Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
Search
maru1981
February 06, 2020
Technology
0
2.1k
[JAWS-UG Osaka]セキュリティ、ネットワークまわりのちょいテク
maru1981
February 06, 2020
Tweet
Share
More Decks by maru1981
See All by maru1981
re:Growth2023 OSAKA 「Amazon ElastiCache Serverless」のご紹介
maru1981
0
25k
データ分析のためのAWS Well-Architected -Data Analytics Lens-
maru1981
0
1.9k
「データレイク」という言葉だけ知ってる人がAWS Lake Formationをはじめてみる/DevelopersIO2021 DECADE Try AWS Lake Formation for the first time
maru1981
1
2.3k
AWS環境見直しの第一歩「AWS請求代行サービス」のご紹介/Classmethod Members
maru1981
0
1k
AWSではじめるBlockchain/[DevelopersIO 2019 in OSAKA]Blockchain starting with AWS
maru1981
0
1.9k
AWSではじめるBlockchain/Blockchain starting with AWS
maru1981
0
1.4k
[HIGOBASHI.AWS] #9 re:Invent 2018 の新サービス紹介(AWSインフラ編)
maru1981
0
980
[HIGOBASHI.AWS] #6 CloudFront を使ってみよう!/ Let's use CloudFront
maru1981
0
1.5k
Other Decks in Technology
See All in Technology
Dylib Hijacking on macOS: Dead or Alive?
patrickwardle
0
460
Zephyr(RTOS)にEdge AIを組み込んでみた話
iotengineer22
1
330
AI AgentをLangflowでサクッと作って、1日働かせてみた!
yano13
1
150
【SORACOM UG Explorer 2025】さらなる10年へ ~ SORACOM MVC 発表
soracom
PRO
0
130
SCONE - 動画配信の帯域を最適化する新プロトコル
kazuho
1
370
Copilot Studio ハンズオン - 生成オーケストレーションモード
tomoyasasakimskk
0
220
Biz職でもDifyでできる! 「触らないAIワークフロー」を実現する方法
igarashikana
7
3.3k
AIとともに歩んでいくデザイナーの役割の変化
lycorptech_jp
PRO
0
870
AIプロダクトのプロンプト実践テクニック / Practical Techniques for AI Product Prompts
saka2jp
0
110
AWS DMS で SQL Server を移行してみた/aws-dms-sql-server-migration
emiki
0
220
AWS UG Grantでグローバル20名に選出されてre:Inventに行く話と、マルチクラウドセキュリティの教科書を執筆した話 / The Story of Being Selected for the AWS UG Grant to Attending re:Invent, and Writing a Multi-Cloud Security Textbook
yuj1osm
1
130
入院医療費算定業務をAIで支援する:包括医療費支払い制度とDPCコーディング (公開版)
hagino3000
0
110
Featured
See All Featured
Designing Experiences People Love
moore
142
24k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
14k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
249
1.3M
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
658
61k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.7k
A better future with KSS
kneath
239
18k
Imperfection Machines: The Place of Print at Facebook
scottboms
269
13k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Raft: Consensus for Rubyists
vanstee
140
7.2k
Transcript
ηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷͪΐ͍ςΫ Marumo Atsushi
KBXTVH KBXTVHPTBLB
εϥΠυޙͰೖख͢Δ͜ͱ͕ग़དྷ·͢ͷͰ ൃදதͷ༰ΛϝϞ͢Δඞཁ͋Γ·ͤΜɻ ࣸਅࡱӨΛ͢Δ߹ ϑϥογϡɾγϟολʔԻ͕ग़ͳ͍Α͏ʹྀ͍ͩ͘͝͞ Attention
ࣗݾհ ؙໟಞ࢙ Ϋϥεϝιουגࣜձࣾ "84ࣄۀຊ෦ίϯαϧςΟϯά෦ ιϦϡʔγϣϯΞʔΩςΫτ ʢϚϧϞΞπγʣ "84ೝఆࢿ֨ף ͖ͳ"84αʔϏε w
$MPVE'SPOU w 5SBOTJU(BUFXBZ w .BOBHFE#MPDLDIBJO
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0
݄ؒສ17ΛތΔٕज़ϒϩά%FWFMPQFST*0 ௨ࢉ ຊʂ ؒ ຊʂ ݄ؒ ຊʂ
None
80ਓ 736ຊ
ຊͷςʔϚ "84ͷηΩϡϦςΟɺωοτϫʔΫ ·ΘΓͷʮͪΐ͍ςΫʯ
ຊͷςʔϚ ࢸۃͷϒϩάهࣄΛఴ͑ͯ ʢৄࡉͳઆ໌ল͘ͷͰؾʹͳͬͨͷΛޙ͔Βख़ಡʣ
Security & Network
ͪΐ͍ςΫ̍ ؆୯ʹઃఆͰ͖Δ "84ͷൃݟత౷੍
͜Ε͚ͩͬͱ͍ͯཉ͍͠"84αʔϏε̐બ w"84$MPVE5SBJM w"NB[PO(VBSE%VUZ w"84$POpH w4*"."DDFTT"OBMZ[FS
$MPVE5SBJM w"84ͷ"1*ʹର͢Δૢ࡞ϩά w"84ΞΧϯτʹରͯ͠ʮ୭͕ʯʮ͍ͭʯʮԿΛ͔ͨ͠ʯ wશϦʔδϣϯͰ༗ޮԽʢίϯιʔϧͰ؆୯ʹઃఆʣ wϩάੳʹ"UIFOB$MPVE8BUDI-PHT*OTJHIUT wҟৗͳ"1*ίʔϧ$MPVE5SBJM*OTJHIUTͰݕग़
$MPVE5SBJM*OTJHIUT w௨ৗͱҟͳΔΞΫςΟϏςΟΛݕग़ wରॻ͖ࠐΈཧΠϕϯτ w ʢॻ͖ࠐΈཧΠϕϯτ͋ͨΓʣ https://dev.classmethod.jp/cloud/aws/aws-cloudtrail-announces-cloudtrail-insights/
(VBSE%VUZ w͓ʹ&$ͱ*".ΞΧϯτؔ࿈ͷൃݟత౷੍ w"84ʹ͓͚Δෆ৹ͳΞΫςΟϏςΟΛݕ w$MPVE5SBJMFWFOUMPHT w71$'MPX-PHT w%/4MPHT wશϦʔδϣϯͰ༗ޮԽ https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/
(VBSE%VUZʢ͜͜ͷΞοϓσʔτɹɹʣ w߈ܸऀʹՃ୲ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-devect-new-findings-of-dos-attack/ w"ENJOͳͲͷಛݖΛׂΓͯΑ͏ͱ ͯ͠ͳ͍͔ https://dev.classmethod.jp/cloud/aws/guardduty-can-now-detect-privilege-escalation/ wݕग़݁ՌͰഁغ͞ΕΔ https://dev.classmethod.jp/cloud/aws/guardduty-supports-exporting-findings-to-an- amazon-s3-bucket/
Ͱ͓ߴ͍ΜͰ͠ΐɾɾɾʁ wίεύ࠷ڧ w71$ϑϩʔϩάͱ%/4ϩάੳɹ(#ʙ w$MPVE5SBJMΠϕϯτੳɹ Πϕϯτʙ wฐࣾͰཧΞΧϯτͷҎ্͕"84ར༻අͷҎԼ wҎ্ͷΞΧϯτ͕"84ར༻අͷҎԼ
ͦΕͰෆ҆ͱ͍͏ͳΒ wؒͷແྉτϥΠΞϧͰ࣮ࡍͷར༻අΛ֬ೝ
"84$POpH w"84ϦιʔεͷมߋཤྺΛه wλΠϜϥΠϯͰมߋ༰͕֬ೝͰ͖Δ
͓҆͘ͳΓ·ͨ͠ w݄Ҏ߱ɺैྔ՝ۚϞσϧʹมߋ wධՁ͋ͨΓʙ https://dev.classmethod.jp/cloud/aws/recommend-config-rules-for-all-user/
ඇ४ڌϦιʔεΛࣗಈम෮Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠ w44."VUPNBUJPOͱ࿈ܞͨࣗ͠ಈम෮ wैདྷ$MPVE8BUDI&WFOUTˠ-BNCEBͷ࡞ΓࠐΈ https://dev.classmethod.jp/cloud/aws/auto-recovery-restricted-ssh-without-lambda/
4*"."DDFTT"OBMZ[FS w֎෦ϓϦϯγύϧ͔ΒΞΫηεՄೳͳϦιʔε͕ର wજࡏతͳϦεΫΛஅʢ߈ܸΛݕग़͢ΔͷͰͳ͍ʣ wαϙʔτ͞ΕΔϦιʔε w4όέοτ w*".ϩʔϧ w,.4Ωʔ w-BNCEBؔͱ-BNCEBϨΠϠʔ w424Ωϡʔ
4*"."DDFTT"OBMZ[FS wແྉͰར༻Մೳʂ
શϦʔδϣϯͰ༗ޮԽͯ͠͠·͓͏ https://dev.classmethod.jp/cloud/aws/create-analyzer-all-region/ wશϦʔδϣϯͰ༗ޮʹ͢Δ w4"DDFTT"OBMZ[FS*"."DDFTT"OBMZ[FSΛ༗ޮԽʹ͢Δͱར༻Ͱ͖·͢
͓Εͳ͘ ݕग़͢Δ͚ͩͰຬ͠ͳ͍Ͱɻ ௨ͪΌΜͱΓ·͠ΐ͏ɻ
ͪΐ͍ςΫ̎ ؆୯ʹνΣοΫͰ͖Δ ηΩϡϦςΟɾίϯϓϥΠΞϯε
ίϯϓϥΠΞϯεɿ$*4#FODINBSL w$*4-JOVY"QBDIFͳͲ༷ʑͳηΩϡϦςΟج४Λ࡞ ͍ͯ͠Δஂମ w$*4"84'PVOEBUJPOT#FODINBSLͱͯ͠"84ͷηΩϡ ϦςΟνΣοΫͷ۩ମతͳ߲Λఆٛ wฐࣾఏڙͷηΩϡϦςΟνΣοΫπʔϧ ʰJOTJHIUXBUDIʱͰແྉஅՄೳ
*OTJHIUXBUDI wʮখ͞ͳൃݟΛେ͖ͳ҆৺ʹʯΛίϯηϓτʹ"84ڥ Λஅ͠ϨϙʔτΛग़ྗ͢Δπʔϧ https://insightwatch.io/
ͨ͘͞ΜͷܯࠂͰͨΜ͚Ͳɾɾɾ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen2/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen3/ https://dev.classmethod.jp/cloud/aws/insightwatch_challenge_allgreen4/
ͪΐ͍ςΫ̏ ήʔτܕ͔Β ΨʔυϨʔϧܕ
ैདྷͷηΩϡϦςΟͷߟ͑ํ w࠷ۙɺ"84͕ൃ৴ͯ͠Δϝοηʔδ wैདྷͷηΩϡϦςΟήʔτΩʔύత w·ͣϒϩοΫ w༰Λ֬ೝ͕ͯ͠ͳ͚Εͱ͓͢ wྲྀΕΛͱΊΔ͜ͱɺϏδωεͷεϐʔυΛಷΒͤΔ
ηΩϡϦςΟͰϏδωεʹ ϒϨʔΩΛ͔͚͍͚ͯͳ͍ ͲΜͳʹεϐʔυΛग़ͯ҆͠શͳ ΨʔυϨʔϧͷΑ͏ͳηΩϡϦςΟΛ
ΨʔυϨʔϧతͳηΩϡϦςΟͱ wΨʔυϨʔϧతͳηΩϡϦςΟΛ࣮ݱ͢ΔҰྫ w"840SHBOJ[BUJPOTͷαʔϏείϯτϩʔϧϙϦγʔ w"84*".1FSNJTTJPOTCPVOEBSZ w1FSNJTTJPOTCPVOEBSZ w௨ৗͷ*".ϙϦγʔʹ"/%݅ΛՃ͑ͯɺڐՄൣғΛ ݶఆ͢ΔϙϦγʔ wڥքൣғͳ͔Ͱࣗ༝ʹͤͯ͋͛͞Δ
1FSNJTTJPOTCPVOEBSZ wઃఆΛؒҧ͑Δͱ͍ΖΜͳݖݶΛ ࣦ͏ͷͰઃఆ৻ॏʹ https://dev.classmethod.jp/cloud/aws/iam-permissions-boundary/
w*".ϙϦγʔγϡϛϨʔλʹରԠ͠·ͨ͠ wࣄલʹγϛϡϨʔγϣϯͰӨڹൣғΛ֬ೝ ҆͝৺͍ͩ͘͞ https://dev.classmethod.jp/cloud/aws/iam-policy-simulator-now-simulates-permissions-boundary/
ͪΐ͍ςΫ̐ *.%4ͷ ηΩϡϦςΟڧԽ
*.%4ʢΠϯελϯεϝλσʔλαʔϏεʣ w&$Πϯελϯεϝλσʔλ wʹ)551ϦΫΤετ༷ͯ͠ʑͳϝλ σʔλʹΞΫηεͰ͖Δ w*".ϩʔϧ͜ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ w8"'ͳͲͷެ։αʔόʹ͋Δ੬ऑੑͱΈ߹Θͤͯɺෆਖ਼ ʹ&$ͷϝλσʔλ͔ΒΫϨσϯγϟϧΛऔಘ͠ѱ༻͢Δ ͜ͱ͕Մೳ
ࣄނࣄྫ ʰpiyologʱɿhttps://piyolog.hatenadiary.jp/entry/2019/08/06/062154
*.%4W https://dev.classmethod.jp/cloud/aws/ec2-imdsv2-release/ w7ͷΞΫηεʹ5PLFO͕ඞཁ w7ΛແޮԽͰ͖ΔʢσϑΥϧτซ༻ʣ wϝλσʔλαʔϏεࣗମΛແޮԽͰ͖ΔɹʜFUD
͋ΘͤͯಡΈ͍ͨ ʰಙؙߒͷهʱɿhttps://blog.tokumaru.org/2019/12/defense-ssrf-amazon-ec2-imdsv2.html w*.%4W443'߈ܸͷࠜຊతͳղܾͰͳ͍ w͕ɺ443'߈ܸͷ؇ࡦͱͯ͠ҰఆͷޮՌظͰ͖Δ
ͪΐ͍ςΫ̑ ͏͔ͬΓ࿙ӮΛࢭ
HJUTFDSFUTͬͯ·͔͢ʁ w"84ΞΫηεΩʔͷ࿙ӮͰҰ൪ଟ͍ύλʔϯ wHJUDPNNJUʹIPPL͢ΔػೳΛ༗ޮʹ͠ͱ͚ɺΞΫηε ΩʔγʔΫϨοτΩʔͷύλʔϯΛݕग़ɾ્ࢭͯ͘͠ΕΔ https://dev.classmethod.jp/cloud/aws/startup-git-secrets/
͋ΘͤͯಡΈ͍ͨ w*".ͷجຊ࠷খݖݶ w։ൃݕূຊ൪ڥͷڥͷϝϦοτɺσϝϦοτ https://dev.classmethod.jp/cloud/aws/account-and-vpc-dividing-pattern/
ͪΐ͍ςΫ̒ ֎෦ͱͷτϥϑΟοΫΛ ΠϯϥΠϯࠪ
*OHSFTTSPVUF w*(8ɺ7(8ʹϧʔτ ςʔϒϧͷઃఆ͕Մೳ wૹ৴ઌ71$ͷ $*%3ൣғͷΈ w*%4*14ΞϓϥΠΞϯ εͷϦμΠϨΫτ Λγϯϓϧʹ࣮
͋ΘͤͯಡΈ͍ͨ https://dev.classmethod.jp/cloud/aws/what-is-vpc-ingress-routing/
71$ؒτϥϑΟοΫͷΠϯϥΠϯࠪʢ5(8ʣ https://www.slideshare.net/AmazonWebServicesJapan/20191113-aws-black-belt-online-seminar-aws-transit-gateway?ref=https://aws.amazon.com/jp/blogs/news/webinar-bb-aws-transit-gateway-2019/
·ͱΊ
·ͱΊ wൃݟత౷੍ͷ̐αʔϏεઃఆ͠Α͏ʢ௨·ͰΔʣ wʮ*OTJHIUXBUDIʯͰίϯϓϥΠΞϯεΛνΣοΫ wڥքൣғʢΨʔυϨʔϧʣͷͳ͔Ͱࣗ༝Λߴ͘ w*.%4͕ѱ༻͞ΕΔ͜ͱ͓ͬͯ͘ wΞΫηεΩʔHJUDPNNJUͰ͖ͳ͍Α͏ʹ͢Δ wΠϯϥΠϯࠪΛγϯϓϧʹߏங
͜Ε͚֮ͩ͑ͯؼͬͯ΄͍͠ɺͪΐ͍ςΫ ͍͍ͩͨͷ͜ͱ %FWFMPQFST*0ʹॻ͍ͯΔ
None