セキュリティ運用エージェントGuardDuty-Operatorを作って社内に配ってみた @ JAWS-UG SRE支部

ηΩϡϦςΟӡ༻ΤʔδΣϯτ (VBSE%VUZ0QFSBUPSΛ ࡞ͬͯࣾ಺ʹ഑ͬͯΈͨ 4JN4UB !TIJNBHBKJ +"846(43& ू·ΕʂԶͨͪͷ࡞ͬͨ࠷ڧͷӡ༻"HFOUେ-5େձ KBXTVH@TSF

ࣗݾ঺հ +BQBO"845PQ&OHJOFFS +BQBO"MM"84$FSUJGJDBUJPOT&OHJOFFS "84$PNNVOJUZ#VJMEFS ࡛ۄˠࡳຈˠਆಸ઒ˠࡳຈ 4JN4UBʢΦϯϥΠϯͷ͕ͨ͢ʣ ,%%*ΞδϟΠϧ։ൃηϯλʔגࣜձࣾʢ,"(ʣ ϓϥοτϑΥʔϜΤϯδχΞϦϯά෦ ઓུاը෦ 4FSWFSMFTT
ΧάΧά !TIJNBHBKJ 5XJUUFS

௚ۙͷొஃ༧ఆ ίετ࡟ݮπʔϧ/"54DIFEVMFSͷ࿩ ηΩϡϦςΟӡ༻ΤʔδΣϯτ (VBSE%VUZ0QFSBUPSͷ࿩ ʢԾʣ഑৴தʹۓٸ஍਒଎ใΛड৴ͨ͠Βʜͳ࿩

"HFOEB • (VBSE%VUZʹؔ͢Δ೰Έ • ,"(ͷ1MBUGPSN&OHJOFFSJOHͱLBHUPPMT • (VBSE%VUZ4VNNBSJ[FSͷ঺հ • #FESPDL"HFOU$PSFͷొ৔ •
(VBSE%VUZ0QFSBUPSͷ঺հ • ࡞ͬͯ഑ͬͯ෼͔ͬͨ՝୊ • ·ͱΊ

(VBSE%VUZ ͪΌΜͱӡ༻Ͱ͖ͯ·͔͢ʁ

(VBSE%VUZͱͦͷ௨஌ • $MPVE5SBJMͳͲͷΞΫςΟϏςΟͳͲΛݩʹҟৗΛ؂ࢹ͠ɺ "84ΞΧ΢ϯτʹ࣮ࡍʹى͖͍ͯΔڴҖΛݕग़ͯ͠௨஌ • 4FDVSJUZ)VCͱ͍ͬͨʮΞΧ΢ϯτͷηΩϡϦςΟෆඋʯͰͳ͘ ʮΞΧ΢ϯτʹൃੜͨ͠ڴҖͦͷ΋ͷʯ͕ಧ͘ͷͰɺ ௨஌͞ΕͨΒ͙͢ʹରԠ͠ͳ͚Ε͹ͳΒͳ͍ ˠͰ͸(VBSE%VUZ͔Βͷ௨஌͸ͲΜͳײ͡Ͱಧ͘ʁ

ʮ&$ͷϩʔϧೝূ৘ใ͕"84֎͔Βར༻͞Εͨʯ ͱ͍͏ڴҖͷ௨஌ ΠϕϯτΛͦͷ··௨஌͢Δͱ ˡͷΑ͏ͳ௕͍௕͍+40/͕ಧ͘ &WFOU#SJEHF -BNCEBͳͲͰ੔ܗ͸Ͱ͖Δ͕ ։ൃऀʹͱͬͯ͸ೝ஌ෛՙ͕ߴ͘ ʮԿ͕ى͖͍ͯͯɺͲ͏͢Ε͹͍͍ʁʯΛ ൑அɾ࣮ߦͰ͖Δਓ͸গͳ͍ ˣ
ೝ஌ෛՙΛԼ͛ͯ ୭Ͱ΋ཧղɾରԠͰ͖ΔΑ͏ʹ͍ͨ͠ʂ ͜Μͳײ͡

,"(ͷ 1MBUGPSN&OHJOFFSJOHͱ LBHUPPMT

,"(ͷ1MBUGPSN&OHJOFFSJOHͱLBHUPPMT • ։ൃνʔϜͷೝ஌ෛՙΛܰݮ͢ΔηϧϑαʔϏεπʔϧΛ LBHUPPMTͱͯࣾ͠಺Ͱల։ • (JU)VC&OUFSQSJTFͷϦϙδτϦʹͯΠϯφʔιʔεͱͯ͠ఏڙ • ୭Ͱ΋ίϯτϦϏϡʔτ0, • ηΩϡϦςΟɺΨόφϯεɺίετ࡟ݮɺ։ൃ؀ڥͳͲ͍Ζ͍Ζ
• ίετ࡟ݮܥπʔϧͷͭ/"54DIFEVMFSʹ͍ͭͯ͸ Ұࡢ೔ʢ݄ʣͷ+"846(ࡳຈºळాࢧ෦ίϥϘʹ͓ͯ࿩͠·ͨ͠ • ຊ೔঺հͷ(VBSE%VUZ4VNNBSJ[FS0QFSBUPS͸ηΩϡϦςΟܥͷπʔϧ

(VBSE%VUZ0QFSBUPSͷલ਎ (VBSE%VUZ4VNNBSJ[FSͷ঺հ

(VBSE%VUZ4VNNBSJ[FSͷ֓ཁ • (VBSE%VUZͷݕ஌಺༰Λ#FESPDLʢ$MBVEF4POOFUʣʹ౉ͯ͠ ཁ໿͔ͤͯ͞ΒϢʔβʔʹ௨஌͢Δπʔϧ • ม਺ΛೖΕͯγΣϧεΫϦϓτΛ࣮ߦ͢Δ͚ͩͰ୭Ͱ΋؆୯ʹσϓϩΠ • 4UFQ'VODUJPOTͰ׬݁ɺ-BNCEBϨεͰϝϯςφϯεָ͕ • 4FDVSJUZ)VCͰϚϧνΞΧ΢ϯτͷ(VBSE%VUZΛू໿͍ͯ͠Ε͹
୯Ұͷ؅ཧΞΧ΢ϯτʹσϓϩΠ͢Δ͚ͩͰ0, • #FESPDLͷϞσϧ͸୯७ʹݺͼग़͚ͩ͢ͳͷͰɺϞσϧͷ஌ࣝʹґଘ ʢ3"(΍"84υΩϡϝϯτͷࢀর͸͠ͳ͍ʣ

AWS Cloud GuardDuty Step Functions Bedrock SNS Invoke Execute EventBridge
User Threats E-Mail Publish Slack Security Hub ᶃ(VBSE%VUZͷΠϕϯτΛ௚઀र͏ ᶄ4FDVSJUZ)VCʹू໿͞ΕͨΠϕϯτΛर͏ ͷͲͪΒ͔Λબ୒ͯ͠σϓϩΠՄೳ (VBSE%VUZ4VNNBSJ[FSͷߏ੒ (VBSE%VUZͷݕ஌಺༰Λཁ໿ͯ͠4MBDLʹ௨஌

#FESPDL"HFOU$PSFͷొ৔

#FESPDL"HFOU$PSF ࡞੒ͨ͠ੜ੒"*ΤʔδΣϯτΛσϓϩΠ͢ΔͨΊͷϓϥοτϑΥʔϜ 4USBOETͳͲΛ ίϯςφԽ ձ࿩ͷهԱ Մ؍ଌੑ˕ ଟ࠼ͳπʔϧͱ ҆શͳར༻ IUUQTHJUIVCDPNBXTMBCTBNB[POCFESPDLBHFOUDPSFTBNQMFTCMPCNBJOUVUPSJBMTJNBHFTBHFOUDPSF@PWFSWJFXQOH

#FESPDL"HFOU$PSFͷొ৔ʹΑΔϞνϕʔγϣϯ • (VBSE%VUZʹΑΔݕ஌ͷ୯७ͳཁ໿͚ͩͰͳ͘ɺʮࠓͲΜͳঢ়ଶʁʯ ʮͲ͏ରॲ͢Ε͹͍͍ͷʁʯ·Ͱ"*͕౿ΈࠐΊΔΑ͏ʹͳΓͦ͏ • 4USBOET"HFOUT #FESPDL"HFOU$PSFͷ૊Έ߹Θ͕ͤ ࠓޙελϯμʔυʹͳΔ͜ͱΛݟӽ͠ɺ൚༻తʹ࠶ར༻Ͱ͖Δ "*ΤʔδΣϯτͷςϯϓϨʔτΛ࡞͓͖͍ͬͯͨ •
ಛʹΠϕϯτۦಈΤʔδΣϯτʢ"NCJFOU"HFOUʣ͕ྲྀߦͬͯͨͷͰ ϊ΢ϋ΢ͷशಘͱࣾ಺΁ͷڞ༗Λ͍ͨ͠ ˠηΩϡϦςΟӡ༻ΤʔδΣϯτ(VBSE%VUZ0QFSBUPSΛ։ൃɾࣾ಺ల։

(VBSE%VUZ0QFSBUPSͷ঺հ

(VBSE%VUZ0QFSBUPSͷ֓ཁ • (VBSE%VUZͷݕ஌಺༰Λ#FESPDL"HFOU$PSFʢ4USBOETʣʹ౉ͯ͠ ௐࠪ͠ɺৄࡉ΍ਪ঑͞ΕΔίϚϯυΛؚΊͯϢʔβʔʹ௨஌͢Δπʔϧ • ϩʔΧϧ·ͨ͸$MPVE4IFMMͰ$%,Λ࢖ͬͯ୭Ͱ΋؆୯ʹσϓϩΠ ˠEFQMPZUJNFCVJME౥ࡌͰίϯςφΠϝʔδͷϏϧυΛΦϑϩʔυ • 4FDVSJUZ)VCͰϚϧνΞΧ΢ϯτͷ(VBSE%VUZΛू໿͍ͯ͠Ε͹ ୯Ұͷ؅ཧΞΧ΢ϯτʹσϓϩΠ͢Δ͚ͩͰ0,
• ݱࡏͷϦιʔεͷঢ়گ΍࠷৽ͷ"84υΩϡϝϯτΛࢀর͠ɺ ΑΓৄࡉͰ࣮֬ͳ৘ใΛ௨஌͢Δ͜ͱ͕Ͱ͖Δ

(VBSE%VUZ0QFSBUPSͷߏ੒ AWS Cloud ECR AgentCore Runtime AWS API MCP Slack
Lambda AWS Knowledge MCP SNS Strands Agents GuardDuty EventBridge (VBSE%VUZͷݕ஌಺༰Λৄࡉௐࠪͯ͠4MBDLʹ௨஌ SNS Security Hub ᶃ(VBSE%VUZͷΠϕϯτΛ௚઀र͏ ᶄ4FDVSJUZ)VCʹू໿͞ΕͨΠϕϯτΛर͏ ͷͲͪΒ͔Λબ୒ͯ͠σϓϩΠՄೳ

(VBSE%VUZͷݕ஌಺༰Λৄࡉௐࠪͯ͠4MBDLʹ௨஌ %FW0QT"HFOUͷΑ͏ʹਪ঑$-*ίϚϯυͳͲΛग़ྗ (VBSE%VUZ0QFSBUPSͷߏ੒

࡞ͬͨ"*ΤʔδΣϯτΛ ࣾ಺Ͱ഑ͬͯΈͨ

ηϧϑαʔϏεπʔϧͱͯ͠εΫϥϜνʔϜʹల։ Platform Team User User User GitHub Enterprise (JU)VC&OUFSQSJTFͰ$%,ςϯϓϨʔτΛ഑෍ ཧ૝

ηϧϑαʔϏεπʔϧͱͯ͠εΫϥϜνʔϜʹల։ Platform Team User User User GitHub Enterprise (JU)VC&OUFSQSJTFͰ$%,ςϯϓϨʔτΛ഑෍ ݱ࣮

࢖ͬͯ͘ΕΔνʔϜ͕ ͍ͳ͍ʜ ʢ࣌఺ʣ

࡞ͬͯ഑ͬͯ෼͔ͬͨ՝୊ • πʔϧ͸࡞ͬͯ഑ͬͨΒऴΘΓͰ͸ͳ͘ɺ࢖ΘΕͳ͍ͱՁ஋͕ͳ͍ • (VBSE%VUZͷݕ஌ػձͷগͳ͞ˍϑΟʔυόοΫͷෆ଍Ͱ վળϧʔϓ͕ճΒͳ͘ͳͬͯ͠·͏ • ஌ΒͤΔର࿩ʢʹࣾ಺ϚʔέςΟϯάʣ͍ͩ͡ • ฉ͖ʹ͍͘ର࿩ʢʹ֤νʔϜͱʮ՝୊ײʯʮຊ౰ʹඞཁͳ΋ͷʯ
ʮηΩϡϦςΟ؍ʯΛ͢Γ߹ΘͤΔ͜ͱʣ΋͍ͩ͡ • ηϧϑαʔϏεͷ"*ΤʔδΣϯτπʔϧΛల։͢Δࡍ͸ ʮ࠷ॳͷҰาΛ౿Έग़ͤ͞ΔͨΊͷಋઢʯͷઃܭ͕ॏཁ

·ͱΊ

·ͱΊ • ηΩϡϦςΟ໘Ͱॏཁ͕ͩೝ஌ෛՙͷߴ͍(VBSE%VUZͷݕ஌಺༰Λ "*ʢΤʔδΣϯτʣπʔϧܦ༝ͰཧղͰ͖Δܗࣜʹͯ͠௨஌ • (VBSE%VUZ4VNNBSJ[FS0QFSBUPS͍ͣΕ΋ɺ؆୯ʹσϓϩΠՄೳͳ ηϧϑαʔϏεπʔϧͱͯࣾ͠಺ఏڙ • ͔͠͠ɺ࡞ͬͯఏڙ͚ͨͩ͠Ͱ͸࢖ΘΕͣɺվળ΋͞Εͳ͍ •
πʔϧΛ࢖ͬͯ΋Β͏ͨΊͷʮ஌ΒͤΔର࿩ʯʮฉ͖ʹ͍͘ର࿩ʯ͕ 1MBUGPSN&OHJOFFSJOHͰ͸͍ͩ͡ʂ

5IBOLZPVʂ

セキュリティ運用エージェントGuardDuty-Operatorを作って社内に配ってみた @ ...

セキュリティ運用エージェントGuardDuty-Operatorを作って社内に配ってみた @ JAWS-UG SRE支部

SimSta

More Decks by SimSta

Featured

Transcript