クラウド脆弱性の傾向とShisho Cloudの活用

Transcript

1. Ϋϥ΢υ੬ऑੑͷ܏޲ͱShisho Cloudͷ׆༻ ʮ2025/03/17 Ϋϥ΢υΛ׆༻͢Δ։ൃ૊৫ͷ࣮ફతηΩϡϦςΟରࡦ ʙ੬ऑੑ਍அͱDB΁ͷΞΫηε੍ޚʙʯ ϑΝΠϯσΟגࣜձࣾ ϓϩμΫτ։ൃ෦/SRE ҆ୡ ྋ(@adachin0817)

2. ࣗݾ঺հ

3. 3 ࣗݾ঺հ ҆ୡ ྋ(@adachin0817) ɾϑΝΠϯσΟ(ג) / ϓϩμΫτ։ൃ෦/Senior SRE ɾBlog: blog.adachin.me/wiki.adachin.me

   ɾTechBull(ΤϯδχΞίϛϡχςΟ) techbull.cloud ɹɾSRE/ΤϯδχΞͷϝϯλϦϯά ྦྷܭ300໊↑ ɹɾίϛϡχςΟϚωʔδϟʔ ɾ͔ͭͯ͸OSS൛VulsͷίϯτϦϏϡʔλʔ΍Πϕϯτओ࠵ͳͲ ɾ89೥ੜ·Εɺ౦ژ౎଍ཱ۠ग़਎Ͱ࡛ۄݝय़೔෦ࢢ͕஍ݩ ɾϑϨϯνϒϧυοάͷࣂ͍ओͰ΋͋Δ

4. 4

5. ԣஅSREνʔϜͷҐஔ͚ͮͱϛογϣϯ

6. ԣஅSREνʔϜͷҐஔ͚ͮͱϛογϣϯ • ԣஅSREνʔϜ ◦ ڈ೥͔ΒνʔϜͱ্ཱ͓ͯͪ͛ͯ͠Γɺݱࡏ͸4໊Ͱ׆ಈ͍ͯ͠Δ • SREͷଘࡏҙٛ ◦ SRE͸ಓΛ࡞ΔͨΊʹଘࡏ͢Δ(։ൃͷεϐʔυͱ҆શੑΛཱ྆) ◦

   ϦεΫΛड͚ೖΕɺ؅ཧ͢Δ(ো֐ͷϦεΫΛ࠷খݶʹ཈͑ͭͭɺޮ཰తͳӡ༻Λ໨ࢦ͢) ◦ SLOΛܭଌ͢Δ(৴པੑͷόϥϯεΛऔΔͨΊͷج४Λࡦఆ) ◦ τΠϧͷ࡟ݮͱࣗಈԽ(Ձ஋ͷߴ͍ۀ຿ʹूதͰ͖Δ؀ڥΛఏڙ) ◦ ϓϩμΫτͷࢧԉ(։ൃεϐʔυͱ৴པੑͷόϥϯεΛอͭͨΊʹٕज़ࢧԉ) ◦ ηΩϡϦςΟͷՄࢹԽͱڧԽ (જࡏతͳϦεΫΛൃݟ͠ɺγεςϜΛΑΓ҆શͳঢ়ଶʹอͭ) • ୹ظϛογϣϯ ◦ ʮϑΝΠϯσΟͷࣄۀ੒௕Λࢧ͑ΔͨΊʹɺSRE૊৫ͷ͋Γํͷཱ֬ʯ • தظϛογϣϯ ◦ ʮࣾһશһ͕ࣄۀ੒௕ʹूதͰ͖ΔΑ͏ͳ࢓૊ΈΛߏங͠ɺ҆શʹఏڙʯ 6

7. ৄ͍͠औΓ૊Έʹ͍ͭͯ͸Findy Tech BlogΛࢀߟʹʂ 7

8. ۙ೥ͷ੬ऑੑʹ͍ͭͯ

9. ۙ೥ͷ੬ऑੑ͸೥ʑ૿Ճ͍ͯ͠Δ 9 ࢀߟ: https://www.first.org/epss/data_stats https://blog.adachin.me/archives/53851 https://vuls.biz/blog/articles/20240822a/

10. ߈ܸܦ࿏ͱ૊৫ͷηΩϡϦςΟରԠྗ 10 ࢀߟ: https://vuls.biz/blog/articles/20240822a/

11. Top Threats to Cloud Computing 2024 Ϋϥ΢υॏେڴҖϨϙʔτ

12. Top Threats to Cloud Computing 2024 • 2024೥ Ϋϥ΢υॏେڴҖϨϙʔτ ◦

    CSA(Ϋϥ΢υηΩϡϦςΟΞϥΠΞϯε)ຊ෦ ◦ 2೥ʹҰ౓ڴҖϨϙʔτΛެ։ ◦ 500ਓҎ্ͷۀքઐ໳ՈΛର৅ʹಛఆ • ՝୊ ◦ ॱҐ͕Լ͕͓ͬͯΓݒ೦͞ΕΔ΋ͷͰ͸ͳ͍ ◦ ઃఆϛεͱෆे෼ͳมߋ؅ཧ ◦ IAMʹΑΔΞΫηε؅ཧ ◦ ηΩϡΞͰ͸ͳ͍ΠϯλʔϑΣʔε΍API ◦ Ϋϥ΢υηΩϡϦςΟͷΞʔΩςΫνϟ ͱઓུͷܽ೗ 12 ࢀߟ: https://www.cloudsecurityalliance.jp/site/?p=35829

13. Top Threats to Cloud Computing 2024 • ࠓޙͷݟ௨͠ ◦ AIΛؚΉΑΓߴ౓Խͳ߈ܸ

    ◦ αϓϥΠνΣʔϯͷϦεΫ ◦ ਐԽ͢Δن੍ͷঢ়گ ◦ Ransomware-as-a-Service(RaaS) • ରࡦ ◦ SDLC(ιϑτ΢ΣΞ։ൃϥΠϑαΠΫϧ)Λ௨ͨ͡ AIͷ౷߹ ◦ AIΛ׆༻ͨ͠ηΩϡϦςΟπʔϧ ◦ θϩτϥετηΩϡϦςΟϞσϧ ◦ ࣗಈԽͱΦʔέετϨʔγϣϯ ◦ ηΩϡϦςΟεΩϧͷ֨ࠩ 13 ࢀߟ: https://www.cloudsecurityalliance.jp/site/?p=35829

14. Ϋϥ΢υηΩϡϦςΟʹऔΓ૊ΉୈҰา

15. Ϋϥ΢υηΩϡϦςΟʹऔΓ૊ΉࡍͷୈҰา • ηΩϡϦςΟ਍அͱݱঢ়೺Ѳ / CSPM(Cloud Security Posture Management) ◦ ઃఆϛε΍੬ऑͳϦιʔεΛՄࢹԽ͠ɺ༏ઌ͢΂͖ϦεΫΛಛఆ

    ◦ ૣظରԠͰηΩϡϦςΟΠϯγσϯτΛະવʹ๷͙ • ηΩϡϦςΟ؂ࢹͱΞϥʔτͷઃఆ ◦ ҟৗͳϩάΠϯ΍ڴҖΛϦΞϧλΠϜʹݕग़ ◦ ඞཁͳΞϥʔτΛద੾ʹઃఆ͠ɺਝ଎ͳରԠΛՄೳʹ • TrivyΛ׆༻ͨ͠ηΩϡϦςΟεΩϟϯ ◦ ط஌ͷ؀ڥʹର͢Δ਍அͱɺ৽نߏங࣌ͷࣗಈεΩϟϯΛCIԽ • ηΩϡϦςΟϩάͷՄࢹԽ ◦ AWS WAFɺCloudTrailɺGuardDutyͷঢ়ଶΛઃఆ͢Δ͚ͩͰͳ͘ՄࢹԽɾ෼ੳ ◦ ҟৗݕ஌ͷਫ਼౓Λ޲্ͤ͞ɺରԠεϐʔυΛਐΊΔ • ηΩϡϦςΟڭҭͱҙࣝ޲্ ◦ νʔϜશମͷηΩϡϦςΟҙࣝΛߴΊΔ͜ͱ͕େ੾ ◦ ࠷৽ͷڴҖ΍ରࡦํ๏Λڞ༗͢Δ৔Λઃ͚Δ 15

16. Ϋϥ΢υηΩϡϦςΟڧԽʹ͓͚ΔπʔϧબఆͷΞϓϩʔν • ౰ॳͷܭը: AWS Security Hub Λ׆༻ͨ͠ηΩϡϦςΟ؅ཧΛݕ౼ ◦ AWS OrganizationsͰ؅ཧ͍ͯ͠ΔͨΊɺ਺ेݸҎ্ͷΫϩεΞΧ΢ϯτ͕ଘࡏ

    ◦ σʔλ෼ੳͰ͸GCP΋ར༻͍ͯ͠ΔͨΊɺҰݩ؅ཧ͕Ͱ͖ͣɺҰ؏ੑ͕อͯͳ͍ ◦ ༷ʑͳαʔϏε͕ಈ࡞͢ΔͨΊɺෳࡶʹͳΓ΍͘͢ɺίετ͕ߴ͘ͳΓ΍͍͢ ◦ ૢ࡞ੑɺධՁ݁Ռͷࢹೝੑ͕ѱ͘ɺτϦΞʔδͷूܭʹ޻਺͕͔͔Δ ◦ ରԠํ๏ͷυΩϡϝϯτ͕ӳޠͩΒ͚ͰΤϯδχΞ͕ૉૣ͘ରԠͰ͖ͳ͍ • ༷ʑͳΫϥ΢υηΩϡϦςΟπʔϧΛࢼݧಋೖ ◦ ػೳ΍ૢ࡞ੑɺίετύϑΥʔϚϯεͷ؍఺͔Βൺֱݕ౼ ◦ Shisho Cloud͕࠷΋ཁ݅ʹద߹͠ɺಋೖͷܾఆʹ🎉 16

17. Shisho Cloudͷಋೖ

18. Shisho Cloudͷ࢖͍΍͢͞ • Simple is the best ◦ ϚϧνΫϥ΢υͷҰݩ؅ཧ ◦

    ηΩϡϦςΟઐ໳஌͕ࣝͳͯ͘΋ରԠՄೳ ◦ ϦεΫͷଈ࣌ՄࢹԽ ◦ ೔ຊޠରԠͷஸೡͳϨϙʔτ ◦ ಋೖͷ༰қ͞ͱݕग़݁Ռͷ଎͞ ◦ े෼ʹ४උ͞ΕͯΔϚωʔδυϙϦγʔ ◦ ϫʔΫϑϩʔʹΑΔΧελϚΠζੑͷߴ͞ ◦ Ձ͕͍֨҆ 18

19. Shisho Cloudͷӡ༻ϙΠϯτ • ηΩϡϦςΟΨΠυϥΠϯϙϦγʔͷ࡞੒ ◦ ࢛൒ظ͝ͱʹ༏ઌ౓ͷߴ͍IssueΛ͢΂ͯରԠ͢Δ͜ͱΛ໨ඪʹઃఆ • ηΩϡϦςΟ؂ࢹͱΞϥʔτͷઃఆ ◦ ֤ϓϩδΣΫτʹઐ༻ͷSlackνϟϯωϧΛ࡞੒

    ◦ ؔ܎ऀΛר͖ࠐΉ࢓૊ΈΛߏங ◦ Embedded SRE޲͚ʹ৘ใڞ༗ͷ৔Λઃ͚Δ ◦ τϦΞʔδ͞ΕͨΞϥʔτ͸͢΂ͯରԠ͢Δඞཁ͸ͳ͘ɺ༏ઌ౓͔ΒߜΔ • ηΩϡϦςΟରԠͷܗ֚ԽΛ๷͗ɺνʔϜͷཱࣗΛଅਐ ◦ ηΩϡϦςΟରԠͷܗ֚ԽΛ๷͗ɺνʔϜͷཱࣗΛଅਐ 19

20. Shisho Cloudͷӡ༻՝୊ • ৽نΠϯϑϥߏங࣌ʹຖճΞϥʔτͷޡݕ஌͕ൃੜ ◦ Terraform ͰશΠϯϑϥΛ؅ཧ͍ͯ͠Δ͕ɺ؀ڥ͝ͱͷ౷Ұϧʔϧ͕ͳ͍ ◦ ෛՙςετ؀ڥ΍৽نΠϯϑϥ؀ڥͷςϯϓϨʔτԽ͕ະ੔උ ◦

    ηΩϡϦςΟϙϦγʔ͕؀ڥ͝ͱʹ౷Ұ͞Ε͓ͯΒͣɺෆཁͳΞϥʔτ͕ൃੜ ◦ Slack ௨஌͕ଟൃ͠ɺϊΠζͰຒ·ͬͯ͠·͏ • ॏཁͳ௨஌ݕ஌ ◦ Critical / High ͷΞϥʔτ͸ Slack Ͱϝϯγϣϯ෇͖௨஌ ◦ ϊΠζΛݮΒ͠ɺରԠ͢΂͖ΞϥʔτʹूதͰ͖Δ؀ڥΛߏங 20

21. Findy ToolsͰ΋ϨϏϡʔ͍ͯ͠·͢ʂ 21

22. ηΩϡϦςΟϩάج൫

23. ηΩϡϦςΟϩάج൫ • Amazon Security Lakeͷ׆༻ ◦ AWS಺ͰϦΞϧλΠϜʹԿ͕ى͖͍ͯΔ͔൑அͰ͖ͳ͍ ◦ ηΩϡϦςΟपΓͷϞχλϦϯάڧԽ ◦

    CloudTrailɺWAFɺVPC Flow LogɺRoute53 (DNS Query)Λର৅ʹՄࢹԽ͠෼ੳ ◦ Security LakeͰ؆୯ʹҰݩ؅ཧ͕Մೳ ◦ ݄਺ສԁఔ౓Ͱ࣮૷ՄೳͰίεύ͕ྑ͍ ◦ Amazon Managed GrafanaͰμογϡϘʔυԽ 23

24. WAF Log • WAF(Web ACL) ◦ Request by Country(ࠃผͷϦΫΤετ਺) ◦

    Heat map ◦ Bar graph ◦ Total Request(શϦΫΤετͷूܭ) ◦ WAF Rule Request(WAFϧʔϧ͝ͱͷϦΫΤετ਺) ◦ Access Ranking(IPΞυϨε΍URL͝ͱͷϦΫΤετ਺) ◦ WAF Analytics Logs(෼ੳ༻ͷϩά/ϒϩοΫ৘ใͳͲ) 24

25. CloudTrail Log • CloudTrail ◦ Total Event Count(શΠϕϯτ਺) ◦ Total

    Errors(શΤϥʔ਺) ◦ Event History(Πϕϯτཤྺ) ◦ Top Event Names(Πϕϯτ໊) ◦ Total Event Source(Πϕϯτൃੜݩ) ◦ Top Users(ϢʔβʔϥϯΩϯά) ◦ Total Source IP(ૢ࡞ݩͷIPΞυϨε) ◦ S3 Access Denied(S3ͰΞΫηεڋ൱͞Εͨճ਺) ◦ EC2 Change Event Count(EC2ͷઃఆมߋճ਺) ◦ VPC Change Event Count(VPCͷઃఆมߋճ਺) ◦ Security Group Change Event Count(SGͷઃఆมߋճ਺) ◦ Error Event(෼ੳ༻ΤϥʔΠϕϯτ) 25

26. खಈ ੬ऑੑ਍அ

27. खಈ ੬ऑੑ਍அ࣮ࢪ • GMO Flatt Security x WebΞϓϦέʔγϣϯ਍அ ◦ 2023೥ʙ

    ࣮ࢪࡁΈ ◦ SQLΠϯδΣΫγϣϯ ◦ XSSɺೝূɾೝՄͷ໰୊ͳͲ ◦ ༷ʑͳ੬ऑੑ਍அʹରԠ͍ͯ͠Δ ◦ ใࠂॻ/Ϩϙʔτ΋ඇৗʹݟ΍͍͢ ◦ ΞϑλʔαʔϏε΋ॆ࣮͍ͯ͠Δ 27

28. Findy Team+ SOC2 Type1

29. Findy Team+ SOC2 Type1Λऔಘ 29

30. ·ͱΊ

31. ·ͱΊ • Ϋϥ΢υηΩϡϦςΟपΓ͸ՄࢹԽͯ͠ܧଓతʹ෼ੳͱରࡦΛ͢Δ͜ͱ • Shisho Cloud/ϫʔΫϑϩʔͷΧελϚΠζΛ׆͔͖͠Εͯͳ͍ ◦ ඞཁʹԠͯ͡૊৫ݻ༗ͷϙϦγʔΛઃఆ͠ɺӡ༻ʹద༻͢Δ ◦ AWSΞΧ΢ϯτͷ൑ఆج४Λ໌֬Խ͠ɺCritical,HighϨϕϧͷݕ஌࿙ΕΛ๷ࢭ

    ◦ طଘΞϥʔτͷվमͱ୨Է͠ • ηΩϡϦςΟϩάج൫ͷ෼ੳ ◦ Security LakeΛ༻͍ͨج൫͸Ͱ͖ͨͷͰɺ෼ੳΛਐΊ͍ͯ͘ ◦ μογϡϘʔυͷΧελϚΠζ΍ఆظతͳৼΓฦΓΛ࣮ࢪ͠ɺӡ༻վળΛਤΔ ◦ SQLͷ݁Ռ͔ΒBedrockͰ෼ੳ༧ఆ 31

32. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ