
[Engineer Edition] Security topics you "must!" know if you are considering using AWS

Tmorinaga
August 25, 2016


20160825 Osaka


Transcript

  1. Morinaga Taishi (@morimoritaitai), AWS Solutions Architect
     ✦ Hobbies: games (all kinds) / sake / cameras
     ✦ Interests: Security / DevOps
     ✦ Favourite services: Config / CloudTrail / IAM
     AWS Certified Solutions Architect - Professional, DevOps Engineer - Professional
     I ❤ Config
  2. The building blocks of AWS WAF
     • Web ACL
     • Rule
     • Condition
     A Web ACL holds Rules; each Rule holds Conditions:
     Web ACL → Rule, Rule → Condition, Condition, Condition, Condition
  3. Rule
     • Groups Conditions with AND logic
     • Condition A AND Condition B
     • NOT Condition C AND Condition D
     ... and so on
  4. Web ACL
     • Defines what to do with requests detected by a Rule, and what to do with every other request (the default action)
     • Rule A: block, Rule B: count, everything else: allow
     • Rule C: allow, everything else: block
     ... and so on
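To make the Web ACL / Rule / Condition model of slides 2-4 concrete, here is an added Python model (not code from the deck or from the ds-to-aws-waf tool) that evaluates an ordered Web ACL the way the slides describe: Conditions are ANDed inside a Rule and may be negated, a matching BLOCK or ALLOW rule is final, a COUNT rule only records the hit, and the default action covers everything else. The request shape and the two Conditions are constructed stand-ins for real SQLi / IP-set match conditions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]            # constructed request shape: {"uri": ..., "ip": ...}
Condition = Callable[[Request], bool]

@dataclass
class Rule:
    """A Rule ANDs its Conditions; negate=True models 'NOT Condition C' (slide 3)."""
    name: str
    conditions: List[Tuple[Condition, bool]]   # (predicate, negate)

    def matches(self, req: Request) -> bool:
        return all(cond(req) != negate for cond, negate in self.conditions)

@dataclass
class WebACL:
    """Ordered Rules, each with BLOCK / COUNT / ALLOW, plus a default action."""
    rules: List[Tuple[Rule, str]]
    default_action: str                        # "ALLOW" or "BLOCK"

    def evaluate(self, req: Request) -> Tuple[str, List[str]]:
        counted: List[str] = []
        for rule, action in self.rules:
            if not rule.matches(req):
                continue
            if action == "COUNT":              # COUNT records the hit and keeps evaluating
                counted.append(rule.name)
                continue
            return action, counted             # first ALLOW/BLOCK hit is final
        return self.default_action, counted    # nothing matched: default action applies

# Constructed stand-in Conditions (the real ones would be SQLi / XSS / IP-set match sets)
def sqli_in_uri(req: Request) -> bool:
    uri = req.get("uri", "").lower()
    return "'" in uri or "1=1" in uri

def from_office_ip(req: Request) -> bool:
    return req.get("ip", "").startswith("203.0.113.")   # TEST-NET-3 range, constructed

rule_a = Rule("A: SQLi in URI", [(sqli_in_uri, False)])
rule_b = Rule("B: not from office", [(from_office_ip, True)])
rule_c = Rule("C: office and no SQLi", [(from_office_ip, False), (sqli_in_uri, True)])

# Slide 4, first pattern: Rule A blocks, Rule B counts, everything else is allowed
ACL_ALLOW_DEFAULT = WebACL([(rule_a, "BLOCK"), (rule_b, "COUNT")], "ALLOW")
# Slide 4, second pattern: Rule C allows, everything else is blocked
ACL_BLOCK_DEFAULT = WebACL([(rule_c, "ALLOW")], "BLOCK")
```

Calling `ACL_ALLOW_DEFAULT.evaluate(...)` returns the final action together with the names of any COUNT rules that fired, which is the information a WAF log entry would carry.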
  5. Confirm the tool is installed
     $ python ds-to-aws-waf.py
     usage: ds-to-aws-waf [COMMAND]
        For more help on a specific command, type ds-to-aws-waf [COMMAND] --help

     Available commands:
       rules
         > Determine which instances protected by Deep Security should also…
       iplist
         > Push a Deep Security IP list to an AWS WAF IP Set
       xss
         > Determine which instances protected by Deep Security should also…
       sqli
         > Determine which instances protected by Deep Security should also…
  6. Create the Condition (dry run)
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant --create-match --dryrun
     ***********************************************************************
     * DRY RUN ENABLED. NO CHANGES WILL BE MADE
     ***********************************************************************
     Would request an AWS WAF change token to create a new SQLi match set
     SQLi match set will contain;
     {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'URL_DECODE', 'FieldToMatch': {'Data': 'string', 'Type': 'URI'}}}
     … (omitted) …
     {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'LOWERCASE', 'FieldToMatch': {'Data': 'string', 'Type': 'BODY'}}}
  7. Create the Condition
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant --create-match
     Updated SQLi match set; Deep Security SQLi Guidance
  8. Check which instances need the WAF applied
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant -l -r ap-northeast-1
     Requesting information from Deep Security about your deployment
     [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data
     *******************************************************************
     Completed recommendation phase
     Instance      Recommendation   Suggested WACL
     i-00000000    True             00000000-0000-0000-0000-000000000000
     i-11111111    False
     *******************************************************************
  9. Create the Rule and apply the Web ACL
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant -l -r ap-northeast-1 --create-rule
     Requesting information from Deep Security about your deployment
     [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data
     *******************************************************************
     Completed recommendation phase
     Instance      Recommendation   Suggested WACL
     i-00000000    True             00000000-0000-0000-0000-000000000000
     i-11111111    False
     *******************************************************************
     Successfully created rule[]
     Successfully created WACL[00000000-0000-0000-0000-000000000000]