今年のアップデートで振り返るCDKセキュリティのシフトレフト/2024-cdk-security-shift-left

Transcript

1. 2024/12/18 ੡଄ϏδωεςΫϊϩδʔ෦ ࠤ౻ஐथ ࠓ೥ͷΞο プデ ʔτͰৼΓฦΔ CDKηΩϡϦςΟͷγϑτϨϑτ

2. ࣗݾ঺հ !UPNPLJ !UPNPLJ • ࠤ౻ஐथ • ੡଄ϏδωεςΫϊϩδʔ෦ • ΞʔΩςΫτνʔϜ •

   JAWS-UG CDKࢧ෦ ӡӦ • ޷͖ͳAWSαʔϏε -BNCEB $%, !UNL

3. ໨࣍ ࿩͢͜ͱ • ҎԼͷΞοϓσʔτͷৼΓฦΓ • AWS CDK Solutions Constructs Factories

   • CloudFormation HooksͷΞοϓσʔτ • CDKར༻ऀଆͷηΩϡϦςΟͷશମ૾ ಘΒΕΔ৘ใ • CDKηΩϡϦςΟͷશମ૾ͱγϑτϨϑτͷಈ͖

4. AWS CDK Solutions Constructsͱ͸ • CDKͷConstructΛ֦ுͨ͠΋ͷͰɺΑ͋͘ΔΞʔΩςΫνϟΛύλʔϯͱͯ͠ ఏڙ͍ͯ͠Δ • ͍ΘΏΔL3 Constructͷύλʔϯू

   • ྫ͑͹ҎԼͷΑ͏ʹAPI Gateway→DynamoDBͷߏ੒Λ؆୯ʹ࡞ΕΔ Amazon DynamoDB Amazon API Gateway

5. AWS CDK Solutions ConstructsͷҰ෦ • aws-alb-fargate • aws-alb-lambda • aws-apigateway-dynamodb

   • aws-apigateway-iot • aws-apigateway-kinesisstreams • aws-apigateway-lambda • aws-apigateway- sagemakerendpoint • aws-apigateway-sqs • aws-apigatewayv2websocket- sqs • aws-cloudfront-apigateway- lambda • aws-cloudfront-apigateway • aws-cloudfront-mediastore • aws-cloudfront-s3 • aws-cognito-apigateway- lambda • aws-constructs-factories • aws-dynamodbstreams-lambda- elasticsearch-kibana • aws-dynamodbstreams-lambda • aws-eventbridge- kinesisfirehose-s3 • aws-eventbridge- kinesisstreams • aws-eventbridge-lambda • aws-eventbridge-sns • aws-eventbridge-sqs • aws-eventbridge-stepfunctions • aws-fargate-dynamodb • aws-fargate-eventbridge • aws-fargate-kinesisfirehose • aws-fargate-kinesisstreams • aws-fargate-opensearch • aws-fargate-s3 • aws-fargate-secretsmanager • aws-iot-sqs • etc…

6. AWS CDK Solutions ConstructsͷҰ෦ • L3 ConstructͳͷͰॊೈੑ͸௿͘ͳΔ • ʮ্ཱ͕ͪ͛ૣ͍ˡˠޙ͔Βࡉ͔͍෦෼͕มߋ͠ʹ͍͘ʯͷτϨʔυΦϑ •

   มߋ͢Δ৔߹͸ɺL2 ConstructͰରԠͯ͠ͳ͍ϓϩύςΟΛݺͼग़͢Α͏ʹΤ εέʔϓϋονͷར༻͕ඞཁ • cdk-nagͳͲΛ࢖ͬͨηΩϡϦςΟରԠͷͨΊʹɺ্هͷΤεέʔϓϋον͕ඞཁ ʹͳΔ৔߹΋͋Δ • ֊૚͕૿͑ΔͷͰςετ/σόοά͕ෳࡶԽͯ͠ٯʹ͕͔͔࣌ؒΔՄೳੑ΋ • Solution Constructࣗମͷֶशίετ͕ඞཁʹͳΔ

7. AWS CDK Solutions Constructs Factoriesͷొ৔ https://aws.amazon.com/jp/blogs/devops/instant-well-architected-cdk-resources-with-solutions-constructs-factories/

8. ͬ͘͟Γ࿨༁ https://aws.amazon.com/jp/blogs/devops/instant-well-architected-cdk-resources-with-solutions-constructs-factories/ ௕೥ʹΘͨΓɺAWS Solutions Constructs͸ɺAmazon S3όέοτ͕AWS Lambdaؔ਺ΛτϦΨʔ͢ΔͳͲɺ 2ͭҎ্ͷAWSαʔϏεΛ࿈ܞ͢Δখن໛Ͱ૊Έ߹ΘͤՄೳͳύλʔϯΛఏڙ͢Δ͜ͱͰɺ਺ઍਓͷAWS Cloud Development

   Kit (CDK)Ϣʔβʔͷwell-architectedͳϫʔΫϩʔυͷ࡞੒ΛՃ଎͖ͯ͠·ͨ͠ɻ͜ͷؒɺ طଘͷSolutions Constructʹ߹க͠ͳ͍ϢʔεέʔεΛ͓࣋ͭ٬༷͔Βɺݸʑͷwell-architectedͳϦιʔεΛ ௚઀࡞੒͍ͨ͠ͱ͍͏ཁ๬͕دͤΒΕ͍ͯ·ͨ͠ɻSolutions Constructs FactoriesΛ࢖༻͢Δ͜ͱͰɺΫϥ ΠΞϯτ͸ɺSolutions Constructs͕େن໛ͳύλʔϯΛߏ੒͢Δࡍʹ࢖༻͍ͯ͠Δಉ͡಺෦ίʔυΛ࢖༻͠ ͯɺwell-architectedͳݸผϦιʔεΛ࡞੒Ͱ͖·͢ɻAWS CDKΛ࢖༻ͯ͠୯ҰͷAWSϦιʔεΛσϓϩΠ͢ Δ͜ͱ͸ଟ͘ͷ৔߹؆୯ͳ࡞ۀͰ͕͢ɺ͢΂ͯͷϕετϓϥΫςΟεʹैͬͯͦͷϦιʔεΛσϓϩΠ͢Δʹ ͸ɺΑΓଟ͘ͷ஌ࣝͱ࿑ྗ͕ඞཁͰ͢ɻྫ͑͹ɺద੾ʹߏ੒͞ΕͨS3όέοτʹ͸ɺόʔδϣχϯάɺ҉߸Խɺ ΞΫηεϩάه࿥ɺTLSίʔϧͷΈΛڐՄ͢ΔόέοτϙϦγʔɺϥΠϑαΠΫϧϙϦγʔؚ͕·Ε͍ͯΔ΂ ͖Ͱ͢ɻAWS Solutions ConstructsͷS3BucketFactory()ϝιου͸ɺS3ΞΫηεϩάΛอ࣋͢Δ௥Ճͷόέο τΛؚΉɺ͢΂ͯͷϕετϓϥΫςΟε͕ߏ੒͞Εͨ׬શͳwell-architectedͳCDK S3όέοτΛ࣮૷͠·͢ɻ

9. ͦΕͧΕͷߏ଄ͷ֓೦ਤ Solutions Constructs L2 ConstructΛଋͶͯར༻ Solution Constructs Factories ୯ମͷL2ΛΑΓηΩϡΞʹͯ͠ར༻ Solution

   Construct L2 Construct L2 Construct Solutions Constructs Factories L2 Construct L2 Construct Secure L2 Construct Secure L2 Construct Ϣʔβར༻෦෼ CDK಺෦ߏ଄෦෼

10. ίʔυྫ import * as cdk from 'aws-cdk-lib'; import { Construct

    } from 'constructs'; // Add this import statement: import { ConstructsFactories } from '@aws-solutions-constructs/aws- constructs-factories'; export class FactoriesBlogStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); // Add these two lines const factories = new ConstructsFactories(this, 'constructs- factories'); const response = factories.s3BucketFactory('default-bucket', {}); response.s3Bucket.bucketArn; } }

11. AWS CDK Solutions Constructsͷྫ • s3BucketFactoryͰS3 BucketΛ࡞ͬͨ৔߹ҎԼ͕ࣗಈͰઃఆ͞ΕΔ • TLSΞΫηε͕༗ޮ •

    ΞΫηε ϩά͕༗ޮ • όʔδϣϯ؅ཧ͕༗ޮ • ͢΂ͯͷύϒϦοΫ ACL ͱϙϦγʔ͕ϒϩοΫ • AWS ϚωʔδυαʔόʔαΠυ҉߸Խ • 90೔ޙʹඇ࠷৽όʔδϣϯΛS3 GlacierʹҠߦ͢ΔϥΠϑαΠΫϧϙϦγʔ

12. CloudFormation HooksͷΞοϓσʔτ ৄࡉ͸ҎԼͷࢿྉΛνΣοΫ͍ͯͩ͘͠͞ https://dev.classmethod.jp/articles/iac-update-re-growth-2024-tokyo/

13. 13 • ैདྷ͸ΞΧ΢ϯτ಺ͷCloudFormation(Cfn) ͷ࡞੒/ߋ৽/࡟আૢ࡞ʹରͯ͠ɺΞΫγϣϯ ΍ϦιʔεݕࠪΛ௥ՃͰ͖ͨHooks • ैདྷΧελϜHookΛ࢖͏৔߹ɺCfnͱͯ͠ HookΛ࡞੒͠ɺCloudFormation Registryʹ ొ࿥͢Δඞཁ͕͋ͬͨ

    • ࠓճͷΞοϓσʔτͰLambdaΛ௚઀Hook ͱͯ͠ར༻͢Δ͜ͱ͕ՄೳʹͳΓɺςετ ΍σϓϩΠΛଞͷ։ൃϓϩηεͱ߹ΘͤΔ ͜ͱ͕Մೳʹͳͬͨʂ AWS CloudFormation Hooks ͕ΧελϜ AWS Lambda ؔ਺ͷαϙʔτΛ։࢝ https://aws.amazon.com/jp/blogs/devops/proactively-validate-your-aws-cloudformation-templates-with-aws-lambda/

14. 14 Hookʹઃఆͨ͠LambdaʹඈΜͰ͘ΔΠϕϯτྫ { "clientRequestToken": "XXXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "awsAccountId": "111111111111", "stackId": “arn:…”, …

    "actionInvocationPoint": "CREATE_PRE_PROVISION", "requestData": { "targetName": "AWS::S3::Bucket", "targetType": "AWS::S3::Bucket", "targetLogicalId": “Bucket”, … "targetModel": { "resourceProperties": { "PublicAccessBlockConfiguration": { "RestrictPublicBuckets": true, "IgnorePublicAcls": true }, "BucketName": "XXXXXXXXXXXXXXXXXXXXXXXXXXX", "VersioningConfiguration": { "Status": "Enabled" }, … https://aws.amazon.com/jp/blogs/devops/proactively-validate-your-aws-cloudformation-templates-with-aws-lambda/

15. 15 ΠϕϯτΛॲཧ͢ΔLambdaͷྫ def lambda_handler(event, context): … payload = { "clientRequestToken":

    clientRequestToken, "hookStatus": "SUCCESS", "errorCode": None, "message": message, "callbackContext": None, "callbackDelaySeconds": 0, } LOGGER.debug(payload) return payload … https://aws.amazon.com/jp/blogs/devops/proactively-validate-your-aws-cloudformation-templates-with-aws-lambda/

16. 16 • ैདྷϓϩάϥϛϯάݴޠͰͷ࣮૷͕ ඞཁͩͬͨCfn Hooks • ࠓճͷΞοϓσʔτͰGuard DSLΛ ॻ͘͜ͱͰHookͷ࡞੒͕Մೳʹʂ •

    Lambdaͷ؅ཧ͕ෆཁͰɺPolicy as CodeΛ࣮ݱͰ͖Δ • S3্ʹDSLΛஔ͍ͯ࢖༻ CloudFormation Guard υϝΠϯݻ༗ͷݴޠΛ࢖༻ͯ͠ AWS CloudFormation Hooks Λ࡞੒ https://aws.amazon.com/about-aws/whats-new/2024/11/author-aws-cloudformation-hooks-cloudformation-guard-domain-specific-language/

17. let aws_lambda_functions_inside_vpc = Resources.*[ Type == 'AWS::Lambda::Function' Metadata.cfn_nag.rules_to_suppress not exists

    or Metadata.cfn_nag.rules_to_suppress.*.id != "W89" Metadata.guard.SuppressedRules not exists or Metadata.guard.SuppressedRules.* != "LAMBDA_INSIDE_VPC" ] rule LAMBDA_INSIDE_VPC when %aws_lambda_functions_inside_vpc !empty { %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SecurityGroupIds !empty %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SubnetIds !empty << Violation: All AWS Lambda Functions must be configured with access to a VPC … >> } ྫɿVPC LambdaҎ֎Λېࢭ͢Δ৔߹ͷྫ https://github.com/aws-cloudformation/aws-guard-rules-registry/blob/main/rules/aws/lambda/lambda_inside_vpc.guard CloudFormation Guard υϝΠϯݻ༗ͷݴޠΛ࢖༻ͯ͠ AWS CloudFormation Hooks Λ࡞੒ 17

18. ηΩϡϦςΟͷγϑτϨϑτͱ͸ ։ൃϥΠϑαΠΫϧͷૣ͍ஈ֊ͰηΩϡϦςΟΛ૊ΈࠐΜͰɺ໰୊ͷૣظൃݟ΍ ख໭Γίετͷ࡟ݮɺ඼࣭޲্Λ໨ࢦ͢ߟ͑ํ Develop Build&Test Pre-Deployment Operations ιϑτ΢ΣΞ։ൃͷϥΠϑαΠΫϧ ίίΑΓ ઌͷϓϩηεͰࢭΊΔ

    ࢀߟɿhttps://www.youtube.com/watch?v=7cYzYWcDyiM

19. ηΩϡϦςΟͷγϑτϨϑτͱ͸ ։ൃϥΠϑαΠΫϧͷૣ͍ஈ֊ͰηΩϡϦςΟΛ૊ΈࠐΜͰɺ໰୊ͷૣظൃݟ΍ ख໭Γίετͷ࡟ݮɺ඼࣭޲্Λ໨ࢦ͢ߟ͑ํ ιϑτ΢ΣΞ։ൃͷϥΠϑαΠΫϧ CDK/CfnपΓͰ͜ͷ෦෼ͷπʔϧ͕৭ʑग़͍ͯΔͷͰվΊͯ੔ཧ Develop Build&Test Pre-Deployment Operations

20. ϑΣʔζ͝ͱʹؔ࿈͢ΔϥΠϒϥϦ/αʔϏε • SCP • Declarative- policies • CloudFormation Hooks •

    Solutions Constructs Factories • assertions • Aspects • cdk-nag • cfn-nag • Checkov • cfn-guard Develop Build&Test Pre-Deployment Operations • SecurityHub • Config • RCP

21. ϑΣʔζ͝ͱʹؔ࿈͢ΔϥΠϒϥϦ/αʔϏε Develop Build&Test Pre-Deployment Operations ։ൃ࣌ͱσϓϩΠલͷγϑτϨϑτ͢ΔͨΊͷίʔυ/αʔϏε͕ڧԽʂ • SCP • Declarative

    policies • CloudFormation Hooks • Solutions Constructs Factories • assertions • Aspects • cdk-nag • cfn-nag • Checkov • cfn-guard • SecurityHub • Config • RCP

22. ·ͱΊ • ҎԼͷΞοϓσʔτͷৼΓฦΓΛ͠·ͨ͠ • AWS CDK Solutions Constructs Factories͕ηΩϡΞʹίϯετϥΫτΛ࡞ Δ৽͍͠Solutions

    Constructs • CloudFormation Hooks͕Ξοϓσʔτ͠ɺLambda΍DSLͷར༻͕Մೳʹ • CDKηΩϡϦςΟͷશମͰηΩϡϦςΟγϑτϨϑτͷಈ͖͕ڧԽ • Solutions Constructs FactoriesͰ։ൃதʹηΩϡϦςΟରࡦ • CloudFormation HooksͰpre-deploymentͷ࣌ͷηΩϡϦςΟରࡦ͕ڧԽ

23. એ఻ ձࣾͷํͰ΋Πϕϯτ͋Γ·͢ʂConnpassͰࢀՃड෇த ࣗ෼΋ొஃ͢ΔͷͰΦϯϥΠϯɾΦϑϥΠϯͲͪΒͰ΋ੋඇʂ