Hokuto Hoshi
December 20, 2018

re:Invent and AWS Security Hub as Seen by a Security Engineer / Impression of re:Invent and AWS Security Hub

Transcript

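  1. Hokuto Hoshi / @kani_b
     • Cookpad Inc., Head of the Infrastructure Department; concurrently Corporate Engineering Department; concurrently audit assistant to the Audit Committee
     • SRE, security engineer
     • AWS Certified SA, DevOps Engineer (Professional)
     • About 8 years of AWS use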
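  2. Security sessions and workshops
     • A large number, as every year
     • The more advanced the topic, the more of them are about "writing code and building it yourselves"
     • Not just introductions to AWS security services, but building better security systems using AWS services
     • Many engineers attend workshops outside their own field
     • For example, security engineers attending a DynamoDB design workshop
     • The slides and videos are public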
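  3. Security Jam
     • An event where you experience security measures and incident response on AWS
     • It looks fun, but every time it overlaps with GameDay and I have not been able to take part... (a colleague says it was fun)
     • Please hold it in Japan, or schedule it at a different time from GameDay!!!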
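  4. CloudWatch Logs Insights
     • Filtering, aggregation and analysis are now possible on logs in CW Logs
     • Can also handle JSON and similar formats
     • Blazing-fast search thanks to a new backend
     • Several times faster or more, even on large volumes of log data (we actually use it)
     • A strong candidate as storage for system logs, access logs and the like
     • However, check the pricing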
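  5. S3 Object Lock
     • A feature that makes S3 objects impossible to overwrite or delete, for a fixed period or indefinitely
     • In the strongest mode, even the root account cannot delete them
     • Becomes an alternative option to MFA Delete
     • Can be used to retain various kinds of important logs
     • Be careful not to apply it by mistake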
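  6. S3 Glacier enhancements
     • Various things were released along with the rename
     • Direct upload to the S3 Glacier storage class
     • Glacier support in cross-region replication
     • Restore notifications, faster restores
     • S3 Glacier Deep Archive
     • Usable for long-term backup of security-related logs, which tend to pile up
     • At Cookpad we also send data to Glacier with Lifecycle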
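  7. S3 Intelligent Tiering
     • Objects can move automatically between S3 Standard and Standard-IA (infrequent access)
     • Convenient in cases where Athena or similar is used for log search
     • A full scan defeats the purpose, so the use case and the design matter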
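  8. KMS Custom Key Store
     • CloudHSM can now be used as the key store for KMS
     • Possible uses
     • You absolutely need to separate the key store
     • You want to audit keys directly from the CloudHSM side rather than through KMS
     • We have no use for it ourselves...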
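  9. Architecture overview
     [Diagram: the system divided into a log collection part, a log processing part and an alert processing part.
     Components shown: EC2 instances, other products, CloudWatch Logs/Event, GuardDuty, CloudTrail, Kinesis Stream, S3, Lambda, Athena, EC2, Elasticsearch Service, GHE, PagerDuty, Slack.
     Captions: detect log file placement events; log conversion; rule-based alert detection; alert notification; fast, interactive search of short-term logs; search of logs over long periods; alert notification and management; alert investigation.]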
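  10. Overview
     • Collect logs and alerts in various formats into S3
     • Among AWS services, GuardDuty and others are used
     • Normalize the collected logs and alerts and load them into Graylog / S3
     • Alerts that are caught are normalized and filed as issues in GitHub (Enterprise)
     • As much of the initial investigation as possible is done automatically
     • Notifications are also sent to PagerDuty and Slack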
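  11. Alert normalization
     • No normalization is needed for services that are supported
     • Even when you want to write alerts to other systems, putting Security Hub in between lets you share the processing
     • For alerts, it becomes possible to "just push it into Security Hub for now"
     • New security services that appear in the future can be integrated quickly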
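  12. Amazon Security Finding Format
     • Covers more or less all the items likely to be required of a security alert
     • AWS-specific fields such as EC2 instance are also provided
     • At this stage it appears to mainly assume resources inside AWS
     • It would be nice to be able to use it for a somewhat wider variety of resources...
     • See the Security Hub documentation for details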
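  13. Aggregation and visualization
     • Possible to some extent with Insights
     • The result of filtering Findings (Group by and the like are also possible)
     • It would be nice if the graphs could be customized too, though..
     • Also effective for finding resources that look suspicious over the long term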
  14. Automation
     • Events can be sent to CW Events
     • Finding, Insights, Standards
     • Lambda functions and Step Functions can be invoked
     • Log collection and correlation, reputation checks, sample analysis, issuing commands to instances: anything goes
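  15. Other good features
     • Multi-account support
     • It would be nice if Control Tower could enable all security services and sending to Security Hub when a new account is created
     • Security standards checks
     • Under the hood this is a collection of Config Rules (currently only the CIS AWS foundation benchmark)
     • It would be good if custom ones could be created here too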
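  16. Other things I would like to see
     • Updating Findings themselves (adding attributes and so on)
     • I want to attach things like the results of automated investigation (currently text only)
     • Integration with event management tools
     • Or Security Hub itself becoming the management tool
     • Assignee, investigation status, assessment, etc.
     • AWS WAF integration
     • The number of alerts would become quite large, so I would not want them displayed as they are, though...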
  17. PR