
What should you do to secure ECS on Fargate? A developer's perspective / security-for-ecs-on-fargate-secjawsdays

tomoki10
August 26, 2023

These are the slides from my talk at the following event, "Security-JAWS DAYS".
https://s-jaws.doorkeeper.jp/events/155024


Transcript

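 1. Audience and goals
    Who this talk is for
    • People who are considering, or already using, an ECS on Fargate setup
    • People running into the problems from the previous page that tend to come up in practice
    Goals after reading the slides
    • Know which documents to check for container security
    • Know what threats and countermeasures exist in each area, and what the user's responsibilities are
    • Be able to choose, per project (PJ), which risks to address and which to accept, rather than addressing every item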
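 2. AWS documentation on ECS security
    "Amazon ECS Best Practices Guide: Security: Task and container security" ※
    The countermeasures are written clearly, but these are the issues I personally noticed:
    • The countermeasures are not categorized, so at first it is a little hard to tell which area is being discussed (the image itself, the registry, the task)
    • Side effects of applying the countermeasures are not covered, so it may be tough for container beginners (ReadOnly Container, for example)
    • Depending on the place, ECS on EC2 and ECS on Fargate topics are mixed together
    ※ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html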
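 3. Security design to consider for ECS on Fargate
    Understand the container attack surface from the viewpoint of the services the user is using, and design around it.
    As with the AWS shared responsibility model, to make it easier to think about the user's and AWS's areas of responsibility separately, the layers are separated as in the diagram at right, based on the following documents:
    • "NIST Special Publication 800-190: Application Container Security Guide" ※ (hereafter NIST SP800-190)
    • "Threat modeling for ECS Fargate" ※
    General threat modeling is already done in the documents above, so the countermeasures are organized here and those that can be handled within the project are identified.
    ※ https://www.ipa.go.jp/files/….pdf
    ※ https://www.scsk.jp/sp/sysdig/blog/container_security/ecs_fargate.html
    Diagram labels: AWS's area of responsibility; user's area of responsibility; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application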
 4. IAM part
    Diagram labels: ECS, Fargate, ECR, ECS Service/Task etc., Dockerfile, VPC etc.; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application; AWS IAM
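 5. IAM part
    Quoted from NIST SP800-190. The section has no item aimed directly at the cloud, so the related parts are excerpted.
    • Unapproved containers
      • "Organizations should build separate environments for development, test, production and other scenarios, and in each environment apply specific controls that provide role-based access control for activities such as deploying and managing containers."
      • "To provide a clear audit trail of activity, all container creation should be logged in association with an individual user ID."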
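 6. IAM part
    Countermeasures: account separation / audit trails / permission management
    Enable AWS CloudTrail/Config to keep an audit trail and make clear who created each container image.
    Design for containers with the principle of least privilege in mind:
    • ECS Task Execution Role
      • The role used by the ECS container agent, for example when running the ECS task itself and when recording logs through the awslogs log driver
    • ECS Task Role
      • The role the application inside the container uses to access AWS services; it is also used for ECS Exec log recording ※
    • Keep the permissions of the role given to the platform that runs CI/CD to a minimum as well
    ※ "ECS Exec logging is done with the task role, so take care": https://dev.classmethod.jp/articles/ecs-exec-use-task-role-for-logging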
 7. Network part
    Diagram labels: ECS, Fargate, ECR, ECS Service/Task etc., Dockerfile, VPC etc.; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application; AWS IAM
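 8. Network part
    Quoted from NIST SP800-190. The section has no subsection dedicated to the network, so the related parts are excerpted.
    • Unbounded network access from containers
      • "Organizations should control the outbound network traffic (egress network traffic) sent by containers."
      • "Automated determination of proper container networking surfaces, including both inbound ports and process-port bindings."
      • "Detection of network anomalies, such as unexpected traffic flows within the organization's network, port scanning, or outbound access to potentially dangerous destinations."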
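 9. Network part
    Response: design with an awareness of which parts are the same as building infrastructure such as EC2 and which parts are specific to containers.
    Apply the following according to each project's security requirements:
    • Control traffic such as ALB-to-container and container-to-container with security groups
    • As a rule, place containers in a Private Subnet or Isolated Subnet and access them through an ELB
    • If open access to AWS services outside the VPC is not allowed, use VPC Endpoints ※
    • Use GuardDuty to enable threat detection from VPC Flow Logs, DNS logs and similar information
    • Put containers with different security standards in separate VPCs
    • If traffic must always be encrypted in transit, encrypt container-to-container communication
    • To detect outbound communication from containers to potentially dangerous external destinations, also consider security products such as Aqua Security or Sysdig
    ※ The use of VPC Endpoints also needs to be weighed from a cost perspective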
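 10. Network part
    Use AWS security services to detect configuration changes and prevent mistakes
    • AWS Security Hub
      • AWS Foundational Security Best Practices controls / CIS AWS Foundations Benchmark standard
      • [EC2.2] The VPC default Security Group should not allow Inbound/Outbound Traffic
        → As a rule, do not use the default Security Group
      • [EC2.18] Security Groups should only allow unrestricted incoming traffic for authorized ports, etc…
    • Amazon GuardDuty
      • Detects behavior that differs from normal requests from CloudTrail, VPC Flow Logs, DNS logs and so on, and notifies
    Set up the events above to be sent to Slack via Amazon SNS so that they are always noticed.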
 11. Registry part
    Diagram labels: ECS, Fargate, ECR, ECS Service/Task etc., Dockerfile, VPC etc.; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application; AWS IAM
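 12. Registry part
    Quoted from NIST SP800-190
    Insecure connections to registries
    • "Organizations should configure their development tools, orchestrators and container runtimes to connect to registries only over encrypted channels."
    Insufficient authentication and authorization restrictions
    • "All write access to the registry should require authentication."
    Countermeasure: restrict the permissions of users who can access ECR
    Access to ECR is controlled by IAM, so plan the IAM permission controls:
    • When a user pushes an image with the permissions of an IAM role, restrict the repositories it can push to
    • When pushing from a CI/CD environment, likewise restrict the repositories it can push to
    ※ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html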
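 13. Registry part
    Response: delete old images in the registry
    • Use an Amazon ECR lifecycle policy, for example to delete images older than n generations
    • At present, advanced settings such as "protect images in use by Amazon ECS tasks" are not possible
      If an image in use disappears the task can no longer start, so take care. There is also OSS that can handle this ※
    ※ OSS that can be used as a countermeasure against deleting images in use: https://techblog.kayac.com/ecrm-oss

      // Import path assumes AWS CDK v2
      import * as ecr from 'aws-cdk-lib/aws-ecr';

      const repository = new ecr.Repository(this, `${id}-repository`, {
        repositoryName: `sample-repo`,
        imageScanOnPush: true,
        imageTagMutability: ecr.TagMutability.IMMUTABLE,
      });
      repository.addLifecycleRule({ maxImageCount: 5 }); // keep 5 generations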
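The caveat on slide 13, that a count-based lifecycle rule can expire an image a task still runs, can be checked before the rule is applied. This is an added example, not code from the deck; the function names, tags and dates are constructed, and in practice the in-use tags would come from the task definitions of running services.

```typescript
// Added example: the image list and in-use tags are constructed sample data.
interface EcrImage {
  tag: string;
  pushedAt: string; // ISO 8601 push time
}

// Images a "keep the newest N" lifecycle rule would expire: all but the
// N most recently pushed, regardless of whether anything still runs them.
function expiredByCountRule(images: EcrImage[], maxImageCount: number): EcrImage[] {
  const newestFirst = images
    .slice()
    .sort((a, b) => Date.parse(b.pushedAt) - Date.parse(a.pushedAt));
  return newestFirst.slice(maxImageCount);
}

// Tags that would be expired although a task definition still references them.
function inUseButExpired(images: EcrImage[], maxImageCount: number, tagsInUse: string[]): string[] {
  return expiredByCountRule(images, maxImageCount)
    .map((image) => image.tag)
    .filter((tag) => tagsInUse.indexOf(tag) !== -1);
}

// Seven pushes; a rarely redeployed batch task still runs the oldest image.
const sampleImages: EcrImage[] = [
  { tag: "0a11111", pushedAt: "2023-06-01T09:00:00Z" },
  { tag: "0b22222", pushedAt: "2023-06-15T09:00:00Z" },
  { tag: "0c33333", pushedAt: "2023-07-01T09:00:00Z" },
  { tag: "0d44444", pushedAt: "2023-07-15T09:00:00Z" },
  { tag: "0e55555", pushedAt: "2023-08-01T09:00:00Z" },
  { tag: "0f66666", pushedAt: "2023-08-10T09:00:00Z" },
  { tag: "1a77777", pushedAt: "2023-08-20T09:00:00Z" },
];
const sampleTagsInUse = ["1a77777", "0a11111"]; // web service, batch task

const atRisk = inUseButExpired(sampleImages, 5, sampleTagsInUse);
console.log(atRisk);
```

With `maxImageCount: 5` the two oldest images expire, and one of them is the tag the batch task still references.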
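 14. Registry part: problems that arise with immutable tags
    Response: allow only immutable tag names
    Common ways of assigning immutable tag names
    • Use a commit hash from GitHub or similar as the image tag, linking the source and the image
    • Use semantic versioning
      For external distribution, assign version numbers as for a package so that updates are easy to follow
      If you use GitHub Release Tags, matching them makes tracing easier
    Examples of how to assign a commit-hash tag in CI/CD
    • AWS CodeBuild: get the CODEBUILD_RESOLVED_SOURCE_VERSION constant
    • GitHub Actions: get the commit hash from github.sha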

 15. Image part
    Diagram labels: ECS, Fargate, ECR, ECS Service/Task etc., Dockerfile, VPC etc.; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application; AWS IAM
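 16. Image part
    Quoted from NIST SP800-190
    Image vulnerabilities
    • "Traditional vulnerability management tools make many assumptions about host durability and about app update mechanisms and frequencies, and these are fundamentally misaligned with the containerized model. These tools often cannot detect vulnerabilities inside containers and lead to a false sense of safety."
    • "Visibility into vulnerabilities at all layers of the image, not just the base layer but also the application frameworks and custom software the organization uses."
    • "Organizations should create 'quality gates' at each stage of the build and deployment process to ensure that only images that meet the organization's vulnerability and configuration policies are allowed to progress."
    Embedded malware
    • "All images should be continuously monitored for embedded malware."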
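 17. Image part (image scanning)
    Response: use image scanning (Inspector V2 and similar)
    Use an image scanner to deal with vulnerabilities in the image and in installed packages
    What Inspector V2 is (container-related parts only)
    • Automatically scans container images pushed to Amazon ECR
    • Detects the software packages in the image and checks them for vulnerabilities
    • Uses Snyk information as part of its vulnerability DB ※
    • When continuous scanning is configured for all of Amazon ECR, it scans at the following times ※
      • When an image is pushed
      • When Amazon Inspector's internal vulnerability DB is updated
    ※ https://aws.amazon.com/jp/about-aws/whats-new/…/amazon-inspector-continual-vulnerability-management/
    ※ https://docs.aws.amazon.com/inspector/latest/user/enable-disable-scanning-ecr.html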
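 18. Image part (image scanning)
    Inspector V2 scan results can be notified automatically on update with the flow below.
    Notifications to EventBridge are always flowing, so only the EventBridge → SNS → Chatbot flow has to be created.

      // Import paths assume AWS CDK v2; secTopic is an SNS topic defined elsewhere
      import * as cwe from 'aws-cdk-lib/aws-events';
      import * as cwet from 'aws-cdk-lib/aws-events-targets';

      // InspectorV2Findings via SecurityHub
      new cwe.Rule(this, 'InspectorV2ViaSecurityHub', {
        description: 'CloudWatch Event Rule to …',
        enabled: true,
        eventPattern: {
          source: ['aws.securityhub'],
          detailType: ['Security Hub Findings - Imported'],
          detail: {
            findings: {
              ProductName: ['Inspector'],
              Severity: {
                Label: ['CRITICAL', 'HIGH'], // notify for scores of 7.0 and above
              },
            },
          },
        },
        targets: [new cwet.SnsTopic(secTopic)],
      });

    Diagram labels: Amazon Inspector, AWS Security Hub, Amazon EventBridge, Amazon SNS, AWS Chatbot; vulnerability found, event notification, rule match, notification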
 19. Image part (Dockerfile)
    Response: check the Dockerfile for vulnerabilities with dockle, Trivy and similar tools
    Check whether what is written in the Dockerfile itself is secure
    https://aquasecurity.github.io/trivy/v0.29.2/docs/misconfiguration/scanning/
    https://github.com/goodwithtech/dockle
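 20. Image part (Dockerfile)
    Response: store sensitive information in Secrets Manager / SSM Parameter Store
    Diagram labels: Amazon ECR, Code Repo, AWS Secrets Manager, AWS Systems Manager Parameter Store, AWS AppConfig, Image; environment-specific information lookup, credentials lookup, feature-difference lookup, Push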
 21. Container part
    Diagram labels: ECS, Fargate, ECR, ECS Service/Task etc., Dockerfile, VPC etc.; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application; AWS IAM
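 22. Container part
    Quoted from NIST SP800-190 (only the items judged relevant)
    Application vulnerabilities
    • "Containers should be run with their root filesystem in read-only mode."
    • "It should be possible to detect and prevent anomalies at runtime, including events such as the following."
      • Invalid or unexpected process execution
      • Invalid or unexpected system calls
      • Changes to protected configuration files and binaries
      • Writes to unexpected locations and file types
      • Creation of unexpected network listeners
      • Traffic sent to unexpected network destinations
      • Malware storage or execution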
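 23. Container part
    Quoted from NIST SP800-190 (only the items judged relevant)
    Application vulnerabilities
    • "Containers should be run with their root filesystem in read-only mode."
    • "It should be possible to detect and prevent anomalies at runtime, including events such as the following."
      • Invalid or unexpected process execution
      • Invalid or unexpected system calls
      • Changes to protected configuration files and binaries
      • Writes to unexpected locations and file types
      • Creation of unexpected network listeners
        → Managed on the Fargate side ※
      • Traffic sent to unexpected network destinations
        → See the Network part
      • Malware storage or execution
    ※ https://aws.amazon.com/jp/blogs/news/under-the-hood-fargate-data-plane/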
 24. Container part (file writes)
    Amazon ECS Best Practices Guide / Task and container security
    • "Use a read-only root file system"
      • Prohibit writes to the container's root filesystem to prevent the following:
        • An attacker writes malware to the filesystem and runs a malicious process to exfiltrate or tamper with data
    • AWS Security Hub can detect containers where this is not configured
      • [ECS.5] ECS containers should be limited to read-only access to root filesystems ※
    ※ https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-ecs-…

      serviceTaskDefinition
        .addContainer(`${id}-ServiceTaskContainerDefinition`, {
          image,
          // …
          readonlyRootFilesystem: true, // read-only
        })
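 25. Container part (file writes)
    Response: change the root filesystem to read-only
    Points to note when the root filesystem is made read-only
    • Writes by the legitimate OS and processes are also prohibited, so there is a risk of write errors once it is enabled
    • Tools such as ECS Exec normally cannot be used either
    Workarounds
    • Mount some directories to create a limited writable area, and have any feature that really needs to write do so to the mount
      • ECS Exec example: "Using ECS Exec with read-only root file system containers" ※
    • Check the Container Insights dashboard at the task level and confirm with StorageWriteBytes that no writes are occurring before changing to read-only ※
    ※ https://toris.io/…
    ※ More information: "[Security Hub remediation steps] [ECS.5] ECS containers should be limited to read-only access to root filesystems"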
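The settings the deck recommends on slides 14, 20 and 24 to 25 (commit-hash or version tags, secrets kept out of plain environment variables, read-only root filesystem with a writable mount) can be checked together against a task definition before it is deployed. This is an added example, not code from the deck: the field names follow the ECS task definition JSON, while the function names, the secret-name pattern and both sample definitions are constructed for illustration.

```typescript
// Added example: field names follow the ECS task definition JSON;
// the two container definitions below are constructed samples.
interface ContainerDef {
  name: string;
  image: string;
  readonlyRootFilesystem?: boolean;
  environment?: { name: string; value: string }[];
  secrets?: { name: string; valueFrom: string }[];
  mountPoints?: { sourceVolume: string; containerPath: string }[];
}

// Assumption: variable names matching this pattern carry credentials.
const SECRET_NAME = /(PASSWORD|SECRET|TOKEN|API_?KEY)/i;

// A reference counts as pinned when it uses a digest, a semantic version
// or a git commit hash; no tag at all resolves to "latest".
function isPinnedTag(image: string): boolean {
  if (image.indexOf("@sha256:") !== -1) return true;
  const colon = image.indexOf(":", image.lastIndexOf("/") + 1);
  if (colon === -1) return false;
  const tag = image.slice(colon + 1);
  return /^v?\d+\.\d+\.\d+$/.test(tag) || /^[0-9a-f]{7,40}$/.test(tag);
}

function auditContainer(c: ContainerDef): string[] {
  const findings: string[] = [];
  if (c.readonlyRootFilesystem !== true) {
    findings.push(`${c.name}: root filesystem is writable`);
  }
  if (!isPinnedTag(c.image)) {
    findings.push(`${c.name}: image tag is not a commit hash or version`);
  }
  for (const e of c.environment ?? []) {
    if (SECRET_NAME.test(e.name)) {
      findings.push(`${c.name}: ${e.name} is a plaintext environment variable`);
    }
  }
  return findings;
}

const weak: ContainerDef = {
  name: "app",
  image: "111122223333.dkr.ecr.ap-northeast-1.amazonaws.com/sample-repo:latest",
  environment: [{ name: "DB_PASSWORD", value: "constructed-value" }],
};
const hardened: ContainerDef = {
  name: "app",
  image: "111122223333.dkr.ecr.ap-northeast-1.amazonaws.com/sample-repo:3f2a9c1",
  readonlyRootFilesystem: true,
  secrets: [{ name: "DB_PASSWORD", valueFrom: "arn:aws:ssm:ap-northeast-1:111122223333:parameter/sample/db-password" }],
  mountPoints: [{ sourceVolume: "tmp", containerPath: "/tmp" }], // writable area
};
console.log(auditContainer(weak), auditContainer(hardened));
```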
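 26. Container part
    Quoted from NIST SP800-190 (only the items judged relevant)
    Application vulnerabilities
    • "Containers should be run with their root filesystem in read-only mode."
    • "It should be possible to detect and prevent anomalies at runtime, including events such as the following."
      • Invalid or unexpected process execution ※
      • Invalid or unexpected system calls
      • Changes to protected configuration files and binaries
      • Writes to unexpected locations and file types
      • Creation of unexpected network listeners
        → Managed on the Fargate side
      • Traffic sent to unexpected network destinations
        → See the Network part
      • Malware storage or execution
    ※ An example of a ReadOnly container still being compromised through a library vulnerability: https://www.scsk.jp/sp/sysdig/blog/sysdig_secure/…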
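 27. Container part (container runtime)
    Information that mentions or implements ways to monitor system calls on Fargate
    • Example of trying out Falco ①: "Getting started with container security using OSS"; describes the problems of using it with ECS
      https://speakerdeck.com/tobachi/container-security-with-oss-tools?slide=…
    • Sample implementation provided by AWS (published in …)
      https://github.com/aws-samples/aws-fargate-falco-examples
    • Example of trying out Falco ②: "I want to manage audit trails for free on ECS Fargate too"; describes problems such as speed and maintenance
      https://paper.dropbox.com/doc/…
    From before …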
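 28. Summary
    • Introduced the documents needed when considering container security
    • Organized them into the layers to consider for ECS on Fargate
    • Showed the countermeasures needed in each layer in the diagram at right
      • Confirmed the scope of the user's responsibility
      • Confirmed what container runtime security covers
    • Most countermeasures can more or less be implemented with AWS products alone
    • If you need more efficient security operations, or audit trails / dynamic detection inside containers, consider commercial products
    Diagram labels: AWS's area of responsibility; user's area of responsibility; Network, Image, Registry, Container, Orchestrator, Host OS, Container Runtime, Application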
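 29. Appendix: why some NIST SP800-190 items were treated as out of scope
    A list of the items in the NIST SP800-190 chapter that I considered out of scope. Please evaluate them for yourselves as well.
    • Use of untrusted images
      • Building an organization that can guarantee trusted images has to come first. Note that ECS does not yet support image signing ※
    • Orchestrator countermeasures
      • The orchestrator is treated as being within AWS's scope of management
    • Insecure container runtime configurations
      • This item is a concern about access to the host through the use of privileged mode, and ECS on Fargate cannot run in privileged mode, so it is treated as being within AWS's scope of management ※
    • Host OS countermeasures
      • Host OS settings are treated as being within AWS's scope of management
    ※ https://aws.amazon.com/jp/about-aws/whats-new/…/aws-container-image-signing/
    ※ Explanation of the difference between privileged mode and root privileges: "[Security Hub remediation steps] [ECS.4] ECS containers should run as non-privileged"
      https://dev.classmethod.jp/articles/securityhub-fsbp-remediation-ecs-…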
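 30. Appendix: what the name "container runtime" covers
    The term "container runtime" is used frequently, but it follows several patterns and you have to infer from context which one is meant.
    • High-level container runtime (Containerd on Fargate ※)
      • Manages containers and networking on instructions from users or other programs ※
    • Low-level container runtime (runc on Fargate ※)
      • Runs the process that executes the container, isolated from the host ※
    • When it is simply called "container runtime"
      • Either the low-level/high-level container runtimes above, or the process of the container in which the application runs, created by the low-level container runtime
    ※ https://aws.amazon.com/jp/blogs/news/under-the-hood-fargate-data-plane/
    ※ Written with reference to the following book: "Container Security from the Basics: Understanding Container Attack Examples and Countermeasures through Docker"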