セキュリティ系アップデート全体像と AWS Organizations 新ポリシー「宣言型ポリシー」を紹介 / reGrowth 2024 Security

ηΩϡϦςΟܥΞοϓσʔτͷશମ૾ 0SHBOJ[BUJPOTͷ৽ϙϦγʔΛ঺հ

SFHSPXUI@PTBLB ࣗݾ঺հ ઒ݪ੐େ LBXBIBSBNBTBIJSP ˔ $MBTTNFUIPE"84ࣄۀຊ෦ ίϯαϧςΟϯά෦ ˔ d"845PQ&OHJOFFST ˔
SF*OWFOUݱ஍ࢀՃ ˓ ,3BDF͕૘շͰͨ͠

SFHSPXUI@PTBLB ࠓ೔࿩͢͜ͱ ˔ ηΩϡϦςΟܥΞοϓσʔτΛ͓͞Β͍ ˔ "840SHBOJ[BUJPOTͷΞϓσΛ঺հ ˔ ↳ એݴܕϙϦγʔΛਂງΓ ˔
↳ ͜Ε͔Βͷ༧๷తΨʔυϨʔϧ

ηΩϡϦςΟܥΞοϓσʔτ ͬ͘͟Γͱ͓͞Β͍

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ <"843FTPVSDF&YQMPSFS> ɾػೳ֦ॆɻηΩϡϦςΟ΍ίετͷ৘ใΛҰݩతʹݕࡧɾ؅ཧՄೳʹ <"844ZTUFNT.BOBHFS> ɾϚϧνΞΧ΢ϯτϚϧνϦʔδϣϯͷϊʔυ೺Ѳɺ؅ཧ͕ҰݩԽ <"844FDVSJUZ-BLF> ɾ৽͍͠ύʔτφʔೝఆ "NB[PO4FDVSJUZ-BLF3FBEZ4QFDJBMJ[BUJPO͕ൃද
ɾ0QFO4FBSDI4FSWJDFͱͷ [FSP&5-౷߹Λαϙʔτ <"84$MPVE5SBJM> ɾػೳڧԽɻแׅతͳμογϡϘʔυ௥ՃͱΫϩεΞΧ΢ϯτͰͷσʔλετΞڞ༗ ɾ"*ػೳΛ௥ՃɻࣗવݴޠͰͷΫΤϦੜ੒ͱΫΤϦ݁Ռͷཁ໿ػೳ <*"."DDFTT"OBMZ[FS> ɾະ࢖༻ΞΫηε෼ੳʹͯɺΞΧ΢ϯτ*%΍ϩʔϧλάʹΑΔείʔϓબ୒͕Մೳʹ

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ <"84*".> ɾ0SHBOJ[BUJPOTͷϝϯόʔΞΧ΢ϯτͷϧʔτΞΫηε ΛҰݩ؅ཧՄೳʹ <"840SHBOJ[BUJPOT> ɾએݴܕϙϦγʔ %FDMBSBUJWFQPMJDZ ͕௥Ճ
ɾ3$1 3FTPVSDFDPOUSPMQPMJDZ ͕௥Ճ <"84$POUSPM5PXFS> ɾએݴܕϙϦγʔΛ࢖༻ͨ͠༧๷ίϯτϩʔϧ͕௥Ճ ɾ3$1Λ࢖༻ͨ͠༧๷ίϯτϩʔϧ͕௥Ճ ɾ"84#BDLVQͱ౷߹ɻਪ঑όοΫΞοϓઃఆΛҰׅద ༻Մೳʹ

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ <"NB[PO71$> ɾ71$ͷϒϩοΫύϒϦοΫΞΫηε #1" Λൃද ɾ$MPVE'SPOU͕71$ΦϦδϯʹରԠ <"84/FUXPSL'JSFXBMM> ɾ)551ɺ26*$ɺ1PTUHSF42-ͳͲͷ৽ϓϩτίϧݕ
ग़ʹରԠ <"847FSJGJFE"DDFTT> ɾ5$1΍44)ɺ3%1ͳͲͷඇ)551 4 Ϧιʔε΁ͷθϩ τϥετΞΫηε͕Մೳʹ

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ <"NB[PO(VBSE%VUZ> ɾߴ౓ͳڴҖݕग़ػೳ͕௥Ճɻෳ਺εςʔδͷ߈ܸΛࣗಈݕग़ <"844FDVSJUZ*ODJEFOU3FTQPOTF> ɾ༗ਓͰηΩϡϦςΟΠϯγσϯτʹରԠͯ͘͠ΔαʔϏε͕(" ˞࠷௿ֹ݄ྉۚ υϧ͔Β ɾ"844FDVSJUZ*ODJEFOU3FTQPOTFͷ৽͍͠ύʔτφʔϓϩάϥϜ

"840SHBOJ[BUJPOTͷ ΞοϓσʔτΛ঺հ

"840SHBOJ[BUJPOTΛ ͞Βͬͱ͓͞Β͍

SFHSPXUI@PTBLB 0SHBOJ[BUJPOT͸ϚϧνΞΧ΢ϯτ؅ཧͰ໾ཱͭαʔϏε <ओͳಛ௃> ˔ શ"84ΞΧ΢ϯτͷ੥ٻΛू໿ ˔ "84ΞΧ΢ϯτΛ֊૚Խͯ͠؅ཧɺ੍ޚ ˔ ͞·͟·ͳ"84αʔϏεͱ࿈ܞ ը૾Ҿ༻"840SHBOJ[BUJPOTͷ֓೦ͱ༻ޠ
"840SHBOJ[BUJPOT

SFHSPXUI@PTBLB ֤छ ϙϦγʔΛ࢖ͬͯෳ਺ΞΧ΢ϯτΛ੍ޚͰ͖Δ ˔ 4$1 4FSWJDFDPOUSPMQPMJDZ ˔ λάϙϦγʔ ˔ όοΫΞοϓϙϦγʔ
˔ ࢖͑ΔϙϦγʔͷৄࡉ͸ҎԼΛࢀর ˠ5FSNJOPMPHZBOEDPODFQUTGPS"840SHBOJ[BUJPOT "840SHBOJ[BUJPOT

"840SHBOJ[BUJPOTͷ SF*OWFOUΞοϓσʔτ

SFHSPXUI@PTBLB SF*OWFOUʹͯɺͭͷ৽ϙϦγʔ͕ొ৔ʂ ˔ <OFX>3$1 3FTPVSDFDPOUSPMQPMJDZ ˔ <OFX>એݴܕϙϦγʔ %FDMBSBUJWFQPMJDZ

એݴܕϙϦγʔ %FDMBSBUJWF1PMJDZ

SFHSPXUI@PTBLB αʔϏεϨϕϧͰ l๬·͍͠ઃఆz Λఆٛద༻Ͱ͖Δ ˔ એݴܕϙϦγʔ͸৽͍͠ʮαʔϏεϨϕϧ ͷϙϦγʔʯ ˔ ૊৫಺ͷ"84ΞΧ΢ϯτʹ͓͍ͯɺಛఆ αʔϏεଐੑΛඪ४ԽͰ͖Δ
˔ ΤϥʔϝοηʔδΛΧελϚΠζՄೳ <ݱࡏαϙʔτ͍ͯ͠Δଐੑ> ˔ 71$ ˓ 71$ϒϩοΫύϒϦοΫΞΫηε ˔ &$ ˓ γϦΞϧίϯιʔϧΞΫηε ˓ ".*ϒϩοΫύϒϦοΫΞΫηε ˓ ڐՄ͞Εͨ".*ͷར༻ ˓ *.%4ͷσϑΥϧτઃఆ ˔ &#4 ˓ εφοϓγϣοτͷϒϩοΫύϒϦοΫΞΫηε

SFHSPXUI@PTBLB ਺ΫϦοΫͰ؆୯ʹઃఆͰ͖Δ ը૾Ҿ༻ʲΞοϓσʔτʳ৽ͨʹൃද͞ΕͨEFDMBSBUJWFQPMJDJFTʢએݴܕϙϦγʔʣΛͨΊͯ͠Έͨ "84SF*OWFOUc%FWFMPQFST*0

ͦ΋ͦ΋એݴతͬͯͳΜͩΖ͏ʁ

SFHSPXUI@PTBLB ʮ݁ہԿ͕͍ͨ͠ͷ͔ʯͱ͍͏໨త͚ͩΛઆ໌͢Δ͜ͱ Ҿ༻એݴతʁ %FDMBSBUJWF Ͳ͏͍͏͜ͱʁ !)JSPZVLJ@04",* 2JJUB

SFHSPXUI@PTBLB l&#4εφοϓγϣοτͷϒϩοΫύϒϦοΫΞΫηεz Λྫʹߟ͑ͯΈΔ &#4εφοϓγϣοτΛύϒϦοΫʹͨ͘͠ͳ͍Μ΍ʂ ໨త

SFHSPXUI@PTBLB ʙએݴܕϙϦγʔ͕ͳ͍ͱ͖ʙ &#4εφοϓγϣοτΛύϒϦοΫʹͨ͘͠ͳ͍Μ΍ʂ ໨త ˞ͳ͍Ͱ͢ ໨తͷୡ੒ํ๏

SFHSPXUI@PTBLB ʙએݴܕϙϦγʔ͕͋Δͱ͖ʙ &#4εφοϓγϣοτΛύϒϦοΫʹͨ͘͠ͳ͍Μ΍ʂ ໨త ໨తͷୡ੒ํ๏

͜Ε͔Βͷ༧๷తΨʔυϨʔϧ

SFHSPXUI@PTBLB ࠓ೥ɺओཁͳ༧๷తΨʔυϨʔϧ͕Ұؾʹ૿͑ͨʂ ͜Ε·Ͱͷ<"84ͷ༧๷తΨʔυϨʔϧͱ͍͑͹> ˔ 4$1 4FSWJDFDPOUSPMQPMJDZ ͜Ε͔Βͷ<"84ͷ༧๷తΨʔυϨʔϧͱ͍͑͹> ˔ 4$1 4FSWJDFDPOUSPMQPMJDZ
˔ 3$1 3FTPVSDFDPOUSPMQPMJDZ ˔ એݴܕϙϦγʔ %FDMBSBUJWFQPMJDZ

SFHSPXUI@PTBLB <Πϝʔδ>͜Ε·Ͱͷ༧๷తΨʔυϨʔϧ

SFHSPXUI@PTBLB <Πϝʔδ>༧๷తΨʔυϨʔϧͷ͜Ε͔Β

SFHSPXUI@PTBLB <Πϝʔδ>༧๷తΨʔυϨʔϧͷ͜Ε͔Β ˞3$1͕αϙʔτ͍ͯ͠ΔαʔϏε ɾ4 ɾ454 ɾ,.4 ɾ424 ɾ4FDSFUT.BOBHFS ˞એݴܕϙϦγʔͷαϙʔτൣғ ɾ71$ϒϩοΫύϒϦοΫΞΫηε
ɾ&$γϦΞϧίϯιʔϧΞΫηε ɾ&$".*ϒϩοΫύϒϦοΫΞΫηε ɾ&$ڐՄ͞Εͨ".*ͷར༻ ɾ&$*.%4ͷσϑΥϧτઃఆ ɾ&#4εφοϓγϣοτͷϒϩοΫύϒϦοΫΞΫηε

͓ΘΓʹ

SFHSPXUI@PTBLB ࿩ͨ͜͠ͱ ˔ ηΩϡϦςΟܥΞοϓσʔτΛ͓͞Β͍ ˔ "840SHBOJ[BUJPOTͷΞϓσΛ঺հ ˔ ↳ એݴܕϙϦγʔΛਂງΓ ˓
αʔϏεϨϕϧͰʮ๬·͍͠ઃఆʯΛఆٛద༻ ˓ ਺ΫϦοΫͰ؆୯ʹઃఆͰ͖Δ ˔ ↳ ͜Ε͔Βͷ༧๷తΨʔυϨʔϧ ˓ ·ͣ͸ એݴܕϙϦγʔ<OFX>Λద༻Ͱ͖ͳ͍͔ ˓ ࣍ʹैདྷ௨Γ 4$1Λ࢖͏ ˓ ิ׬తʹ 3$1<OFX>Λ࢖͏

SFHSPXUI@PTBLB ࢀߟ ˔ 4JNQMJGZHPWFSOBODFXJUIEFDMBSBUJWFQPMJDJFTc"84/FXT#MPH ˔ <Ξοϓσʔτ>"840SHBOJ[BUJPOTͰએݴܕϙϦγʔ EFDMBSBUJWFQPMJDJFT ͕ར༻Մೳʹͳ Γ·ͨ͠ "84SF*OWFOUc%FWFMPQFST*0
˔ ʲΞοϓσʔτʳ৽ͨʹൃද͞ΕͨEFDMBSBUJWFQPMJDJFTʢએݴܕϙϦγʔʣΛͨΊͯ͠Έͨ "84SF*OWFOUc%FWFMPQFST*0 ˔ એݴతʁ %FDMBSBUJWF Ͳ͏͍͏͜ͱʁ !)JSPZVLJ@04",* 2JJUB

SFHSPXUI@PTBLB ࢀߟ • 識別 ◦ Introducing the Amazon Security Lake
Ready Specialization - AWS ◦ Amazon OpenSearch Service zero-ETL integration with Amazon Security Lake - AWS ◦ Find security, compliance, and operating metrics in AWS Resource Explorer - AWS ◦ AWS CloudTrail Lake launches enhanced analytics and cross-account data access - AWS ◦ AWS CloudTrail Lake enhances log analysis with AI-powered features - AWS ◦ The new AWS Systems Manager experience: Simplifying node management - AWS ◦ Customize scope of IAM Access Analyzer unused access analysis - AWS • 防御 ◦ Centrally manage root access in AWS Identity and Access Management (IAM) - AWS ◦ Amazon Web Services announces declarative policies - AWS ◦ Introducing resource control policies (RCPs) to centrally restrict access to AWS resources - AWS ◦ AWS Control Tower launches managed controls using declarative policies - AWS ◦ AWS Control Tower launches configurable managed controls implemented using resource control policies - AWS ◦ AWS Control Tower adds prescriptive backup plans to landing zone capabilities - AWS ◦ AWS announces Block Public Access for Amazon Virtual Private Cloud - AWS ◦ Amazon CloudFront announces VPC origins - AWS ◦ AWS Network Firewall expands the list of supported protocols and keywords in firewall rules - AWS ◦ AWS Verified Access now supports secure access to resources over non-HTTP(S) protocols (Preview) - AWS • 検知/対応 ◦ AWS announces AWS Security Incident Response for general availability - AWS ◦ Respond and recovery more quickly with AWS Security Incident Response Partners - AWS ◦ Amazon GuardDuty introduces GuardDuty Extended Threat Detection - AWS

セキュリティ系アップデート全体像と AWS Organizations 新ポリシー「宣言型ポリ...

セキュリティ系アップデート全体像と AWS Organizations 新ポリシー「宣言型ポリシー」を紹介 / reGrowth 2024 Security

MasahiroKawahara

More Decks by MasahiroKawahara

Other Decks in Technology

Featured

Transcript

ηΩϡϦςΟܥΞοϓσʔτͷશମ૾ 0SHBOJ[BUJPOTͷ৽ϙϦγʔΛ঺հ

SFHSPXUI@PTBLB ࣗݾ঺հ ઒ݪ੐େ LBXBIBSBNBTBIJSP ˔ $MBTTNFUIPE"84ࣄۀຊ෦ ίϯαϧςΟϯά෦ ˔ d"845PQ&OHJOFFST ˔

SFHSPXUI@PTBLB ࠓ೔࿩͢͜ͱ ˔ ηΩϡϦςΟܥΞοϓσʔτΛ͓͞Β͍ ˔ "840SHBOJ[BUJPOTͷΞϓσΛ঺հ ˔ ↳ એݴܕϙϦγʔΛਂງΓ ˔

ηΩϡϦςΟܥΞοϓσʔτ ͬ͘͟Γͱ͓͞Β͍

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ <"84*".> ɾ0SHBOJ[BUJPOTͷϝϯόʔΞΧ΢ϯτͷϧʔτΞΫηε ΛҰݩ؅ཧՄೳʹ <"840SHBOJ[BUJPOT> ɾએݴܕϙϦγʔ %FDMBSBUJWFQPMJDZ ͕௥Ճ

SFHSPXUI@PTBLB ߋ৽ͷ͋ͬͨ"84αʔϏε ˞༧બམؚͪΉ <"NB[PO71$> ɾ71$ͷϒϩοΫύϒϦοΫΞΫηε #1" Λൃද ɾ$MPVE'SPOU͕71$ΦϦδϯʹରԠ <"84/FUXPSL'JSFXBMM> ɾ)551ɺ26*$ɺ1PTUHSF42-ͳͲͷ৽ϓϩτίϧݕ

"840SHBOJ[BUJPOTͷ ΞοϓσʔτΛ঺հ

"840SHBOJ[BUJPOTΛ ͞Βͬͱ͓͞Β͍

SFHSPXUI@PTBLB 0SHBOJ[BUJPOT͸ϚϧνΞΧ΢ϯτ؅ཧͰ໾ཱͭαʔϏε <ओͳಛ௃> ˔ શ"84ΞΧ΢ϯτͷ੥ٻΛू໿ ˔ "84ΞΧ΢ϯτΛ֊૚Խͯ͠؅ཧɺ੍ޚ ˔ ͞·͟·ͳ"84αʔϏεͱ࿈ܞ ը૾Ҿ༻"840SHBOJ[BUJPOTͷ֓೦ͱ༻ޠ

SFHSPXUI@PTBLB ֤छ ϙϦγʔΛ࢖ͬͯෳ਺ΞΧ΢ϯτΛ੍ޚͰ͖Δ ˔ 4$1 4FSWJDFDPOUSPMQPMJDZ ˔ λάϙϦγʔ ˔ όοΫΞοϓϙϦγʔ

"840SHBOJ[BUJPOTͷ SF*OWFOUΞοϓσʔτ

SFHSPXUI@PTBLB SF*OWFOUʹͯɺͭͷ৽ϙϦγʔ͕ొ৔ʂ ˔ <OFX>3$1 3FTPVSDFDPOUSPMQPMJDZ ˔ <OFX>એݴܕϙϦγʔ %FDMBSBUJWFQPMJDZ

એݴܕϙϦγʔ %FDMBSBUJWF1PMJDZ

SFHSPXUI@PTBLB αʔϏεϨϕϧͰ l๬·͍͠ઃఆz Λఆٛద༻Ͱ͖Δ ˔ એݴܕϙϦγʔ͸৽͍͠ʮαʔϏεϨϕϧ ͷϙϦγʔʯ ˔ ૊৫಺ͷ"84ΞΧ΢ϯτʹ͓͍ͯɺಛఆ αʔϏεଐੑΛඪ४ԽͰ͖Δ

SFHSPXUI@PTBLB ਺ΫϦοΫͰ؆୯ʹઃఆͰ͖Δ ը૾Ҿ༻ʲΞοϓσʔτʳ৽ͨʹൃද͞ΕͨEFDMBSBUJWFQPMJDJFTʢએݴܕϙϦγʔʣΛͨΊͯ͠Έͨ "84SFOWFOUc%FWFMPQFST0

ͦ΋ͦ΋એݴతͬͯͳΜͩΖ͏ʁ

SFHSPXUI@PTBLB ʮ݁ہԿ͕͍ͨ͠ͷ͔ʯͱ͍͏໨త͚ͩΛઆ໌͢Δ͜ͱ Ҿ༻એݴతʁ %FDMBSBUJWF Ͳ͏͍͏͜ͱʁ !)JSPZVLJ@04",* 2JJUB

SFHSPXUI@PTBLB l&#4εφοϓγϣοτͷϒϩοΫύϒϦοΫΞΫηεz Λྫʹߟ͑ͯΈΔ &#4εφοϓγϣοτΛύϒϦοΫʹͨ͘͠ͳ͍Μ΍ʂ ໨త

SFHSPXUI@PTBLB ʙએݴܕϙϦγʔ͕ͳ͍ͱ͖ʙ &#4εφοϓγϣοτΛύϒϦοΫʹͨ͘͠ͳ͍Μ΍ʂ ໨త ˞ͳ͍Ͱ͢ ໨తͷୡ੒ํ๏

SFHSPXUI@PTBLB ʙએݴܕϙϦγʔ͕͋Δͱ͖ʙ &#4εφοϓγϣοτΛύϒϦοΫʹͨ͘͠ͳ͍Μ΍ʂ ໨త ໨తͷୡ੒ํ๏

͜Ε͔Βͷ༧๷తΨʔυϨʔϧ

SFHSPXUI@PTBLB ࠓ೥ɺओཁͳ༧๷తΨʔυϨʔϧ͕Ұؾʹ૿͑ͨʂ ͜Ε·Ͱͷ<"84ͷ༧๷తΨʔυϨʔϧͱ͍͑͹> ˔ 4$1 4FSWJDFDPOUSPMQPMJDZ ͜Ε͔Βͷ<"84ͷ༧๷తΨʔυϨʔϧͱ͍͑͹> ˔ 4$1 4FSWJDFDPOUSPMQPMJDZ

SFHSPXUI@PTBLB <Πϝʔδ>͜Ε·Ͱͷ༧๷తΨʔυϨʔϧ

SFHSPXUI@PTBLB <Πϝʔδ>༧๷తΨʔυϨʔϧͷ͜Ε͔Β

SFHSPXUI@PTBLB <Πϝʔδ>༧๷తΨʔυϨʔϧͷ͜Ε͔Β ˞3$1͕αϙʔτ͍ͯ͠ΔαʔϏε ɾ4 ɾ454 ɾ,.4 ɾ424 ɾ4FDSFUT.BOBHFS ˞એݴܕϙϦγʔͷαϙʔτൣғ ɾ71$ϒϩοΫύϒϦοΫΞΫηε

͓ΘΓʹ

SFHSPXUI@PTBLB ࿩ͨ͜͠ͱ ˔ ηΩϡϦςΟܥΞοϓσʔτΛ͓͞Β͍ ˔ "840SHBOJ[BUJPOTͷΞϓσΛ঺հ ˔ ↳ એݴܕϙϦγʔΛਂງΓ ˓

SFHSPXUI@PTBLB ࢀߟ ˔ 4JNQMJGZHPWFSOBODFXJUIEFDMBSBUJWFQPMJDJFTc"84/FXT#MPH ˔ <Ξοϓσʔτ>"840SHBOJ[BUJPOTͰએݴܕϙϦγʔ EFDMBSBUJWFQPMJDJFT ͕ར༻Մೳʹͳ Γ·ͨ͠ "84SFOWFOUc%FWFMPQFST0

SFHSPXUI@PTBLB ࢀߟ • 識別 ◦ Introducing the Amazon Security Lake