Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
セキュリティ担当者から見た re:Invent と AWS Security Hub / Im...
Search
Hokuto Hoshi
December 20, 2018
Technology
4.3k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
Hokuto Hoshi
December 20, 2018
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
AIとともに歩む情報セキュリティ / Information Security with AI
kanny
5
4.9k
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
kanny
5
4.9k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
kanny
4
2.7k
Connecting organisation with Technology
kanny
0
380
Why Slack - 5 years of Cookpad with Slack
kanny
0
190
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
kanny
7
2.8k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
5.3k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.6k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1.1k
Other Decks in Technology
See All in Technology
グローバルチームと挑むプロダクト開発
sansantech
PRO
1
140
Text-to-SQLをAgentCoreで実現し、生成されるSQLの精度を定量的に評価する
yakumo
2
400
作る力から、見極める力へ — AI時代に広がるエンジニアの価値と役割
rince
0
390
AWS Summit Japan 2026の振り返りと2027へ向けて / AWS Summit Japan 2026 Recap and Prospects for 2027
kaminashi
1
180
組織における AI-DLC 実践
askul
0
290
本当の”仕事”を手放せる未来が見えた
mu7889yoon
0
210
AI Agentをシステムに組み込む前にゆるく向き合ってみる
hayama17
0
190
“全部コピーしない”ファイルデータの活用 : — FSx for ONTAP × S3 Tables × Icebergで作るメタデータカタログ
yoshiki0705
0
270
ループエンジニアリングでE2Eテストを実践
noriyukitakei
0
200
Terraform 101 (初心者向け) 資料
shuadachi
0
160
Why is RC4 still being used?
tamaiyutaro
0
270
SRE歴2ヶ月でも開発6年の知見を活かして、チームで止まっていた環境改善を前に進めた話
a_ono
0
170
Featured
See All Featured
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.3k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
450
The Cult of Friendly URLs
andyhume
79
6.9k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
1
1.3k
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
220
エンジニアに許された特別な時間の終わり
watany
107
250k
First, design no harm
axbom
PRO
2
1.2k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
350
Mind Mapping
helmedeiros
PRO
1
270
The Invisible Side of Design
smashingmag
301
52k
A designer walks into a library…
pauljervisheath
211
24k
Transcript
ηΩϡϦςΟ୲ऀ͔Βݟͨ re:Invent ͱ AWS Security Hub Hokuto Hoshi Head of
Infrastructure, Cookpad Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ ΠϯϑϥετϥΫνϟʔ෦ ෦
݉ ίʔϙϨʔτΤϯδχΞϦϯά෦ ݉ ࠪҕһձ ࠪิॿऀ • SRE, ηΩϡϦςΟΤϯδχΞ • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • AWS ར༻ྺ8͘Β͍
https://kanny.me/
ΠϯϑϥετϥΫνϟʔ෦ • શαʔϏε͕ར༻͢ΔΠϯϑϥڥͮ͘Γ • SRE (Site Reliability Engineering) άϧʔϓ •
σʔλج൫άϧʔϓ • ηΩϡϦςΟάϧʔϓ
ηΩϡϦςΟάϧʔϓ • 3໊ • αʔϏεࣾγεςϜͳͲձࣾʹ͓͚Δ͋ΒΏΔใηΩϡϦ ςΟରࡦͦͷӡ༻ʹैࣄ • γεςϜͷઃܭߏஙɺ࣮ࡍͷӡ༻·Ͱߦ͏
Full-AWS since 2011 ~1,400 EC2 instances 200+ ECS Services Over
3 regions 15,000+ requests/sec
re:Invent ͱࣗ • 2013͔ΒຖࢀՃ • 2012·ֶͩੜόΠτͩͬͨ • 2017Ͱొஃ • ػցֶशϫʔΫϩʔυΛίϯςφͰ࣮ߦ͢Δ
• ࠓͰ6ճ • ϥεϕΨε7ճ
ΫοΫύουͱ re:Invent • 2012͔Βຖෳ໊ࢀՃ • ΠϯϑϥܥͰͳ͘αʔϏε։ൃऀͷࢀՃऀΛ૿͍ͯ͠Δ • ࠓࢀՃऀͷ8ׂҎ্
ηΩϡϦςΟܥηογϣϯ, ϫʔΫγϣοϓ • ຖ͕ͩେྔ • ΑΓߴͳτϐοΫʹߦ͘΄Ͳ “ίʔυΛॻ͍ͯࣗͨͪͰ࡞͍ͬͯ͘” ͷ͕ଟ͍ • AWS
ηΩϡϦςΟαʔϏεͷհ͚ͩͰͳ͘ AWS αʔϏεΛͬͯΑΓྑ͍ηΩϡϦςΟγ εςϜΛͭ͘Δ • ࣗͷҎ֎ͷϫʔΫγϣοϓͳͲʹग़͍ͯΔΤϯδχΞଟ͍ • ηΩϡϦςΟΤϯδχΞ͕ DynamoDB ઃܭͷϫʔΫγϣοϓʹग़͍ͯΔͳͲ • εϥΠυಈըެ։͞Ε͍ͯ·͢
Security Jam • AWS ্ͰηΩϡϦςΟରࡦΠϯγσϯτϨεϙϯεΛମݧͯ͠ ͍͘Πϕϯτ • ָͦ͠͏ͳͷʹຖճ GameDay ͱඃͬͯ͠·͍
ࢀՃͰ͖͍ͯͳ͍… (ಉ྅ᐌָ͔ͬͨ͘͠ͱͷ͜ͱ) • ຊͰΔ͔ GameDay ͱ࣌ؒΛͣΒ͍ͯͩ͘͠͞!!!
Expo • ηΩϡϦςΟͷϓϩόΠμʑ૿Ճ͍ͯ͠Δ • ࠓίϯςφηΩϡϦςΟ͕ଟ͔ͬͨҹ • SIEM, ΠϕϯτϚωδϝϯτͳͲ
ࠓͷൃද • ͍Ζ͍Ζ͋Γ·ͨ͠Ͷ • ML, IoT, Robot ͳͲ͋Γͭͭݎ࣮ͳྖҬʹେྔϦϦʔε
ൃද (ηΩϡϦςΟ) https://aws.amazon.com/jp/new/reinvent/
ηΩϡϦςΟͷൃදগͳ͘ͳ͍ʁʁʁ • ηΩϡϦςΟΛλʔήοτʹͨ͠ͷ͔֬ʹগͳ͍ • ͕ɺηΩϡϦςΟγεςϜͷߏஙͳͲʹ͑Δͷͨ͘͞Μ • “ηΩϡϦςΟ” λά͕͍ͭͨαʔϏε͚͕ͩ AWS ηΩϡϦςΟͰͳ͍
https://speakerdeck.com/mizutani/security-log-search
ηΩϡϦςΟγεςϜʹ͑Δ or ͑ͦ͏ͳ ϦϦʔεͱײΛհ (ݸਓͷݟղͰ͢)
CloudWatch Logs Insights • CW Logs ͷϩάʹର͠ߜΓࠐΈूܭɺੳ͕Մೳʹ • JSON ͳͲʹରԠͰ͖Δ
• ৽όοΫΤϯυʹΑΔരݕࡧ • େྔͷϩάσʔλʹରͯ͠ഒҎ্͍ (࣮ࡍʹͬͯ·͢) • γεςϜϩάΞΫηεϩάͳͲͷετϨʔδͱͯ͠༗ྗީิʹ • ͨͩ͠Ձ֨ཁ֬ೝ
S3 Object Lock • S3 Object ΛҰఆ or ແظݶͰ্ॻ͖/আͰ͖ͳ͘ͳΔػೳ •
࠷ڧͷϞʔυͰ root account Ͱ͢Βআෆೳʹ • MFA Delete ʹΘΔબࢶʹͳΔ • ֤छॏཁϩάͷอ࣋ʹར༻Մೳ • ޡരʹҙ
S3 Glacier ͷػೳڧԽ • ໊শมߋͱಉ࣌ʹ৭ʑग़ͨ • S3 Glacier ετϨʔδΫϥεͷૹ •
ΫϩεϦʔδϣϯϨϓϦέʔγϣϯͷ Glacier ରԠ • ෮ݩ௨ɺ෮ݩΞοϓ • S3 Glacier Deep Archive • ͔͞Έ͕ͪͳηΩϡϦςΟؔ࿈ϩάͷظόοΫΞοϓʹ͑Δ • ΫοΫύουͰ Lifecycle Ͱ Glacier ૹΓʹ͍ͯ͠·͢
S3 Intelligent Tiering • S3 Standard ͱ Standard-IA (ස) ΛࣗಈͰߦ͖དྷͰ͖Δ
• Athena ͳͲΛϩάݕࡧʹ͍ͬͯΔέʔεͰศར • ϑϧεΩϟϯ͢Δͱҙຯ͕ͳ͘ͳΔͷͰϢʔεέʔεઃܭ͕େࣄ
KMS Custom Key Store • KMS ͷΩʔετΞͱͯ͠ CloudHSM ͕͑ΔΑ͏ʹ •
ߟ͑ΒΕΔ༻్ • Ͳ͏ͯ͠ΩʔετΞΛ͢Δඞཁ͕͋Δ • KMS Λ௨ͯ͠Ͱͳ͘ CloudHSM ଆ͔Β伴ͷࠪΛ͍ͨ͠ • զʑʹར༻༻్͕ͳ͍Ͱ͢…
AWS Control Tower • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌লུ • େྔΞΧϯτΛཧ͢ΔڥԼͰ͔ͳΓศརͦ͏ • ΧδϡΞϧʹ AWS
ΞΧϯτΛ࡞Γ͘͢ͳΔ
AWS Security Hub • લͷൃදͰઆ໌͕͋ͬͨͷͰجຊઆ໌লུ • ͏গ͠۷ΓԼ͛ͯɺͲͷΑ͏ʹ׆༻͍͔ͨ͠Λ͠·͢
ηΩϡϦςΟγεςϜͷجຊํ • ༷ʑͳιϑτΣΞαʔϏεΛηϯαʔͱͯ͠͏ • ηϯαʔ͔ΒͷϩάΞϥʔτΛूͯ͠ཧ͢Δ • ͦΕͧΕͷཧίϯιʔϧʹϩάΠϯͯ͠…ͱ͍͏ͷ ΘΕͳ͍γεςϜΛੜΉ͚ͩͳͷͰΊΔ • ຊʹඞཁͳஅʹूதͰ͖ΔΈΛͭ͘Δ
(ࣗಈԽ)
ΞʔΩςΫνϟ֓ཁ ύʔτ͚ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3
S3 Athena ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ Ξϥʔτͷൃใ ϩάͷม EC2 Elasticsearch Service ߴͰΠϯλϥΫςΟϒͳ ظతϩάͷݕࡧ ظؒʹΘͨΔ ϩάͷݕࡧ GHE PagerDuty Slack Ξϥʔτͷൃใɾཧ Ξϥʔτͷௐࠪ EC2 instances ͦͷଞϓϩμΫτ Kinesis Stream Kinesis Stream ϩάऩूύʔτ ϩάॲཧύʔτ Ξϥʔτॲཧύʔτ CloudWatch Logs/ Event, GuardDuty, CloudTrail
֓ཁ • ༷ʑͳϑΥʔϚοτͷϩάΞϥʔτΛ S3 ʹऩू • AWS αʔϏεͱͯ͠ GuardDuty ͳͲΛར༻
• ऩूͨ͠ϩάɾΞϥʔτΛਖ਼نԽͯ͠ Graylog / S3 ʹೖ • Ωϟονͨ͠Ξϥʔτਖ਼نԽͯ͠ GitHub (Enterprise) ʹىථ • ՄೳͳݶΓͷॳظௐࠪΛࣗಈͰߦ͏ • PagerDuty, Slack ͷൃใߦ͏
͞Βʹվળ͍ͨ͠ϙΠϯτ • Ξϥʔτͷਖ਼نԽ͕ͪΐͬͱେม (ࣗͨͪͰ࡞Δ) • ΞϥʔτࣗମͷूܭɺՄࢹԽ • ࣗಈԽΛߋʹਐΊΔ • ௐࠪɺରԠ
• ظతͳੳ
Ξϥʔτਖ਼نԽ • ରԠ͍ͯ͠ΔαʔϏεͰ͋Εਖ਼نԽෆཁ • ଞγεςϜʹΞϥʔτΛॻ͖ࠐΈ͍ͨ߹ Security Hub ΛڬΉ͜ͱͰ ॲཧΛڞ௨ԽͰ͖Δ •
Ξϥʔτʹ͍ͭͯ “ͱΓ͋͑ͣ Security Hub ʹಥͬࠐΉ” ͜ͱ͕ Ͱ͖ΔΑ͏ʹͳΔ • ࠓޙ৽نʹηΩϡϦςΟαʔϏε͕ग़͖ͯͯૉૣ͘౷߹Ͱ͖Δ
Amazon Security Finding Format • ηΩϡϦςΟΞϥʔτʹٻΊΒΕͦ͏ͳ߲Ұ௨ΓΧόʔ • EC2 Πϯελϯε ͳͲ
AWS ݻ༗ͷϑΟʔϧυ༻ҙ • ࠓͷஈ֊Ͱ AWS ϦιʔεΛओʹఆ͍ͯ͠ΔΑ͏ʹݟ͑Δ • ͏ͪΐͬͱ৭ʑͳϦιʔεʹରͯ͑͠Δͱ͏Ε͍͠… • ৄࡉ Security Hub ͷυΩϡϝϯτΛࢀর
ूܭɺՄࢹԽ • Insights Ͱ͋ΔఔՄೳ • Findings ΛϑΟϧλͨ݁͠Ռ (Group by ͳͲՄೳ)
• άϥϑΧελϜͰ͖ͨΒخ͍͚͠Ͳɻɻ • ظతʹոͦ͠͏ͳϦιʔεΛݟ͚ͭΔͷʹ༗ޮ
ࣗಈԽ • CW Events ʹΠϕϯτΛૹ৴Ͱ͖Δ • Finding, Insights, Standards •
Lambda function Step Function ΛݺͿ͜ͱ͕Ͱ͖Δ • ϩάऩूͱඥ͚, Ϩϐϡςʔγϣϯௐࠪ, ݕମௐࠪ, ΠϯελϯεͷίϚϯυൃߦͳͲͳΜͰ͋Γ
ͦͷଞͷྑ͍ػೳ • ϚϧνΞΧϯτରԠ • Control Tower Ͱ৽ن࡞࣌ʹશηΩϡϦςΟαʔϏε༗ޮԽ + Security Hub
ͷૹ৴͕Ͱ͖ΔΑ͏ʹͳΔͱ͏Ε͍͠ • ηΩϡϦςΟඪ४ͷνΣοΫ • ࣮ମ Config Rules ͷू߹ମ (ݱࡏ CIS AWS foundation benchmark ͷΈ) • ͜ΕΧελϜ͕࡞ΕΔͱྑ͍
ͦͷଞ͜͏ͳͬͯ͘ΕΔͱخ͍͠ • Findings ͦͷͷͷΞοϓσʔτ (ଐੑͷՃͳͲ) • ࣗಈԽʹΑΔௐࠪ݁ՌͳͲΛՃ͓͖͍ͯͨ͠ (ݱঢ়ςΩετͷΈ) • Πϕϯτཧπʔϧͱͷ࿈ܞ
• ͋Δ͍ Security Hub ͕ࣗཧπʔϧʹͳΔ • ୲ऀɺௐࠪঢ়گɺݟղɺetc • AWS WAF ࿈ܞ • Ξϥʔτ͕͔ͳΓଟ͘ͳΔͣͳͷͰɺͦͷ··දࣔͯ͠΄͘͠ͳ͍͕…
·ͱΊ
ࠓճͷൃදʹ͍ͭͯ • ͙͢ʹ͑Δͷଟ͘ྑ͔ͬͨͱࢥ͏ • ηΩϡϦςΟʹϑΥʔΧεͨ͠ͷଟ͘ͳ͍͕ɺ ηΩϡϦςΟʹ׆͔͢͜ͱ͕Ͱ͖ΔαʔϏεػೳ͕ग़͍ͯΔ • Control Tower, Security
Hub ੵۃతʹར༻͍ͨ͠
͜Ε͔Βͷ AWS ηΩϡϦςΟ • (طʹͦ͏ͳ͍ͬͯΔ͕) ಛఆͷαʔϏειϑτΣΞΛ ͏͚ͩͰͳ͘ɺ͍ࢹͰηΩϡϦςΟγεςϜΛઃܭ࣮ͯ͢͠Δ • AWS ͕ఏڙ͍ͯ͠ΔύʔπʹΑͬͯ࡞Γ͍͢ڥ͋Δ
• ͦ͏͍ͬͨͷ͕ఏڙ͞Ε͍ͯΔͱࢥ͏͠ɺ͍ͯͬͯ͠΄͍͠
PR
࣍ੈͷηΩϡϦςΟڥΛҰॹʹͭ͘Δ ΤϯδχΞΛืू͍ͯ͠·͢ https://cookpad.jobs/
Fin.