Upgrade to Pro — share decks privately, control downloads, hide ads and more …

UnConfig - AWS Configの幻想との戦い#secjaws #secjaws14

Avatar for fnifni fnifni
August 28, 2019
Technology
1k
0

UnConfig - AWS Configの幻想との戦い#secjaws #secjaws14

AWS Config Streamから人為的な変更操作通知を抽出して、利用者情報を付加した内容をSlackに通知する概念実証コードを紹介しています。

Avatar for fnifni

fnifni

August 28, 2019

More Decks by fnifni

See All by fnifni
生成AIのガバナンスの全体像と現実解
Avatar for fnifni fnifni
2
450
生成AIのガバナンスとこれから
Avatar for fnifni fnifni
0
180
AWS re:Inforce 2024 に コミュニティから登壇してきた話
Avatar for fnifni fnifni
0
56
COM224: How organizations are actually applying AWS security best practices
Avatar for fnifni fnifni
0
74
BsidesTokyo2024_AWSセキュリティの ベストプラクティスに関する 利用実態調査のレポートの紹介
Avatar for fnifni fnifni
0
87
re:Inforce2024-recap_英語力ゴミカスでもフル英語登壇を乗り切る成功メソッド
Avatar for fnifni fnifni
0
130
信頼ルールはGoogle Drive共有の孫の手になるか?
Avatar for fnifni fnifni
0
390
ゼロトラスト導入支援ってどんなことやってるの?
Avatar for fnifni fnifni
0
93
ログの話
Avatar for fnifni fnifni
0
75

Other Decks in Technology

See All in Technology
情シスがMCP環境導入時に打ちのめされる認可の崖
Avatar for OpenID Foundation Japan oidfj
0
460
oracle-to-databricks-migration-with-llm-and-dbt
Avatar for case-k-git casek
0
170
freee-mcpを Local→Remote で出してわかった MCP認可実装のリアル
Avatar for てらら terara
3
640
類似画像検索モデルの開発ノウハウ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
4
890
大規模環境でどのように監視を実現する?
Avatar for Yuto Obayashi yuobayashi
1
150
AI時代に求められる思考のパラダイムシフト
Avatar for NRI Netcom nrinetcom
PRO
1
160
Javaコミュニティをもっと楽しむための9箇条
Avatar for Sugiyama Takaaki takasyou
0
180
AI時代の私の技術インプットとアウトプット術
Avatar for tonkotsuboy_com tonkotsuboy_com
12
6.5k
TypeScriptとAngular Signal で実現する保守性の高いアプリケーション設計 - 3層アーキテクチャによる責務分離の実践(たつかわ) https://2026.tskaigi.org/talks/10
Avatar for Nealle nealle
1
360
TSKaigi 2026 - enumよ、さようなら
Avatar for teamLab teamlab
PRO
3
560
ビジュアルプログラミングIoTLT vol.23
Avatar for 1ft-seabass 1ftseabass
PRO
0
130
Kaggle未経験社員をメダリストに育てる「AIドラゴン桜」
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
600

Featured

See All Featured
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
Avatar for r-kagaya rkaga
61
44k
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
1
370
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.5k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.9k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
3.4k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
310
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
230
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.6k

Transcript

  1. UnConfig Until XXX turns into gold. At S-JAWS # 14

    2019.08.28

  2. ͏Μ͜Μ;͙͌ AWS Configͷݬ૝ͱͷઓ͍ S-JAWS # 14 ʹͯ 2019.08.24

  3. Who am I !? (͓લ୭Α?) • Hirokazu YoshidaˏCloud Native Inc.


    Security Engineer • Community
 - Security-JAWS • Favorite AWS Service https://www.fnifni.net/

  4. Attention • ຊηογϣϯ͸ɺݸਓͷݟղʹجͮ͘΋ͷͰ͢ • ॴଐ͢ΔاۀɺஂମͷҙݟΛ୅ද͢Δ΋ͷͰ͸ ͋Γ·ͤΜ

  5. ͱ͍͏Θ͚Ͱ ຊ୊

  6. AWS Config ༗ޮʹ͍ͯ͠·͔͢ʁ

  7. ࠷ߴͰ͢Ͷ

  8. AWS Config ׆༻͍ͯ͠·͔͢ʁ

  9. What is AWS Config ? • AWSϦιʔεͷΠϯϕϯτϦ/ߏ੒؅ཧͷͨΊͷϑϧϚ ωʔδυαʔϏε • AWSϦιʔεͷߏ੒มߋΛϩΪϯά

    • ߏ੒৘ใͷεφοϓγϣοτΛs3อ؅ • ߏ੒มߋͷ௥੻΍ηΩϡϦςΟ෼ੳɺτϥϒϧγϡʔ ςΟϯάɺίϯϓϥΠΞϯε४ڌΛ༰қʹ͢Δ https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-config-2019/

  10. AWS Config Features • Snapshot
 - ͋Δ࣌఺ͰͷConfiguration Itemͷू߹(s3อ؅)
 - Config

    Rulesͷ൑ఆλΠϛϯάͷҰͭ • History
 - ϦιʔελΠϓͷू߹ɻઃఆཤྺΛs3όέοτʹอଘ • Stream
 - Ϧιʔε࡞੒/มߋ/࡟আʹ൐͍࡞੒͞ΕɺSNS΁௨஌Մ https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-config-2019/

  11. ߏ੒؅ཧ/؂ࠪܥͷ੕ ༗ޮʹ͠ͳ͍ख͸ͳ͍

  12. ࠓ೔ͷςʔϚ

  13. AWS Configʹ๊͘ ؁͍ݬ૝ΛͿͬ͜Θ͢ˑ

  14. ͱ͋Δ͓୊ ҆ఆͨ͠AWS؀ڥ͕͋ΔͷͰ มߋΛݕ஌͍ͨ͠ͷͰ͢Α

  15. ๊͘ݬ૝1 StreamΛ௨஌ͯ͠ ϑΟϧλ͢Ε͹͍͍

  16. ๊͘ݬ૝2 SnapShotͷDiffΛऔΕ͹͍͍

  17. What you can learn by doing it • དྷΔͷ͸มߋ௨஌͚ͩͰ͸ͳ͍
 -

    Config SnapShot/Historyͷऔಘ௨஌
 - Config RulesͷධՁ݁Ռ/NOT_APPLICABLE௨஌ • ͢΂ͯͷมߋ௨஌͕དྷΔ
 - AWS͕ߦ͏ૢ࡞΋มߋ͸͢΂ͯ௨஌͞ΕΔ

  18. AWS Changes Example • ELBͷεέʔϧin/out/retirementʹ܎Δॾมߋ
 - NIC࡟আ/࡞੒ɺSecurity GroupͷAttach • ৽ػೳ௥Ճʹ൐͏EC2ͷଐੑ௥Ճ


    - Capacity Reservationͷ௥Ճ • EC2ىಈ࣌ͷManagedInstanceInventory࡞੒

  19. ;͊ͬ ͏Μࠞͬ͜͡ͱΔ΍Μ͚ʂ ͠Όʔͳ͍ɺϑΟϧλ͢Δ͔

  20. an inconvenient fact • ໊݅ͰͷϑΟϧλʹ͸ݶք͕͋Δ • มߋ৘ใ͸ɺϦιʔεຖʹεΩʔϚ͕όϥόϥ
 - Resources໊ΛऔΔͷ΋Ұۤ࿑ •

    ͦ΋ͦ΋ConfigͰऩू͞ΕΔ৘ใʹ͸ɺ
 มߋऀͷ৘ใ͸هࡌ͞Εͳ͍

  21. ͱ͋Δ͓୊ʢ࠶ܝʣ ҆ఆͨ͠AWS؀ڥ͕͋ΔͷͰ (ਓҝతͳ)มߋΛݕ஌͍ͨ͠ ͷͰ͢Α

  22. ͋ɺ٧Μͩʁ

  23. ͍΍ͪΐͬͱ଴ͯ Config Timeline͕͋ͬͨΖ

  24. Config TimeLine

  25. ͜ΕɺͲ͏΍ͬͯΜͶΜ

  26. Ask an Expert (2 minutes) • Configuration ItemͷtimestampͱResources TypeΛΩʔʹɺCloudTrailΛLookupͯ͠ΔΜ Ͱ͢Α

  27. cloudtrail lookup-events • աڈ90೔ͷCloudTrailΠϕϯτΛࢀরͰ͖Δ • ࣌ؒൣғͱ୯ҰଐੑͰߜΓࠐΈ
 AccessKeyId, EventId, EventName, EventSource,

    Username, ReadOnly, ResourceName, ResourceType https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/ userguide/view-cloudtrail-events-cli.html

  28. ΑΖ͍͠ ͳΒ͹࣮૷ͩ

  29. manual-changes-detector-poc

  30. Output

  31. Link Destination

  32. Use Case • ҆ఆͨ͠؀ڥ΁ͷϢʔβʔʹඥͮ͘มߋૢ࡞ Λݕग़͍ͨ͠ • Terraform΍CloudFormationͳͲίʔυͰͷ σϓϩΠΛӡ༻ϧʔϧͱ͍ͯ͠Δ؀ڥͰɺͦ ΕҎ֎ͷϢʔβʔʹΑΔมߋΛݕग़͍ͨ͠

  33. GithubͰެ։͍ͯ͠·͢

  34. Attention • ֓೦࣮ূίʔυͰ͢
 - ຊ൪ϫʔΫϩʔυͰ͸ɺঢ়گʹԠͨ͡վम΍ௐ੔Λ
 ඞཁͱ͠·͢(MIT LicenseͰ͢ɻ͝ར༻͸ܭըతʹ) • ݱ࣌఺ͷ׬੒౓͸60%
 -

    ਵ࣌ߋ৽͠·͢ͷͰஆ͔͘ݟक͍ͬͯͩ͘͞ • Pull Requestେ׻ܴʂ

  35. Summary • Config StreamΛ࢖͑͹”౎߹Α͍͍͘ײ͡ʹ”
 มߋΛ௥͏͜ͱ͕Ͱ͖Δ͸ݬ૝ • “Կ͔͋ͬͨΒ௥͑·͢"͔ΒҰาલ΁ • ࠔͬͨ࣌͸ɺExpertʹฉ͘ͷ΋ख

  36. Thank You !