
JAWS DAYS 2017 Security-JAWS presentation slides


#jawsdays #jawsug #secjaws


Tmorinaga

March 11, 2017

Transcript

  1. AWS SECURITY DEATH \m/
     (A message from the Security God) Security-JAWS: Ookita Toshiya, Yoshie Shun, Morinaga Taishi

  2. Introduction • We received a message from the Security God, so we are passing it on: a gentle introduction starting from the basics of networking on AWS and covering security features such as AWS WAF, AWS Shield and AWS Config. • By the way, the Security God is...

  3. None
  4. Introduction • ...not that: it descended upon us courtesy of organizing member Otake, our resident artist.

  5. by Otake, our resident artist

  6. Contents • From here on, seriously, the following people take over: • Network basics on AWS → Ookita • AWS WAF / AWS Shield → Yoshie • AWS Config → Morinaga
  7. Security-JAWS • Founded 2016/04 • 10 organizers • First meetup held 2016/05 • It was even covered in an article: http://ascii.jp/elem/000/001/164/1164664/ • Still running, at a pace of one meetup every 3 months
  8. Security-JAWS • Main talks so far:
     • Making full use of VPC and IAM on AWS (Recruit Technologies, Miyazaki-san)
     • A certain pentester and AWS (Suzaki-san)
     • Managing Privacy and Security Risk (FINOVATORS, Okubo-san)
     • Ubiquitous Encryption on AWS (AWS, Eugene-san & Pedro-san)
     • Introducing the AWS Compliance Quick Start (AWSJ, Matsumoto-san)
     • What is CloudHSM after all? Why hardware is needed (AWSJ, Kameda-san)
     • Integrating AWS IAM with OpenAM to streamline account management (OGIS-RI)
     • Complementing Amazon Inspector: combining Vuls and OWASP Dependency-Check to translate programming-language library vulnerability scan results into Japanese and notify via Slack (Future Architect, Kanbe-san)
     • Deep Dive on AWS Shield (AWSJ, Kiriyama-san)
     • Introducing a WAF on AWS (NEC Solution Innovators)
     • WordPress goes Serverless: secure WordPress operations starting with Shifter (DigitalCube, Koga-san)
  9. Security-JAWS • Main talks so far: the same list as on slide 8 • Thank you to everyone who presented!!
  10. AWS SECURITY DEATH \m/
     (A message from the Security God) Security-JAWS, Ookita Toshiya: Network basics on AWS

  11. About me • Ookita Toshiya (https://ookita.biz/) • Work: network engineer specializing in WAN circuit services, VPN and firewalls • Community activities: • Security-JAWS organizer • JAWS-UG Yokohama chapter organizer • KUSANAGI-UG Tokyo representative
  12. Why talk about networking in a security-focused chapter? • The cloud sits on the far side of the network → the network matters enormously!! • Cloud or not, if you do not understand networking fundamentals you cannot build systems that properly account for security; that is no different from on-premises • At the same time, the cloud has conventions of its own
  13. What I will cover today • Basics of network design on AWS (VPC, security groups, etc.) • Secure connectivity to an AWS VPC (VPN, Direct Connect, carrier services, etc.)

  14. Amazon VPC • A feature that creates a logically isolated cloud environment dedicated to your organization on top of the public cloud • VPC is now the default (it was not always) • A relic of the old days: EC2-Classic
     [Diagram: AWS cloud with Web Server #1 and an RDS DB instance in Availability Zone #1, Web Server #2 and an RDS DB instance standby (Multi-AZ) in Availability Zone #2]
  15. Public subnet / Private subnet
     • Public subnet: a subnet directly reachable from the Internet (public-facing servers can live here and can be bound to an EIP)
     • Private subnet: used for instances that must not be reachable directly from the Internet; outbound Internet traffic (inside → outside) is still possible via a NAT gateway
     [Diagram: VPC with an Internet gateway and a NAT gateway; Public subnet #1 10.0.1.0/24 and Private subnet #1 10.0.2.0/24 in Availability Zone #1; Public subnet #2 10.0.3.0/24 and Private subnet #2 10.0.4.0/24 in Availability Zone #2]
  16. Security groups / Network ACLs
     • Security group: applied to the instance; stateful
     • Network ACL: used for access control at subnet granularity; stateless
     [Diagram: the same VPC layout as on slide 15]
  17. Stateful vs stateless • A very classic topic, but it does not sink in unless it is explained properly.
     Example flow: Source 203.0.113.100:25284 → Destination 198.51.100.100:80
     • If you configure "port 80 / source Any", the return traffic is taken care of for you → stateful. One rule suffices:
       Direction | Protocol | Port | Address | Verdict
       Out→In    | tcp      | 80   | Any     | Allow
     • The client→server rule and the server→client rule must both be written explicitly → stateless:
       Direction | Protocol | Port       | Address | Verdict
       Out→In    | tcp      | 80         | Any     | Allow
       In→Out    | tcp      | 1024-65535 | Any     | Allow
     • The source port of a client behind NAT is chosen at random from the high ports (1024-65535)
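To make the stateful/stateless distinction above concrete, here is an added example (not from the slides) in Python: a minimal evaluator with network-ACL semantics run on the slide's flow, beside a stateful check modelled on security groups. The Rule and Packet layouts, the rule numbers and the packets are my own constructed simplification.

```python
"""Stateless (network ACL) vs stateful (security group) filtering, run on the
flow from the slide: client 203.0.113.100:25284 -> server 198.51.100.100:80."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # ACL rule number; the lowest number is evaluated first
    proto: str      # "tcp", "udp" or "*"
    port_from: int  # destination-port range covered by the rule
    port_to: int
    action: str     # "allow" or "deny"; the remote CIDR is Any in this model

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

REQUEST = Packet("203.0.113.100", 25284, "198.51.100.100", 80)  # constructed
REPLY = Packet("198.51.100.100", 80, "203.0.113.100", 25284)    # its answer

def evaluate(rules, packet):
    """Network ACL semantics: stateless, first matching rule wins, and every
    packet is matched on its own destination port, reply packets included."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto in ("*", packet.proto) and \
                rule.port_from <= packet.dst_port <= rule.port_to:
            return rule.action
    return "deny"  # the implicit final "*" deny rule

def nacl_flow(inbound, outbound):
    """(request decision, reply decision) for a subnet's two ACL rule sets."""
    return evaluate(inbound, REQUEST), evaluate(outbound, REPLY)

def security_group_flow(inbound):
    """Security group semantics: stateful, so an allowed request is tracked
    and its reply passes without any outbound rule being consulted."""
    tracked = set()
    request = evaluate(inbound, REQUEST)
    if request == "allow":
        tracked.add((REQUEST.src_ip, REQUEST.src_port, REQUEST.dst_ip, REQUEST.dst_port))
    reply_key = (REPLY.dst_ip, REPLY.dst_port, REPLY.src_ip, REPLY.src_port)
    return request, ("allow" if reply_key in tracked else "deny")

HTTP_IN = [Rule(100, "tcp", 80, 80, "allow")]
# A NAT'ed client uses a random high port, so the return rule must cover 1024-65535.
EPHEMERAL_OUT = [Rule(100, "tcp", 1024, 65535, "allow")]
```

Mirroring the port-80 rule in the outbound direction does not help, because the reply's destination port is the client's ephemeral port, not 80.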
  18. VPN/Direct Connect • You want to do maintenance on web and DB servers over a private network • When placing internal systems that are not exposed to the Internet on AWS, you want a secure path between your offices and AWS (and, depending on the case, better quality) • When existing internal systems live in a data center and AWS is used as an extension of them
     [Diagram: the same VPC layout as on slide 15]
  19. VPN/Direct Connect • Each VPC subnet is connected to a virtual private gateway • The user either configures a VPN or arranges Direct Connect
     [Diagram: the same VPC layout as on slide 15, plus a virtual private gateway]
  20. VPN • With VPN, AWS provides two VPN endpoints on its side • The user establishes a VPN connection to each of the two endpoints • In other words, two tunnels are required as standard!
     [Diagram: the same VPC layout as on slide 15, plus a virtual private gateway and a Customer Gateway]
  21. VPN • Routing over the VPN connection: choose either (1) static routing, specified explicitly, or (2) dynamic routing via BGP • Information on devices supported for VPN connections is in the FAQ: https://aws.amazon.com/jp/vpc/faqs/
     [Diagram: the same VPC layout as on slide 15, plus a virtual private gateway and a Customer Gateway]
  22. Direct Connect • A dedicated line between the customer site and AWS • Customer premises to the connection point (Equinix TY2) → usually arranged through a carrier • Connection point to AWS → provided by AWS
  23. Direct Connect • Split into a physical connection and a logical connection • Service forms differ by carrier, but broadly there are dedicated and shared offerings

  24. Solution line-ups by carrier • TOKAI Communications: a very complete line-up, with dedicated, shared, managed VPN and more http://www.broadline.ne.jp/aws/ • Colt (formerly KVH): whether you can split into VLANs depends on the bandwidth http://asia.colt.net/ja/services/network/ethernet-services/colt-cloud-connectivity-services/#etherxen-aws
  25. Solution line-ups by carrier • TOKAI Communications

  26. Solution line-ups by carrier • Colt (formerly KVH)

  27. Solution line-ups by carrier • NTT Communications, KDDI, SoftBank: offered as an option of their own inter-site network services; these seem mostly to be the shared type • USEN, NURO, K-Opticom, etc.: carriers that own no Direct Connect equipment themselves and have nothing in their service line-up usually offer it as an option of a managed VPN service
  28. Thank you for listening

  29. About me • Yoshie Shun (@Typhon666_death) • Work: security engineer / consultant / analyst at a certain security company • Community activities: • Security-JAWS organizer • JAWS-UG Loud Rock chapter (unofficial) organizer • OWASP Japan Promotion Team member • AISECjp organizer • Whole Brain Architecture Young Researchers' Society organizer • In the book written by JAWS-UG members in August 2016 I wrote the following: • Glacier • A smart way to use a WAF with VPC peering, and log analysis (PDF edition only)
  30. DDoS • DDoS video (the footage is "from China to USA") https://www.youtube.com/watch?v=1wq6LIjPHkk • DDoS (Distributed Denial of Service): an attack in which a large number of computers spread across multiple networks simultaneously send connection requests to a particular network or computer, flooding its capacity and taking it out of service
  31. DDoS • Types of DDoS: • L3/L4 (Infrastructure) • L7 (Application) • Ways of dealing with DDoS-scale traffic: • DDoS countermeasures (with the conventional approaches you may end up sinking too much money) • Deliberately absorb the DDoS (if the site can afford to go down, leaving it alone is also an option)
  32. The Forrester Wave™: DDoS Services Providers, Q3 2015 • https://www.forrester.com/report/The+Forrester+Wave+DDoS+Services+Providers+Q3+2015/-/E-RES119802
  33. AWS Shield • AWS Shield: released at re:Invent 2016/12 • How to use: enable the Shield option on CloudFront • Architecture: what sits behind Shield can be protected whether it is on AWS or on-premises • Protected resources: CloudFront, ELB, ALB, Route 53 • Monitoring: continuous monitoring to build a baseline and detect anomalies
  34. AWS Shield • Pricing: • Basic: free • Advanced: one-year usage commitment, $3,000 per month plus data transfer fees, DRT included • Billing: you do not pay for the traffic attributable to a DDoS attack (Billing Protection) • DRT (DDoS Response Team): also tunes the WAF and creates WAF rules (with prior approval) • Do not just dump everything on them. • If you already have CloudFront in front, there is no reason not to enable it!
  35. WAF • WAF: a firewall that protects web applications from malicious attacks that legacy firewalls and IDS/IPS cannot stop • Why deploy one: to stop attacks that exploit web application vulnerabilities or lead to data leakage. PCI DSS 6.6 also explicitly mentions deploying a WAF
     Prioritized Approach for achieving PCI DSS compliance (Japanese-language PDF under https://www.pcisecuritystandards.org/documents/)
  36. Apache Struts 2 vulnerability (CVE-2017-5638)(S2-045)
     "Card data for over … ×10,000 customers may have leaked from the Tokyo metropolitan tax payment site" (ITmedia) http://www.itmedia.co.jp/business/articles/…
     "On countermeasures for the Apache Struts 2 vulnerability (CVE-2017-5638)(S2-045)" (IPA) https://www.ipa.go.jp/security/ciadr/vul/…
  37. Apache Struts 2 vulnerability (CVE-2017-5638)(S2-045)
     "Report on unauthorized access and apology for the information leak" (GMO Payment Gateway) https://corp.gmo-pg.com/news/…
     • As soon as IPA published its advisory, they quickly blocked the attack with their WAF and investigated the unauthorized access.
     • The leak itself is a bad story, but as a rapid response it deserves credit
  38. AWS WAF • AWS WAF: a feature newly released in 2015/12 • What AWS WAF can do: custom rules (IP address restrictions, string matching) plus basic web application protections such as SQLi/XSS • Architecture: a managed WAF that plugs into CloudFront, ELB and ALB • Deployment: easy (just attach the WAF feature) • Operation: no need to operate complex rules (put the other way round, it is far too thin; if you want fine-grained settings and tuning, you have to ask the DRT) • Downside: no fine-grained configuration of the WAF itself; rules cannot be written as regular expressions.
  39. Architecture comparison: AWS WAF vs WAF on AWS vs SaaS WAF vs Cloud WAF (note: my personal opinion is mixed in)
     Item                       | (1) AWS WAF | (2) WAF on AWS | (3) SaaS WAF | (4) Cloud WAF | Remarks
     DDoS protection, with CF    | ◎ | ◎ | ◎ | ◎ | (1)(2)(3)(4) Shield looks like pretty much the only choice
     DDoS protection, without CF |   | △ | △ | ◯? | (2)(3) switching over to CloudFront takes some work; (4) no problem if the service includes DDoS protection
     WAF deployment              | ◎/△ | △ | ◯ | ◯ | (1) easy if you already have CF, but without CF you pay the cost of adopting CF; (2) migration planning such as a dedicated WAF VPC; (3)(4) verify normal operation, then switch DNS
     WAF operation               | ◯ | △ | ◎ | ◎ | (3)(4) ◎ in the sense that you can leave it to them
     Cost                        | ◎ | △ | ◯ | ◯ | (2) licences are still expensive
  40. Architecture comparison: AWS WAF vs WAF on AWS vs SaaS WAF vs Cloud WAF (continued)
     Item        | (1) AWS WAF | (2) WAF on AWS | (3) SaaS WAF | (4) Cloud WAF | Remarks
     Performance | ◎ | ◎ | ◯ | ◯ | (2) no problem as long as the WAF scales; (3)(4) seem suited to small-scale traffic
     Security    | △ | ◯ to ◎ | ◯ to ◎ | ◯ to ◎ | (1) not enough; (2)(3)(4) depends on how the WAF itself is rated (next page)
     Overall     | ? | ? | ? | ? | Do it in-house? Outsource? Think it through for yourself
  41. Amazon Web Services: AWS Best Practices for DDoS Resiliency • The material is a little dated, but there is also a Japanese translation of the DDoS whitepaper. Note: WAF sandwich + WAF auto scaling (this is not a countermeasure against EDoS) • A "Super Defense in Depth" architecture: CF (with WAF/Shield) → ELB → IPS → ELB → WAF → ELB → EC2 with content tampering detection • https://d0.awsstatic.com/International/ja_JP/Whitepapers/DDoS%20White%20Paper.pdf
  42. (2016) Gartner: Magic Quadrant for Web Application Firewalls • https://www.gartner.com/doc/reprints?id=1-3BZK2PZ&ct=160720&st=sb

  43. DDoS countermeasures and WAF deployment: what comes after? • Enabling them is not the end; work out your incident response flow. • How do you notice an incident in the first place? • Monitor resources and the like. • Collecting logs is mandatory • If you can, do correlation analysis on the logs (with a SIEM) • "Tactics and strategy for handling DDoS" https://www.slideshare.net/nakatomoorg/ddos-69640523/1 • That deck gives a clear summary of how to prepare for incident response and what you can start doing now.

  44. DDoS countermeasures and WAF deployment: what comes before? • Think about security at the design stage • Let's move away from testing web applications only just before release • Keywords: Security by Design (SbD), DevSecOps • Recently OWASP Japan Chapter leader Okada-san published an article that sums the topic up very well, so please read it: "Why doesn't 'secure development' take hold? The … enemies of DevSecOps" http://www.atmarkit.co.jp/ait/articles/…

  45. In closing • I plan to attend the social afterwards. • Business cards, Eight, Twitter, Facebook, LinkedIn, e-mail enquiries: all fine. • Have a wonderful security life.

  46. Next up: AWS Config...

  47. About me • Morinaga Taishi (@morimoritaitai) • Company: Classmethod, Inc., AWS division • Role: solutions architect • Hobbies: games (all kinds) / drinking (mainly shochu) / cameras • Interests: Security / Ops automation • Favourite services: Config, CloudTrail and the rest of the green-icon family • Holder of 5 AWS certifications
  48. AWS Config

  49. What is AWS Config • A service for configuration management and change management • Takes snapshots of configuration data • Lets you search and browse configuration data and change history • Notifies you when resources are created, changed or deleted • Shows the relationships between AWS resources
  50. AWS resources currently supported • As of 2017/3/11
     Resource type → Resources
     • Amazon Redshift → Cluster, Cluster parameter group, Cluster security group, Cluster snapshot, Cluster subnet group, Event subscription
     • Amazon Relational Database Service (RDS) → RDS DB instance, RDS DB security group, RDS DB snapshot, RDS DB subnet group, Event subscription
     • Amazon Simple Storage Service (S3) → Amazon S3 bucket
     • Amazon Virtual Private Cloud (VPC) → Customer gateway, Internet gateway, Network access control list (ACL), Route table, Subnet, Virtual private cloud (VPC), VPN connection, VPN gateway
     • AWS Certificate Manager → certificate
     • AWS CloudTrail → Trail
     • Amazon Elastic Block Store → Amazon EBS volume
     • Amazon Elastic Compute Cloud (EC2) → EC2 Dedicated hosts, EC2 Elastic IP, EC2 instance, EC2 network interface, EC2 security group
     • Amazon EC2 Systems Manager → Managed instance inventory
     • Elastic Load Balancing (ELB) → Application load balancer
     • AWS Identity and Access Management (IAM) → IAM user, IAM group, IAM role, IAM customer managed policy
  51. AWS resources currently supported • As of 2017/3/11 • (same resource table as on slide 50) • The commonly used services are almost all covered
  52. Use cases

  53. Configuration management of AWS resources • See all your AWS resources in one list • Deleted resources can be traced as well

  54. Audit and compliance • It records when and how things were changed, so it can serve as an audit trail • Also needed to comply with standards such as PCI DSS

  55. Troubleshooting • Misconfiguration is one of the causes of incidents • Related AWS resources can be traced too, which makes troubleshooting easier

  56. AWS resources that easily turn into a tangle can be made "visible" with ease!

  57. But Config only makes settings and setting changes visible, right?

  58. In the end a human still has to judge whether those settings are correct, right?

  59. Rest assured.

  60. There is also a service that checks your settings!

  61. AWS Config Rules

  62. What is AWS Config Rules • Lets you define rules that judge whether the settings recorded by AWS Config are correct • For example: • a security group that is fully open • MFA not configured • an ACM certificate that is about to expire
  63. Kinds of rules • Managed rules • Rules provided by AWS • They cover the common cases • Custom rules • Rules you write yourself, any way you like • The evaluation logic is built with Lambda • Since it is Lambda, you can do a great deal if you put the work in
  64. Managed rules provided
     • Compute: approved-amis-by-id, approved-amis-by-tag, desired-instance-tenancy, desired-instance-type, ebs-optimized-instance, ec2-instance-detailed-monitoring-enabled, ec2-instances-in-vpc, ec2-managedinstance-applications-blacklisted, ec2-managedinstance-applications-required, ec2-managedinstance-inventory-blacklisted, ec2-managedinstance-platform-check, ec2-volume-inuse-check, eip-attached, encrypted-volumes, restricted-common-ports, restricted-ssh
     • Management Tools: cloudtrail-enabled, required-tags
     • Database: db-instance-backup-enabled, dynamodb-throughput-limit-check, rds-multi-az-support, rds-storage-encrypted, redshift-cluster-configuration-check, redshift-cluster-maintenancesettings-check
     • Security, Identity & Compliance: acm-certificate-expiration-check, iam-password-policy, iam-user-group-membership-check, iam-user-no-policies-check, root-account-mfa-enabled
     • Storage: s3-bucket-logging-enabled, s3-bucket-ssl-requests-only, s3-bucket-versioning-enabled
     http://docs.aws.amazon.com/ja_jp/config/latest/developerguide/managed-rules-by-aws-config.html
  65. Custom rules • The evaluation part is written in Lambda • The bar is a little higher because you have to write code yourself
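As an added example of such a Lambda-based custom rule (not from the slides and not from the awslabs/aws-config-rules repository), here is a Python evaluator for the "security group fully open" case from slide 62: it flags a security group whose blocked ports are reachable from 0.0.0.0/0 or ::/0. The event shape and the ipPermissions layout of the configuration item follow the Config custom-rule contract as I understand it; the `blockedPorts` parameter, `DEFAULT_BLOCKED_PORTS` and all sample data are my own constructions.

```python
"""AWS Config custom rule (Lambda) for the 'security group fully open' case:
flags groups whose blocked ports are reachable from 0.0.0.0/0 or ::/0."""
import json

DEFAULT_BLOCKED_PORTS = {22, 3389}  # hypothetical default; override via ruleParameters

def open_world_ports(configuration, blocked_ports):
    """Blocked ports exposed to the world in the recorded ipPermissions
    (layout assumed to follow the Config configuration item of a security group)."""
    hits = set()
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        if perm.get("ipProtocol") == "-1":  # all protocols means every port
            return set(blocked_ports)
        low = perm.get("fromPort") or 0
        high = perm.get("toPort") or 65535
        hits |= {p for p in blocked_ports if low <= p <= high}
    return hits

def evaluate_compliance(configuration_item, rule_parameters):
    """Verdict and annotation for one configuration item, offline-testable."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    raw = rule_parameters.get("blockedPorts")  # e.g. "22,3389"; hypothetical parameter
    blocked = {int(p.strip()) for p in raw.split(",")} if raw else DEFAULT_BLOCKED_PORTS
    hits = open_world_ports(configuration_item.get("configuration") or {}, blocked)
    if hits:
        return "NON_COMPLIANT", "open to the world on ports " + ",".join(map(str, sorted(hits)))
    return "COMPLIANT", "no blocked port exposed to 0.0.0.0/0 or ::/0"

def lambda_handler(event, context):
    """Entry point invoked by Config; reports the verdict back with the resultToken."""
    import boto3  # imported here so the evaluation logic above runs without boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_compliance(item, params)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance, "Annotation": note,
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance
```

The managed rules restricted-ssh and restricted-common-ports from slide 64 cover the same ground; the custom version is where you add organisation-specific ports or exceptions.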

  66. AWS has published custom rules • 34 rules published as of 2017/3 • https://github.com/awslabs/aws-config-rules

  67. Enable AWS Config for visibility, check setting values with Config Rules, and let automation secure your security and governance!

  68. We publish Config-related blog posts: http://dev.classmethod.jp/referencecat/aws-config/

  69. Announcements • That concludes the presentation. • Event announcements are on Doorkeeper (https://s-jaws.doorkeeper.jp/) • Twitter: @security_jaws, hashtag #secjaws