Security-JAWS-Speciality-Study

ରࡦຊൃചه೦ "84ೝఆηΩϡϦςΟ߹֨ͷίπ લฤ /3*ωοτίϜגࣜձࣾɹ ࠤʑ໦୓࿠ 4FDVSJUZ+"84ୈճ #secjaws

ࠤʑ໦୓࿠ CMPHIUUQTCMPHUBLVSPTOFU 5XJUUFS!ELGK ࣗݾ঺հ #secjaws

+BQBO"1/"NCBTTBEPS બग़͞Ε·ͨ͠ ࣗݾ঺հ #secjaws

ೝఆηΩϡϦςΟࢼݧͷରࡦຊ ཁ఺੔ཧ͔Β߈ུ͢Δ ʰ"84ೝఆηΩϡϦςΟઐ໳஌ࣝʱ IUUQTBN[OUP1,4D( "84ೝఆηΩϡϦςΟઐ໳஌ࣝͷษڧͷ࢓ํͱ "84ͷηΩϡϦςΟͷΨΠυϒοΫͱͯࣥ͠චʢͨͭ͠΋Γʣ #secjaws

ࠓ೔࿩͢಺༰ "84ͷηΩϡϦςΟͷߟ͑ํͱೝఆࢼݧ "84ʹ͓͚Δ̏ͭͷηΩϡϦςΟͷ࣠ ॏ఺ڧԽྖҬ #secjaws

ຊ೔ͷΰʔϧ "84ͷηΩϡϦςΟͬͯɺ͜͏͍͏͜ͱ΍ΔΜͩΑͱ ಉ྅ʹ࿩ͤΔΑ͏ʹͳΔ 㱺ਓʹઆ໌͢Δͷ͕ɺཧղ΁ͷૣಓʂʂ *".ϕετϓϥΫςΟεʹ͍ͭͯϏσΦͰઆ໌͢Δ *".ͰͷηΩϡϦςΟͷϕετϓϥΫςΟε IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFCFTUQSBDUJDFTIUNM #secjaws

"84ͷηΩϡϦςΟͱೝఆࢼݧ

"84ೝఆηΩϡϦςΟɹઐ໳஌ࣝ ιϦϡʔγϣϯΞʔΩςΫτͱͷҧ͍ ιϦϡʔγϣϯ ΞʔΩςΫτ ηΩϡϦςΟ ઐ໳஌ࣝ ͲͷΑ͏ʹ࡞Δͷ͔ʁ ͲͷΑ͏ʹ҆શΛ ֬อ͢Δͷ͔ʁ #secjaws

ࢼݧൣғͱ഑఺ ߲൪ ෼໺ ׂ߹ ΠϯγσϯτରԠ ϩάͱ؂ࢹ
ΠϯϑϥετϥΫνϟͷ ηΩϡϦςΟ *%͓ΑͼΞΫηε؅ཧ σʔλอޢ ॏ఺߲໨ #secjaws

"84ͱηΩϡϦςΟ ͍Ζ͍Ζ΍Δ͜ͱ͕ଟͯ͘ɺ ΍΍͍͜͠ͱࢥͬͨ͜ͱ͋Γ·ͤΜ͔ શମ૾Λ೺Ѳ͢ΔͨΊʹɺͬ͘͟Γͱ ෼ྨͯ͠Έ·͠ΐ͏ #secjaws

ڊਓͷݞͷ্ʹཱͭ Ұ͔Βશ෦ࣗ෼Ͱߟ͑Δͱେม ϑϨʔϜϫʔΫʹ৐ͬͯɺ࠷খݶͷ࿑ྗͰ ·ͣ͸ఆੴΛ֮͑ͯɺਅࣅΔ͜ͱ͔Β࢝ΊΔ #secjaws

/*45αΠόʔηΩϡϦςΟϑϨʔϜϫʔΫ ෼ྨ ΧςΰϦʔ ಛఆ ʢ*EFOUJGZʣ ɾࢿ࢈؅ཧ ɾϏδωε؀ڥ ɾΨόφϯε ɾϦεΫΞηεϝϯτɺϦεΫΞηεϝϯτ؅ཧ ɾαϓϥΠνΣʔϯϦεΫϚωδϝϯτ
๷ޚ ʢ1SPUFDUʣ ɾΞΫηε੍ޚ ɾҙࣝ޲্͓ΑͼτϨʔχϯά ɾσʔληΩϡϦςΟ ɾ৘ใΛอޢ͢ΔͨΊͷϓϩηε͓Αͼखॱ ɾอक ɾอޢٕज़ ݕ஌ ʢ%FUFDUʣ ɾҟৗͱΠϕϯτ ɾηΩϡϦςΟͷܧଓతͳϞχλϦϯά ɾݕ஌ϓϩηε ରԠ ʢ3FTQPOEʣ ɾରԠܭըͷ࡞੒ ɾίϛϡχέʔγϣϯ ɾ෼ੳ ɾ௿ݮ ෮چ ʢ3FDPWFSʣ ɾ෮چܭըͷ࡞੒ ɾվળ ɾίϛχέʔγϣϯ IPA CSFίΞ https://www.ipa.go.jp/files/000071204.pdf

"848FMM"SDIJUFDUFEϑϨʔϜϫʔΫ ப ઃܭݪଇ ӡ༻্ͷ ༏लੑ ɾӡ༻Λίʔυͱͯ͠ӡ༻ ɾఆظతʹɺখن໛ͳɺݩʹ໭͢͜ͱ͕Ͱ͖ΔมߋΛద༻͢Δ ɾӡ༻खॱΛఆظతʹվળ͢Δ ɾো֐Λ༧૝͢Δ ɾ͋ΒΏΔӡ༻্ͷো֐͔ΒֶͿ
ηΩϡϦςΟ ɾڧݻͳೝূج൫ͷ࣮૷ ɾτϨαϏϦςΟʔͷ࣮ݱ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾηΩϡϦςΟͷϕετϓϥΫςΟεͷࣗಈԽ ɾ఻ૹத͓Αͼอ؅தͷσʔλอޢ ɾσʔλʹਓͷखΛೖΕͳ͍ ɾηΩϡϦςΟΠϕϯτ΁ͷඋ͑ ৴པੑ ɾো֐͔Βࣗಈతʹ෮چ͢Δ ɾ෮چखॱΛςετ͢Δ ɾਫฏํ޲ʹεέʔϧͯ͠ू߹తͳϫʔΫϩʔυͷՄ༻ੑΛߴΊΔ ɾΩϟύγςΟʔΛײʹཔΒͳ͍ ɾࣗಈԽͰมߋΛ؅ཧ͢Δ ύϑΥʔϚϯεޮ཰ ɾߴ౓ͳςΫϊϩδʔΛ୭Ͱ΋࢖͑ΔΑ͏ʹ͢Δ ɾ͢෼Ͱάϩʔόϧʹల։͢Δ ɾαʔόʔϨεΞʔΩςΫνϟΛ࢓༷͢Δ ɾΑΓසൟʹ࣮ݧ͢Δ ɾϝΧχΧϧγϯύγʔΛߟྀ͢Δ ίετ࠷దԽ ɾΫϥ΢υͷࡒ຿؅ཧͷӡ༻ ɾফඅϞσϧΛಋೖ͢Δ ɾશମతͳޮ཰Λଌఆ͢Δ ɾඅ༻Λ෼ੳ͠ɺؼ݁ͤ͞Δ AWS Well-Architected ϑϨʔϜϫʔΫ https://aws.amazon.com/jp/architecture/well-architected/

"848FMM"SDIJUFDUFEϑϨʔϜϫʔΫ ப ઃܭݪଇ ӡ༻্ͷ ༏लੑ ɾӡ༻Λίʔυͱͯ͠ӡ༻ ɾఆظతʹɺখن໛ͳɺݩʹ໭͢͜ͱ͕Ͱ͖ΔมߋΛద༻͢Δ ɾӡ༻खॱΛఆظతʹվળ͢Δ ɾো֐Λ༧૝͢Δ ɾ͋ΒΏΔӡ༻্ͷো֐͔ΒֶͿ
ηΩϡϦςΟ ɾڧݻͳೝূج൫ͷ࣮૷ ɾτϨαϏϦςΟʔͷ࣮ݱ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾηΩϡϦςΟͷϕετϓϥΫςΟεͷࣗಈԽ ɾ఻ૹத͓Αͼอ؅தͷσʔλอޢ ɾσʔλʹਓͷखΛೖΕͳ͍ ɾηΩϡϦςΟΠϕϯτ΁ͷඋ͑ ৴པੑ ɾো֐͔Βࣗಈతʹ෮چ͢Δ ɾ෮چखॱΛςετ͢Δ ɾਫฏํ޲ʹεέʔϧͯ͠ू߹తͳϫʔΫϩʔυͷՄ༻ੑΛߴΊΔ ɾΩϟύγςΟʔΛײʹཔΒͳ͍ ɾࣗಈԽͰมߋΛ؅ཧ͢Δ ύϑΥʔϚϯεޮ཰ ɾߴ౓ͳςΫϊϩδʔΛ୭Ͱ΋࢖͑ΔΑ͏ʹ͢Δ ɾ͢෼Ͱάϩʔόϧʹల։͢Δ ɾαʔόʔϨεΞʔΩςΫνϟΛ࢓༷͢Δ ɾΑΓසൟʹ࣮ݧ͢Δ ɾϝΧχΧϧγϯύγʔΛߟྀ͢Δ ίετ࠷దԽ ɾΫϥ΢υͷࡒ຿؅ཧͷӡ༻ ɾফඅϞσϧΛಋೖ͢Δ ɾશମతͳޮ཰Λଌఆ͢Δ ɾඅ༻Λ෼ੳ͠ɺؼ݁ͤ͞Δ AWS Well-Architected ϑϨʔϜϫʔΫ https://aws.amazon.com/jp/architecture/well-architected/ "84ͷϑϨʔϜϫʔΫʹԊͬͯઃܭ͞Ε͍ͯ Δɻߟ͑ํΛཧղ͍ͯ͠ΔͱɺͦΕʹԊͬͨ ղ౴ΛબͿͱਖ਼ղʹͳΔ͜ͱ΋͋Δɻ

ϑϨʔϜϫʔΫʹԊͬͯ ઃܭ͞Ε͍ͯΔ͔Λߟ͑Δ

ϑϨʔϜϫʔΫʹ౰ͯ͸ΊͯΈΔͱʁ Lambda Systems Manager Automation CloudFormation Organizations SCP IAM SNS
Config CloudWatch Inspector Macie GuardDuty Shield Firewall Manager WAF VPC ༧๷ ๷ޚ ݕ஌ ରԠ ෮چ ௨஌ ࣗಈԽ Lambda CloudWatch ௐࠪ CloudWatch CloudTrail ౷߹ Security Hub #secjaws

ΞʔΩςΫνϟʔผʹݟͯΈΔͱ Shield WAF CloudFront ELB ߈ܸରࡦ ର৅Ϧιʔε NACL Security Group
ωοτϫʔΫ๷ޚ ର৅Ϧιʔε ELB EC2 RDS KMS σʔλอޢ ର৅Ϧιʔε EC2 RDS S3 %%P4߈ܸ ΞϓϦέʔγϣϯ ߈ܸ ෆਖ਼ ωοτϫʔΫ ΞΫηε ෆਖ਼ ɹσʔλΞΫηε Inspector Systems Manager αʔόʔ؅ཧ Security Hub CloudTrail CloudWatch GuardDuty Config VPC Flow logs ՄࢹԽɾϞχλϦϯά ௨஌ ௨஌ SNS ௨஌ ӡ༻୲౰ ؂ࢹ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾτϨαϏϦςΟʔͷ࣮ݱ #secjaws

γεςϜͷϨΠϠʔผʹ౰ͯ͸ΊΔͱ Ϛωδϝϯτ ίϯιʔϧ 71$Ծ૝ઐ༗ྖҬ &$04ྖҬ &#4ϩʔΧϧσΟεΫ 3%4σʔλϕʔε 4ετϨʔδ $MPVE8BUDI؂ࢹ %JSFDU$POOFDU/8
ηΩϡϦςΟͷରԠྫʢ๷ޚʣ ݕ஌ͷରԠྫ (VBSE%VUZ $POUSPM5PXFS 4FDVSJUZ)VC 'JSFXBMM.BOBHFS .BDJF 5SVTUFE"EWJTPS ɾ"84ΞΧ΢ϯτɿར༻੍ݶ ɾ*".Ϣʔβɿૢ࡞ݖݶͱ઀ଓݩ੍ݶ ɹར༻ՄೳϦιʔεʹର͢ΔΞΫηείϯτϩʔϧɺଟཁૉೝূͷಋೖ ɾຊ൪؀ڥɺ։ൃ؀ڥͱ͍ͬͨ؀ڥ୯ҐͰ71$ͷ෼཭ ɾαϒωοτ୯ҐͰͷ௨৴੍ޚɺϧʔςΟϯάઃఆ ɾ71$ϑϩʔϩάͷऔಘ ɾ4FDVSJUZ(SPVQʹΑΔαʔόؒ௨৴੍ޚ ɾ4ZTUFNT.BOBHFS౳Λར༻ͯ͠ͷɺαʔόঢ়ଶͷ೺ѲͱҰׅύον౰ͯ ɾαʔόͷϩάΠϯ؅ཧͷ࢓૊Έͱɺϩάू໿ͷ࢓૊Έͷಋೖ ɾ҉߸ԽΦϓγϣϯʹΑΔσΟεΫશମͷ҉߸Խ $MPVE5SBJMʹΑΔ "84ૢ࡞ཤྺ τϥϑΟοΫϩά ֤छΞϓϦέʔγϣϯϩά 04ϩάΠϯཤྺ %#؂ࠪϩά "84αʔϏε֤छʹΑΔ ϩάɾΞϥʔτ ݕࠪ͢Δ΂͖ϩά ɾઐ༻ઢʢ%9ʣ΍71/Λར༻ͨ͠ܦ࿏҆શͷ֬อ ɾ5SBOTJU(BUFXBZΛར༻ͨ͠71$ɾܦ࿏ͷ؅ཧ ɾܦ࿏ͷ৑௕ԽʹΑΔࣄۀܧଓੑͷ֬อ ɾDBMSͷػೳʹΑΔςʔϒϧશମʢදྖҬʣͷ҉߸Խ ɾDBʹର͢ΔΞΫηεݖݶͷ؅ཧ ɾ҉߸ԽΦϓγϣϯʹΑΔετϨʔδશମͷ҉߸Խ ɾΫϥΠΞϯταΠυ͸҉߸ԽΩʔʹΑΓσʔλΛอޢ ɾCloudWatchʹΑΔAWSͷ؂ࢹͱɺӡ༻؂ࢹιϑτ΢ΣΞΛར༻ͨ͠αʔ ϏεɺΞϓϦέʔγϣϯ؂ࢹͷซ༻ *OTQFDUPS "84ͷར༻ঢ়گͷ؂ࠪ "84ΞΧ΢ϯτͷઃఆͱΨόφϯε ηΩϡϦςΟʔΞϥʔτͷू໿ͱݕ஌ɾରԠ "84ͷෆਖ਼ར༻ͷݕ஌ 04ɺΞϓϦͷηΩϡϦςΟධՁ 'JSFXBMMͷҰݩ؅ཧͱݕ஌ɾରԠ 4಺ͷػີ৘ใͷݕग़ɺ෼ྨɺอޢ 0SHBOJ[BUJPOT #secjaws

༧๷త౷੍ͱൃݟత౷੍ ηΩϡϦςΟͷϕετϓϥΫςΟεͷҰͭ 0SHBOJ[BUJPO6OJU Automation AWS Systems Manager AWS Config Rule
ઃఆෆඋΛ ݕ஌ म෮ࢦࣔ ༧๷త౷੍ ൃݟత౷੍ SCP AWS Organizations SCPΛར༻ͯ͠ ΞΧ΢ϯτશମʹ ېࢭࣄ߲ͷઃఆ AWSΞΧ΢ϯτ IAM User ྫʣ SPPUϢʔβʔͷΞΫηεΩʔͷ ࡞੒Λېࢭ͢Δ ྫʣ *".Ϣʔβʔͷ.'"͕༗ޮʹ ͳ͍ͬͯΔ͔νΣοΫ͢Δ Ұ࣌తʹ IAMϢʔβʔͷ ແޮԽ #secjaws

͜ͷลΛҙࣝ͠ͳ͕Β ઃఆΛࣗ෼Ͱ΍Δͱ ഒཧղ͕ਐΉ

΋͏গ͠ղΓ΍͘͢͢ΔͨΊʹ "84্ͷγεςϜΛ෼ղ

"84ͱηΩϡϦςΟ "84ͷηΩϡϦςΟ͸̏ͭͷ࣠Ͱߟ͑Δ ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱαʔόʔͷηΩϡϦςΟ ᶄ"84ૢ࡞ʹؔ͢Δݖݶʢ*".ʣ ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢ΔͨΊͷ"84αʔϏε AWS Management Console Role VPC
AWS Cloud Subnet Internet gateway Amazon Simple Storage Service (S3) VPN gateway Endpoints User ૢ࡞ݖݶ Instance Instance Instance AWS Lambda Role ᶄ ᶃ AWS Command Line Interface AWS Config AWS Systems Manager AWS Service Catalog AWS Trusted Advisor AWS CloudTrail ᶅ ηΩϡϦςΟΛҡ࣋ ؅ཧ͢ΔαʔϏε #secjaws

ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱ αʔόʔͷηΩϡϦςΟ ੹೚ڞ༗Ϟσϧͷ੺࿮ͷ෦෼ ઃܭͷߟ͑ํ͸ΦϯϓϨͱେ͖͘ҧΘͳ͍͕ɺઃఆͷ࢓ ํ͸"84ͷྲّྀʹै͏ඞཁ͕͋Δ IUUQTBXTBNB[PODPNKQDPNQMJBODFTIBSFESFTQPOTJCJMJUZNPEFM #secjaws

ᶄ"84ͷૢ࡞ʹؔ͢Δݖݶʢ*".ʣ "84ͷηΩϡϦςΟͷத֩ͷҰͭ ͲΜͳʹωοτϫʔΫ΍αʔόʔͷηΩϡϦςΟΛڧݻʹ ͍ͯͯ͠΋ɺ"84Λ௚઀ૢ࡞͞ΕΔͱ͕݀։͚ΒΕΔ "84ͷബ͍ຊɹ*".ͷϚχΞοΫͳ࿩ IUUQTCPPUIQNKBJUFNT #secjaws

ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢Δ ɹͨΊͷ"84αʔϏε "84ಠࣗͷ෦෼ ར༻͠ͳͯ͘΋γεςϜΛηΩϡΞͳঢ়ଶΛҡ࣋Ͱ͖Δ͕ɺ ্ख͘׆༻͢ΔͱࣗྗͰ΍ΔΑΓഒָʹͳΔ "84ͷബ͍ຊᶘΞΧ΢ϯτηΩϡϦςΟͷϕʔγοΫηΦϦʔ IUUQTCPPUIQNKBJUFNT #secjaws

ॏ఺ڧԽྖҬ

ࢼݧൣғͱ഑఺ʢ࠶ܝʣ ߲൪ ෼໺ ׂ߹ ΠϯγσϯτରԠ ϩάͱ؂ࢹ
ΠϯϑϥετϥΫνϟͷ ηΩϡϦςΟ *%͓ΑͼΞΫηε؅ཧ σʔλอޢ ॏ఺߲໨ #secjaws

*".Λཧղ͢Δ "84ʹ͓͚Δ*%͓ΑͼΞΫηε؅ཧͷத৺͸*". ओཁػೳ͸ػೳͷΈͳͷͰɺಘҙ෼໺ʹ͢Δͱ༗ར #secjaws "NB[PO%ZOBNP%#ςʔϒϧ͔Β߲໨Λऔಘ͢Δ৽͍͠"84-BNCEBؔ਺ΛηΩϡϦςΟΤϯδχΞ͕ςετͨ͠ ࡍɺ͜ͷؔ਺͕σʔλΛ"NB[PO$MPVE8BUDI-PHTʹϩΪϯά͍ͯ͠ͳ͍͜ͱʹؾ෇͖·ͨ͠ɻ ͜ͷ-BNCEBؔ਺ʹΑͬͯ୅ߦ͞ΕΔϩʔϧʹɺ࣍ͷϙϦγʔׂ͕Γ౰ͯΒΕ͍ͯ·ͨ͠ɻ \ 7FSTJPO
4UBUFNFOU< \ 4JE%ZOBNP "DUJPO< EZOBNPEC(FU*UFN > &⒎FDU"MMPX 3FTPVSDF ^ ^ ͜ͷؔ਺͕ద੾ʹϩΪϯάͰ͖ΔΑ͏ʹ͢Δʹ͸ɺͲͷ࠷খݖݶϙϦγʔΛ௥Ճ͢Ε͹Α͍Ͱ͔͢ɻ αϯϓϧ໰୊ΑΓҾ༻

*".Λཧղ͢Δ #secjaws " \ 4JE-PHHJOH 3FTPVSDF
"DUJPO< MPHT > &⒎FDU"MMPX ^ # \ 4JE-PHHJOH 3FTPVSDF "DUJPO< MPHT$SFBUF-PH4USFBN > &⒎FDU"MMPX ^ $ \ 4JE-PHHJOH 3FTPVSDF "DUJPO< MPHT$SFBUF-PH(SPVQ MPHT$SFBUF-PH4USFBN MPHT1VU-PH&WFOUT > &⒎FDU"MMPX ^ % \ 4JE-PHHJOH 3FTPVSDF "DUJPO< MPHT$SFBUF-PH(SPVQ MPHT$SFBUF-PH4USFBN MPHT%FMFUF-PH(SPVQ MPHT%FMFUF-PH4USFBN MPHTHFU-PH&WFOUT MPHT1VU-PH&WFOUT > &⒎FDU"MMPX ^

,.4Λ࢖ͬͨݤ؅ཧͱ҉߸Խ σʔλอޢ͸ɺॏ఺෼໺ ҉߸Խͷख๏ʹ͍ͭͯͷཧղ͕ॏཁɻ·ͨܦ࿏ͷ҉߸Խͱ ͷ߹ٕͤͳͲ΋ཧղ͓ͯ͘͠ #secjaws ͋Δاۀ͕ࣾ಺Ϋϥ΢υηΩϡϦςΟϙϦγʔʹ͓͍ͯɺࣾ಺ͷ71$ʙ,.4ؒͷ௨৴͸͢΂ͯ"84಺Ͱߦ͍ɺ ύϒϦοΫαʔϏεΤϯυϙΠϯτΛ࢖༻ͯ͠͸ͳΒͳ͍ͱఆΊ͍ͯ·͢ɻ ࠷΋࣮֬ʹ͜ͷཁ݅Λຬͨ͢ʹ͸ɺͲ͏͢Ε͹Α͍Ͱ͔͢ ͭબ୒͍ͯͩ͘͠͞
ɻ " BXTTPVSDF7QDF৚݅Λɺࣾ಺ͷ71$ΤϯυϙΠϯτ*%Λࢀর͍ͯ͠Δ"84,.4ΩʔϙϦγʔʹ௥Ճ ͢Δɻ # 71$Πϯλʔωοτήʔτ΢ΣΠΛ71$͔Β࡟আ͠ɺԾ૝ϓϥΠϕʔτήʔτ΢ΣΠΛ71$ʹ௥Ճ͢Δ͜ ͱʹΑΓɺύϒϦοΫΠϯλʔωοτʹ௚઀઀ଓͰ͖ͳ͍Α͏ʹ͢Δɻ $ "84,.4ʹର͢Δ71$ΤϯυϙΠϯτΛ࡞੒͠ɺϓϥΠϕʔτ%/4Λ༗ޮԽ͢Δɻ % ,.4ͷΩʔΠϯϙʔτػೳΛ࢖༻ͯ͠ɺ"84,.4ΩʔΛ71/্ͰηΩϡΞʹసૹ͢Δɻ & BXT4PVSDF*Q৚݅Λ"84,.4ΩʔϙϦγʔʹ௥Ճ͢Δɻ αϯϓϧ໰୊ΑΓҾ༻

4ͱ&#4ͷσʔλอޢ σʔλอޢͱܦ࿏҉߸Խʹ͍ͭͯ #secjaws ͋Δاۀ͕ɺ"NB[PO4্ʹσʔλϨΠΫΛ࡞੒͠Α͏ͱ͍ͯ͠·͢ɻσʔλ͸ɺػີσʔλΛؚΉ਺ඦສݸͷ খن໛ϑΝΠϧ͔Β੒Γ·͢ɻηΩϡϦςΟνʔϜ͸ɺ͜ͷΞʔΩςΫνϟʹରͯ࣍͠ͷཁ݅ΛఆΊ͍ͯ·͢ɻ wૹ৴தσʔλΛ҉߸Խ͠ͳ͚Ε͹ͳΒͳ͍ɻ w֨ೲσʔλΛ҉߸Խ͠ͳ͚Ε͹ͳΒͳ͍ɻ wόέοτ͸ϓϥΠϕʔτͰͳ͚Ε͹ͳΒͳ͍ɻόέοτ͕ޡͬͯύϒϦοΫʹͳͬͨ৔߹ɺσʔλ͸ػີѻ ͍ͷ··Ͱͳ͚Ε͹ͳΒͳ͍ɻ
͜ΕΒͷཁ݅Λຬͨ͢ʹ͸ɺͲ͏͢Ε͹Α͍Ͱ͔͢ ͭબ୒͍ͯͩ͘͠͞ ɻ " "NB[PO4όέοτʹରͯ͠"&4҉߸ԽํࣜΛ༗ޮԽ͢Δɻʮ"NB[PO4Ͱ؅ཧ͞ΕΔΩʔΛ࢖༻ͨ͠ αʔόʔଆ҉߸Խʯ 44&4 Λ࢖༻͢Δɻ # 4όέοτʹରͯ͠σϑΥϧτͷ҉߸ԽํࣜΛ༗ޮԽ͢Δɻʮ"84,.4Ͱ؅ཧ͞ΕΔΩʔΛ࢖༻ͨ͠αʔ όʔଆ҉߸Խʯ 44&,.4 Λ࢖༻͢Δɻ $ 1VU0CKFDUϦΫΤετͷதʹBXT4FDVSF5SBOTQPSUؚ͕·Ε͍ͯͳ͍৔߹ʹڋ൱͢ΔόέοτϙϦ γʔΛ௥Ճ͢Δɻ % BXT4PVSDF*QΛ࢖༻ͯ͠ɺࣾ಺Πϯτϥωοτ͔ΒͷΞοϓϩʔυͱμ΢ϯϩʔυ͚ͩΛڐՄ͢Δόέο τϙϦγʔΛ௥Ճ͢Δɻ & "NB[PO.BDJFΛ༗ޮԽͯ͠ɺσʔλϨΠΫͷ4όέοτΛ؂ࢹ͠ɺόέοτʹมߋ͕Ճ͑ΒΕͨ৔߹ʹର ॲ͢Δɻ αϯϓϧ໰୊ΑΓҾ༻

·ͱΊ

ࠓ೔࿩ͨ͠ςʔϚ "84ͷηΩϡϦςΟͷߟ͑ํͱೝఆࢼݧ "84ʹ͓͚Δ̏ͭͷηΩϡϦςΟͷ࣠ ॏ఺ڧԽྖҬ #secjaws

Security-JAWS-Speciality-Study

Security-JAWS-Speciality-Study

Takuro SASAKI

More Decks by Takuro SASAKI

Other Decks in Technology

Featured

Transcript

ରࡦຊൃചه೦ "84ೝఆηΩϡϦςΟ߹֨ͷίπ લฤ /3*ωοτίϜגࣜձࣾɹ ࠤʑ໦୓࿠ 4FDVSJUZ+"84ୈճ #secjaws

ࠤʑ໦୓࿠ CMPHIUUQTCMPHUBLVSPTOFU 5XJUUFS!ELGK ࣗݾ঺հ #secjaws

+BQBO"1/"NCBTTBEPS બग़͞Ε·ͨ͠ ࣗݾ঺հ #secjaws

ೝఆηΩϡϦςΟࢼݧͷରࡦຊ ཁ఺੔ཧ͔Β߈ུ͢Δ ʰ"84ೝఆηΩϡϦςΟઐ໳஌ࣝʱ IUUQTBN[OUP1,4D( "84ೝఆηΩϡϦςΟઐ໳஌ࣝͷษڧͷ࢓ํͱ "84ͷηΩϡϦςΟͷΨΠυϒοΫͱͯࣥ͠චʢͨͭ͠΋Γʣ #secjaws

ࠓ೔࿩͢಺༰ "84ͷηΩϡϦςΟͷߟ͑ํͱೝఆࢼݧ "84ʹ͓͚Δ̏ͭͷηΩϡϦςΟͷ࣠ ॏ఺ڧԽྖҬ #secjaws

ຊ೔ͷΰʔϧ "84ͷηΩϡϦςΟͬͯɺ͜͏͍͏͜ͱ΍ΔΜͩΑͱ ಉ྅ʹ࿩ͤΔΑ͏ʹͳΔ 㱺ਓʹઆ໌͢Δͷ͕ɺཧղ΁ͷૣಓʂʂ ".ϕετϓϥΫςΟεʹ͍ͭͯϏσΦͰઆ໌͢Δ ".ͰͷηΩϡϦςΟͷϕετϓϥΫςΟε IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFCFTUQSBDUJDFTIUNM #secjaws

"84ͷηΩϡϦςΟͱೝఆࢼݧ

"84ೝఆηΩϡϦςΟɹઐ໳஌ࣝ ιϦϡʔγϣϯΞʔΩςΫτͱͷҧ͍ ιϦϡʔγϣϯ ΞʔΩςΫτ ηΩϡϦςΟ ઐ໳஌ࣝ ͲͷΑ͏ʹ࡞Δͷ͔ʁ ͲͷΑ͏ʹ҆શΛ ֬อ͢Δͷ͔ʁ #secjaws

ࢼݧൣғͱ഑఺ ߲൪ ෼໺ ׂ߹ ΠϯγσϯτରԠ ϩάͱ؂ࢹ

"84ͱηΩϡϦςΟ ͍Ζ͍Ζ΍Δ͜ͱ͕ଟͯ͘ɺ ΍΍͍͜͠ͱࢥͬͨ͜ͱ͋Γ·ͤΜ͔ શମ૾Λ೺Ѳ͢ΔͨΊʹɺͬ͘͟Γͱ ෼ྨͯ͠Έ·͠ΐ͏ #secjaws

ڊਓͷݞͷ্ʹཱͭ Ұ͔Βશ෦ࣗ෼Ͱߟ͑Δͱେม ϑϨʔϜϫʔΫʹ৐ͬͯɺ࠷খݶͷ࿑ྗͰ ·ͣ͸ఆੴΛ֮͑ͯɺਅࣅΔ͜ͱ͔Β࢝ΊΔ #secjaws

/45αΠόʔηΩϡϦςΟϑϨʔϜϫʔΫ ෼ྨ ΧςΰϦʔ ಛఆ ʢEFOUJGZʣ ɾࢿ࢈؅ཧ ɾϏδωε؀ڥ ɾΨόφϯε ɾϦεΫΞηεϝϯτɺϦεΫΞηεϝϯτ؅ཧ ɾαϓϥΠνΣʔϯϦεΫϚωδϝϯτ

"848FMM"SDIJUFDUFEϑϨʔϜϫʔΫ ப ઃܭݪଇ ӡ༻্ͷ ༏लੑ ɾӡ༻Λίʔυͱͯ͠ӡ༻ ɾఆظతʹɺখن໛ͳɺݩʹ໭͢͜ͱ͕Ͱ͖ΔมߋΛద༻͢Δ ɾӡ༻खॱΛఆظతʹվળ͢Δ ɾো֐Λ༧૝͢Δ ɾ͋ΒΏΔӡ༻্ͷো֐͔ΒֶͿ

"848FMM"SDIJUFDUFEϑϨʔϜϫʔΫ ப ઃܭݪଇ ӡ༻্ͷ ༏लੑ ɾӡ༻Λίʔυͱͯ͠ӡ༻ ɾఆظతʹɺখن໛ͳɺݩʹ໭͢͜ͱ͕Ͱ͖ΔมߋΛద༻͢Δ ɾӡ༻खॱΛఆظతʹվળ͢Δ ɾো֐Λ༧૝͢Δ ɾ͋ΒΏΔӡ༻্ͷো֐͔ΒֶͿ

ϑϨʔϜϫʔΫʹԊͬͯ ઃܭ͞Ε͍ͯΔ͔Λߟ͑Δ

ϑϨʔϜϫʔΫʹ౰ͯ͸ΊͯΈΔͱʁ Lambda Systems Manager Automation CloudFormation Organizations SCP IAM SNS

ΞʔΩςΫνϟʔผʹݟͯΈΔͱ Shield WAF CloudFront ELB ߈ܸରࡦ ର৅Ϧιʔε NACL Security Group

γεςϜͷϨΠϠʔผʹ౰ͯ͸ΊΔͱ Ϛωδϝϯτ ίϯιʔϧ 71$Ծ૝ઐ༗ྖҬ &$04ྖҬ &#4ϩʔΧϧσΟεΫ 3%4σʔλϕʔε 4ετϨʔδ $MPVE8BUDI؂ࢹ %JSFDU$POOFDU/8

༧๷త౷੍ͱൃݟత౷੍ ηΩϡϦςΟͷϕετϓϥΫςΟεͷҰͭ 0SHBOJ[BUJPO6OJU Automation AWS Systems Manager AWS Config Rule

͜ͷลΛҙࣝ͠ͳ͕Β ઃఆΛࣗ෼Ͱ΍Δͱ ഒཧղ͕ਐΉ

΋͏গ͠ղΓ΍͘͢͢ΔͨΊʹ "84্ͷγεςϜΛ෼ղ

"84ͱηΩϡϦςΟ "84ͷηΩϡϦςΟ͸̏ͭͷ࣠Ͱߟ͑Δ ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱαʔόʔͷηΩϡϦςΟ ᶄ"84ૢ࡞ʹؔ͢Δݖݶʢ*".ʣ ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢ΔͨΊͷ"84αʔϏε AWS Management Console Role VPC

ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱ αʔόʔͷηΩϡϦςΟ ੹೚ڞ༗Ϟσϧͷ੺࿮ͷ෦෼ ઃܭͷߟ͑ํ͸ΦϯϓϨͱେ͖͘ҧΘͳ͍͕ɺઃఆͷ࢓ ํ͸"84ͷྲّྀʹै͏ඞཁ͕͋Δ IUUQTBXTBNB[PODPNKQDPNQMJBODFTIBSFESFTQPOTJCJMJUZNPEFM #secjaws

ᶄ"84ͷૢ࡞ʹؔ͢Δݖݶʢ".ʣ "84ͷηΩϡϦςΟͷத֩ͷҰͭ ͲΜͳʹωοτϫʔΫ΍αʔόʔͷηΩϡϦςΟΛڧݻʹ ͍ͯͯ͠΋ɺ"84Λ௚઀ૢ࡞͞ΕΔͱ͕݀։͚ΒΕΔ "84ͷബ͍ຊɹ".ͷϚχΞοΫͳ࿩ IUUQTCPPUIQNKBJUFNT #secjaws

ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢Δ ɹͨΊͷ"84αʔϏε "84ಠࣗͷ෦෼ ར༻͠ͳͯ͘΋γεςϜΛηΩϡΞͳঢ়ଶΛҡ࣋Ͱ͖Δ͕ɺ ্ख͘׆༻͢ΔͱࣗྗͰ΍ΔΑΓഒָʹͳΔ "84ͷബ͍ຊᶘΞΧ΢ϯτηΩϡϦςΟͷϕʔγοΫηΦϦʔ IUUQTCPPUIQNKBJUFNT #secjaws

ॏ఺ڧԽྖҬ

ࢼݧൣғͱ഑఺ʢ࠶ܝʣ ߲൪ ෼໺ ׂ߹ ΠϯγσϯτରԠ ϩάͱ؂ࢹ

*".Λཧղ͢Δ #secjaws " \ 4JE-PHHJOH 3FTPVSDF

*".Λཧղ͢Δ #secjaws " \ 4JE-PHHJOH 3FTPVSDF

·ͱΊ

ࠓ೔࿩ͨ͠ςʔϚ "84ͷηΩϡϦςΟͷߟ͑ํͱೝఆࢼݧ "84ʹ͓͚Δ̏ͭͷηΩϡϦςΟͷ࣠ ॏ఺ڧԽྖҬ #secjaws