
[Engineer Edition] The security facts you absolutely must know if you are considering using AWS

Tmorinaga
August 25, 2016


20160825 Osaka


Transcript

  1. Trying out AWS WAF and Deep Security integration
    Classmethod, Inc.
    Solutions Architect  Taishi Morinaga

  2. About me

  3. Morinaga Taishi (@morimoritaitai)
    AWS Solutions Architect
    ✦ Hobbies: games (all kinds) / drinks / cameras
    ✦ Interests: Security / DevOps
    ✦ Favorite services: Config / CloudTrail / IAM
    AWS Certified
    Solutions Architect - Professional
    DevOps Engineer - Professional
    I ❤ Config

  4. About the company

  5. Classmethod, Inc.

  6. Classmethod, Inc.
    Classmethod PR representative,
    this is Mesoko.

  7. AWS (infrastructure)
    Mobile apps
    Big data analytics
    IoT (sensors)

  8. AWS Premier
    Consulting Partner
    (46 companies worldwide)

  9. AWS Migration Competency (17 companies worldwide)
    Big Data Competency (20 companies worldwide)
    Mobile Competency (6 companies worldwide)

  10. Offices around the world

  11. Akihabara / Osaka / Sapporo / Joetsu
    Vancouver / Berlin

  12. Akihabara / Osaka / Sapporo / Joetsu
    Vancouver / Berlin
    New
    Offices get set up wherever our people are

  13. Developers.IO

  14. 6,600 technical articles
    2,780 AWS articles
    1,000,000 page views per month

  15. Written by staff who do the actual work
    Rich in hands-on articles
    Know-how is shared proactively

  16. Agenda
    • What is AWS WAF
    • Integrating AWS WAF with Deep Security

  17. What is AWS WAF

  18. The Web Application Firewall
    provided by AWS

  19. Web Application Firewall?
    • Blocks malicious attacks against web applications
    Cross-site scripting / SQL injection, etc.

  20. Components of AWS WAF
    • Web ACL
    • Rule
    • Condition
    [Diagram: one Web ACL containing Rules, each Rule containing Conditions]

  21. Condition
    • Defines the elements used for matching
    • IP address
    • Cross-site scripting
    • SQL injection
    • String
    • Size constraint

  22. Rule
    • Combines Conditions with AND
    • Condition A and Condition B
    • not Condition C and Condition D
    etc.

  23. Web ACL
    • Defines what to do with requests matched by a Rule,
    and what to do with all other requests
    • Rule A: block, Rule B: count,
    everything else: allow
    • Rule C: allow, everything else: block
    etc.
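Added example, not part of the deck or of the deep-security/aws-waf project: a small Python model of the Web ACL / Rule / Condition layering described in slides 20 to 23 (Conditions ANDed inside a Rule with optional negation, Rules evaluated in priority order with BLOCK, ALLOW or COUNT, and a default action for everything else). The class names, CIDRs, URIs and rule names are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import unquote
# Constructed model of Web ACL evaluation (not the AWS service or the deep-security
# tool); transformation names mirror the dry-run output's TextTransformation values.
TRANSFORMS = {"NONE": lambda s: s, "URL_DECODE": unquote, "LOWERCASE": str.lower}

@dataclass
class IPCondition:          # "IP address" Condition: source IP inside any listed CIDR
    cidrs: list
    def matches(self, req):
        return any(ip_address(req["ip"]) in ip_network(c) for c in self.cidrs)

@dataclass
class StringCondition:      # "String" Condition on one FieldToMatch (URI or BODY)
    field: str
    needle: str
    transform: str = "NONE"  # applied to the field value before the comparison
    def matches(self, req):
        return self.needle in TRANSFORMS[self.transform](req.get(self.field, ""))

@dataclass
class Rule:                 # Conditions are ANDed; a predicate may be negated
    name: str
    predicates: list        # (condition, negated) pairs, e.g. "not C and D"
    def matches(self, req):
        return all(c.matches(req) != negated for c, negated in self.predicates)

@dataclass
class WebACL:
    rules: list             # (rule, action) in priority order; BLOCK, ALLOW or COUNT
    default_action: str     # what happens to requests no terminating rule matched
    def evaluate(self, req):
        """Return (final action, names of rules that only counted the request)."""
        counted = []
        for rule, action in self.rules:
            if rule.matches(req):
                if action == "COUNT":   # COUNT records the hit and keeps evaluating
                    counted.append(rule.name)
                    continue
                return action, counted  # BLOCK and ALLOW terminate evaluation
        return self.default_action, counted

def slide23_acl():
    """Slide 23's first case: Rule A blocks, Rule B counts, everything else is allowed."""
    rule_a = Rule("A", [(IPCondition(["203.0.113.0/24"]), False),
                        (StringCondition("URI", "/admin", "LOWERCASE"), False)])
    rule_b = Rule("B", [(IPCondition(["198.51.100.0/24"]), True),    # not the trusted range
                        (StringCondition("URI", "/api/", "URL_DECODE"), False)])
    return WebACL([(rule_a, "BLOCK"), (rule_b, "COUNT")], default_action="ALLOW")
```

Slide 23's second case ("Rule C allows, everything else is blocked") is the same machinery with one ALLOW rule and default_action="BLOCK".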

  24. Deep Security integration

  25. The scripts are published on GitHub
    https://github.com/deep-security/aws-waf

  26. What does it do for you?
    • Creates the Conditions
    • Decides which servers need WAF applied
    • Creates the Rules

  27. Let's try it

  28. Note: this is under very active development.
    The specification may change.

  29. Create a role for running the tool

  30. Build the AWS environment
    • Currently only the following configuration works
    • The Web ACL must be created beforehand

  31. Create a user for running the tool

  32. Installing the tool
    $ git clone https://github.com/deep-security/aws-waf.git
    $ cd aws-waf
    $ pip install -r requirements.txt

  33. Confirming the tool is installed
    $ python ds-to-aws-waf.py
    usage: ds-to-aws-waf [COMMAND]
    For more help on a specific command, type ds-to-aws-waf [COMMAND] --help
    Available commands:
    rules
    > Determine which instances protected by Deep Security should also…
    iplist
    > Push a Deep Security IP list to an AWS WAF IP Set
    xss
    > Determine which instances protected by Deep Security should also…
    sqli
    > Determine which instances protected by Deep Security should also…

  34. Creating the Condition (dry run)
    $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant --create-match --dryrun
    ***********************************************************************
    * DRY RUN ENABLED. NO CHANGES WILL BE MADE
    ***********************************************************************
    Would request an AWS WAF change token to create a new SQLi match set
    SQLi match set will contain;
    {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'URL_DECODE', 'FieldToMatch': {'Data': 'string', 'Type': 'URI'}}}
    … omitted …
    {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'LOWERCASE', 'FieldToMatch': {'Data': 'string', 'Type': 'BODY'}}}

  35. Creating the Condition
    $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant --create-match
    Updated SQLi match set; Deep Security SQLi Guidance

  36. Confirming the Condition was created

  37. Checking which instances need WAF applied
    $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant -l -r ap-northeast-1
    Requesting information from Deep Security about your deployment
    [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data
    *******************************************************************
    Completed recommendation phase
    Instance      Recommendation   Suggested WACL
    i-00000000    True             00000000-0000-0000-0000-000000000000
    i-11111111    False
    *******************************************************************

  38. Creating the Rule and applying it to the Web ACL
    $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant -l -r ap-northeast-1 --create-rule
    Requesting information from Deep Security about your deployment
    [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data
    *******************************************************************
    Completed recommendation phase
    Instance      Recommendation   Suggested WACL
    i-00000000    True             00000000-0000-0000-0000-000000000000
    i-11111111    False
    *******************************************************************
    Successfully created rule[]
    Successfully created WACL[00000000-0000-0000-0000-000000000000]

  39. Confirming the Rule was created and applied to the Web ACL

  40. Please give it a try!

  41. By the way, the step-by-step procedure is on the blog
    http://dev.classmethod.jp/cloud/aws/deepsecurity-aws-waf-sqlixss/

  42. Bonus

  43. There are other Deep Security integrations too
    https://github.com/deep-security

  44. Other integration scripts
    • CloudFormation
    • Elastic Beanstalk
    • Amazon SNS
    • AWS Config Rules
    • Inspector

  46. Build Deep Security Manager
    with CloudFormation

  48. Install the DSA on EC2
    via Elastic Beanstalk

  50. Parse Deep Security events
    delivered through SNS notifications
    and store them in S3

  52. Check the status of Deep Security
    and list it

  54. Analyze vulnerabilities detected by Inspector
    and decide whether DS can protect against them

  55. There are a lot of them, aren't there.
    I'll do my best to blog about them.

  56. Note: these are under very active development.
    Test them before you use them.
    For details, ask Trend Micro.

  57. Event announcements

  58. In Osaka, scheduled for 9/15
    http://dev.classmethod.jp/news/bigdata-20160915-27/

  59. Scheduled for 9/16
    http://dev.classmethod.jp/news/aws-premier-night-2/

  60. Thank you.