Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
自由でセキュアな環境のつくりかた / Building free and secure clo...
Search
Hokuto Hoshi
November 08, 2018
Technology
1
5.1k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
Hokuto Hoshi
November 08, 2018
Tweet
Share
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
kanny
5
4.1k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
kanny
4
2.3k
Connecting organisation with Technology
kanny
0
310
Why Slack - 5 years of Cookpad with Slack
kanny
0
140
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
kanny
7
2.7k
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.3k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.5k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1.1k
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
Other Decks in Technology
See All in Technology
後進育成のしくじり〜任せるスキルとリーダーシップの両立〜
matsu0228
7
2.5k
自動テストのコストと向き合ってみた
qa
0
180
AI Agentと MCP Serverで実現する iOSアプリの 自動テスト作成の効率化
spiderplus_cb
0
500
LLM時代にデータエンジニアの役割はどう変わるか?
ikkimiyazaki
1
570
20250929_QaaS_vol20
mura_shin
0
110
神回のメカニズムと再現方法/Mechanisms and Playbook for Kamikai scrumat2025
moriyuya
4
570
AIAgentの限界を超え、 現場を動かすWorkflowAgentの設計と実践
miyatakoji
0
140
20201008_ファインディ_品質意識を育てる役目は人かAIか___2_.pdf
findy_eventslides
1
460
How to achieve interoperable digital identity across Asian countries
fujie
0
120
Pure Goで体験するWasmの未来
askua
1
180
Why React!?? Next.jsそしてReactを改めてイチから選ぶ
ypresto
10
4.5k
動画データのポテンシャルを引き出す! Databricks と AI活用への奮闘記(現在進行形)
databricksjapan
0
150
Featured
See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
84
9.2k
Into the Great Unknown - MozCon
thekraken
40
2.1k
Become a Pro
speakerdeck
PRO
29
5.5k
Building Adaptive Systems
keathley
43
2.8k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
890
Typedesign – Prime Four
hannesfritz
42
2.8k
Bash Introduction
62gerente
615
210k
Speed Design
sergeychernyshev
32
1.1k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
How to Ace a Technical Interview
jacobian
280
24k
Transcript
ࣗ༝ͰηΩϡΞͳڥͷ ͭ͘Γ͔ͨ Hokuto Hoshi Head of Infrastructure, Cookpad Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ ΠϯϑϥετϥΫνϟʔ෦ ෦
݉ ίʔϙϨʔτΤϯδχΞϦϯά෦ ݉ ࠪҕһձ ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)
https://speakerdeck.com/kanny
None
Ϩγϐ ສ ࠃͷ݄ؒར༻ऀ ສਓ
ରԠݴޠ ݴޠΧࠃ ւ֎ͷ݄ؒར༻ऀ ສਓ
৽͍͠औΓΈ • cookpadTV https://www.cookpad.tv/ • Cookpad DO! https://cookpad.do/ • OiCy
https://oicy.cookpad.com/ • komerco https://komer.co/ • etc…
ΫοΫύουͱΫϥυ • 2011ʹ DC ͔ΒશҠߦ͠ϑϧΫϥυԽ • ଟ͘ͷαʔϏε͕ AWS ͰՔಇ •
Ұ෦ͷαʔϏε Google Firebase ্ͰՔಇ
എܠ • ػೳɺࣄۀͳͲ৽͍͠औΓΈΛՃ͍ͨ͠
࣌ͷ৫ߏ • ࣄۀ෦ + ػೳԣஅ෦ॺ (e.g. Πϯϑϥ෦) • ΠϯϑϥͷཧશͯΠϯϑϥ෦͕ߦ͏ (=
AWS ͷཧશͯΠϯϑϥ෦) • AWS ʹؔ͢ΔϊϋશͯΠϯϑϥ෦ʹू • ηΩϡϦςΟରࡦ΄΅Πϯϑϥ෦͕ओಋ ࣄۀ෦ Πϯϑϥ෦ ࣄۀ෦ ࣄۀ෦
தԝཧͷݶք • ςετ༻ΠϯελϯεϦιʔεΛ࡞Δͷʹ Πϯϑϥ෦Ͱ࡞ۀΛߦ͏ඞཁ͕͋ͬͨ • ηΩϡϦςΟͷϨϏϡʔ • ʮͦͦ AWS ͷྑ͞Λࡴͯ͠ΔͷͰʁʁʁʁʁʁʯ
• αʔϏεͷ҆ఆੑηΩϡϦςΟΛଛͳΘͣʹ࣮ݱ͍ͨ͠
ཧํͷస • ݖݶͱΛ֤։ൃऀʹҠৡ͢Δํʹγϑτ • ཧ͖͢෦Λ͓͑ͯ͞Ҡৡ͍ͯ͘͠
։ൃऀ༻ΞΧϯτ • ։ൃऀͰ͋Ε୭Ͱࣗ༝ʹར༻Ͱ͖Δ AWS ΞΧϯτ • ຊ൪ͷ AWS ΞΧϯτͱ͞Ε͍ͯΔ •
AWS IAM ͷۭؒΛׂ͢Δ͜ͱ͕Ͱ͖Δ • ϩάΠϯ SAML ܦ༝
ݖݶཧ • ඞཁͳαʔϏεͷ Admin ݖݶΛ͘༩ • “ಛఆαʔϏεͷΈڐՄ͠ ͳ͍” ϙϦγʔ \
7FSTJPO 4UBUFNFOU< \ &⒎FDU"MMPX /PU"DUJPO< DMPVEUSBJM DPOpH EJSFDUDPOOFDU SPVUF SPVUFEPNBJOT BXTQPSUBM.PEJGZ"DDPVOU BXTQPSUBM.PEJGZ#JMMJOH BXTQPSUBM.PEJGZ1BZNFOU.FUIPET JBN$SFBUF6TFS FD$SFBUF7QD > 3FTPVSDF ^ > ^
ϩάͷه • CloudTrail, VPC Flow Logs • AWS શମͷ API
ϩά VPC ͷ௨৴ϩάΛهͰ͖Δ • ຊ൪ΞΧϯτͷ S3 όέοτʹอ࣋ • ϩάͷมߋআͰ͖ͳ͘ͳΔ
ϩάͷੳ • Graylog ʹऔΓࠐΈੳͰ͖ΔΑ͏ʹ https://speakerdeck.com/mizutani/ohuisuawshuan-jing-wosekiyuritei-jian-shi-surutamefalserokushou-ji
AWS Config • EC2 ֤छϦιʔεͷมߋཤྺΛهͰ͖Δ
͍ํ • Output ઌΛຊ൪ΞΧϯτ (CloudTrail ͱಉ͡) ʹηοτͯ͠༗ޮԽ • “͜Εมߋͨ͠ͷ୭ͩΖ͏ʁ” Λ୳͢ࡍʹར༻
• ಛఆͷΠϯελϯεηΩϡϦςΟάϧʔϓͳͲʹඥ͚ͮͯ୳ͤΔ ͷͰศར
AWS Config Rules • ઃఆมߋΛτϦΨͱͯ͠ lambda function ͰઃఆΛνΣοΫͰ͖Δ • ηΩϡϦςΟάϧʔϓͷΠϯλʔωοτղ์ͳͲΛνΣοΫ
• Fail ͨ͠߹ Slack ͳͲʹ௨ͤ͞Δ • શαʔϏεରԠͯ͠΄͍͠…
None
awslabs/aws-config-rules • ศརϨϙδτϦ • https://github.com/awslabs/aws-config-rules • Config Rules ʹ͑Δ Lambda
function ͕͍Ζ͍Ζ͋Δ • EBS ҉߸Խ͞Ε͍ͯΔ͔ʁ • IAM Ϣʔβͷ MFA ༗ޮԽʁ • etc…
Amazon GuardDuty • CloudTrail VPC FlowLog Λੳͯ͠Ξϥʔτ • Ξϥʔτͷྫ
• ීஈΘΕͳ͍ IP ͔Βͷ API ίʔϧ • Πϯελϯεͷ௨৴ઌ͕͍ͭͱҧ͏ • Πϯελϯεͷ௨৴ઌ͕ C&C ͬΆ͍αʔό
ΫοΫύουͰͷ͍ํ • Ξϥʔτ GitHub -> PagerDuty ܦ༝Ͱൃใ͠ ηΩϡϦςΟνʔϜ͕ࢹ • ௐࠪੳʹ
CloudTrail Config Λ͏ • ϩά Graylog ʹੵ • ͪΐͬͱաහͳͷ͕࠷ۙͷΈ
ωοτϫʔΫߏ • ౿Έ SSH αʔό͕͋Δ VPC (ຊ൪ΞΧϯτ) ͔Β VPC Peering
ܦ༝ͰଓͰ͖ΔΑ͏ʹ͢Δ • ౿ΈΛू (TOTP FIDO U2F ʹରԠ͍ͯͯ͠ศར) • Name λάΛͬͨਖ਼Ҿ͖ɺٯҾ͖Λఏڙ
https://speakerdeck.com/kanny/machine-learning-ops-at-cookpad
։ൃऀΞΧϯτͷಛ • “Λະવʹ͙” ͜ͱΑΓ “Λ͋ͱ͔ΒͰ͍͍ͷͰݕग़ Ͱ͖Δ” ରࡦʹϑΥʔΧε • ΞΧϯτʹٻΊΒΕΔॊೈੑͳͲ͔Βߟ͑ͨ݁Ռ •
AWS αʔϏεΛׂͱૉʹͬͨߏ • ͜͏͍͏ͱ͜Ζ·ͰͰ͖ΔΑ͏ʹͳͬͨɺͱ͍͑Δ
࣮ࡍͷӡ༻ • ։ൃऀΞΧϯτ͔ΒͷΞϥʔτଟ͘ͳ͍ঢ়گ • ར༻ͷ૯ྔଟ͍ • EC2 ΠϯελϯεΛىಈͯ͠ͷ࣮ݧ • AWS
৽αʔϏεͳͲͷݕূ
·ͱΊ • ηΩϡϦςΟͱࣗ༝͞Λཱ྆ͤͨ͞։ൃڥΛͭ͘Δ • ͍ΘΏΔ “ηΩϡϦςΟଆ” ͕Ͳ͏ߟ͑ΒΕΔ͔ʹΑͬͯ ࣮ݱͰ͖Δࣗ༝͕มΘͬͯ͘Δ • AWS
αʔϏεΛϑϧʹͬͯΈΔ͚ͩͰׂͱ৭ʑͰ͖Δ • ʮ͏ͪͰ͜͏͍͏ײ͡ʯͳͲ͕͋Εڭ͑ͯ΄͍͠Ͱ͢
PR
We’re Hiring!!! • Software Engineer (Security) • Software Engineer (Site
Reliability) • ͦͷଞͷϙδγϣϯ͍Ζ͍Ζ͋Γ·͢ • https://cookpad.jobs/
Q?