Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JAWS DAYS 2017 Security-JAWS発表資料

Tmorinaga
March 11, 2017

JAWS DAYS 2017 Security-JAWS発表資料

#jawsdays #jawsug #secjaws

Tmorinaga

March 11, 2017
Tweet

More Decks by Tmorinaga

Other Decks in Technology

Transcript

  1. Security-JAWS • 2016/04 ൃ଍ • ӡӦ͸10ਓ • ୈҰճ͸2016/05։࠵ • هࣄʹ΋͍͖ͯͨͩ͠·ͨ͠


    http://ascii.jp/elem/000/001/164/1164664/ • ܧଓͯ͠ɺ3ϲ݄ʹҰճͷϖʔεͰ։࠵த
  2. Security-JAWS •͜Ε·ͰͷϝΠϯλΠ τϧ • AWSͰͷVPCɾIAMϑϧ׆༻ज़
 ʢϦΫϧʔτςΫϊϩδʔζ ٶ࡚͞Μʣ • ͱ͋Δ਍அһͱAWS ʢऱ࡚͞Μʣ

    • Managing Privacy and Security Risk 
 ʢFINOVATORS େٱอ͞Μʣ • Ubiquitous Encryption on AWS
 ʢAWS Eugene͞ΜˍPedro͞Μʣ • AWS Compliance Quick Startͷ͝঺հ
 ʢAWSJ দຊ͞Μʣ • CloudHSMͬͯ݁ہͳʹʁ~ϋʔυ΢ΣΞ͕ ඞཁͳΘ͚~ʢAWSJ ُా͞Μʣ • AWS IAMͱOpenAMΛ࿈ܞͯ͠ΞΧ΢ϯτ؅ ཧΛޮ཰Խͯ͠ΈͨɹʢΦʔδε૯ݚ ࢯೄ͞ Μʣ • Amazon InspectorΛิ׬͢Δ - VulsͱOWASP Dependency-CheckΛ૊Έ߹Θͤͯϓϩάϥ ϛϯάݴޠϥΠϒϥϦͷ੬ऑੑεΩϟϯ݁ՌΛ ೔ຊޠԽɺSlack௨஌Ͱ͖ΔΑ͏ʹͯ͠Έͨ
 ʢϑϡʔνϟʔΞʔΩςΫτ ਆށ͞Μʣ • Deep Dive on AWS ShieldʢAWSJ ۅࢁ͞ Μʣ • AWSʹ͓͚ΔWAFಋೖʹ͍ͭͯ 
 ʢNECιϦϡʔγϣϯΠϊϕʔλ ࢁਫ͞Μʣ • WordPress goes Serverless. - ShifterͰ࢝ΊΔ WordPressͷηΩϡΞͳӡ༻ - 
 ʢσδλϧΩϡʔϒ খլ͞Μʣ
  3. Security-JAWS •͜Ε·ͰͷϝΠϯλΠ τϧ • AWSͰͷVPCɾIAMϑϧ׆༻ज़
 ʢϦΫϧʔτςΫϊϩδʔζ ٶ࡚͞Μʣ • ͱ͋Δ਍அһͱAWS ʢऱ࡚͞Μʣ

    • Managing Privacy and Security Risk 
 ʢFINOVATORS େٱอ͞Μʣ • Ubiquitous Encryption on AWS
 ʢAWS Eugene͞ΜˍPedro͞Μʣ • AWS Compliance Quick Startͷ͝঺հ
 ʢAWSJ দຊ͞Μʣ • CloudHSMͬͯ݁ہͳʹʁ~ϋʔυ΢ΣΞ͕ ඞཁͳΘ͚~ʢAWSJ ُా͞Μʣ • AWS IAMͱOpenAMΛ࿈ܞͯ͠ΞΧ΢ϯτ؅ ཧΛޮ཰Խͯ͠ΈͨɹʢΦʔδε૯ݚ ࢯೄ͞ Μʣ • Amazon InspectorΛิ׬͢Δ - VulsͱOWASP Dependency-CheckΛ૊Έ߹Θͤͯϓϩάϥ ϛϯάݴޠϥΠϒϥϦͷ੬ऑੑεΩϟϯ݁ՌΛ ೔ຊޠԽɺSlack௨஌Ͱ͖ΔΑ͏ʹͯ͠Έͨ
 ʢϑϡʔνϟʔΞʔΩςΫτ ਆށ͞Μʣ • Deep Dive on AWS ShieldʢAWSJ ۅࢁ͞ Μʣ • AWSʹ͓͚ΔWAFಋೖʹ͍ͭͯ 
 ʢNECιϦϡʔγϣϯΠϊϕʔλ ࢁਫ͞Μʣ • WordPress goes Serverless. - ShifterͰ࢝ΊΔ WordPressͷηΩϡΞͳӡ༻ - 
 ʢσδλϧΩϡʔϒ খլ͞Μʣ ͝ొஃ͍͖ͨͩ ͋Γ͕ͱ͏ ͍͟͝·ͨ͠ʂʂ ͝ొஃ͍͖ͨͩ ͋Γ͕ͱ͏ ͍͟͝·ͨ͠ʂʂ
  4. Amazon VPC • ύϒϦοΫΫϥ΢υ্ʹ࿦ཧతʹಠཱͨࣗࣾ͠ઐ༻ͷΫϥ΢υ؀ڥΛ ࡞੒͢Δػೳ • ࠓ͸VPC͕ඪ४ʹ(ੲ͸ҧ͍·ͨ͠)
 ੲͷ໊࢒ɺClassic EC2 AWS

    cloud RDS DB 
 instance standby 
 (Multi-AZ) Web Server #1 RDS DB instance Web Server #2 Availability Zone #1 Availability Zone #2
  5. Public subnet
 Private subnet • Public subnet
 Πϯλʔωοτʹ௚઀઀ଓՄೳͳαϒ ωοτ(ެ։αʔό͕ஔ͚ΔɺEIPͱͷ ඥ෇͚΋Ͱ͖Δ)

    • Private subnet
 Πϯλʔωοτ͔Β௚઀઀ଓ͞Εͨ͘ ͳ͍Πϯελϯεʹ࢖༻
 NATήʔτ΢ΣΠΛܦ༝ͯ͠಺ˠ֎ͷ
 Πϯλʔωοτ௨৴͸Մೳ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24
  6. ηΩϡϦςΟάϧʔϓ
 ωοτϫʔΫACL • ηΩϡϦςΟάϧʔϓ
 Πϯελϯεʹରͯ͠ద༻
 εςʔτϑϧ • ωοτϫʔΫACL
 αϒωοτ୯ҐͰͷΞΫηε੍ޚ ʹ࢖༻


    εςʔτϨε AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24
  7. εςʔτϑϧͱεςʔτϨε • ͱͯ΋ݹయతͳ࿩͚ͩͲɺͪΌΜͱઆ໌͠ͳ͍ͱ఻ΘΒͳ͍ Source…203.0.113.100:25284 Destination…198.51.100.100:80 ϙʔτ80൪/઀ଓݩAnyͱ ઃఆ͓͚ͯ͠͹ ໭Γͷ௨৴΋ΑΖͯ͘͘͠͠ΕΔ →εςʔτϑϧ ΫϥΠΞϯτˠαʔόͷϧʔϧͱ

    αʔόˠΫϥΠΞϯτͷ௨৴ϧʔϧΛ ྆ํ໌ࣔతʹॻ͍͓ͯ͘ඞཁ͕͋Δ →εςʔτϨε ํ޲ ϙʔτϓϩτί ϧ ΞυϨε Մ൱ 0VUˠ*O UDQ  "MMPX *Oˠ0VU  UDQ  "MMPX ํ޲ ϙʔτϓϩτί ϧ ΞυϨε Մ൱ 0VUˠ*O UDQ  "MMPX NAT഑ԼͷΫϥΠΞϯτͷ Source Port͸ϋΠϙʔτ (1024ʙ65535)͔Β ϥϯμϜʹઃఆ͞ΕΔ
  8. VPN/Direct Connect • Webαʔό/DBαʔόͷϝϯςφϯε ͸ϓϥΠϕʔτωοτϫʔΫܦ༝Ͱߦ ͍͍ͨ • Πϯλʔωοτʹެ։͠ͳ͍ࣾ಺γε ςϜΛAWSʹஔ͘৔߹ɺࣄۀॴͱ AWSؒͷηΩϡΞͳ௨৴ܦ࿏Λ֬อ͠

    ͍ͨ(৔߹ʹΑͬͯ͸඼࣭ΛߴΊ͍ͨ) • طଘͷࣾ಺γεςϜ͕σʔληϯλʔ ʹ͋ΓɺAWSΛطଘγεςϜͷ֦ுϦ ιʔεͱͯ͠࢖༻͢ΔΑ͏ͳ৔߹ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24
  9. VPN/Direct Connect • VPCͷ֤αϒωοτͱ
 Ծ૝ϓϥΠϕʔτήʔτ΢ΣΠΛ
 ઀ଓ • Ϣʔβʔ͸VPNͷઃఆΛߦ͏͔
 Direct Connectͷख഑Λ͢Δ

    AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24 virtual private gateway
  10. VPN • VPNͷ৔߹ɺAWSଆʹ͸
 2ͭͷVPNΤϯυϙΠϯτ͕
 ༻ҙ͞ΕΔ • Ϣʔβʔ͸ɺͦΕͧΕͷ
 VPNΤϯυϙΠϯτͱ
 VPN઀ଓΛߦ͏
 


    
 • ͭ·Γɺ2ͭͷτϯωϧ͕
 ඪ४Ͱඞཁʂ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24 virtual private gateway Customer Gateway
  11. VPN • VPN઀ଓ࣌ͷϧʔςΟϯά
 ʢ1ʣ໌ࣔతʹࢦఆ͢ΔελςΟοΫϧʔ ςΟϯά
 ʢ2ʣBGPʹΑΔμΠφϛοΫϧʔςΟϯά
 ͷͲͪΒ͔Λબ୒ • VPN઀ଓͷରԠػث৘ใ
 FAQʹࡌ͍ͬͯ·͢


    https://aws.amazon.com/jp/vpc/faqs/ AWS cloud Public subnet #2 10.0.3.0/24 Availability Zone #1 Availability Zone #2 Internet gateway VPC NAT gateway Public subnet #1 10.0.1.0/24 Private subnet #2 10.0.4.0/24 Private subnet #1 10.0.2.0/24 virtual private gateway Customer Gateway
  12. ࣗݾ঺հ • ٢ߐ ॠ(@Typhon666_death) • ࢓ࣄɿ๭ηΩϡϦςΟઐ໳ձࣾʹͯɺ
 ηΩϡϦςΟΤϯδχΞ/ίϯαϧλϯτ/ΞφϦετ • ׆ಈίϛϡχςΟɿ •

    Security-JAWS ӡӦϝϯόʔ • JAWS-UG ϥ΢υϩοΫࢧ෦(ඇެࣜ) ӡӦϝϯόʔ • OWASP Japan Promotion Teamϝϯόʔ • AISECjp ӡӦϝϯόʔ • શ೴ΞʔΩςΫνϟएखͷձ ӡӦϝϯόʔ • 2016೥8݄ JAWS-UGϝϯόʔͰॻ͍ͨຊͰ ͸ɺҎԼΛ୲౰ • Glacier • VPCϐΞϦϯάΛ࢖ͬͨݡ͍WAFͷར ༻ํ๏ͱϩά෼ੳΛ୲౰(PDFͷΈ)
  13. DDoS • DDoSಈըʢը૾͸ from China to USAʣ
 https://www.youtube.com/watch?v=1wq6LIjPHkk • DDoS

    (Distributed Denial of Service)ɿෳ਺ͷNWʹ෼ࢄ͢Δେྔͷίϯϐϡʔλ͕Ұ੪ʹಛఆͷ NW΍ίϯϐϡʔλ΁઀ଓཁٻΛૹग़͠ɺ
 ௨৴༰ྔΛ͋;Εͤͯ͞ػೳΛఀࢭͤͯ͞͠·͏߈ܸ
  14. DDoS • DDoSͷछྨɿ • L3/L4ʢInfrastrutureʣ • L7ʢApplicationʣ • DDoSͷΑ͏ͳେྔͷτϥϑΟοΫʹର͢Δखஈɿ •

    DDoSରࡦʢैདྷͷରࡦํ๏ͩͱɺ͓ۚΛֻ͚ࣺͯ͗͢ΔՄೳੑ΋͋Δʣ • DDoSΛ͋͑ͯड͚Δʢམͪͯ΋͍͍αΠτͰ͋Ε͹ɺ์ஔ͢Δͷ΋Ұͭʣ
  15. The Forrester Wave™: 
 DDoS Services Providers, Q3 2015 •

    https://www.forrester.com/report/The+Forrester+Wave+DDoS+Services+Providers+Q3+2015/-/E-RES119802
  16. AWS Shield • AWS Shieldɿ2016/12 re:InventʹͯϦϦʔε • ར༻ํ๏ɿCloudFrontʹͯShield ΦϓγϣϯΛ༗ޮԽ •

    ߏ੒ɿShieldͷޙΖ͸AWSͰ΋ɺΦϯϓϨͰ΋ରࡦՄೳ • ๷ޚର৅ɿCloudFrontɺELBɺALBɺRoute53 • ؂ࢹɿৗʹϞχλϦϯάͯ͠ϕʔεϥΠϯͷ࡞੒ɺҟৗݕग़ AWS Shield
  17. AWS Shield • ར༻ྉۚɿ • BasicɿແྉͰར༻Մೳ • Advancedɿ1೥ؒͷར༻ίϛοτɺֹ݄$3,000ʴDataTransferFeeɺDRT෇ • අ༻੥ٻɿDDoSΛड͚ͯ΋֘౰௨৴จͷࢧ෷͍͸ෆཁʢBilling

    Protectionʣ • DRT(DDoS Response Team)ɿWAFͷνϡʔχϯά΍WAFͷϧʔϧ࡞੒(ࣄલঝೝ༗Γ)΋΍Δ • ؙ౤͛͸ବ໨Ͱ͢ɻ • CloudFront͑͞ೖ͍ͬͯΔͳΒɺಋೖ͓͔ͯ͠ͳ͍ख͸ͳ͍ʂ AWS Shield
  18. AWS WAF • AWS WAFɿ2015/12 ʹ৽͘͠ϦϦʔε͞Εͨػೳ • AWS WAFͰͰ͖Δ͜ͱɿΧελϜϧʔϧʢIPΞυϨε੍ݶ/จࣈྻ੍ݶʣɺ
 SQLI/XSSͱ͍ͬͨجຊతͳWebΞϓϦέʔγϣϯ޲͚ରࡦ͕ՄೳͳWAF

    • ߏ੒ɿCloudFrontɺELBɺALBʹ࢓ࠐΊΔϚωʔδυWAF • ಋೖɿ؆୯(WAFػೳΛΞλον͢Δ) • ӡ༻ɿෳࡶͳϧʔϧͷӡ༻Λ͠ͳͯ͘΋͍͍
 ʢ㱻ٯʹݴ͍׵͑Ε͹෺଍Γͳ͗͢͞Δɻࡉ͔ʹઃఆ͠ɺνϡʔχϯάΛ͢ΔͱͳΔͱDRTʹґཔ͕ඞਢͱͳ Δʣ • ࢒೦ɿWAFͦͷ΋ͷͷ͖Ίࡉ͔͍ઃఆ͕Ͱ͖ͳ͍ɻϧʔϧΛਖ਼نදݱͰ͔͚ͳ͍ɻ AWS WAF
  19. ߏ੒ൺֱɿAWS WAF vs WAF on AWS 
 vs SaaS WAF

    vs Cloud WAF ˞ݸਓͷओ؍΋
 ೖͬͯ·͢ ᶃ"84 8"' ᶄ8"'PO "84 ᶅ4BB4 8"' ᶆ$MPVE 8"' උߟ %%P4ಋೖ $'༗ ˕ ˕ ˕ ˕ ᶃᶄᶅᶆ ΄΅ 4IJFMEҰ୒Ͱྑͦ͞͏ %%P4ಋೖ $'ແ  ˚ ˚ ̋ʁ ᶄᶅ$'ಋೖʹ੾Γସ͑Δʹ͸গ͠େม
 ᶆ%%P4ରࡦ༗ͳΒಋೖ͸໰୊ͳ͠ 8"'ಋೖ ˕˚ ˚ ̋ ̋ ᶃ$'༗ͳΒ8"'ಋೖ͸؆୯
 ᶃ$'ແͳΒ$'ʹಋೖͷίετ͕͔͔Δ ᶄ8"'ઐ༻71$Λ༻ҙ͢Δ౳ͷҠߦݕ౼
 ᶅᶆਖ਼ৗ֬ೝͷ্ɺ%/4੾Γସ͑ 8"'ӡ༻ ̋ ˚ ˕ ˕ ᶅᶆ೚ͤΒΕΔͱ͍͏ҙຯͰ˕ ίετ໘ ˕ ˚ ̋ ̋ ᶄϥΠηϯε͸΍͸Γߴ͍
  20. ߏ੒ൺֱɿAWS WAF vs WAF on AWS 
 vs SaaS WAF

    vs Cloud WAF ᶃ"84 8"' ᶄ8"'PO "84 ᶅ4BB4 8"' ᶆ$MPVE 8"' උߟ ύϑΥʔϚϯε໘ ˕ ˕ ̋ ̋ ᶄ8"'͕εέʔϧ͢ΔͳΒ໰୊ͳ͠
 ᶅᶆখن໛τϥϑΟοΫʹ޲͍ͯΔײ͡ ηΩϡϦςΟ໘ ˚ ̋ʙ˕ ̋ʙ˕ ̋ʙ˕ ᶃ෺଍Γͳ͍
 ᶄᶅᶆ8"'ͷධՁʹґଘ ࣍ท ૯߹݁Ռ ʁ ʁ ʁ ʁ ࣗࣾͰ΍ΔʁଞࣾͰ΍Δʁ ࣗ͝਎Ͱߟ͑ͯΈ͍ͯͩ͘͞
  21. Amazon Web Services – 
 DDoSʹର͢ΔAWSͷϕετϓϥΫςΟε • গ͠ࢿྉ͸ݹ͍͕೔ຊޠ༁ͷDDoSϗ ϫΠτϖʔύʔ΋͋Δɻ
 ˞WAFαϯυΠονʴWAFΦʔτε

    έʔϧʢEDoSରࡦʹ͸ͳ͍ͬͯͳ ͍ʣ • Super Defense in Depthͳߏ੒ɿ
 CF(withWAF/Shield)→ELB
 →IPS→ELB→WAF
 →ELB→EC2withίϯςϯπվ᜵ݕ஌ • https://d0.awsstatic.com/International/ja_JP/ Whitepapers/DDoS%20White%20Paper.pdf
  22. DDoSରࡦɺWAFಋೖ
 ͦͷޙ͸ʁ • ༗ޮʹͨ͠Β͓ΘΓͰ͸ͳ͘ɺΠϯγσϯτϨεϙϯεͷϑϩʔΛݕ౼ɻ • Πϯγσϯτͱؾͮͨ͘Ίʹ͸ʁ • Ϧιʔε؂ࢹ౳Λߦ͏ɻ • ϩάऔಘ͸ඞਢ

    • Ͱ͖ΔͷͳΒɺϩάΛ༻͍ͨ૬ؔ෼ੳʢwith SIEMʣ • DDoSରॲͷઓज़ͱઓུ
 https://www.slideshare.net/nakatomoorg/ddos-69640523/1 • ্هࢿྉ͔ΒΠϯγσϯτϨεϙϯεͷͨΊͷ४උ΍͍·࢝ΊΒΕΔ͜ͱ͕·ͱ·ͬͯͯΘ͔Γ΍͍͢ɻ

  23. DDoSରࡦɺWAFಋೖ
 ͦͷલʹʁ • ઃܭஈ֊ͰͷηΩϡϦςΟʹ͍ͭͯߟ͑Α͏ • ϦϦʔεલWebΞϓϦέʔγϣϯ਍அ͸΍ΊΑ͏ • ΩʔϫʔυɿSecurity by Design(SdP)ɺDevSecOps

    • ࠷ۙɺOWASP Japan ChapterϦʔμʔԬా͞Μͷهࣄ͕
 ಺༰ͱͯ͠ͱͯ΋·ͱ·͍ͬͯΔ΋ͷͰͨ͠ͷͰɺ
 ͥͻɺಡΜͰΈ͍ͯͩ͘͞ɻ ʮηΩϡΞ։ൃʯ͸ͳͥਁಁ͠ͳ͍ͷ͔ʁʕʕ%FW4FD0QTΛ๦͛Δlͭͷఢz  
 IUUQXXXBUNBSLJUDPKQBJUBSUJDMFTOFXT@IUNM

  24. ࣗݾ঺հ • ৿Ӭ େࢤ (@morimoritaitai) • ձࣾɿΫϥεϝιουגࣜձࣾ AWSࣄۀ෦ • ৬छɿιϦϡʔγϣϯΞʔΩςΫτ

    • झຯ : ήʔϜ(શൠ) / ञ ʢমயϝΠϯʣ/ Χϝϥ • ڵຯ : Security / OpsࣗಈԽ • ޷͖ͳαʔϏεɿConfig /CloudTrail ͳͲ྘ܥ • AWSೝఆࢿ֨5ף
  25. ݱࡏରԠ͍ͯ͠ΔAWSϦιʔε • 2017/3/11ݱࡏ Resource Type Resource Amazon Redshift Cluster Cluster

    parameter group Cluster security group Cluster snapshot Cluster subnet group Event subscription Amazon Relational Database Service (RDS) RDS DB instance RDS DB security group RDS DB snapshot RDS DB subnet group Event subscription Amazon Simple Storage Service (S3) Amazon S3 bucket Amazon Virtual Private Cloud (VPC) Customer gateway Internet gateway Network access control list (ACL) Route table Subnet Virtual private cloud (VPC) VPN connection VPN gateway Resource Type Resource AWS Certificate Manager certificate AWS CloudTrail Trail Amazon Elastic Block Store Amazon EBS volume Amazon Elastic Compute Cloud (EC2) EC2 Dedicated hosts EC2 Elastic IP EC2 instance EC2 network interface EC2 security group Amazon EC2 Systems Manager Managed instance inventory Elastic Load Balancing (ELB) Application load balancer AWS Identity and Access Management (IAM) IAM user IAM group IAM role IAM customer managed policy
  26. ݱࡏରԠ͍ͯ͠ΔAWSϦιʔε • 2017/3/11ݱࡏ Resource Type Resource Amazon Redshift Cluster Cluster

    parameter group Cluster security group Cluster snapshot Cluster subnet group Event subscription Amazon Relational Database Service (RDS) RDS DB instance RDS DB security group RDS DB snapshot RDS DB subnet group Event subscription Amazon Simple Storage Service (S3) Amazon S3 bucket Amazon Virtual Private Cloud (VPC) Customer gateway Internet gateway Network access control list (ACL) Route table Subnet Virtual private cloud (VPC) VPN connection VPN gateway Resource Type Resource AWS Certificate Manager certificate AWS CloudTrail Trail Amazon Elastic Block Store Amazon EBS volume Amazon Elastic Compute Cloud (EC2) EC2 Dedicated hosts EC2 Elastic IP EC2 instance EC2 network interface EC2 security group Amazon EC2 Systems Manager Managed instance inventor Elastic Load Balancing (ELB) Application load balancer AWS Identity and Access Management (IAM) IAM user IAM group IAM role IAM customer managed policy Α͔ͭ͘͏αʔϏε͸΄΅ରԠࡁΈ Α͔ͭ͘͏αʔϏε͸΄΅ରԠࡁΈ
  27. AWS Config Rulesͱ͸ • AWS ConfigͰه࿥ͨ͠ઃఆ͕ਖ਼͍͔͠Λ൑ఆ͢Δ ϧʔϧΛઃఆͰ͖Δ • ྫ͑͹ɺ •

    ηΩϡϦςΟάϧʔϓ͕ϑϧΦʔϓϯ • MFAઃఆ͍ͯ͠ͳ͍ • ACMͷূ໌ॻͷ༗ޮظݶ͕͋ͱগ͠
  28. ϧʔϧͷछྨ • Ϛωʔδυϧʔϧ • AWS͕ఏڙ͍ͯ͠Δϧʔϧ • ͋Δ͋Δͳ΋ͷΛ༻ҙͯ͘͠Ε͍ͯ·͢ • ΧελϜϧʔϧ •

    ࣗ෼Ͱࣗ༝ʹ࡞ΕΔϧʔϧ • ൑ఆ͢Δػߏ͸LambdaͰ࡞੒ • LambdaͳͷͰ࡞Γ͜Ί͹૬౰͍Ζ͍Ζग़དྷΔ
  29. ఏڙ͞Ε͍ͯΔϚωʔδυϧʔϧ • Compute • approved-amis-by-id • approved-amis-by-tag • desired-instance-tenancy •

    desired-instance-type • ebs-optimized-instance • ec2-instance-detailed-monitoring-enabled • ec2-instances-in-vpc • ec2-managedinstance-applications-blacklisted • ec2-managedinstance-applications-required • ec2-managedinstance-inventory-blacklisted • ec2-managedinstance-platform-check • ec2-volume-inuse-check • eip-attached • encrypted-volumes • restricted-common-ports • restricted-ssh • Management Tools • cloudtrail-enabled • required-tags • Database • db-instance-backup-enabled • dynamodb-throughput-limit-check • rds-multi-az-support • rds-storage-encrypted • redshift-cluster-configuration-check • redshift-cluster-maintenancesettings-check • Security, Identity & Compliance • acm-certificate-expiration-check • iam-password-policy • iam-user-group-membership-check • iam-user-no-policies-check • root-account-mfa-enabled • Storage • s3-bucket-logging-enabled • s3-bucket-ssl-requests-only • s3-bucket-versioning-enabled IUUQEPDTBXTBNB[PODPNKB@KQDPOpHMBUFTUEFWFMPQFSHVJEFNBOBHFESVMFTCZBXTDPOpHIUNM