
fnifni
June 14, 2024

BsidesTokyo2024: Introduction of the AWS Security Best Practices Usage Survey Report

These are the slides I presented at BsidesTokyo2024.
They introduce the AWS Security Best Practices Usage Survey Report produced by Security-JAWS to people who are not that familiar with AWS.
The talk also focuses on a comparison with Korea.
The full report can be downloaded here:
AWS Security Best Practices Usage Survey Report (Japanese edition)
AWS Security Best Practices Usage Survey Report (English)
Korean edition of the AWS Security Best Practices Usage Survey Report (Japanese)


Transcript

  1. Introduction of the AWS Security Best Practices Usage Survey Report: I'm going to hit the best practices in the neighborhood. Security-JAWS Management: Hirokazu Yoshida. BSides Tokyo 2024 / 2024.3.30
  2. Today's Speaker Materials
    • I will be speaking in Japanese, but most of what I say is written in the materials, so please enjoy looking at the materials at hand. https://bit.ly/sjaws-bsidestokyo-2024
  3. Who am I!? Hirokazu Yoshida @ CloudNative Inc.
    • Job: Security Engineer & Director
    • Community: Security-JAWS
    • Certification: PIIP
    • Recent work: Data Governance / Privacy / Security
  4. What are: Security-JAWS, the Japan AWS User Group Security Specialty Chapter
    • Community size: 4,207. That is the number of Security-JAWS members (since 2016; 500+ more people than last year).
  5. What are: Objectives of Security-JAWS
    • Security is an important factor in utilizing Amazon Web Services (AWS). The purpose of Security-JAWS is to share information on how specialists in various fields such as attacks, auditing, and authentication are using AWS, to make it even more secure.
  7. What are: Security-JAWS activities
    • 4 regular study sessions a year (the 32nd was held in February 2024)
    • Held irregularly: collaborative study sessions with other JAWS chapters, CTF and hands-on training sessions, a 2-day event (#30 Special Event)
  8. Activities and roadmap for the past year (timeline by quarter; "MM:" is the month)
    • 2023Q1: 02: Security-JAWS#28 with NISC / 02: Release AWS Security Best Practices Usage Survey Report (Japanese) / 03: AWS Security and Risk Management Forum
    • 2023Q2: 04: Release AWS Security Best Practices Usage Survey Report (English) / 05: Security-JAWS#29
    • 2023Q3: 08: two AWS Security Heroes are born from Security-JAWS / 08: Security-JAWS#30 (Security JAWS DAYS "Conference Day" & "CTF Day")
    • 2023Q4: 10: Contribute to AWS Builders Flash / 10: Award Winner "APJ User Group of the Year" at APJ Community Leaders Summit 2023 / 11: Security-JAWS#27 / 12: SecHack365
    • 2024Q1: 02: Security-JAWS#32 / 02: AWS Security Best Practices Usage Survey Report targeting Koreans (Japanese) / 03: mini Security-JAWS Start
    • 2024Q2: 05: Security-JAWS#33
    • 2024Q3~: ??: Secret Collaboration / 08: Security-JAWS#34
  10. Today's Agenda
    • Introduction ~ Report Summary
    • Excerpts from the Japanese survey results
    • Korea-Japan Comparison
    • General Comments and Recommendations
    • FAQ
  12. There are many security best practices available from AWS. However, there is a persistent call for best practices to be shared.
  14. We got a lot of cooperation.
    • Security-JAWS#22 participants
    • OWASP WASNight 2022 Spring
    • JAWS Core Members Slack
    • SNS (X, Facebook, LinkedIn, etc.)
    It is possible that this survey was answered by people who are relatively security-conscious.
  15. Aim of the Question Structure
    • To ensure comprehensiveness, the questions are based on the security best practices for each pillar of the AWS Well-Architected Framework.
    • Survey respondents can expect to gain insight into and understanding of the best practices by answering the questions.
  17. What is the AWS Well-Architected Framework?
    • It provides consistent best practices for evaluating an architecture, and questions to assess how well the architecture adheres to AWS best practices.
    • The pillars of the AWS Well-Architected Framework: Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability
    • Areas of the Security pillar: Identity and access management, Detection, Infrastructure protection, Data protection, Incident response
    https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
  19. Trends in Attributes of Survey Respondents
    • The number of responses, 162, is not an extremely small number for assessing trends and tendencies among AWS users.
    • Note that there is some bias in terms of company size, industry, and role of respondents.
  20. Report Summary
    • Over 130 pages.
    • 30 questions analyzed from multiple perspectives; 20 interesting trends for 16 questions.
    • Security-JAWS recommendations based on the insights gained from the analysis.
  22. About each document
    • FSBP (AWS Foundational Security Best Practices) is a list of controls provided by AWS Security Hub.
    • AWS Security Best Practices is a collection of archived security best practices. It is not wrong to refer to them, but it is recommended to catch up on the latest best practices as well.
    • CAF (AWS Cloud Adoption Framework) outlines a framework for cloud adoption; its details are covered in consulting by AWS.
  25. Report Summary: n = 22 (Security Policy Officer)
    The number of responses is very small and does not provide an accurate picture of the actual status of AWS users as a whole. Note that there are some biases in terms of company size, industry, and roles of respondents.
  26. Chart comparing Korea and Japan on the following items:
    • AWS account is created from AWS Organizations
    • AWS Organizations' Service Control Policy (SCP) prohibits dangerous operations
    • Using predefined rule sets, such as AWS Control Tower guardrail settings and Baseline Environment on AWS
  27. Please select the initiatives for applying "preventive control" in the AWS environment.
    • In Korea, 30% of the organizations responding to the survey create AWS accounts using AWS Organizations, but little control is exercised, by organizations of any size, using Service Control Policy (SCP) or AWS Control Tower. In Japan, the survey was completed by a larger number of organizations.
    • In Japan, half of the organizations that responded to the survey created accounts with AWS Organizations, and about half of those use SCP or AWS Control Tower to control their AWS accounts.
  28. Glossary
    • AWS Organizations provides the ability to manage the AWS accounts used by an organization.
    • Service Control Policy (SCP) provides centralized control over permissions, and the maximum available permissions, for AWS accounts managed in AWS Organizations.
    • AWS Control Tower applies preventive and detective controls (guardrails) to AWS accounts managed in AWS Organizations to ensure that organizations and accounts do not deviate from best practices.
    https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
    https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
    https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-CTower.html
  30. Preventative controls
    • Preventative controls are security controls that are designed to prevent an event from occurring.
    • Objectives:
      Segregation of duties: preventative controls can establish logical boundaries that limit privileges, allowing permissions to perform only specific tasks in designated accounts or environments.
      Access control: preventative controls can consistently grant or deny access to resources and data in the environment.
      Enforcement: preventative controls can help your company adhere to its policies, guidelines, and standards.
    https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/preventative-controls.html
  32. Please select which AWS services you use as "detective controls".
    • In South Korea, organizations are implementing detective controls mainly with AWS CloudTrail logs and Amazon CloudWatch, but usage of services that work simply by enabling them, such as Amazon GuardDuty and AWS Security Hub, was low.
    • In Japan, Amazon GuardDuty was used by 60% of respondents, and AWS Security Hub was used by more than 30% of organizations.
  33. Glossary
    • GuardDuty combines machine learning (ML), anomaly detection, and malicious file discovery, using both AWS and industry-leading third-party sources, to help protect your AWS accounts, workloads, and data.
    • GuardDuty is capable of analyzing tens of billions of events across multiple AWS data sources, including AWS CloudTrail logs, Amazon VPC Flow Logs, DNS query logs, Amazon S3 data events, Amazon Aurora login events, and runtime activity for Amazon EKS, Amazon ECS, and AWS Fargate.
    https://aws.amazon.com/guardduty/features/
  35. Detective controls
    • Detective controls are security controls that are designed to detect, log, and alert after an event has occurred.
    • Objectives:
      Detective controls help you improve security operations processes and quality processes.
      Detective controls help you meet regulatory, legal, or compliance obligations.
      Detective controls provide security operations teams with visibility to respond to security issues, including advanced threats that bypass the preventative controls.
      Detective controls can help you identify the appropriate response to security issues and potential threats.
    https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/detective-controls.html
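The two control types above work together: an SCP (slide 28) is a preventative control that caps what any principal in a member account may do, and one common use is to keep the detective controls (CloudTrail, GuardDuty, Security Hub) from being switched off. The following added example, which is not part of the slides or the report, embeds a constructed deny-list SCP and a simplified evaluator to show that an administrator identity policy cannot override the SCP deny; the policy documents and the `is_allowed` evaluator are assumptions of this example (Resource and Condition elements are ignored).

```python
import fnmatch
import json

# Constructed example SCP (not from the report): keeps the default
# FullAWSAccess allow but forbids the API calls that would disable the
# detective controls discussed in the slides, in every member account.
SCP_PROTECT_DETECTIVE_CONTROLS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyDisablingDetectiveControls", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "guardduty:DeleteDetector", "securityhub:DisableSecurityHub"],
     "Resource": "*"}
  ]
}""")

# Constructed identity (IAM) policies of two principals in a member account.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
AUDITOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudtrail:Describe*", "guardduty:Get*"],
     "Resource": "*"}]}


def _effects_for(policy, action):
    """Effects of every statement whose Action matches `action`
    (IAM action names are case-insensitive; '*' is a wildcard)."""
    effects = []
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            effects.append(stmt["Effect"])
    return effects


def is_allowed(identity_policy, scp, action):
    """Simplified evaluation for a principal in a member account: an explicit
    Deny in either policy wins; otherwise the action needs an Allow from the
    SCP (the maximum-permissions boundary) AND from the identity policy."""
    scp_effects = _effects_for(scp, action)
    iam_effects = _effects_for(identity_policy, action)
    if "Deny" in scp_effects or "Deny" in iam_effects:
        return False
    return "Allow" in scp_effects and "Allow" in iam_effects
```

`is_allowed(ADMIN_POLICY, SCP_PROTECT_DETECTIVE_CONTROLS, "cloudtrail:StopLogging")` returns False even though the identity policy allows everything, while read-only calls such as `cloudtrail:DescribeTrails` still pass.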
  37. General Comments and Recommendations
    • The questionnaire results show that some of the items taken up as best practices have a high implementation rate regardless of business scale or industry.
    • On the other hand, even among items listed as best practices, those considered difficult and those whose method is not widely used generally showed low implementation rates.
  38. General Comments and Recommendations
    • From the perspective of data governance and data management, the following parts were generally weak:
      "Taking data sovereignty", including data disposal, control of cryptographic keys, and identification of critical data.
      "Attack surface reduction" inside EC2.
      Incident response training, etc.
    • These measures are important for managing important data on your own responsibility, so they should be implemented regardless of the scale of your business.
  39. General Comments and Recommendations
    • Korea was significantly less likely to use services like Amazon GuardDuty and AWS Security Hub, which work to some extent just by enabling them.
    • These can detect events and signs of a breach that are difficult to find with AWS CloudTrail and Amazon CloudWatch.
    • We expect that organizational control will be used to roll out these services and improve the security of the AWS environment.
  42. FAQ
    • Q. What was the most difficult thing?
    • A. Since there were 30 questions, it was difficult to increase the number of survey responses. Appealing for responses at the event conveyed our enthusiasm, and we received many responses. On the other hand, simply asking people to spread the word, as we did in Korea, did not increase the number of responses.
  43. FAQ
    • Q. I would like to fill out the survey.
    • A. We would be very happy for you to do so, but the survey is currently closed. We had plans to tabulate it globally, but we are at a standstill because we do not have the means to get enough responses.
  44. FAQ
    • Q. I would like to read the full report.
    • A. Please access the QR code on the next slide! The report of the survey compiled in Korea is available in Japanese only.