【エンジニア編】AWS活用を考えているなら”必ず！"知っておくべきセキュリティの話

Transcript

1. AWS WAFͱDeep SecurityΛ ࿈ܞͤͯ͞Έͨ Ϋϥεϝιουגࣜձࣾ ιϦϡʔγϣϯΞʔΩςΫτ ৿Ӭେࢤ

2. ࣗݾ঺հ

3. Morinaga Taishi(@morimoritaitai) AWS Solution Archetect ✦ झຯ : ήʔϜ(શൠ) /

   ञ / Χϝϥ ✦ ڵຯ : Security / DevOps ✦ ޷͖ͳαʔϏε:Config/CloudTrail/IAM AWS Certified Solutions Architect - Professional DevOps Engineer - Professional I ❤ Config

4. ձࣾ঺հ

5. Classmethod,Inc.

6. Classmethod,Inc. Ϋϥεϝιου޿ใ୲౰ ΊͦࢠͰ͢ɻ

7. AWSʢΠϯϑϥʣ ϞόΠϧΞϓϦ Ϗοάσʔλ෼ੳ IoTʢηϯαʔʣ

8. AWSϓϨϛΞ ίϯαϧςΟϯάύʔτφʔ ʢશੈքͰ46ࣾʣ

9. AWS Ҡߦίϯϐςϯγʔɹ ɹɹ ʢશੈքͰ17ࣾʣ Ϗοάσʔλίϯϐςϯγʔɹɹɹ ʢશੈքͰ20ࣾʣ ϞόΠϧίϯϐςϯγʔɹɹɹɹ ʢશੈքͰ 6ࣾʣ

10. ੈքதʹΦϑΟε

11. ळ༿ݪɾେࡕɾࡳຈɾ্ӽ όϯΫʔόʔɾϕϧϦϯ

12. ळ༿ݪɾେࡕɾࡳຈɾ্ӽ όϯΫʔόʔɾϕϧϦϯ New ਓ͕͍Δ৔ॴʹΦϑΟε͕ग़དྷ·͢

13. Developers.IO

14. 6600ຊͷٕज़هࣄ 2780ຊͷAWSهࣄ ݄ؒ100ສPV

15. ࣮຿Λ͍ͯ͠Δࣾһ͕ࣥච ࣮ફͨ͠هࣄ͕๛෋ ϊ΢ϋ΢͸ੵۃతʹެ։

16. Agenda • AWS WAFͱ͸ • AWS WAFͱDeep Securityͷ࿈ܞ

17. AWS WAFͱ͸

18. AWS͕ఏڙ͢Δ Web Application Firewall

19. Web Application Firewall? • WebΞϓϦέʔγϣϯ΁ͷෆਖ਼ͳ߈ܸΛ๷͙ ΫϩεαΠτεΫϦϓςΟϯά / SQLΠϯδΣΫγϣϯ౳

20. AWS WAFͷཁૉ • Web ACL • Rule • Condition Web

    ACL Rule Rule Condition Condition Condition Condition

21. Condition • ൑ఆͷͨΊͷཁૉΛఆٛ • IPΞυϨε • ΫϩεαΠτεΫϦϓςΟϯά • SQLΠϯδΣΫγϣϯ •

    จࣈྻ • αΠζ੍ݶ

22. Rule • AND৚݅ͰConditionΛ·ͱΊΔ • Condition A ͔ͭ Condition B •

    Condition C Ͱͳ͍ ͔ͭ Condition D
 ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹͳͲ

23. Web ACL • RuleͰݕ஌ͨ͠ϦΫΤετΛͲ͏͢Δ͔ ɺ
 ͦΕҎ֎ͷϦΫΤετΛͲ͏͢Δ͔Λఆٛ • Rule A͸ڋ൱ɺRule B͸Χ΢ϯτ

    
 ͦΕҎ֎͸ڐՄ͢Δ • Rule C͸ڐՄɺͦΕҎ֎͸શͯڋ൱
 ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹͳͲ

24. Deep Security࿈ܞ

25. GitHubͰεΫϦϓτ͕ެ։ https://github.com/deep-security/aws-waf

26. ԿΛͯ͘͠ΕΔͷ͔ • Conditionͷ࡞੒ • WAFద༻͕ඞཁͳαʔόΛ൑அ • Ruleͷ࡞੒

27. ࢼͯ͠ΈΔ

28. ※ ઈࢍ։ൃதͰ͢ɻ ࢓༷͕มΘΔՄೳੑ͕͋Γ͋·͢ɻ

29. ࣮ߦ༻໾ׂʢϩʔϧʣ࡞੒

30. AWS؀ڥߏங • ݱࡏ͸ҎԼͷߏ੒ͷΈಈ࡞ • ༧ΊWeb ACL͸࡞੒͕ඞཁ

31. ࣮ߦ༻Ϣʔβ࡞੒

32. πʔϧಋೖ $ git clone https://github.com/deep-security/aws-waf.git $ cd aws-waf $ pip

    install -r requirements.txt

33. $ python ds-to-aws-waf.py usage: ds-to-aws-waf [COMMAND] For more help on

    a specific command, type ds-to-aws-waf [COMMAND] -- help Available commands: rules > Determine which instances protected by Deep Security should also… iplist > Push a Deep Security IP list to an AWS WAF IP Set xss > Determine which instances protected by Deep Security should also… sqli > Determine which instances protected by Deep Security should also… πʔϧಋೖ֬ೝ

34. Condition࡞੒ʢdryrunʣ $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t

    tenant --create-match --dryrun *********************************************************************** * DRY RUN ENABLED. NO CHANGES WILL BE MADE *********************************************************************** Would request an AWS WAF change token to create a new SQLi match set SQLi match set will contain; {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'URL_DECODE', 'FieldToMatch': {'Data': 'string', 'Type': 'URI'}}} … লུ … {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'LOWERCASE', 'FieldToMatch': {'Data': 'string', 'Type': 'BODY'}}}

35. Condition࡞੒ $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t

    tenant --create-match Updated SQLi match set; Deep Security SQLi Guidance

36. Condition࡞੒֬ೝ

37. WAFద༻ཁ൱ͷ֬ೝ $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t

    tenant -l -r ap-northeast-1 Requesting information from Deep Security about your deployment [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data ******************************************************************* Completed recommendation phase Instance Recommendation Suggested WACL i-00000000 True 00000000-0000-0000-0000-000000000000 i-11111111 False *******************************************************************

38. Ruleͷ࡞੒ɾWebACLద༻ $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t

    tenant -l -r ap-northeast-1 —create-rule Requesting information from Deep Security about your deployment [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data ******************************************************************* Completed recommendation phase Instance Recommendation Suggested WACL i-00000000 True 00000000-0000-0000-0000-000000000000 i-11111111 False ******************************************************************* Successfully created rule[] Successfully created WACL[00000000-0000-0000-0000-000000000000]

39. Ruleͷ࡞੒ɾWebACLద༻֬ೝ

40. ੋඇࢼͯ͠Έ͍ͯͩ͘͞ʂ

41. ͪͳΈʹखॱ͸ϒϩάʹ͋Γ·͢ http://dev.classmethod.jp/cloud/aws/deepsecurity-aws-waf-sqlixss/

42. ͓·͚

43. Deep Security࿈ܞ͸ଞʹ΋ https://github.com/deep-security

44. ଞͷ࿈ܞεΫϦϓτ • CloudFormation • Elastic Beanstalk • Amazon SNS •

    AWS Config Rules • Inspector

45. ଞͷ࿈ܞεΫϦϓτ • CloudFormation • Elastic Beanstalk • Amazon SNS •

    AWS Config Rules • Inspector

46. CloudFormationͰ Deep Security ManagerΛߏங

47. ଞͷ࿈ܞεΫϦϓτ • CloudFormation • Elastic Beanstalk • Amazon SNS •

    AWS Config Rules • Inspector

48. Elastic Beanstalkܦ༝Ͱ EC2ʹDSAΛΠϯετʔϧ

49. ଞͷ࿈ܞεΫϦϓτ • CloudFormation • Elastic Beanstalk • Amazon SNS •

    AWS Config Rules • Inspector

50. SNSͰ௨஌͞Εͨ Deep SecurityͷΠϕϯτΛ ύʔεͯ͠S3ʹอଘ

51. ଞͷ࿈ܞεΫϦϓτ • CloudFormation • Elastic Beanstalk • Amazon SNS •

    AWS Config Rules • Inspector

52. Deep Securityͷঢ়ଶΛ νΣοΫ͠ҰཡԽ

53. ଞͷ࿈ܞεΫϦϓτ • CloudFormation • Elastic Beanstalk • Amazon SNS •

    AWS Config Rules • Inspector

54. InspectorͰݕग़ͨ͠੬ऑੑΛ ෼ੳɾDSͰ๷ޚՄ൱൑அ

55. ͍ͬͺ͍͋Γ·͢Ͷɻ ؤுͬͯϒϩάʹ͠·͢ɻ

56. ※ ઈࢍ։ൃதͰ͢ɻ ݕূΛͯ͠࢖ͬͯԼ͍͞ɻ ৄ͘͠͸Trend Micro͞Μ΁ɻ

57. Πϕϯτͷ͝঺հ

58. େࡕͰ͸9/15։࠵༧ఆ http://dev.classmethod.jp/news/bigdata-20160915-27/

59. 9/16։࠵༧ఆ http://dev.classmethod.jp/news/aws-premier-night-2/

60. ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ

61. None