ECS on Fargate のセキュリティ対策は何をやるべき？開発者目線で考える/security-for-ecs-on-fargate-secjawsdays

&$4PO'BSHBUFͷηΩϡϦςΟରࡦ͸ԿΛ΍Δ べ ͖ʁ ։ൃऀ໨ઢ で ߟ͑Δ ࠤ౻ஐथ $9ࣄۀຊ෦ΞʔΩςΫτνʔϜ

ࣗݾ঺հ ࠤ౻ஐथ $9ࣄۀຊ෦ΞʔΩςΫτνʔϜϚωʔδϟʔ +"846($%,ࢧ෦ӡӦ झຯɿδϜɺಈըࢹௌʢ7$5ʣ ޷͖ͳ"84αʔϏεɿ-BNCEBɺ$%, !UNL !UPNPLJ

ΞδΣϯμ w ཧ૝తͳঢ়ଶͱΑ͋͘Δ໰୊ w ຊൃදͷର৅ͱࠓճͷ໨తΛ֬ೝ w ੹೚ڞ༗Ϟσϧʹ͍͓ͭͯ͞Β͍ w ίϯςφηΩϡϦςΟपΓʹؔ͢ΔυΩϡϝϯτͷ֬ೝ
w &$4PO'BSHBUF༻ʹϨΠϠʔΛ෼͚ରࡦΛ੔ཧ

࣮͸ ҎԼͷ%FW%BZͰͷൃදͷଓฤͰ͢ɻ։ൃΛ΍ΔͳΒͪ͜Β΋ੋඇʂ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTJEFBMBOESFBMJUZXIFOJNQMFNFOUJOHDJDEGPSFDTPOGBSHBUFXJUIBXTDEL

ཧ૝తͳঢ়ଶͱݱ࣮ʹ͋Γ͕ͪͳ໰୊ ཧ૝తͳঢ়ଶɿνʔϜʹηΩϡϦςΟͷઐ໳Ո͕͓Γɺࢿۚ΋५୔ͰΤϯδχΞ΋ଟ਺ ݱ࣮ʹ͋Γ͕ͪͳ໰୊ɿ w ίϯςφʹৄ͍͠ ηΩϡϦςΟͷઐ໳Ո͕͍ͳ͍ɺԼख͢Ε͹྆ํʜ w ࣗࣾPS͓٬༷ͷηΩϡϦςΟνΣοΫγʔτ͸͋Δ͕Ϋϥ΢υ΍ίϯςφʹద͍ͯ͠ͳ͍ w
"844FDVSJUZ)VCʹΑΔݕ஌͚ͩͩͱ଍Γͳ͍ͷͰ͸ʁ w ۀքతʹ1$*%44΄Ͳͷݫ͍͠ج४Λຬͨ͢ඞཁ͸ͳ͍ w ௐ΂Δͱ,VCFSOFUFTͷ࿩͸݁ߏग़ͯ͘Δ͚Ͳɺ&$4PO'BSHBUFͩͱԿΛ͢΂͖ʁ

ର৅ͱ໨ඪ ຊൃදͷର৅ͱ͢Δํ w &$4PO'BSHBUFͷߏ੒Λݕ౼͍ͯ͠Δ࢖༻͍ͯ͠Δํ w ઌ΄Ͳͷϖʔδͷݱ࣮ʹ͋Γ͕ͪͳ໰୊ʹ౰͍ͨͬͯΔํ ൃදࢿྉΛݟͨޙͷ໨ඪ w ίϯςφηΩϡϦςΟʹؔͯ֬͠ೝ͢΂͖ࢿྉΛ஌Δ
w ֤ྖҬ͝ͱʹͲͷΑ͏ͳڴҖରࡦ͕͋Δ͔ͱϢʔβଆͷ੹຿Λ஌Δ w શͯͷ߲໨΁ରࡦ͢ΔͷͰ͸ͳ͘ͲͷϦεΫΛରࡦ͢Δ͔ϦεΫΛड༰͢Δ͔ 1+ʹԠͯ͡બ୒ग़དྷΔΑ͏ʹͳΔ

੹೚ڞ༗Ϟσϧͷ͓͞Β͍ "84ʹ͸ɺϢʔβଆͱ"84ଆͷηΩϡϦςΟ੹೚ʹؔ͢ΔϞσϧ͕ଘࡏ ʮ"84Ϋϥ΢υηΩϡϦςΟ੹೚ڞ༗ϞσϧʯIUUQTBXTBNB[PODPNKQCMPHTBXTBVUIPSKCBSSQBHF

੹೚ڞ༗Ϟσϧͷ͓͞Β͍ &$4PO&$ͱൺֱͨ͠৔߹ͷ&$4PO'BSHBUFͷ੹೚ڞ༗Ϟσϧ ʮ"NB[PO&MBTUJD$POUBJOFS4FSWJDFͷϕετϓϥΫςΟεΨΠυηΩϡϦςΟ੹೚ڞ༗Ϟσϧʯ   IUUQTEPDTBXTBNB[PODPNKB@KQ"NB[PO&$4MBUFTUCFTUQSBDUJDFTHVJEFTFDVSJUZTIBSFEIUNM

"84ͷ&$4ηΩϡϦςΟʹؔ͢ΔυΩϡϝϯτ ʮ"NB[PO&$4ͷϕετϓϥΫςΟεΨΠυηΩϡϦςΟλεΫͱίϯςφͷηΩϡϦςΟʯ˞ ෼͔Γ΍͘͢ରࡦ͕ॻ͔Ε͍ͯΔ͕   ݸਓతʹࢥͬͨ՝୊ɿ w ରࡦͷ෼ྨ͕ͳ͍ͷͰ࠷ॳͲͷྖҬͷ࿩͔ एׯ෼͔Γʹ͍͘  
Πϝʔδͦͷ΋ͷ ϨδετϦ λεΫ w ηΩϡϦςΟରࡦ࣮ࢪʹΑΔ෭࡞༻ʹ   ৮ΕΒΕ͍ͯͳ͍ͷͰίϯςφॳ৺ऀ͸   ݫ͍͠ʁʢ3FBE0OMZ$POUBJOFSͳͲʣ w ৔ॴʹΑͬͯ&$4PO&$&$4PO 'BSHBUFͷ࿩͕ࠞࡏ ˞IUUQTEPDTBXTBNB[PODPNKB@KQ"NB[PO&$4MBUFTUCFTUQSBDUJDFTHVJEFTFDVSJUZUBTLTDPOUBJOFSTIUNM

"84ͷ&$4ηΩϡϦςΟʹؔ͢ΔυΩϡϝϯτ $POUBJOFS#VJME-FOT ެ։   "848FMM"SDIJUFDUFE'SBNFXPSLͷ؍఺ͰίϯςφΛѻ͏৔߹ͷߟྀ఺͕هࡌ IUUQTEPDTBXTBNB[PODPNKB@KQXFMMBSDIJUFDUFEMBUFTUDPOUBJOFS CVJMEMFOTDPOUBJOFSCVJMEMFOTIUNM ݪจ ཁ໿هࣄ
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTXFMMBSDIJUFDUFE DPOUBJOFSMFOT

&$4PO'BSHBUFͰݕ౼͢ΔηΩϡϦςΟઃܭ Ϣʔβ͕࢖༻͍ͯ͠ΔαʔϏεࢹ఺ͰίϯςφͰͷ ΞλοΫαʔϑΣΠεΛཧղͯ͠ݕ౼ "84ͷ੹೚ڞ༗Ϟσϧͱಉ༷ʹɺϢʔβଆͱ"84 ଆͷ੹೚෦෼Λ෼͚ͯߟ͑΍͘͢͢ΔͨΊɺҎԼͭ ͷࢿྉΛݩʹӈهͷਤͰϨΠϠʔΛ෼཭ ʮ/*454QFDJBM1VCMJDBUJPO   ΞϓϦέʔγϣϯίϯςφηΩϡϦςΟΨΠυʯ˞
  ʢҎ߱/*4541ͱهࡌʣ   ʮ&$4'BSHBUFʹ͓͚ΔڴҖͷϞσϦϯάʯ˞ ҰൠతͳڴҖϞσϦϯά͸্هࢿྉͰ͞Ε͍ͯΔͷ ͰରࡦΛ੔ཧ͠ɺ1+಺ͰରԠՄೳͳ΋ͷΛ֬ೝ ˞IUUQTXXXJQBHPKQGJMFTQEG ˞IUUQTXXXTDTLKQTQTZTEJHCMPHDPOUBJOFS@TFDVSJUZFDT@GBSHBUFIUNM "84ͷ੹೚ྖҬ Ϣʔβͷ੹೚ྖҬ /FUXPSL *NBHF 3FHJTUSZ $POUBJOFS 0SDIFTUSBUPS )PTU04 $POUBJOFS3VOUJNF "QQMJDBUJPO

&$4PO'BSHBUFͰݕ౼͢ΔηΩϡϦςΟઃܭ ઌ΄ͲͷϨΠϠʔʹ"84ͷαʔϏε ΍ઃܭͳͲʹϚοϐϯάͯ͠ΈΔɻ ʢ"QQ෦෼͸&$ͳͲΛ࢖͏৔߹ͱ ಉ͡ରԠ͕ඞཁͳͨΊলུʣ ͦΕͧΕͷαʔϏεઃܭʹରͯ͠ ϢʔβଆͰऔΕΔରࡦΛߟ͑Δɻ &$4 'BSHBUF
&$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF 3FHJTUSZ $POUBJOFS 0SDIFTUSBUPS )PTU04 $POUBJOFS3VOUJNF "QQMJDBUJPO "84 *".

*".෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF
3FHJTUSZ $POUBJOFS 0SDIFTUSBUPS )PTU04 $POUBJOFS3VOUJNF "QQMJDBUJPO "84 *".

*".෦෼ /*4541͔ΒҾ༻   અʹ௚઀Ϋϥ΢υ޲͚ͷ߲͸ͳ͍ͨΊؔ࿈෦෼Λൈਮ w ະঝೝίϯςφ w ʮ૊৫͸ɺ։ൃɺςετɺຊ൪ɺ͓ΑͼͦͷଞͷγφϦΦʹରͯ͠ݸผͷ؀ڥΛߏங͠ɺͦΕ ͧΕͷ؀ڥͰɺίϯςφͷσϓϩΠ͓Αͼ؅ཧͱ͍ͬͨΞΫςΟϏςΟʹର͢Δ໾ׂϕʔεͷΞ
Ϋηε੍ޚΛఏڙ͢ΔͨΊͷ۩ମతͳ੍ޚΛߦ͏͜ͱ͕๬·͍͠ɻʯ w ʮΞΫςΟϏςΟͷ໌֬ͳ؂ࠪূ੻Λఏڙ͢ΔͨΊʹɺ͢΂ͯͷίϯςφ࡞੒͸ɺݸʑͷϢʔ β*%ʹؔ࿈෇͚ͯϩάʹه࿥͢Δ͜ͱ͕๬·͍͠ɻʯ

*".෦෼ ΁ͷରࡦɿΞΧ΢ϯτ෼཭ূ੻ݖݶ؅ཧ "84$MPVE5SBJM$PO fi HΛ༗ޮԽ͠؂ࠪূ੻Λ࢒͠ɺίϯςφΠϝʔδ࡞੒ऀΛ໌֬Խ ίϯςφ্Ͱ࠷খݖݶͷઃܭݪଇΛߟྀͯ͠ઃܭ w &$45BTL&YFDVUJPO3PMF w
&$45BTLࣗମΛ࣮ߦ͢Δࡍ΍BXTMPHTϩάυϥΠόʔΛར༻͢Δϩάͷه࿥ͳͲͰ   &$4ͷίϯςφΤʔδΣϯτ͕ར༻͢Δϩʔϧ w &$45BTL3PMF w ίϯςφͷதͷΞϓϦ͕"84αʔϏε΁ͷΞΫηεʹ࢖༻͢Δϩʔϧ   &$4&YFDͷϩάه࿥Ͱ΋ར༻˞ w $*$%Λ࣮ߦ͢Δج൫ʹ༩͑Δϩʔϧͷݖݶ΋࠷খݶΛҙࣝ ˞ʮ&$4&YFDͷϩάه࿥͸λεΫϩʔϧͰߦΘΕΔͨΊ஫ҙ͠Α͏ʯIUUQTEFWDMBTTNFUIPEKQBSUJDMFTFDTFYFDVTFUBTLSPMFGPSMPHHJOH

/FUXPSL෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

/FUXPSL෦෼ /*4541͔ΒҾ༻   અʹ௚઀/FUXPSLͷઅ͸ͳ͍ͨΊؔ࿈෦෼Λൈਮ w ίϯςφ͔Βͷແ੍ݶωοτϫʔΫΞΫηε w ʮ૊৫͸ɺίϯςφ͕ૹ৴͢Δ֎޲͚ͷωοτϫʔΫτϥϑΟοΫ FHSFTTOFUXPSLUSB
ff i D Λ੍ޚ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮΠϯό΢ϯυϙʔτͱϓϩηεϙʔτͷόΠϯσΟϯάͷ྆ํΛؚΉɺద੾ͳίϯςφωοτ ϫʔΩϯάαʔϑΣεͷࣗಈܾఆɻʯ w ʮ૊৫ͷωοτϫʔΫ಺ͷ༧ظ͠ͳ͍τϥϑΟοΫϑϩʔɺϙʔτεΩϟϯɺ·ͨ͸જࡏతʹة ݥͳѼઌ΁ͷΞ΢τό΢ϯυΞΫηεͳͲͷωοτϫʔΫͷҟৗͷݕ஌ɻʯ

/FUXPSL෦෼ ΁ͷରԠɿ&$ͳͲͷΠϯϑϥߏஙͱಉ༷ͳ෦෼ͱίϯςφಛ༗ͷ෦෼Λೝࣝͯ͠ઃܭ ֤1+͝ͱͷηΩϡϦςΟཁ݅ʹԠͯ͡ҎԼΛ࣮ࢪ w "-#͔ΒίϯςφɺίϯςφؒͳͲ௨৴͸ηΩϡϦςΟάϧʔϓͰ੍ޚ w ίϯςφ͸جຊ1SJWBUF4VCOFU͔*TPMBUFE4VCOFUʹ഑ஔ͠&-#ܦ༝ͰΞΫηε w 71$֎ͷ"84αʔϏε΁ͷΦʔϓϯͳΞΫηεΛڐՄ͠ͳ͍৔߹͸71$&OEQPJOUΛ׆༻˞
w (VBSE%VUZΛ࢖͍71$'MPX-PHT΍%/4ϩά౳ͷ৘ใ͔ΒͷڴҖݕ஌Λ༗ޮԽ w ηΩϡϦςΟج४͕ҟͳΔίϯςφ͸71$Λ෼཭ w ௨৴࣌ৗ࣌҉߸Խ͕ඞཁͰ͋Ε͹ɺίϯςφؒ௨৴Λ҉߸Խ w ίϯςφ͔Β֎෦ͷજࡏతʹةݥͳѼઌ΁ͷΞ΢τό΢ϯυ௨৴Λݕ஌͍ͨ͠৔߹͸   "RVB4FDVSJUZ΍4ZTEJH౳ͷηΩϡϦςΟ੡඼ͷ׆༻΋ݕ౼ ˞ ίετ؍఺Ͱͷ71$&OEQPJOUͷར༻΋ཁݕ౼

/FUXPSL෦෼ "84ͷηΩϡϦςΟؔ࿈αʔϏεͰઃఆมߋݕ஌Λ࣮ࢪ͠ϛεΛ๷ࢭ w "844FDVSJUZ)VC w "84'PVOEBUJPOBM4FDVSJUZ#FTU1SBDUJDFTίϯτϩʔϧ$*4"84'PVOEBUJPOT#FODINBSLඪ४ w <&$>71$ͷσϑΥϧτͷ4FDVSJUZ(SPVQͰ͸*OCPVOE0VUCPVOE5SB ffi
DΛڐՄ͠ͳ͍ඞཁ͕͋Γ·͢   ˠجຊσϑΥϧτͷ4FDVSJUZ(SPVQ͸࢖༻͠ͳ͍ w <&$>4FDVSJUZ(SPVQ͸ڐՄ͞Εͨϙʔτʹରͯ͠ແ੍ݶͷண৴τϥϑΟοΫͷΈΛڐՄ͢Δඞཁ͕͋Γ·͢FUDʜ w "NB[PO(VBSE%VUZ w $MPVE5SBJMɺ71$'MPX-PHTɺ%/4ϩάͳͲ͔Β௨ৗͷϦΫΤετͱҟͳΔಈ͖Λ࡯஌ͯ͠௨஌ ্هͷΠϕϯτΛ"NB[PO4/4ܦ༝Ͱ4MBDLʹ௨஌͠ৗʹؾ෇͘Α͏ʹઃఆ

3FHJTUSZ෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

3FHJTUSZ෦෼ /*4541͔ΒҾ༻ ϨδετϦ΁ͷηΩϡΞͰͳ͍઀ଓ w ʮ૊৫͸ɺ҉߸Խ͞ΕͨνϟωϧͰͷΈϨδετϦʹ઀ଓ͢ΔΑ͏ɺ։ൃπʔϧɺΦʔέετϨʔ λɺ͓ΑͼίϯςφϥϯλΠϜΛઃఆ͢Δͷ͕๬·͍͠ɻʯ ෆे෼ͳೝূɾೝՄ੍ݶ w ʮϨδετϦ΁ͷॻ͖ࠐΈΞΫηε͸͢΂ͯೝূΛඞཁͱ͢Δͷ͕๬·͍͠ɻʯ
΁ͷରࡦɿ&$3΁ΞΫηεͰ͖ΔϢʔβͷݖݶΛ੍ݶ ɹ&$3΁ͷΞΫηε͸*".ʹΑΓ੍ޚ͞Ε͍ͯΔͷͰɺ*".ͷݖݶ੍ޚΛߟྀ w Ϣʔβ͕*".ϩʔϧͷݖݶͰΠϝʔδΛϓογϡ͢Δ৔߹ɺϓογϡઌϦϙδτϦΛ੍ݶ w $*$%؀ڥ͔Βϓογϡ͢Δ৔߹΋ɺϓογϡઌϦϙδτϦΛ੍ݶ ˞IUUQTEPDTBXTBNB[PODPNKB@KQ"NB[PO&$4MBUFTUCFTUQSBDUJDFTHVJEFTFDVSJUZUBTLTDPOUBJOFSTIUNM

3FHJTUSZ෦෼ /*4541͔ΒҾ༻ ϨδετϦ಺ͷݹ͍Πϝʔδ w ʮ΋͏࢖༻͢Δ͜ͱ͕ͳ͍ɺ੬ऑੑ͕͋ͬͯ҆શͰ͸ͳ͍Πϝʔδͷొ࿥Λ࡟আ͢Δ͜ͱʯ w ʮ࢖༻͢ΔΠϝʔδͷݸผͷόʔδϣϯΛಛఆ͢ΔΠϛϡʔλϒϧͳ໊લΛ࢖༻ͯ͠Πϝʔδʹ ΞΫηε͢Δ͜ͱ͕๬·͍͠ɻʯ "NB[PO&$4ͷϕετϓϥΫςΟεΨΠυλεΫͱίϯςφͷηΩϡϦςΟ
w "NB[PO&$3ͰλάͷΠϛϡʔλϏϦςΟΛ༗ޮԽ˞   ߈ܸऀ͕ಉ͡λάͰΠϝʔδͷ৵֐͞ΕͨόʔδϣϯΛQVTI͢Δ͜ͱΛ๷͙   ˞IUUQTEPDTBXTBNB[PODPNKB@KQ"NB[PO&$4MBUFTUCFTUQSBDUJDFTHVJEFTFDVSJUZUBTLTDPOUBJOFSTIUNM

3FHJTUSZ෦෼ ΁ͷରԠɿϨδετϦ಺ͷݹ͍Πϝʔδͷ࡟আ w "NB[PO&$3ͷϥΠϑαΠΫϧϙϦγʔΛ࢖༻͠ɺOੈ୅લͷΠϝʔδ͸࡟আͳͲͰରॲ w ݱঢ়Ͱ͸ʮ"NB[PO&$4ͷλεΫͰ࢖༻தͷΠϝʔδ͸อޢʯͳͲߴ౓ͳઃఆ͸Ͱ͖ͳ͍   ࢖༻தΠϝʔδ͕ফ͑ΔͱλεΫ͕ىಈͰ͖ͳ͘ͳΔͷͰ஫ҙ ରॲͰ͖Δ044΋͋Δ˞
˞࢖༻தΠϝʔδ࡟আͷରࡦͱͯ͠࢖༻Ͱ͖Δ044IUUQTUFDICMPHLBZBDDPNFDSNPTT const repository = new ecr.Repository(this, `${id}-repository`, { repositoryName: `sample-repo`, imageScanOnPush: true, imageTagMutability: ecr.TagMutability.IMMUTABLE, }); repository.addLifecycleRule({ maxImageCount: 5 }); // 5ੈ୅อ࣋

3FHJTUSZ෦෼ɿΠϛϡʔλϒϧλάͰى͖Δ໰୊ ΁ͷରԠɿΠϛϡʔλϒϧͳλά໊ͷΈڐՄ Πϛϡʔλϒϧͳλά໊ͷΑ͋͘Δ෇͚ํ w Πϝʔδλάʹ(JU)VCͳͲͷίϛοτϋογϡΛ࢖༻͠ιʔεͱΠϝʔδΛ࿈ಈ w ηϚϯςΟοΫόʔδϣχϯάΛ࢖༻   ֎෦഑෍ͷ৔߹͸ɺߋ৽Λ෼͔Γ΍͘͢͢ΔͨΊύοέʔδͷΑ͏ʹόʔδϣϯ൪߸Λ෇͚Δ
  (JU)VCͷ3FMFBTF5BHΛ࢖ͬͯΔ৔߹ɺҰகͤ͞ΔͱτϨʔε͠΍͍͢ $*$%ͷதͰίϛοτϋογϡͷλάΛ෇༩͢Δํ๏ͷྫ w "84$PEF#VJMEͷ৔߹ɿ$0%&#6*-%@3&40-7&%@4063$&@7&34*0/ఆ਺Λऔಘ w (JU)VC"DUJPOTͷ৔߹ɿHJUIVCTIBͰίϛοτϋογϡΛऔಘ  

*NBHF෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

*NBHF෦෼ /*4541͔ΒҾ༻ Πϝʔδͷ੬ऑੑ w ʮैདྷͷ੬ऑੑ؅ཧπʔϧ͸ɺϗετͷ଱ٱੑ΍ΞϓϦͷߋ৽ϝΧχζϜ΍ස౓ʹ͍ͭͯଟ͘ͷԾఆΛ͍ͯ͠ Δ͕ɺͦΕΒ͸ίϯςφԽ͞ΕͨϞσϧͱ͸ࠜຊతʹͣΕ͍ͯΔɻ͜ΕΒͷπʔϧ͸ɺίϯςφ಺ͷ੬ऑੑΛ ݕ஌Ͱ͖ͳ͍͜ͱ͕ଟ͘ɺޡͬͨ҆৺ײΛ΋ͨΒ͢ɻʯ w ʮΠϝʔδͷϕʔεϨΠϠ͚ͩͰͳ͘ɺ૊৫͕࢖༻͍ͯ͠ΔΞϓϦέʔγϣϯϑϨʔϜϫʔΫ΍ΧελϜιϑτ
΢ΣΞͳͲɺΠϝʔδͷ͢΂ͯͷϨΠϠʹ͓͚Δ੬ऑੑͷՄࢹੑɻʯ w ʮ૊৫͸ϏϧυͱσϓϩΠͷϓϩηεͷ֤ஈ֊ʹ͓͍ͯʮ඼࣭ήʔτʯΛ࡞੒͠૊৫ͷ੬ऑੑϙϦγʔͱߏ੒ ϙϦγʔΛຬͨ͢ΠϝʔδͷΈ͕ਐߦΛڐՄ͞ΕΔ͜ͱΛ࣮֬ʹ͢Δ͜ͱ͕๬·͍͠ɻʯ ຒΊࠐ·ΕͨϚϧ΢ΣΞ w ʮຒΊࠐ·ΕͨϚϧ΢ΣΞ͕ͳ͍͔ɺ͢΂ͯͷΠϝʔδΛܧଓతʹϞχλϦϯά͢Δ͜ͱ͕๬·͍͠ɻʯ

*NBHF෦෼ʢ*NBHF4DBOฤʣ ΁ͷରԠɿΠϝʔδεΩϟϯʢ*OTQFDUPS7ͳͲʣΛ࢖༻͢Δ Πϝʔδ΍Πϯετʔϧͨ͠ύοέʔδͷ੬ऑੑ΁ରԠ͢ΔͨΊΠϝʔδεΩϟφΛ࢖༻ *OTQFDUPS7ͱ͸ʢίϯςφؔ࿈෦෼ͷΈʣ w "NB[PO&$3ʹQVTI͞ΕͨίϯςφΠϝʔδΛࣗಈతʹεΩϟϯ w Πϝʔδιϑτ΢ΣΞύοέʔδΛݕग़͠੬ऑੑ͕ͳ͍͔֬ೝ
w ੬ऑੑ%#ͷҰ෦ͱͯ͠4OZLͷ৘ใΛ࢖༻˞ w "NB[PO&$3શମͰܧଓεΩϟϯΛઃఆ͢ΔͱҎԼͷλΠϛϯάͰεΩϟϯ˞ w Πϝʔδϓογϡ࣌ w "NB[PO*OTQFDUPS಺෦ͷ੬ऑੑ%#ߋ৽࣌ ˞IUUQTBXTBNB[PODPNKQBCPVUBXTXIBUTOFXBNB[POJOTQFDUPSDPOUJOVBMWVMOFSBCJMJUZNBOBHFNFOU ˞IUUQTEPDTBXTBNB[PODPNJOTQFDUPSMBUFTUVTFSFOBCMFEJTBCMFTDBOOJOHFDSIUNM "NB[PO*OTQFDUPS

*NBHF෦෼ʢ*NBHF4DBOฤʣ *OTQFDUPS7ͷεΩϟϯ݁Ռ͸ɺҎԼͷྲྀΕͰߋ৽࣌ʹࣗಈ௨஌Մೳ   &WFOU#SJEHF΁ͷ௨஌͸ৗʹྲྀΕ͍ͯΔͷͰɺ&WFOU#SJEHFˠ4/4ˠ$IBUCPUͷྲྀΕ͚ͩ࡞੒ // InspectorV2Findings via SecurityHub new
cwe.Rule(this, 'InspectorV2ViaSecurityHub', { description: 'CloudWatch Event Rule to …’, enabled: true, eventPattern: { source: ['aws.securityhub'], detailType: ['Security Hub Findings - Imported'], detail: { findings: { ProductName: ['Inspector'], Severity: { Label: ['CRITICAL', ‘HIGH'], // είΞ7.0Ҏ্͸௨஌ }, }, }, }, targets: [new cwet.SnsTopic(secTopic)], }); "NB[PO *OTQFDUPS "NB[PO 4/4 "84 $IBUCPU "84 4FDVSJUZ)VC "NB[PO &WFOU#SJEHF ੬ऑੑൃݟ Πϕϯτ௨஌ ϧʔϧ߹க ௨஌

*NBHF෦෼ /*4541͔ΒҾ༻ ϥϯλΠϜιϑτ΢ΣΞ಺ͷ੬ऑੑ w ʮίϯςφϥϯλΠϜ͸ɺ੬ऑੑ͕஫ҙਂ͘ϞχλϦϯά͞Εɺ໰୊͕ݕ஌͞Εͨ৔߹ʹ͸ਝ଎ ʹमਖ਼͞Εͳ͚Ε͹ͳΒͳ͍ɻʯ w ʮπʔϧΛ࢖༻ͯ͠ɺσϓϩΠ͞ΕͨϥϯλΠϜͷڞ௨੬ऑੑࣝผࢠʢ$7&ʣͷ੬ऑੑΛ୳͠ɺ ϦεΫͷ͋ΔΠϯελϯεΛΞοϓάϨʔυ͠ɺΦʔέετϨʔλ͕ద੾ʹϝϯςφϯε͞Εͨ
ϥϯλΠϜ΁ͷσϓϩΠͷΈΛڐՄ͢Δ͜ͱΛ࣮֬ͱ͢Δ͜ͱ͕๬·͍͠ɻʯ

*NBHF෦෼ʢ*NBHF4DBO $*$%ʣ ޙ൒΁ͷରԠɿ$*$%ʹΠϝʔδεΩϟϯΛ૊ΈࠐΈɺ$%ܦ༝ͰͷΈσϓϩΠ ։ൃݕূຊ൪؀ڥ͢΂ͯʹεΩϟϯΛઃఆ͠ɺ։ൃ؀ڥͰ੬ऑੑΛఠग़ޙʹ൓ө͠։ൃ؀ڥΛ඼࣭ ήʔτͱͯ͠࢖༻ɻ৽نͰݕ஌͞Εͨ੬ऑੑ͸࣮૷࡞ۀʹ૊ΈࠐΈରॲ ։ൃऀʹ඼࣭ήʔτͷྲྀΕΛڧ੍తʹ४ڌͤ͞Δ৔߹͸ɺ$*$%ʹ5SJWZͳͲΛ૊ࠐΜͰΠϝʔδʹ   ੬ऑੑؚ͕·ΕΔ৔߹$*Λࣦഊͤ͞Δ "NB[PO&$3
։ൃ؀ڥ "NB[PO&$3 ݕূ؀ڥ "NB[PO&$3 ຊ൪؀ڥ 3FQMJDBUJPO 1VTI "84$PEF#VJME Πϝʔδͷ੬ऑੑݕ஌ 03 BOE NPSF 03

*NBHF෦෼ /*4541͔ΒҾ༻ Πϝʔδઃఆͷෆ۩߹ w ʮ૊৫͸ɺηΩϡΞͳઃఆͷϕετϓϥΫςΟε΁ͷ४ڌΛݕূ͓Αͼ࣮ࢪ͢ΔͨΊͷπʔϧͱ ϓϩηεΛ࠾༻͢Δ͜ͱ͕๬·͍͠ɻྫ͑͹ɺΠϝʔδ͸ඇಛݖϢʔβͱ࣮ͯ͠ߦ͞ΕΔΑ͏ઃ ఆ͢Δ͜ͱ͕๬·͍͠ɻʯ ຒΊࠐ·Εͨฏจͷൿີ৘ใ w
ʮൿີ৘ใ͸Πϝʔδͷ֎ʹอଘ͠ɺ࣮ߦ࣌ʹಈతʹఏڙ͞ΕΔͷ͕๬·͍͠ʯ

*NBHF෦෼ʢ%PDLFS fi MFฤʣ ΁ͷରԠɿ%PDLFS fi MFͷ੬ऑੑΛEPDLMF΍5SJWZͳͲͰνΣοΫ %PDLFS fi MFࣗମͷهड़಺༰͕ηΩϡΞʹͳ͍ͬͯΔ͔νΣοΫ
https://aquasecurity.github.io/trivy/v0.29.2/docs/miscon fi guration/scanning/ https://github.com/goodwithtech/dockle

*NBHF෦෼ʢ%PDLFS fi MFฤʣ ΁ͷରԠɿػີ৘ใ͸4FDSFU.BOBHFS44.1BSBNFUFS4UPSFʹอଘ "NB[PO &$3 $PEF 3FQP "844FDSFUT.BOBHFS
"844ZTUFNT.BOBHFS Parameter Store "84 "QQ$POGJH *NBHF ؀ڥݻ༗৘ใࢀর ೝূ৘ใࢀর ػೳࠩҟࢀর 1VTI

$POUBJOFS෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

$POUBJOFS෦෼ w ʮίϯςφ͸ɺϧʔτϑΝΠϧγεςϜΛಡΈऔ Γઐ༻ϞʔυͰ࣮ߦ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮҎԼͷΑ͏ͳΠϕϯτΛؚΉ࣮ߦ࣌ͷҟৗΛݕ ஌͠ɺ๷ࢭͰ͖Δ͜ͱ͕๬·͍͠ɻʯ w ແޮͳɺ·ͨ͸༧ظͤ͵ϓϩηεͷ࣮ߦ
w ແޮͳɺ·ͨ༧ظͤ͵γεςϜίʔϧ w อޢ͞ΕͨઃఆϑΝΠϧͱόΠφϦͷมߋ w ༧ظͤ͵৔ॴ΍ϑΝΠϧλΠϓ΁ͷॻ͖ࠐΈ w ༧ظͤ͵ωοτϫʔΫϦεφʔͷ࡞੒ w ༧ظͤ͵ωοτϫʔΫͷѼઌʹૹ৴͞Εͨτϥ ϑΟοΫ w Ϛϧ΢ΣΞͷอଘ·ͨ͸࣮ߦ /*4541͔ΒҾ༻ʢؔ࿈෦෼ͱ൑அ߲ͨ͠ͷΈʣ ΞϓϦͷ੬ऑੑ

$POUBJOFS෦෼ w ʮίϯςφ͸ɺϧʔτϑΝΠϧγεςϜΛಡΈऔ Γઐ༻ϞʔυͰ࣮ߦ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮҎԼͷΑ͏ͳΠϕϯτΛؚΉ࣮ߦ࣌ͷҟৗΛݕ ஌͠ɺ๷ࢭͰ͖Δ͜ͱ͕๬·͍͠ɻʯ w ແޮͳɺ·ͨ͸༧ظͤ͵ϓϩηεͷ࣮ߦ
w ແޮͳɺ·ͨ༧ظͤ͵γεςϜίʔϧ w อޢ͞ΕͨઃఆϑΝΠϧͱόΠφϦͷมߋ w ༧ظͤ͵৔ॴ΍ϑΝΠϧλΠϓ΁ͷॻ͖ࠐΈ w ༧ظͤ͵ωοτϫʔΫϦεφʔͷ࡞੒   ˠ'BSHBUFଆͰ؅ཧ˞ w ༧ظͤ͵ωοτϫʔΫͷѼઌʹૹ৴͞Εͨτϥ ϑΟοΫ   ˠ/FUXPSL෦෼ࢀর w Ϛϧ΢ΣΞͷอଘ·ͨ͸࣮ߦ /*4541͔ΒҾ༻ʢؔ࿈෦෼ͱ൑அ߲ͨ͠ͷΈʣ ΞϓϦͷ੬ऑੑ ˞IUUQTBXTBNB[PODPNKQCMPHTOFXTVOEFSUIFIPPEGBSHBUFEBUBQMBOF

$POUBJOFS෦෼ʢϑΝΠϧॻ͖ࠐΈʣ "NB[PO&$4ͷϕετϓϥΫςΟεΨΠυλεΫͱίϯςφͷηΩϡϦςΟ w ʮಡΈऔΓઐ༻ͷϧʔτϑΝΠϧγεςϜΛ࢖༻͢Δʯ w ίϯςφͷϧʔτϑΝΠϧγεςϜ΁ͷॻ͖ࠐΈΛېࢭ͠ҎԼΛ๷ࢭ w ߈ܸऀ͕ϑΝΠϧγεςϜ΁Ϛϧ΢ΣΞΛॻ͖ࠐΈɺѱҙͷ͋ΔϓϩηεΛ࣮ߦͯ͠σʔ λͷྲྀग़΍վ͟ΜͳͲΛ࣮ࢪ
w "844FDVSJUZ)VCͰະઃఆͷίϯςφΛݕ஌Մೳ w <&$4>&$4ίϯςφ͸ɺϧʔτϑΝΠϧγεςϜ΁ͷಡΈऔΓઐ༻ΞΫηεʹ੍ݶ͢Δ ඞཁ͕͋Γ·͢˞ ˞IUUQTEPDTBXTBNB[PODPNKB@KQTFDVSJUZIVCMBUFTUVTFSHVJEFTFDVSJUZIVCTUBOEBSETGTCQDPOUSPMTIUNMGTCQFDT serviceTaskDefinition .addContainer(`${id}-ServiceTaskContainerDefinition`, { image, … readonlyRootFilesystem: true, // ಡΈऔΓઐ༻ })

$POUBJOFS෦෼ʢϑΝΠϧॻ͖ࠐΈʣ ΁ͷରԠɿϧʔτϑΝΠϧγεςϜΛಡΈऔΓઐ༻ʹมߋ ϧʔτϑΝΠϧγεςϜΛಡΈऔΓઐ༻ʹͨ͠৔߹ͷ஫ҙ఺ w ਖ਼نͷ04΍ϓϩηεͷॻ͖ࠐΈ΋ېࢭ͞ΕΔͨΊɺ༗ޮԽ࣌ʹॻ͖ࠐΈΤϥʔʹͳΔةݥੑ w &$4&YFDͳͲͷπʔϧ΋௨ৗ͸࢖༻ෆՄ ஫ҙ఺ͷճආࡦ w
Ұ෦ͷσΟϨΫτϦΛϚ΢ϯτͯ͠ݶఆతʹॻ͖ࠐΈڐՄྖҬΛ࡞ΓɺͲ͏ͯ͠΋ॻ͖ࠐΈ͕   ඞཁͳػೳʹ͍ͭͯ͸Ϛ΢ϯτઌʹॻ͖ࠐΉ w &$4&YFDͷྫɿʮ6TJOH&$4&YFDXJUISFBEPOMZSPPU fi MFTZTUFNDPOUBJOFSTʯ˞ w $POUBJOFS*OTJHIUTμογϡϘʔυΛλεΫϨϕϧͰ֬ೝ͠ɺ4UPSBHF8SJUF#ZUFTͰ   ॻ͖ࠐΈ͕ൃੜͯ͠ͳ͍͜ͱΛ֬ೝ͔ͯ͠ΒಡΈऔΓઐ༻ʹมߋ˞ ˞IUUQTUPSJTJPVTJOHFDTFYFDXJUISFBEPOMZSPPU fi MFTZTUFNFOBCMFEDPOUBJOFST ˞ৄ͍͠৘ใɿʲ4FDVSJUZ)VCम෮खॱʳ<&$4>&$4ίϯςφ͸ɺϧʔτϑΝΠϧγεςϜ΁ͷΞΫηεΛಡΈऔΓઐ༻ʹ੍ݶ͢Δඞཁ͕͋Γ·͢

$POUBJOFS෦෼ʢϑΝΠϧॻ͖ࠐΈͷকདྷͷر๬ʣ কདྷతʹ͸"NB[PO(VBSE%VUZͷ.BMXBSF1SPUFDUJPOʹ΋ظ଴ʂʂ   ʢݱࡏ͸"NB[PO&$4PO"84'BSHBUF͸αϙʔτ֎˞ʣ "NB[PO(VBSE%VUZ.BMXBSF1SPUFDUJPOͷػೳ ʮ৵֐͞ΕͨՄೳੑ͕͋Δ"NB[PO&$Πϯελϯε͓ΑͼίϯςφϫʔΫϩʔυʹΞλον   ɹ͞Εͨ&#4ϘϦϡʔϜ্ͷϚϧ΢ΣΞΛεΩϟϯͯ͠ݕग़ʯ কདྷతʹ͸ίϯςφΛ3FBE0OMZԽͯ͠ɺ࠷௿ݶϚ΢ϯτͨ͠Օॴ͚ͩεΩϟϯɻෆ৹ͳಈ࡞Λ
  ݕ஌ͯ͠௨஌΍ରॲ͕Ͱ͖Δͱخ͍͠ "NB[PO(VBSE%VUZ ˞IUUQTEPDTBXTBNB[PODPNKB@KQHVBSEEVUZMBUFTUVHNBMXBSFQSPUFDUJPOIUNM

$POUBJOFS෦෼ w ʮίϯςφ͸ɺϧʔτϑΝΠϧγεςϜΛಡΈऔ Γઐ༻ϞʔυͰ࣮ߦ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮҎԼͷΑ͏ͳΠϕϯτΛؚΉ࣮ߦ࣌ͷҟৗΛݕ ஌͠ɺ๷ࢭͰ͖Δ͜ͱ͕๬·͍͠ɻʯ w ແޮͳɺ·ͨ͸༧ظͤ͵ϓϩηεͷ࣮ߦ˞
w ແޮͳɺ·ͨ༧ظͤ͵γεςϜίʔϧ w อޢ͞ΕͨઃఆϑΝΠϧͱόΠφϦͷมߋ w ༧ظͤ͵৔ॴ΍ϑΝΠϧλΠϓ΁ͷॻ͖ࠐΈ w ༧ظͤ͵ωοτϫʔΫϦεφʔͷ࡞੒   ˠ'BSHBUFଆͰ؅ཧ w ༧ظͤ͵ωοτϫʔΫͷѼઌʹૹ৴͞Εͨτϥ ϑΟοΫ   ˠ/FUXPSL෦෼ࢀর w Ϛϧ΢ΣΞͷอଘ·ͨ͸࣮ߦ /*4541͔ΒҾ༻ʢؔ࿈෦෼ͱ൑அ߲ͨ͠ͷΈʣ ΞϓϦͷ੬ऑੑ ˞3FBE0OMZίϯςφͰ΋ϥΠϒϥϦͷ੬ऑੑʹΑͬͯ৵֐͞ΕΔྫIUUQTXXXTDTLKQTQTZTEJHCMPHTZTEJH@TFDVSFSFBEPOMZIUNM

$POUBJOFS෦෼ʢίϯςφϥϯλΠϜʣ લड़·ͰͷηΩϡϦςΟઃఆΛߦͬͯ΋ɺҎԼͷΑ͏ͳঢ়گ͕ൃੜ͢ΔՄೳੑ͸͋Δ w ΞϓϦέʔγϣϯͷಠ࣮ࣗ૷෦෼ʹؚ·ΕΔ੬ऑੑΛѱ༻ͯ͠༧ظͤ͵ϓϩηεͷ࣮ߦ w θϩσΠ߈ܸͰϥΠϒϥϦͷະ஌ͷ੬ऑੑΛѱ༻͠ɺҙਤͤͣ֎෦΁ػີ৘ใΛૹ৴ γεςϜن໛ʹΑͬͯ͸্ه΁ͷରࡦͷͨΊෆ৹ͳಈ࡞ͷݕ஌΍؂ࠪূ੻Λ࢒͢ඞཁ͕͋Δ৔߹΋ 'BMDPͳͲϥϯλΠϜʹ͓͚ΔಈతͳৼΔ෣͍Λݕ஌͢ΔπʔϧΛݕ౼͢Δ͔ఆظతͳίϯςφͷ  
ఀࢭىಈɺ·ͨ͸঎༻੡඼ 4ZTEJH΍"RVB4FDVSJUZɺ1SJTNB$MPVEͳͲ ͷ࢖༻Λݕ౼   ˠ࠷ۙঢ়گ͕গ͠มΘͬͨ ิ଍ɿ্هରࡦΛߨͯ͡΋ΞϓϦέʔγϣϯϨΠϠ಺Ͱ׬݁͢Δ߈ܸ͸ରࡦෆՄೳͳͷͰɺϖωτ ϨʔγϣϯςετͳͲ͸มΘΒͣʹඞཁ

$POUBJOFS෦෼ʢίϯςφϥϯλΠϜʣ 'BMDPΛ࢖ͬͯΈͨྫᶃ   &$4Ͱ࢖͏৔߹ͷ໰୊఺͕هࡌ "84͕ఏڙ͢Δαϯϓϧ࣮૷   ʢ೥݄ʹެ։ʣ IUUQTTQFBLFSEFDLDPNUPCBDIJ DPOUBJOFSTFDVSJUZXJUIPTTUPPMT
TMJEF ʮOSSͰ࢝ΊΔίϯςφηΩϡϦςΟʯ 'BMDPΛ࢖ͬͯΈͨྫᶄ   ଎౓΍ϝϯςφϯε౳ͷ   ໰୊఺͕هࡌ IUUQTHJUIVCDPNBXTTBNQMFTBXT GBSHBUFGBMDPFYBNQMFT IUUQTQBQFSESPQCPYDPNEPD&$4 'BSHBUF$Z$"V#N0HF#*:RC ʮECS FargateͰ΋ແྉͰূ੻؅ཧ͍ͨ͠ʯ 'BSHBUF্ͰͷγεςϜίʔϧΛ؂ࢹํ๏ʹ͍ͭͯݴٴ࣮૷͍ͯ͠Δ৘ใ ΑΓલͷ࿩

$POUBJOFS෦෼ʢίϯςφϥϯλΠϜʣ "84'BSHBUF্ͷಉ͡&$4λεΫ಺ͷ͢΂ͯͷίϯςφͰϓϩηε*% 1*% ໊લۭؒΛ   ڞ༗Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ʂʢ6QEBUF ࠓճͷػೳͰαΠυΧʔ͔ΒγεςϜίʔϧͷ؂ࢹ΍ϓϩηεͷ؂ࢹɺఀࢭɺ࠶ىಈ͕Ͱ͖ΔΑ͏ʹ ͳΓ·ͨ͠ʂࠓޙ"84͔ηΩϡϦςΟاۀ͔Βূ੻ͷऩू΍ҟৗݕग़ˠఀࢭͷػೳ͕ग़Δ͔΋ʁ
https://aws.amazon.com/jp/blogs/containers/announcing- additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/ https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/

$POUBJOFS෦෼ʢίϯςφϥϯλΠϜ4ZTEJHʣ 4ZTEJH4FDVSFͰγεςϜίʔϧΛར༻ͨ͠ίϯςφ্ͷڴҖݕ஌͕Մೳ Πϝʔδ಺ͷ੬ऑੑͱγεςϜίʔϧΛ෼ੳ͠ɺ࣮ࡍʹ࢖ΘΕ͍ͯΔػೳͷ੬ऑ͚ͩτϦΞʔδ΍   ىಈ࣌ͷίϯςφΠϝʔδʹͳ͔࣮ͬͨߦՄೳϑΝΠϧͷ%-ɺߋ৽ɺมߋͳͲͷݕ஌͕Մೳ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTTZTEJHDPNQPOFOUFDTPOGBSHBUF

$POUBJOFS෦෼ʢίϯςφϥϯλΠϜ4ZTEJHʣ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTTZTEJHDPNQPOFOUFDTPOGBSHBUF 4ZTEJH4FDVSFͰγεςϜίʔϧΛར༻ͨ͠ίϯςφ্ͷڴҖݕ஌͕Մೳ Πϝʔδ಺ͷ੬ऑੑͱγεςϜίʔϧΛ෼ੳ͠ɺ࣮ࡍʹ࢖ΘΕ͍ͯΔػೳͷ੬ऑ͚ͩτϦΞʔδ΍   ىಈ࣌ͷίϯςφΠϝʔδʹͳ͔࣮ͬͨߦՄೳϑΝΠϧͷ%-ɺߋ৽ɺมߋͳͲͷݕ஌͕Մೳ

4QFDJBM5IBOLT🎈 ຊࢿྉ͸ҎԼͷํʑʹϨϏϡʔ͍͖ͨͩ·ͨ͠🎉   w ͔ͨ͘ʹ͞Μʢ$MBTTNFUIPEʣ w ᐩ઒݈ଠ࿠͞Μʢ$MBTTNFUIPEʣ   ͞Βʹ಺༰ྑ͘͢Δ͜ͱ͕ग़དྷ·ͨ͠ʂຊ౰ʹ͋Γ͕ͱ͏͍͟͝·͢🙏

·ͱΊ w ίϯςφηΩϡϦςΟͷݕ౼ʹඞཁͳࢿྉΛ঺հ w ࢿྉ͔Β&$4PO'BSHBUFͰߟྀ͢΂͖ϨΠ ϠʔͰ੔ཧ w ֤ϨΠϠʔͷதͰඞཁͳରࡦΛӈͷਤͰఏࣔ w
Ϣʔβଆͷ੹೚ൣғΛ֬ೝ w ίϯςφϥϯλΠϜηΩϡϦςΟͷର৅ൣғʹ ͍ͭͯ֬ೝ w େ఍ͷରࡦ͸"84੡඼͚ͩͰ΋ҰԠ࣮ࢪՄೳ w ηΩϡϦςΟରࡦͷޮ཰Խ΍ίϯςφ಺ͷ؂ࠪূ ੻ಈతݕ஌͕ඞཁͰ͋Ε͹঎༻੡඼Λݕ౼ "84ͷ੹೚ྖҬ Ϣʔβͷ੹೚ྖҬ /FUXPSL *NBHF 3FHJTUSZ $POUBJOFS 0SDIFTUSBUPS )PTU04 $POUBJOFS3VOUJNF "QQMJDBUJPO

෇࿥ɿ/*4541Ͱର৅֎ͱ߲ͨ͠໨ͷཧ༝ /*4541ͷষͰର৅֎ͱߟ߲͑ͨ໨Ϧετɻ֤ࣗͰ΋͝ݕ౼͍ͩ͘͞ w ৴པͰ͖ͳ͍Πϝʔδͷ࢖༻ w ઌʹ৴པͰ͖ΔΠϝʔδΛอূ͢Δ૊৫࡞Γ͕ඞཁɻͳ͓Πϝʔδॺ໊ʹ&$4͸ະରԠ˞ w ΦʔέετϨʔλͷରࡦ w
ΦʔέετϨʔλ͸"84ଆͷ؅ཧൣғͱ੔ཧ w ηΩϡΞͰͳ͍ίϯςφϥϯλΠϜͷઃఆ w ΑΓຊ߲໨͸ಛݖϞʔυͷར༻ʹΑΔϗετ΁ͷΞΫηεͷݒ೦Ͱ͋Γɺ&$4PO'BSHBUFͰ͸ಛ ݖϞʔυ QSJWJMFHFENPEF ʹͳΕͳ͍ͷͰ"84ଆͷ؅ཧൣғͱ੔ཧ˞ w ϗετ04ͷରࡦ w ϗετ04ଆͷઃఆ͸"84ଆͷ؅ཧൣғͱ੔ཧ ˞IUUQTBXTBNB[PODPNKQBCPVUBXTXIBUTOFXBXTDPOUBJOFSJNBHFTJHOJOH ˞QSJWJMFHFENPEFͱSPPUݖݶͷҧ͍ͷղઆʮʲ4FDVSJUZ)VCम෮खॱʳ<&$4>&$4ίϯςφ͸ɺඇಛݖͱ࣮ͯ͠ߦ͢Δඞཁ͕͋Γ·͢ʯ ɹɹIUUQTEFWDMBTTNFUIPEKQBSUJDMFTTFDVSJUZIVCGTCQSFNFEJBUJPOFDT

෇࿥ɿίϯςφϥϯλΠϜͱ͍͏໊લͷൣғ ίϯςφϥϯλΠϜͱ͍͏ݴ༿͕සൟʹ࢖ΘΕΔ͕ɺ͍͔ͭ͘ύλʔϯ͕͋Γจ຺͔ΒͲΕͷ࿩Λ͠ ͍ͯΔͷ͔ਪଌ͕ඞཁ w ߴϨΠϠʔίϯςφϥϯλΠϜʢ'BSHBUFͳΒ$POUBJOFSE˞ ʣ w Ϣʔβ΍ଞͷϓϩάϥϜͷ໋ྩͰɺίϯςφ΍/8ͷ؅ཧΛ࣮ߦ˞
w ௿ϨΠϠʔίϯςφϥϯλΠϜʢ'BSHBUFͳΒSVOD˞ ʣ w ίϯςφΛ࣮ߦ͢ΔϓϩηεΛɺϗετ͔Β෼཭࣮ͯ͠ߦ˞ w ୯ʹίϯςφϥϯλΠϜͱݺΜͰ͍Δ࣌ w ্هͷ௿ߴϨΠϠʔίϯςφϥϯλΠϜͷ͜ͱɻ΋͘͠͸ɺ௿ϨΠϠʔίϯςφϥϯλΠϜ ͕࡞ͬͨɺΞϓϦ͕ಈ͍͍ͯΔίϯςφͷϓϩηε ˞IUUQTBXTBNB[PODPNKQCMPHTOFXTVOEFSUIFIPPEGBSHBUFEBUBQMBOF ˞ӈهͷॻ੶Λࢀߟʹهࡌʮجૅ͔ΒֶͿίϯςφηΩϡϦςΟ%PDLFSΛ௨ͯ͠ཧղ͢Δίϯςφͷ߈ܸྫͱରࡦʯ

෇࿥ɿίϯςφϥϯλΠϜͱ͍͏໊લͷൣғ ίϯςφϥϯλΠϜ಺ͷϢʔβͷ੹೚ൣғʢ੺࿮෦෼ʣ ˞IUUQTBXTBNB[PODPNKQCMPHTOFXTVOEFSUIFIPPEGBSHBUFEBUBQMBOF ίϯςφϥϯλΠϜηΩϡϦςΟͱ͍ ͏৔߹͸ɺίϯςφͷϓϩηεΛର৅ ͱ͢Δ৔߹͕ଟ͍ʢݸਓͷײ૝ʣ &$4PO'BSHBUFͩͱ$POUBJOFSFE ͱSVOD͸ɺ"84ͷ؅ཧൣғͳͷͰ੺ ࿮෦෼ʹؔ࿈͢ΔՕॴͷΈߟྀ

෇࿥ɿ$POUBJOFS෦෼ʢকདྷͷر๬ʣ 'BSHBUFͷF#1' FYUFOEFE#FSLFMFZ1BDLFU'JMUFS ରԠʹظ଴ʂݱঢ়ϩʔυϚοϓ্ʹ   JTTVF͸্͕͍ͬͯΔ͕3FTFBSDIJOHˠࠓ೥8F`SF8PSLJOH0O*Uʹͳͬͨʂ QUSBDFʹΑΔ଎౓௿Լͷ໰୊˞ͷӨڹΛड͚ͣʹ؂ࢹূ੻؅ཧ͕Ͱ͖Δ੡඼ͷબ୒ࢶ͕૿͑΍͘͢ ͳΔͷͰੋඇ👍Ͱ౤ථ ˞IUUQTXXXTDTLKQTQTZTEJHCMPHDPOUBJOFS@TFDVSJUZBXT@GBSHBUFQUSBDFME@QSFMPBEIUNM
IUUQTHJUIVCDPNBXTDPOUBJOFSTSPBENBQJTTVFT

ECS on Fargate のセキュリティ対策は何をやるべき？開発者目線で考える/security-for-ecs-on-fargate-secjawsdays

ECS on Fargate のセキュリティ対策は何をやるべき？開発者目線で考える/security-for-ecs-on-fargate-secjawsdays

tomoki10

More Decks by tomoki10

Other Decks in Technology

Featured

Transcript

&$4PO'BSHBUFͷηΩϡϦςΟରࡦ͸ԿΛ΍Δ べ ͖ʁ ։ൃऀ໨ઢ で ߟ͑Δ ࠤ౻ஐथ $9ࣄۀຊ෦ΞʔΩςΫτνʔϜ

ࣗݾ঺հ ࠤ౻ஐथ $9ࣄۀຊ෦ΞʔΩςΫτνʔϜϚωʔδϟʔ +"846($%,ࢧ෦ӡӦ झຯɿδϜɺಈըࢹௌʢ7$5ʣ ޷͖ͳ"84αʔϏεɿ-BNCEBɺ$%, !UNL !UPNPLJ

ΞδΣϯμ w ཧ૝తͳঢ়ଶͱΑ͋͘Δ໰୊ w ຊൃදͷର৅ͱࠓճͷ໨తΛ֬ೝ w ੹೚ڞ༗Ϟσϧʹ͍͓ͭͯ͞Β͍ w ίϯςφηΩϡϦςΟपΓʹؔ͢ΔυΩϡϝϯτͷ֬ೝ

࣮͸ ҎԼͷ%FW%BZͰͷൃදͷଓฤͰ͢ɻ։ൃΛ΍ΔͳΒͪ͜Β΋ੋඇʂ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTJEFBMBOESFBMJUZXIFOJNQMFNFOUJOHDJDEGPSFDTPOGBSHBUFXJUIBXTDEL

ର৅ͱ໨ඪ ຊൃදͷର৅ͱ͢Δํ w &$4PO'BSHBUFͷߏ੒Λݕ౼͍ͯ͠Δ࢖༻͍ͯ͠Δํ w ઌ΄Ͳͷϖʔδͷݱ࣮ʹ͋Γ͕ͪͳ໰୊ʹ౰͍ͨͬͯΔํ ൃදࢿྉΛݟͨޙͷ໨ඪ w ίϯςφηΩϡϦςΟʹؔͯ֬͠ೝ͢΂͖ࢿྉΛ஌Δ

੹೚ڞ༗Ϟσϧͷ͓͞Β͍ "84ʹ͸ɺϢʔβଆͱ"84ଆͷηΩϡϦςΟ੹೚ʹؔ͢ΔϞσϧ͕ଘࡏ ʮ"84Ϋϥ΢υηΩϡϦςΟ੹೚ڞ༗ϞσϧʯIUUQTBXTBNB[PODPNKQCMPHTBXTBVUIPSKCBSSQBHF

੹೚ڞ༗Ϟσϧͷ͓͞Β͍ &$4PO&$ͱൺֱͨ͠৔߹ͷ&$4PO'BSHBUFͷ੹೚ڞ༗Ϟσϧ ʮ"NB[PO&MBTUJD$POUBJOFS4FSWJDFͷϕετϓϥΫςΟεΨΠυηΩϡϦςΟ੹೚ڞ༗Ϟσϧʯ   IUUQTEPDTBXTBNB[PODPNKB@KQ"NB[PO&$4MBUFTUCFTUQSBDUJDFTHVJEFTFDVSJUZTIBSFEIUNM

"84ͷ&$4ηΩϡϦςΟʹؔ͢ΔυΩϡϝϯτ ʮ"NB[PO&$4ͷϕετϓϥΫςΟεΨΠυηΩϡϦςΟλεΫͱίϯςφͷηΩϡϦςΟʯ˞ ෼͔Γ΍͘͢ରࡦ͕ॻ͔Ε͍ͯΔ͕   ݸਓతʹࢥͬͨ՝୊ɿ w ରࡦͷ෼ྨ͕ͳ͍ͷͰ࠷ॳͲͷྖҬͷ࿩͔ एׯ෼͔Γʹ͍͘

"84ͷ&$4ηΩϡϦςΟʹؔ͢ΔυΩϡϝϯτ $POUBJOFS#VJME-FOT ެ։   "848FMM"SDIJUFDUFE'SBNFXPSLͷ؍఺ͰίϯςφΛѻ͏৔߹ͷߟྀ఺͕هࡌ IUUQTEPDTBXTBNB[PODPNKB@KQXFMMBSDIJUFDUFEMBUFTUDPOUBJOFS CVJMEMFOTDPOUBJOFSCVJMEMFOTIUNM ݪจ ཁ໿هࣄ

&$4PO'BSHBUFͰݕ౼͢ΔηΩϡϦςΟઃܭ ઌ΄ͲͷϨΠϠʔʹ"84ͷαʔϏε ΍ઃܭͳͲʹϚοϐϯάͯ͠ΈΔɻ ʢ"QQ෦෼͸&$ͳͲΛ࢖͏৔߹ͱ ಉ͡ରԠ͕ඞཁͳͨΊলུʣ ͦΕͧΕͷαʔϏεઃܭʹରͯ͠ ϢʔβଆͰऔΕΔରࡦΛߟ͑Δɻ &$4 'BSHBUF

".෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL NBHF

".෦෼ /4541͔ΒҾ༻   અʹ௚઀Ϋϥ΢υ޲͚ͷ߲͸ͳ͍ͨΊؔ࿈෦෼Λൈਮ w ະঝೝίϯςφ w ʮ૊৫͸ɺ։ൃɺςετɺຊ൪ɺ͓ΑͼͦͷଞͷγφϦΦʹରͯ͠ݸผͷ؀ڥΛߏங͠ɺͦΕ ͧΕͷ؀ڥͰɺίϯςφͷσϓϩΠ͓Αͼ؅ཧͱ͍ͬͨΞΫςΟϏςΟʹର͢Δ໾ׂϕʔεͷΞ

*".෦෼ ΁ͷରࡦɿΞΧ΢ϯτ෼཭ূ੻ݖݶ؅ཧ "84$MPVE5SBJM$PO fi HΛ༗ޮԽ͠؂ࠪূ੻Λ࢒͠ɺίϯςφΠϝʔδ࡞੒ऀΛ໌֬Խ ίϯςφ্Ͱ࠷খݖݶͷઃܭݪଇΛߟྀͯ͠ઃܭ w &$45BTL&YFDVUJPO3PMF w

/FUXPSL෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

/FUXPSL෦෼ /*4541͔ΒҾ༻   અʹ௚઀/FUXPSLͷઅ͸ͳ͍ͨΊؔ࿈෦෼Λൈਮ w ίϯςφ͔Βͷແ੍ݶωοτϫʔΫΞΫηε w ʮ૊৫͸ɺίϯςφ͕ૹ৴͢Δ֎޲͚ͷωοτϫʔΫτϥϑΟοΫ FHSFTTOFUXPSLUSB

/FUXPSL෦෼ "84ͷηΩϡϦςΟؔ࿈αʔϏεͰઃఆมߋݕ஌Λ࣮ࢪ͠ϛεΛ๷ࢭ w "844FDVSJUZ)VC w "84'PVOEBUJPOBM4FDVSJUZ#FTU1SBDUJDFTίϯτϩʔϧ$4"84'PVOEBUJPOT#FODINBSLඪ४ w <&$>71$ͷσϑΥϧτͷ4FDVSJUZ(SPVQͰ͸OCPVOE0VUCPVOE5SB ffi

3FHJTUSZ෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

NBHF෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL NBHF

NBHF෦෼ʢNBHF4DBOฤʣ *OTQFDUPS7ͷεΩϟϯ݁Ռ͸ɺҎԼͷྲྀΕͰߋ৽࣌ʹࣗಈ௨஌Մೳ   &WFOU#SJEHF΁ͷ௨஌͸ৗʹྲྀΕ͍ͯΔͷͰɺ&WFOU#SJEHFˠ4/4ˠ$IBUCPUͷྲྀΕ͚ͩ࡞੒ // InspectorV2Findings via SecurityHub new

*NBHF෦෼ʢ%PDLFS fi MFฤʣ ΁ͷରԠɿ%PDLFS fi MFͷ੬ऑੑΛEPDLMF΍5SJWZͳͲͰνΣοΫ %PDLFS fi MFࣗମͷهड़಺༰͕ηΩϡΞʹͳ͍ͬͯΔ͔νΣοΫ

*NBHF෦෼ʢ%PDLFS fi MFฤʣ ΁ͷରԠɿػີ৘ใ͸4FDSFU.BOBHFS44.1BSBNFUFS4UPSFʹอଘ "NB[PO &$3 $PEF 3FQP "844FDSFUT.BOBHFS

$POUBJOFS෦෼ &$4 'BSHBUF &$3 &$44FSWJDF5BTLͳͲ %PDLFSGJMF 71$ͳͲ /FUXPSL *NBHF

$POUBJOFS෦෼ w ʮίϯςφ͸ɺϧʔτϑΝΠϧγεςϜΛಡΈऔ Γઐ༻ϞʔυͰ࣮ߦ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮҎԼͷΑ͏ͳΠϕϯτΛؚΉ࣮ߦ࣌ͷҟৗΛݕ ஌͠ɺ๷ࢭͰ͖Δ͜ͱ͕๬·͍͠ɻʯ w ແޮͳɺ·ͨ͸༧ظͤ͵ϓϩηεͷ࣮ߦ

$POUBJOFS෦෼ w ʮίϯςφ͸ɺϧʔτϑΝΠϧγεςϜΛಡΈऔ Γઐ༻ϞʔυͰ࣮ߦ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮҎԼͷΑ͏ͳΠϕϯτΛؚΉ࣮ߦ࣌ͷҟৗΛݕ ஌͠ɺ๷ࢭͰ͖Δ͜ͱ͕๬·͍͠ɻʯ w ແޮͳɺ·ͨ͸༧ظͤ͵ϓϩηεͷ࣮ߦ

$POUBJOFS෦෼ w ʮίϯςφ͸ɺϧʔτϑΝΠϧγεςϜΛಡΈऔ Γઐ༻ϞʔυͰ࣮ߦ͢Δ͜ͱ͕๬·͍͠ɻʯ w ʮҎԼͷΑ͏ͳΠϕϯτΛؚΉ࣮ߦ࣌ͷҟৗΛݕ ஌͠ɺ๷ࢭͰ͖Δ͜ͱ͕๬·͍͠ɻʯ w ແޮͳɺ·ͨ͸༧ظͤ͵ϓϩηεͷ࣮ߦ˞

$POUBJOFS෦෼ʢίϯςφϥϯλΠϜʣ 'BMDPΛ࢖ͬͯΈͨྫᶃ   &$4Ͱ࢖͏৔߹ͷ໰୊఺͕هࡌ "84͕ఏڙ͢Δαϯϓϧ࣮૷   ʢ೥݄ʹެ։ʣ IUUQTTQFBLFSEFDLDPNUPCBDIJ DPOUBJOFSTFDVSJUZXJUIPTTUPPMT

4QFDJBM5IBOLT🎈 ຊࢿྉ͸ҎԼͷํʑʹϨϏϡʔ͍͖ͨͩ·ͨ͠🎉   w ͔ͨ͘ʹ͞Μʢ$MBTTNFUIPEʣ w ᐩ઒݈ଠ࿠͞Μʢ$MBTTNFUIPEʣ   ͞Βʹ಺༰ྑ͘͢Δ͜ͱ͕ग़དྷ·ͨ͠ʂຊ౰ʹ͋Γ͕ͱ͏͍͟͝·͢🙏

·ͱΊ w ίϯςφηΩϡϦςΟͷݕ౼ʹඞཁͳࢿྉΛ঺հ w ࢿྉ͔Β&$4PO'BSHBUFͰߟྀ͢΂͖ϨΠ ϠʔͰ੔ཧ w ֤ϨΠϠʔͷதͰඞཁͳରࡦΛӈͷਤͰఏࣔ w

෇࿥ɿ/4541Ͱର৅֎ͱ߲ͨ͠໨ͷཧ༝ /4541ͷষͰର৅֎ͱߟ߲͑ͨ໨Ϧετɻ֤ࣗͰ΋͝ݕ౼͍ͩ͘͞ w ৴པͰ͖ͳ͍Πϝʔδͷ࢖༻ w ઌʹ৴པͰ͖ΔΠϝʔδΛอূ͢Δ૊৫࡞Γ͕ඞཁɻͳ͓Πϝʔδॺ໊ʹ&$4͸ະରԠ˞ w ΦʔέετϨʔλͷରࡦ w

෇࿥ɿίϯςφϥϯλΠϜͱ͍͏໊લͷൣғ ίϯςφϥϯλΠϜͱ͍͏ݴ༿͕සൟʹ࢖ΘΕΔ͕ɺ͍͔ͭ͘ύλʔϯ͕͋Γจ຺͔ΒͲΕͷ࿩Λ͠ ͍ͯΔͷ͔ਪଌ͕ඞཁ w ߴϨΠϠʔίϯςφϥϯλΠϜʢ'BSHBUFͳΒ$POUBJOFSE˞ ʣ w Ϣʔβ΍ଞͷϓϩάϥϜͷ໋ྩͰɺίϯςφ΍/8ͷ؅ཧΛ࣮ߦ˞