
[Engineer Edition] The security topics you absolutely must know if you are considering using AWS


20160825 Osaka


Tmorinaga

August 25, 2016

Transcript

  1. Integrating AWS WAF with Deep Security. Classmethod, Inc., Solutions Architect, Taishi Morinaga

  2. About me

  3. Morinaga Taishi (@morimoritaitai), AWS Solutions Architect ✦ Hobbies: games (all kinds) / drinking / cameras ✦ Interests: Security / DevOps ✦ Favorite services: Config / CloudTrail / IAM. AWS Certified Solutions Architect - Professional, AWS Certified DevOps Engineer - Professional. I ❤ Config

  4. About the company

  5. Classmethod, Inc.

  6. Classmethod, Inc. I am Mesoko, in charge of PR at Classmethod.

  7. AWS (infrastructure), mobile apps, big data analytics, IoT (sensors)

  8. AWS Premier Consulting Partner (46 companies worldwide)

  9. AWS Migration Competency (17 companies worldwide), Big Data Competency (20 companies worldwide), Mobile Competency (6 companies worldwide)

  10. Offices around the world

  11. Akihabara, Osaka, Sapporo, Joetsu, Vancouver, Berlin

  12. Akihabara, Osaka, Sapporo, Joetsu, Vancouver, Berlin. New: an office opens wherever our people are.

  13. Developers.IO

  14. 6,600 technical articles, 2,780 AWS articles, 1 million page views per month

  15. Written by engineers doing real project work; plenty of hands-on articles; know-how is actively published

  16. Agenda • What is AWS WAF • Integrating AWS WAF with Deep Security

  17. What is AWS WAF

  18. The Web Application Firewall provided by AWS

  19. Web Application Firewall? • Blocks malicious attacks against web applications: cross-site scripting, SQL injection, and so on

  20. Components of AWS WAF • Web ACL • Rule • Condition. A Web ACL contains Rules, and each Rule contains Conditions.

  21. Condition • Defines the elements a request is matched against • IP address • Cross-site scripting • SQL injection • String match • Size constraint

  22. Rule • Combines Conditions with AND • Condition A AND Condition B • NOT Condition C AND Condition D, and so on

  23. Web ACL • Defines what to do with requests matched by a Rule, and what to do with every other request • Rule A: block, Rule B: count, everything else: allow • Rule C: allow, everything else: block, and so on
  24. Deep Security integration

  25. The script is published on GitHub: https://github.com/deep-security/aws-waf

  26. What it does • Creates Conditions • Determines which servers need WAF protection • Creates Rules

  27. Let's try it

  28. Note: this is under active development. The specification may change.

  29. Create the execution role (IAM role)

  30. Build the AWS environment • Currently only the following configuration works • The Web ACL must be created beforehand

  31. Create the execution user

  32. Install the tool
     $ git clone https://github.com/deep-security/aws-waf.git
     $ cd aws-waf
     $ pip install -r requirements.txt

  33. Verify the tool installation
     $ python ds-to-aws-waf.py
     usage: ds-to-aws-waf [COMMAND]
     For more help on a specific command, type ds-to-aws-waf [COMMAND] --help
     Available commands:
       rules  > Determine which instances protected by Deep Security should also…
       iplist > Push a Deep Security IP list to an AWS WAF IP Set
       xss    > Determine which instances protected by Deep Security should also…
       sqli   > Determine which instances protected by Deep Security should also…

  34. Create the Condition (dry run)
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant --create-match --dryrun
     ***********************************************************************
     * DRY RUN ENABLED. NO CHANGES WILL BE MADE
     ***********************************************************************
     Would request an AWS WAF change token to create a new SQLi match set
     SQLi match set will contain;
     {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'URL_DECODE', 'FieldToMatch': {'Data': 'string', 'Type': 'URI'}}}
     … (omitted) …
     {'Action': 'INSERT', 'SqlInjectionMatchTuple': {'TextTransformation': 'LOWERCASE', 'FieldToMatch': {'Data': 'string', 'Type': 'BODY'}}}
     (aws_integration, Password and tenant are placeholders for the Deep Security Manager user, password and tenant name. A password passed with -p ends up in shell history and process listings, so use a dedicated, low-privilege account for the integration, as the execution user created above.)
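The following Python is an added illustration, not code from the talk or from the deep-security/aws-waf tool. It models the Condition, Rule and Web ACL chain from slides 20 to 23 and evaluates a few constructed requests against SQLi match tuples shaped like the ones the dry run above prints (one TextTransformation per FieldToMatch). Everything in it is an assumption made for the example: the Request type, the crude SQLI regex standing in for AWS's proprietary SQL injection detection, the sample Web ACL with its scanner-network negation, and the sample requests. It also relies on one fact the slides do not spell out: AWS WAF evaluates rules in priority order, the first rule whose action is ALLOW or BLOCK decides, a COUNT rule only records the match and evaluation continues, and the default action applies when no rule decides.

```python
"""Toy model of AWS WAF's Condition -> Rule -> Web ACL decision chain.

Added example, not code from the talk or from deep-security/aws-waf. The Request
type, the SQLI regex (a crude stand-in for AWS's real SQLi detection), the sample
Web ACL and all sample requests are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    uri: str = "/"
    query_string: str = ""
    body: str = ""
    source_ip: str = "198.51.100.7"   # RFC 5737 documentation address


# TextTransformation names as AWS WAF uses them. One transformation is applied per
# match tuple, which is why the dry run lists URL_DECODE and LOWERCASE separately.
TRANSFORMS = {"NONE": lambda s: s, "URL_DECODE": unquote_plus, "LOWERCASE": str.lower}

# Stand-in SQLi signature (assumption; deliberately crude).
SQLI = re.compile(r"""['"]\s*(or|and)\b|\bunion\b.*\bselect\b|--|/\*|;\s*drop\b""",
                  re.IGNORECASE | re.DOTALL)


def field_value(req, field_to_match):
    """Return the part of the request an AWS WAF FieldToMatch refers to."""
    return {"URI": req.uri, "QUERY_STRING": req.query_string, "BODY": req.body}[field_to_match["Type"]]


def sqli_match_set(tuples):
    """Condition: true if any (field, transformation) tuple looks like SQL injection."""
    def check(req):
        return any(SQLI.search(TRANSFORMS[t["TextTransformation"]](field_value(req, t["FieldToMatch"])))
                   for t in tuples)
    return check


def ip_set(cidrs):
    """Condition: true if the source IP falls inside any listed CIDR."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req.source_ip) in n for n in nets)


def size_constraint(field_to_match, size):
    """Condition: true if the field is longer than `size` bytes (the GT operator)."""
    return lambda req: len(field_value(req, field_to_match).encode()) > size


def rule(*predicates):
    """Rule: AND of conditions. Pass (condition, True) to negate that condition."""
    def check(req):
        for p in predicates:
            cond, negated = p if isinstance(p, tuple) else (p, False)
            if cond(req) == negated:   # outcome contradicts what the rule requires
                return False
        return True
    return check


def evaluate(web_acl, req):
    """Walk rules in priority order. ALLOW/BLOCK ends evaluation; COUNT only records
    the hit and continues; the default action applies when no rule decides."""
    counted = []
    for name, check, action in web_acl["rules"]:
        if check(req):
            if action == "COUNT":
                counted.append(name)
                continue
            return action, name, counted
    return web_acl["default"], None, counted


# Tuples in the shape the dry run prints: each field crossed with each transformation.
SQLI_TUPLES = [{"FieldToMatch": {"Type": f, "Data": "string"}, "TextTransformation": t}
               for f in ("URI", "QUERY_STRING", "BODY") for t in ("URL_DECODE", "LOWERCASE")]

# Sample Web ACL: "Rule A blocks, Rule B counts, everything else is allowed". Rule A
# also shows negation: SQLi AND NOT from the authorised scanner network (assumed CIDR).
WEB_ACL = {
    "rules": [
        ("sqli-block", rule(sqli_match_set(SQLI_TUPLES), (ip_set(["203.0.113.0/24"]), True)), "BLOCK"),
        ("large-body-count", rule(size_constraint({"Type": "BODY"}, 8192)), "COUNT"),
    ],
    "default": "ALLOW",
}

# Constructed sample requests.
SAMPLES = {
    "benign": Request(uri="/products", query_string="id=42"),
    "encoded_sqli": Request(uri="/products", query_string="id=1%27%20OR%201%3D1"),
    "scanner_sqli": Request(uri="/products", query_string="id=1%27%20OR%201%3D1", source_ip="203.0.113.10"),
    "login_sqli": Request(uri="/login", body="username=admin' --&password=x"),
    "large_upload": Request(uri="/upload", body="A" * 10000),
}


def run_samples(web_acl=WEB_ACL, samples=SAMPLES):
    """Evaluate every sample; returns {name: (action, deciding_rule, counted_rules)}."""
    return {name: evaluate(web_acl, req) for name, req in samples.items()}
```

Calling `run_samples()` shows the decision chain at work: the URL-encoded payload is caught only through the URL_DECODE tuple (the LOWERCASE tuple sees `%27%20or` and does not match), the same payload from the scanner network is allowed because the negated IP condition makes the rule fail, and the oversized upload is counted but still reaches the default ALLOW. Note the crude regex is for illustration only; it would flag a legitimate "--" in a comment field and miss most real payloads.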
  35. Create the Condition
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant --create-match
     Updated SQLi match set; Deep Security SQLi Guidance

  36. Verify the Condition was created

  37. Check whether WAF protection is needed
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant -l -r ap-northeast-1
     Requesting information from Deep Security about your deployment
     [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data
     *******************************************************************
     Completed recommendation phase
     Instance      Recommendation   Suggested WACL
     i-00000000    True             00000000-0000-0000-0000-000000000000
     i-11111111    False
     *******************************************************************

  38. Create the Rule and apply it to the Web ACL
     $ python ds-to-aws-waf.py sqli -u aws_integration -p Password -t tenant -l -r ap-northeast-1 --create-rule
     Requesting information from Deep Security about your deployment
     [2016-08-23 00:00:00] Calling DPIRuleRetrieveAll. This may take 15-30 seconds as the call returns a substantial amount of data
     *******************************************************************
     Completed recommendation phase
     Instance      Recommendation   Suggested WACL
     i-00000000    True             00000000-0000-0000-0000-000000000000
     i-11111111    False
     *******************************************************************
     Successfully created rule[]
     Successfully created WACL[00000000-0000-0000-0000-000000000000]

  39. Verify the Rule was created and applied to the Web ACL

  40. Please give it a try!

  41. By the way, the steps are on the blog: http://dev.classmethod.jp/cloud/aws/deepsecurity-aws-waf-sqlixss/

  42. Bonus

  43. There are other Deep Security integrations too: https://github.com/deep-security

  44. Other integration scripts • CloudFormation • Elastic Beanstalk • Amazon SNS • AWS Config Rules • Inspector

  46. Build Deep Security Manager with CloudFormation

  48. Install the DSA (Deep Security Agent) on EC2 via Elastic Beanstalk

  50. Parse the Deep Security events delivered through SNS and store them in S3

  52. Check Deep Security's status with AWS Config Rules and list the results

  54. Analyze the vulnerabilities detected by Inspector and decide whether Deep Security can protect against them

  55. There are a lot of them. I will work on blogging about each one.

  56. Note: these are under active development. Verify them before using them. For details, contact Trend Micro.

  57. Event announcements

  58. Osaka: scheduled for 9/15 http://dev.classmethod.jp/news/bigdata-20160915-27/

  59. Scheduled for 9/16 http://dev.classmethod.jp/news/aws-premier-night-2/

  60. Thank you.