍͢
ࣗ༝౓͕ߴ͘ઃܭָ͕
σϝϦοτɹ
͋·Γແ͍
ɹ˞ॏͶ͕͚ํ๏ʹ͸஫ҙ
*".

ڋ൱

View Slide

*".άϧʔϓͷσβΠϯύλʔϯ

View Slide

*".άϧʔϓ
*".άϧʔϓͷσβΠϯύλʔϯ͸̎ͭ
ෳ਺άϧʔϓʹॴଐ
άϧʔϓ಺ʹෳ਺ͷϙϦγʔ
#secjaws

View Slide

Ϣʔβʔ͕ෳ਺ͷάϧʔϓʹଐ͢Δ͜ͱΛલఏʹݖݶઃఆɹ
શࣾһ޲͚ͷڞ௨άϧʔϓͱ໾ׂผͷάϧʔϓ
֊૚ߏ଄Λ࡞Γ΍͍͢
#secjaws
ෳ਺άϧʔϓʹॴଐ

View Slide

Ϣʔβʔ͕ͭͷάϧʔϓʹଐ͢Δ͜ͱΛલఏʹݖݶઃఆ
Ϣʔβ͔ΒΈΔͱγϯϓϧͳߏ੒
ݖݶͷݟ௨͕͠ྑ͍
#secjaws
άϧʔϓ಺ʹෳ਺ϙϦγʔ

View Slide

ύλʔϯͷݪଇΛ౿·্͑ͨͰ
۩ମతͳઃܭʹམͱ͠ࠐΉ

View Slide

ڞ௨Ͱར༻͢ΔϙϦγʔͰ·ͣݕ౼͢Δͷ͸͜ͷͭ
.'"ඞਢԽ͸ඞͣ͢Δ͜ͱ
*1੍ݶ͸ɺӡ༻ϙϦγʔͱ૬ஊɻ࡞ۀ৔ॴΛ੍ݶͰ͖Δͱ͍͏ޮՌ͕͋Δ
#secjaws
.'"ඞਢԽͱ*1੍ݶ
\
&⒎FDU%FOZ
"DUJPO
$POEJUJPO\
/PU*Q"EESFTT\
BXT4PVSDF*Q<

>
^
^
3FTPVSDF
^
\
&⒎FDU%FOZ
/PU"DUJPO<
JBN
>
3FTPVSDF
$POEJUJPO\
#PPM*G&YJTUT\
BXT.VMUJ'BDUPS"VUI1SFTFOUGBMTF
^
^
^

View Slide

"ENJOݖݶΛ෇༩্ͨ͠Ͱ੍ݶΛՃ͑Δ
.'"ඞਢˍ*1ΞυϨε੍ݶ
*1੍ݶΛͳͨ͘͢Ίͷ؅ཧऀ༻ϩʔϧ
#secjaws
؅ཧऀݖݶͷઃܭ
㱺εΠονલΛࢀরݖݶͷΈʹ͢Δͱ͍͏ઃܭ΋Α͋͘Δ

View Slide

ϩάΠϯ࣌͸ࢀরݖݶͷΈ
ࢀরݖݶͱ4XJUDI3PMFΛڐՄ͢ΔݖݶΛ෇༩
εΠονϩʔϧ͢Δ͜ͱʹΑΓ؅ཧऀݖݶ͕ར༻Մೳ
ஈΫογϣϯΛஔ͘͜ͱʹΑΓɺΦϖϛεͷ๷ࢭޮՌΛૂ͏
#secjaws
؅ཧऀݖݶͷ҆શઃܭ

View Slide

৬຿ػೳͷ"84؅ཧϙϦγʔͷ׆༻
ಛఆͷ༻్޲͚ͷݖݶηοτʢ৬຿ػೳͷ"84؅ཧϙϦγʔʣ
FDͷݖݶ͸ɺΠϯελϯεͷૢ࡞ͱωοτϫʔΫૢ࡞ؚ͕·Ε͍ͯΔͷͰ
஫ҙ͕ඞཁ
#secjaws
ωοτϫʔΫ؅ཧऀͷઃܭ

View Slide

౾஌ࣝT

View Slide

1SJODJQBMΛߜΒͳ͍ͱɺશϢʔβʔ͕εΠονͰ͖Δ
σϑΥϧτςϯϓϨʔτͷઃఆ͸ɺΞΧ΢ϯτ಺ͷϢʔβʔʹରͯ͠
ߜΔඞཁ͕͋ΓɺϢʔβʔࢦఆͰߜΔʢάϧʔϓ͸Ͱ͖ͳ͍ʣ
ผղͱͯ͠"TTVNF3PMFͷݖݶΛ͢΂ͯണୣͷ͏͑ͰɺඞཁͳϢʔβʔʹ
෇༩͢Δͱ͍͏ํ๏΋͋Δ
#secjaws
εΠονϩʔϧͷ஫ҙ఺
\
7FSTJPO
4UBUFNFOU<
\
&⒎FDU"MMPX
1SJODJQBM\
"84BSOBXTJBN
SPPU
^
"DUJPOTUT"TTVNF3PMF
$POEJUJPO\^
^
>
^
\
7FSTJPO
4UBUFNFOU<
\
&⒎FDU"MMPX
1SJODJQBM\
"84BSOBXTJBNVTFSUFTU
VTFS
^
"DUJPOTUT"TTVNF3PMF
$POEJUJPO\^
^
>
^

View Slide

ϕετϓϥΫςΟε͚ͩͲɻɻɻ
ઃܭ͕ݻ·্ͬͨͰɺ*".ʹؔ͢Δߴ౓ͳ஌͕ࣝඞཁ
ϓϩάϥϜతͳར༻ʹ͸޲͍͍ͯΔ͕ɺ"84ίϯιʔϧ͔Βͷར༻͸޲͍
͍ͯͳ͍
৽نαʔϏεͷ௥Ճʹऑ͍
ͦ΋ͦ΋"ENJOݖݶΛ͍࣋ͬͯΔਓ͔͠࠷খݖݶΛ௥ٻͰ͖ͳ͍
ઃܭɾӡ༻޻਺͕େ͖͍
ݱ࣮తͳӡ༻
ఆܕతͳ࡞ۀʢ-BNCEBɾόον౳ʣͷΈ࠷খݖݶΛ෇༩
ਓؒܥͷ࡞ۀ͸ɺϒϥοΫϦετͷ׆༻΋ࢹ໺ʹ
ηΩϡϦςΟࣄނΛى͜͞ͳ͍ͱ͍͏؍఺Ͱ࠷খݖݶΛ୳ٻ
#secjaws
࠷খݖݶͷδϨϯϚ

View Slide

#secjaws
͜Ε͚ͩ͸΍͓͚ͬͯ
"84ΞΧ΢ϯτʹ࠷௿ݶɺԼهͷઃఆΛ͢Δ
ϧʔτΞΧ΢ϯτͷ.'"ઃఆ
؅ཧऀ༻ͷ*".άϧʔϓͱ*".Ϣʔβʔͷ࡞੒
*".ύεϫʔυϙϦγʔͷద༻
$MPVE5SBJMͱ$POpH (VBSE%VUZͷ༗ޮԽ
5SVTUFE"EWJTPUSͷ&ϝʔϧ௨஌ઃఆ
$PTU6TBHF3FQPSUͷग़ྗ
*".Ϣʔβʔ΁ͷ੥ٻ৘ใͷΞΫηεڐՄ
ࢧ෷͍௨՟Λ೔ຊԁʹมߋ
ίετ഑෼λάͷઃఆ
୅ସ࿈བྷઌͷઃఆ

View Slide

#secjaws
͜Ε͸΍ͬͪΌμϝ
*".Ͱ͜ΕΛ΍ͬͪΌμϝ
ϧʔτϢʔβʔͰӡ༻
ར༻ऀશһɺ"ENJOݖݶ
؅ཧऀҎ֎ʹ*".ݖݶΛ෇༩
ڞ༻ͷ*".Ϣʔβʔͷ࡞੒
ෳ਺ͷ$-*ɾϓϩάϥϜ͔Βͷ*".Ϣʔβʔʗϩʔϧͷڞ༻
ιʔείʔυʹΫϨσϯγϟϧʢΞΫηεΩʔɾγʔΫϨοτΞ
ΫηεΩʔʣͷຒΊࠐΈ
-BNCEB'VMM"DDFTTͷ෇༩
ωοτϫʔΫ؅ཧऀҎ֎ʹ&$'VMM"DDFTTͷ෇༩
4ͷΞΫηείϯτϩʔϧΛ*".͚ͩͰߦ͏ʢόέοτϙϦγʔ
ͷซ༻ඞਢʣ

View Slide

·ͱΊ

View Slide

ࠓ೔࿩ͨ͠ςʔϚ
෼ྨ্ͨ͠ͰݴޠԽ͢ΔͱԿͱͳ͘ղ͔Δ
ઃܭ͢Δ্Ͱ͸ɺ·ͣσβΠϯύλʔϯΛ࡞Δ
۩ମతͳϙϦγʔͷઃܭྫ
*".ͷ౾஌ࣝ
#secjaws

View Slide

͓·͚
*".ຊʢμ΢ϯϩʔυ൛ʣΛ
ϓϨθϯτ
#secjaws

View Slide

એ఻
పఈ׆༻(PPHMFΞφϦςΟΫε
σδλϧϚʔέςΟϯάΛ੒ޭʹ
ಋ͘ղੳɾվળͷͨΊͷૢ࡞ΨΠυ
IUUQTBN[OUP181M
#secjaws

View Slide

Security-JAWS IAMの設計を言語化する

Security-JAWS IAMの設計を言語化する

Takuro SASAKI

More Decks by Takuro SASAKI

Other Decks in Technology

Featured

Transcript