
JAWS DAYS 2017 Security-JAWS発表資料

Tmorinaga
March 11, 2017

#jawsdays #jawsug #secjaws


Transcript

  1. AWS SECURITY DEATH \m/
    ~ An oracle from the Security Deity ~
    Security-JAWS
    大喜多 利哉 (Toshiya Ookita)
    吉江 瞬 (Shun Yoshie)
    森永 大志 (Taishi Morinaga)

  2. Introduction
    • We received an oracle from the Security Deity, so here it is. Starting from the basics of networking on AWS, we give a gentle introduction to security features such as AWS WAF, AWS Shield and AWS Config.
    • By the way, the Security Deity is...

  3. [Image slide: the Security Deity illustration]

  4. Introduction
    • ...not a real deity; it was brought down to earth by organizer 大竹画伯 (Ōtake, our resident artist)

  5. Illustration by 大竹画伯 (Ōtake)

  6. Contents
    • From here on we get serious; the parts are split as follows:
    • Networking basics on AWS → Ookita
    • AWS WAF / AWS Shield → Yoshie
    • AWS Config → Morinaga

  7. Security-JAWS
    • Founded 2016/04
    • 10 organizers
    • First meetup held 2016/05
    • It was even covered in an article: http://ascii.jp/elem/000/001/164/1164664/
    • Still going, at a pace of one meetup every 3 months

  8. Security-JAWS
    • Main talk titles so far:
    • Making full use of VPC and IAM on AWS (Recruit Technologies: 宮崎)
    • A certain security assessor and AWS (洲崎)
    • Managing Privacy and Security Risk (FINOVATORS: 大久保)
    • Ubiquitous Encryption on AWS (AWS: Eugene & Pedro)
    • Introducing the AWS Compliance Quick Start (AWSJ: 松本)
    • So what is CloudHSM, really? ~Why hardware is needed~ (AWSJ: 亀田)
    • Integrating AWS IAM with OpenAM to streamline account management (OGIS-RI: 氏縄)
    • Complementing Amazon Inspector: combining Vuls and OWASP Dependency-Check to scan programming-language libraries for vulnerabilities, with results in Japanese and Slack notifications (Future Architect: 神戸)
    • Deep Dive on AWS Shield (AWSJ: 桐山)
    • On deploying a WAF on AWS (NEC Solution Innovators: 山水)
    • WordPress goes Serverless: secure WordPress operations starting with Shifter (DigitalCube: 小賀)

  9. Security-JAWS
    • Thank you to everyone who has spoken for us!!

  10. AWS SECURITY DEATH \m/
    ~ An oracle from the Security Deity ~
    Security-JAWS
    大喜多 利哉 (Toshiya Ookita)
    Networking basics on AWS

  11. About me
    • 大喜多 利哉 / Toshiya Ookita (https://ookita.biz/)
    • Work: network engineer specializing in carrier circuit services, VPN and firewalls
    • Community activities:
    • Security-JAWS organizer
    • JAWS-UG Yokohama chapter organizer
    • KUSANAGI-UG Tokyo representative

  12. Why a networking talk in a security-focused chapter?
    • The cloud sits on the other side of the network
    → networking matters enormously!!
    • Cloud or not, if you don't understand networking fundamentals you cannot build a system with security properly taken into account; that is no different from on-premises
    • On the other hand, the cloud also has conventions of its own

  13. What I will talk about today
    • Networking design basics on AWS (VPC, security groups, etc.)
    • Secure connectivity to an AWS VPC (VPN, Direct Connect, carrier services, etc.)

  14. Amazon VPC
    • A feature for creating a logically isolated cloud environment dedicated to your organization on top of the public cloud
    • VPC is the default now (it wasn't always)
    A leftover from the old days: EC2-Classic
    [Diagram: AWS cloud spanning Availability Zone #1 and #2, with Web Server #1 and #2 and an RDS DB instance plus a Multi-AZ standby]

  15. Public subnet / Private subnet
    • Public subnet: a subnet that can be reached directly from the internet (public-facing servers go here; an EIP can be associated)
    • Private subnet: for instances you do not want reachable directly from the internet; outbound (inside→outside) internet traffic is still possible via a NAT gateway
    [Diagram: VPC across Availability Zone #1 and #2 with an Internet gateway and a VPC NAT gateway; Public subnet #1 10.0.1.0/24, Public subnet #2 10.0.3.0/24, Private subnet #1 10.0.2.0/24, Private subnet #2 10.0.4.0/24]

  16. Security groups / Network ACLs
    • Security group: applied to instances; stateful
    • Network ACL: used for access control at the subnet level; stateless
    [Diagram: VPC across Availability Zone #1 and #2 with an Internet gateway and a VPC NAT gateway; Public subnet #1 10.0.1.0/24, Public subnet #2 10.0.3.0/24, Private subnet #1 10.0.2.0/24, Private subnet #2 10.0.4.0/24]

  17. Stateful vs stateless
    • A very classic topic, but it doesn't get across unless you explain it properly
    Source: 203.0.113.100:25284
    Destination: 198.51.100.100:80
    If you configure "port 80 / source Any", the return traffic is taken care of for you
    → stateful
    Both the client→server rule and the server→client rule have to be written out explicitly
    → stateless
    Stateless rule set (direction / port / protocol / address / verdict):
      Out→In   80           tcp   Any   Allow
      In→Out   1024-65535   tcp   Any   Allow
    Stateful rule set:
      Out→In   80           tcp   Any   Allow
    A client behind NAT gets its source port chosen at random from the high ports (1024-65535)
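As an added example (not part of the slides), a small Python model of the two filters for the flow above: the network ACL evaluates each packet alone, lowest rule number first, so the reply on the random high port is dropped unless an outbound rule for 1024-65535 exists, while the security group remembers the allowed request and lets the reply back without any outbound rule. The rule sets and packets are constructed; the conntrack and rule-ordering behaviour are simplified models of what AWS does, not AWS code.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):   # TCP only, for brevity
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Rule(NamedTuple):
    number: int      # NACL rules are evaluated lowest number first
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def matches(rule, peer_ip, port):
    return (rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules, pkt, inbound):
    """Stateless: every packet is judged on its own. Inbound rules match the source,
    outbound rules the destination; no match hits the implicit '*' deny."""
    peer_ip = pkt.src_ip if inbound else pkt.dst_ip
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, peer_ip, pkt.dst_port):
            return r.action
    return "deny"

class SecurityGroup:
    """Stateful: an allowed inbound packet is remembered; its reply needs no outbound rule."""
    def __init__(self, inbound_rules):
        self.inbound, self.tracked = inbound_rules, set()
    def decide(self, pkt, inbound):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key[2:] + key[:2] in self.tracked:  # reversed tuple = return traffic
            return "allow"
        if inbound and any(matches(r, pkt.src_ip, pkt.dst_port) for r in self.inbound):
            self.tracked.add(key)
            return "allow"
        return "deny"  # this example configures no outbound rules

def demo():
    # Constructed flow from the slide: NAT'd client on a random high port -> web server :80
    request = Packet("203.0.113.100", 25284, "198.51.100.100", 80)
    reply = Packet("198.51.100.100", 80, "203.0.113.100", 25284)
    web_in = [Rule(100, "0.0.0.0/0", 80, 80, "allow")]
    ephemeral_out = [Rule(100, "0.0.0.0/0", 1024, 65535, "allow")]  # only the NACL needs this
    sg = SecurityGroup(web_in)
    return {"nacl_request": nacl_decision(web_in, request, True),
            "nacl_reply_no_outbound_rule": nacl_decision([], reply, False),
            "nacl_reply_ephemeral_rule": nacl_decision(ephemeral_out, reply, False),
            "sg_request": sg.decide(request, True),
            "sg_reply": sg.decide(reply, False)}
```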

  18. VPN / Direct Connect
    • You want to do maintenance on web and DB servers over a private network
    • When you place internal systems that are not exposed to the internet on AWS, you want a secure communication path between your offices and AWS (and in some cases higher quality)
    • When your existing internal systems live in a data center and AWS is used as extra capacity for them
    [Diagram: VPC across Availability Zone #1 and #2 with an Internet gateway and a VPC NAT gateway; Public subnet #1 10.0.1.0/24, Public subnet #2 10.0.3.0/24, Private subnet #1 10.0.2.0/24, Private subnet #2 10.0.4.0/24]

  19. VPN / Direct Connect
    • Each VPC subnet is connected to a virtual private gateway
    • The user either configures a VPN or arranges Direct Connect
    [Diagram: VPC across Availability Zone #1 and #2 with an Internet gateway, a VPC NAT gateway and a virtual private gateway; Public subnet #1 10.0.1.0/24, Public subnet #2 10.0.3.0/24, Private subnet #1 10.0.2.0/24, Private subnet #2 10.0.4.0/24]

  20. VPN
    • With VPN, AWS provides two VPN endpoints on its side
    • The user establishes a VPN connection to each of the endpoints
    • In other words, two tunnels are required as standard!
    [Diagram: VPC across Availability Zone #1 and #2 with an Internet gateway, a VPC NAT gateway and a virtual private gateway connected to a Customer Gateway; Public subnet #1 10.0.1.0/24, Public subnet #2 10.0.3.0/24, Private subnet #1 10.0.2.0/24, Private subnet #2 10.0.4.0/24]

  21. VPN
    • Routing for a VPN connection: choose either (1) static routing with explicitly specified routes, or (2) dynamic routing via BGP
    • Information on devices supported for VPN connections is in the FAQ: https://aws.amazon.com/jp/vpc/faqs/
    [Diagram: VPC across Availability Zone #1 and #2 with an Internet gateway, a VPC NAT gateway and a virtual private gateway connected to a Customer Gateway; Public subnet #1 10.0.1.0/24, Public subnet #2 10.0.3.0/24, Private subnet #1 10.0.2.0/24, Private subnet #2 10.0.4.0/24]

  22. Direct Connect
    • A dedicated-line connection between the customer's site and AWS
    • Customer premises to the connection point (Equinix TY2) → generally arranged through a telecom carrier
    • Connection point to AWS → provided by AWS

  23. Direct Connect
    • Split into a physical connection and logical connections
    • Service offerings differ by carrier, but broadly there are dedicated and shared types

  24. Solution line-ups by carrier
    • TOKAI Communications: a very comprehensive line-up (dedicated, shared, managed VPN, etc.) http://www.broadline.ne.jp/aws/
    • Colt (formerly KVH): whether you can split into VLANs depends on the bandwidth http://asia.colt.net/ja/services/network/ethernet-services/colt-cloud-connectivity-services/#etherxen-aws

  25. Solution line-ups by carrier
    • TOKAI Communications

  26. Solution line-ups by carrier
    • Colt (formerly KVH)

  27. Solution line-ups by carrier
    • NTT Communications, KDDI, SoftBank: offered as an option of their own inter-site network services; seems to be mostly the shared type
    • USEN, NURO, K-Opticom, etc.: carriers that do not own Direct Connect facilities and do not have it in their service line-up often offer it as an option of a managed VPN service

  28. Thank you for listening

  29. About me
    • 吉江 瞬 / Shun Yoshie (@Typhon666_death)
    • Work: security engineer / consultant / analyst at a certain security company
    • Community activities:
    • Security-JAWS organizer
    • JAWS-UG Loud Rock chapter (unofficial) organizer
    • OWASP Japan Promotion Team member
    • AISECjp organizer
    • Whole Brain Architecture Young Researchers' Group organizer
    • In the book written by JAWS-UG members in August 2016, I covered:
    • Glacier
    • Smart WAF usage and log analysis using VPC peering (PDF edition only)

  30. DDoS
    • DDoS video (the footage shows traffic from China to the USA) https://www.youtube.com/watch?v=1wq6LIjPHkk
    • DDoS (Distributed Denial of Service): an attack in which a large number of computers spread across multiple networks send connection requests to a particular network or computer all at once, flooding its capacity and taking it down

  31. DDoS
    • Types of DDoS:
    • L3/L4 (Infrastructure)
    • L7 (Application)
    • Ways to deal with DDoS-scale traffic:
    • DDoS mitigation (with traditional approaches there is a risk of spending far too much money)
    • Deliberately absorb the DDoS (if the site can afford to go down, leaving it alone is also an option)

  32. The Forrester Wave™: DDoS Services Providers, Q3 2015
    • https://www.forrester.com/report/The+Forrester+Wave+DDoS+Services+Providers+Q3+2015/-/E-RES119802

  33. AWS Shield
    • AWS Shield: released at re:Invent 2016/12
    • How to use: enable the Shield option on CloudFront
    • Architecture: what sits behind Shield can be protected whether it is on AWS or on-premises
    • Protects: CloudFront, ELB, ALB, Route 53
    • Monitoring: constant monitoring to build a baseline and detect anomalies

  34. AWS Shield
    • Pricing:
    • Basic: free to use
    • Advanced: 1-year commitment, $3,000/month + data transfer fee, DRT included
    • Billing: no charge for the traffic attributable to a DDoS (Billing Protection)
    • DRT (DDoS Response Team): also does WAF tuning and WAF rule creation (with prior approval)
    • Don't just dump everything on them.
    • If you already have CloudFront in place, there is no reason not to turn it on!

  35. WAF
    • WAF: a firewall that protects web applications from malicious attacks that a legacy FW or IDS/IPS cannot stop
    • Why deploy one: to stop attacks that exploit web application vulnerabilities or lead to data leaks. PCI DSS 6.6 also explicitly mentions WAF deployment
    [Image: "Prioritized Approach for PCI DSS" (pcisecuritystandards.org)]

  36. Apache Struts 2 vulnerability (CVE-2017-5638) (S2-045)
    Tens of thousands of card records may have leaked from a metropolitan tax payment site (ITmedia, itmedia.co.jp)
    "Countermeasures for the Apache Struts 2 vulnerability (CVE-2017-5638) (S2-045)" (IPA, ipa.go.jp)

  37. Apache Struts 2 vulnerability (CVE-2017-5638) (S2-045)
    "Report on unauthorized access and apology for the information leak"
    • As soon as IPA published the advisory, they promptly blocked the attack with a WAF and investigated the unauthorized access.
    • The leak itself is bad, but as a rapid response it deserves credit

  38. AWS WAF
    • AWS WAF: a feature newly released in 2015/12
    • What AWS WAF can do: custom rules (IP address restrictions / string matching) plus basic web application protections such as SQLi/XSS
    • Architecture: a managed WAF you attach to CloudFront, ELB or ALB
    • Deployment: easy (attach the WAF function)
    • Operation: no need to operate complex rules (⇔ put the other way, it is far too limited; if you want fine-grained settings and tuning you end up having to ask the DRT)
    • Disappointing: no fine-grained configuration of the WAF itself; rules cannot be written as regular expressions.

  39. Architecture comparison: AWS WAF vs WAF on AWS vs SaaS WAF vs Cloud WAF
    ※ Includes my personal opinions
    Columns: ① AWS WAF, ② WAF on AWS, ③ SaaS WAF, ④ Cloud WAF
    DDoS, with CloudFront:     ① ◎   ② ◎  ③ ◎  ④ ◎   Notes: ①②③④ Shield alone is probably enough
    DDoS, without CloudFront:  ① △   ② △  ③ ○  ④ ?   Notes: ②③ switching over to CloudFront is a bit of work; ④ no problem if DDoS protection is included
    WAF deployment:            ① ◎/△ ② △  ③ ○  ④ ○   Notes: ① easy with CloudFront, without it there is the cost of adopting CloudFront; ② needs migration planning such as a dedicated WAF VPC; ③④ verify normal operation, then switch DNS
    WAF operation:             ① ○   ② △  ③ ◎  ④ ◎   Notes: ③④ ◎ in the sense that you can hand it off
    Cost:                      ① ◎   ② △  ③ ○  ④ ○   Notes: ② licenses are expensive, as expected

  40. Architecture comparison: AWS WAF vs WAF on AWS vs SaaS WAF vs Cloud WAF
    Columns: ① AWS WAF, ② WAF on AWS, ③ SaaS WAF, ④ Cloud WAF
    Performance:  ① ◎  ② ◎     ③ ○     ④ ○     Notes: ② no problem if the WAF scales; ③④ feel suited to small-scale traffic
    Security:     ① △  ② ○〜◎  ③ ○〜◎  ④ ○〜◎  Notes: ① not enough; ②③④ depends on how the WAF is rated (next page)
    Overall:      ① ?  ② ?     ③ ?     ④ ?     Do it yourself? Outsource it? Think it over for yourself

  41. Amazon Web Services: AWS best practices against DDoS
    • The material is a bit old, but there is also a Japanese translation of the DDoS whitepaper.
    ※ WAF sandwich + WAF auto-scaling (this is not a countermeasure against EDoS)
    • A "super defense in depth" configuration: CF (with WAF/Shield) → ELB → IPS → ELB → WAF → ELB → EC2 with content-tampering detection
    • https://d0.awsstatic.com/International/ja_JP/Whitepapers/DDoS%20White%20Paper.pdf

  42. (2016) Gartner: Magic Quadrant for Web Application Firewalls
    • https://www.gartner.com/doc/reprints?id=1-3BZK2PZ&ct=160720&st=sb

  43. After DDoS mitigation and WAF deployment: what then?
    • Turning them on is not the end: plan your incident response flow.
    • How do you notice an incident in the first place?
    • Do resource monitoring and the like.
    • Collecting logs is a must
    • If you can, correlate the logs (with a SIEM)
    • "Tactics and strategy for DDoS response" https://www.slideshare.net/nakatomoorg/ddos-69640523/1
    • The deck above is a clear summary of how to prepare for incident response and what you can start doing now.

  44. Before DDoS mitigation and WAF deployment?
    • Think about security at the design stage
    • Let's stop the habit of a web application assessment only just before release
    • Keywords: Security by Design (SbD), DevSecOps
    • Recently, an article by OWASP Japan Chapter leader 岡田 was a very good summary, so please read it:
    "Why doesn't 'secure development' take hold? The enemies that get in the way of DevSecOps"

  45. Closing
    • I plan to be at the after-party too.
    • Business cards, Eight, Twitter, Facebook, LinkedIn, email inquiries: all fine.
    • Have a wonderful security life.

  46. Next up: AWS Config…

  47. About me
    • 森永 大志 / Taishi Morinaga (@morimoritaitai)
    • Company: Classmethod, Inc., AWS Division
    • Role: Solutions Architect
    • Hobbies: games (all kinds) / drinking (mainly shochu) / cameras
    • Interests: security / ops automation
    • Favorite services: Config, CloudTrail and the other "green" ones
    • 5 AWS certifications

  48. AWS Config


  49. What is AWS Config
    • A service for configuration management and change management
    • Takes snapshots of configuration information
    • Search and browse configuration information and change history
    • Notifications when resources are created, changed or deleted
    • Shows the relationships between AWS resources

  50. Currently supported AWS resources
    • As of 2017/3/11
    Resource type: resources
    Amazon Redshift: Cluster, Cluster parameter group, Cluster security group, Cluster snapshot, Cluster subnet group, Event subscription
    Amazon Relational Database Service (RDS): RDS DB instance, RDS DB security group, RDS DB snapshot, RDS DB subnet group, Event subscription
    Amazon Simple Storage Service (S3): Amazon S3 bucket
    Amazon Virtual Private Cloud (VPC): Customer gateway, Internet gateway, Network access control list (ACL), Route table, Subnet, Virtual private cloud (VPC), VPN connection, VPN gateway
    AWS Certificate Manager: certificate
    AWS CloudTrail: Trail
    Amazon Elastic Block Store: Amazon EBS volume
    Amazon Elastic Compute Cloud (EC2): EC2 Dedicated hosts, EC2 Elastic IP, EC2 instance, EC2 network interface, EC2 security group
    Amazon EC2 Systems Manager: Managed instance inventory
    Elastic Load Balancing (ELB): Application load balancer
    AWS Identity and Access Management (IAM): IAM user, IAM group, IAM role, IAM customer managed policy

  51. Currently supported AWS resources
    • As of 2017/3/11 (same table as slide 50)
    Commonly used services are almost all covered

  52. Use cases

  53. Configuration management of AWS resources
    • See your AWS resources in a single list
    • Deleted resources can be traced too

  54. Audit and compliance
    • Records when and how things were changed, so it can be used as evidence
    • Also needed to comply with standards such as PCI DSS

  55. Troubleshooting
    • Misconfiguration is one of the causes of incidents
    • Related AWS resources can be traced as well, which makes troubleshooting easier

  56. AWS resources that easily get messy can be "visualized" with ease!

  57. But Config only makes settings and setting changes visible, right?

  58. In the end a human still has to judge whether a setting is correct, right?

  59. Don't worry.

  60. There is also a service that checks your settings!

  61. AWS Config Rules


  62. What is AWS Config Rules
    • Lets you define rules that judge whether the configuration recorded by AWS Config is correct
    • For example:
    • A security group that is fully open
    • MFA not configured
    • An ACM certificate that is about to expire

  63. Types of rules
    • Managed rules
    • Rules provided by AWS
    • They cover the usual suspects
    • Custom rules
    • Rules you can build freely yourself
    • The judgement logic is built with Lambda
    • Since it is Lambda, you can do quite a lot if you put in the work

  64. Managed rules available
    • Compute
    • approved-amis-by-id
    • approved-amis-by-tag
    • desired-instance-tenancy
    • desired-instance-type
    • ebs-optimized-instance
    • ec2-instance-detailed-monitoring-enabled
    • ec2-instances-in-vpc
    • ec2-managedinstance-applications-blacklisted
    • ec2-managedinstance-applications-required
    • ec2-managedinstance-inventory-blacklisted
    • ec2-managedinstance-platform-check
    • ec2-volume-inuse-check
    • eip-attached
    • encrypted-volumes
    • restricted-common-ports
    • restricted-ssh
    • Management Tools
    • cloudtrail-enabled
    • required-tags
    • Database
    • db-instance-backup-enabled
    • dynamodb-throughput-limit-check
    • rds-multi-az-support
    • rds-storage-encrypted
    • redshift-cluster-configuration-check
    • redshift-cluster-maintenancesettings-check
    • Security, Identity & Compliance
    • acm-certificate-expiration-check
    • iam-password-policy
    • iam-user-group-membership-check
    • iam-user-no-policies-check
    • root-account-mfa-enabled
    • Storage
    • s3-bucket-logging-enabled
    • s3-bucket-ssl-requests-only
    • s3-bucket-versioning-enabled
    Source: AWS Config developer guide (docs.aws.amazon.com)

  65. Custom rules
    • You write the judgement part in Lambda
    • Since you have to write the code yourself, the bar is a little higher
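An added example, not from the deck or from the awslabs repository, of the Lambda judgement logic a custom rule needs for the "security group fully open" case from slide 62: the sample configuration item, its placeholder resource id and the function names are constructed, while the invokingEvent/resultToken fields and the put_evaluations call are the ones a change-triggered Config custom rule receives and makes. The decision is kept in a pure function so it can be exercised offline; only the handler needs boto3.

```python
import json

# Constructed sample configuration item (not captured from a real account): a
# security group with SSH open to the world, the "security group fully open"
# case from the deck, plus one legitimately restricted rule.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",            # placeholder id
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2017-03-11T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipRanges": ["10.0.0.0/8"], "ipv6Ranges": []},
    ]},
}

def world_open(perm):
    """Describe this ipPermissions entry if it admits 0.0.0.0/0 or ::/0, else None."""
    cidrs = ([r["cidrIp"] for r in perm.get("ipv4Ranges", [])] + perm.get("ipRanges", [])
             + [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])])  # ipRanges: older plain-string form
    if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
        return None
    if perm.get("ipProtocol") == "-1":
        return "all protocols/ports"
    return f"{perm['ipProtocol']} {perm.get('fromPort')}-{perm.get('toPort')}"

def evaluate_security_group(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    if str(item.get("configurationItemStatus", "")).startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    hits = [d for d in map(world_open, item["configuration"].get("ipPermissions", [])) if d]
    if hits:
        return "NON_COMPLIANT", "ingress from anywhere: " + "; ".join(hits)
    return "COMPLIANT", "no ingress rule open to 0.0.0.0/0 or ::/0"

def lambda_handler(event, context):
    """Entry point for a change-triggered custom rule: Config passes the configuration
    item as a JSON string in invokingEvent and a resultToken for put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_security_group(item)
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance,
                  "Annotation": annotation[:256],          # API limit on annotation length
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    import boto3  # imported here so evaluate_security_group() stays runnable without AWS
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

Wiring it up as a rule in AWS Config (trigger type "configuration changes", scope AWS::EC2::SecurityGroup) is done outside this code, and the Lambda's role needs config:PutEvaluations.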

  66. AWS has published custom rules
    • 34 rules published as of 2017/3
    • https://github.com/awslabs/aws-config-rules

  67. Enable AWS Config for visibility, check configuration values with Config Rules, and keep security and governance assured automatically!

  68. We publish Config-related blog posts: http://dev.classmethod.jp/referencecat/aws-config/

  69. Announcements
    • That concludes the presentation.
    • Event announcements are on Doorkeeper (https://s-jaws.doorkeeper.jp/)
    • Twitter: @security_jaws, hashtag #secjaws