What I learned from using Config Rules for about a year
- 2. Who are you?
• 久保智成
– Works at TIS株式会社 (TIS Inc.)
– Background: general IT infrastructure (mainly for carriers) / design of our in-house infrastructure platform
– Mostly AWS work in the last few years
– Many AWS alliance-related tasks
• Hobbies
– Drinking with other old guys from the IT scene
• Favorite AWS service
– Amazon S3. S3, above all.
• Various IDs
– @tomonari_q
• Things I have been writing lately
- 5. Are you using the Security Best Practices?
• AWS shared responsibility model
• Defining and classifying assets on AWS
• Designing an ISMS to protect assets on AWS
• Managing AWS accounts, IAM users, groups, and roles
• Managing OS-level access to Amazon EC2 instances
• Protecting data
• Protecting operating systems and applications
• Protecting the infrastructure
• Managing security monitoring, alerting, audit trails, and incident response
- 6. Are you using the Security Best Practices? (same list as slide 5)
The general way of thinking is written down there.
- 7. Security at Scale: Governance in AWS
AWS Services / Governance-enabling feature:
• Amazon EC2
– Amazon EC2 idempotency instance launch
– Amazon EC2 resource tagging
– Amazon Linux AMIs
– Amazon EC2 Dedicated Instances
– Amazon EC2 instance launch wizard
– Amazon EC2 security groups
• Elastic Load Balancing
– Elastic Load Balancing traffic distribution
• Amazon VPC
– Amazon VPC
– Amazon VPC logical isolation
– Amazon VPC network ACLs
– Amazon VPC private IP addresses
– Amazon VPC security groups
– On-premise hardware/software VPN connections
• Amazon Route 53
– Amazon Route 53 latency resource record sets
– Route 53 health checks and DNS failover
• AWS Direct Connect
– AWS Direct Connect
• Amazon S3
– Amazon S3 Access Control Lists (ACLs)
– Amazon S3 Bucket Policies
– Amazon S3 Query String Authentication
– Amazon S3 Client-Side Encryption
– Amazon S3 Server-Side Encryption
– Amazon S3 Object Expiration
– Amazon S3 server access logs
– Amazon S3 TCP selective acknowledgement
– Amazon S3 TCP window scaling
• Amazon Glacier
– Amazon Glacier vault inventory
– Amazon Glacier archives
• Amazon EBS
– Amazon EBS snapshots
• AWS Import/Export
– AWS Import/Export bulk datano…
• AWS Storage Gateway
– AWS Storage Gateway integration
– AWS Storage Gateway APIs
• Amazon CloudFront
– Amazon CloudFront
– Amazon CloudFront access logs
• Amazon RDS
– Amazon RDS database logs
– Amazon RDS Multi-AZ Deployments
– Managed AWS No-SQL/SQL Database Services
• Amazon DynamoDB
– Managed AWS No-SQL/SQL Database Services
• AWS Management Console
– Account Activity page
– AWS Account Billing
– AWS service pricing
– AWS Trusted Advisor
– Billing Alarms
– Consolidated billing
– Pay-as-you-go pricing
• AWS CloudTrail
– Amazon Incident Management Team
– Amazon Simple Notification Service
– Multi-region deployment
• AWS Identity and Access Management (IAM)
– AWS IAM Multi-Factor Authentication (MFA)
– AWS IAM password policy
– AWS IAM Permissions
– AWS IAM Policies
– AWS IAM Roles
• Amazon CloudWatch
– AWS CloudWatch Dashboard
– Amazon CloudWatch alarms
• AWS Elastic Beanstalk
– AWS Elastic Beanstalk monitoring
• AWS CloudFormation
– AWS CloudFormation templates
• AWS Data Pipeline
– AWS Data Pipeline Task Runner
• AWS CloudHSM
– CloudHSM key storage
• AWS Marketplace
– Extensive 3rd Party Solutions
• Data Centers
– AWS SOC 1 physical access controls
– AWS SOC 2-Security physical access controls
– AWS PCI DSS physical access controls
– AWS ISO 27001 physical access controls
– AWS FedRAMP physical access controls
- 8. Security at Scale: Governance in AWS (same table as slide 7)
This one reads more like a checklist. For some of its items, having Config Rules is convenient.
- 13. [Diagram: AWS Config and AWS Lambda]
• AWS Config records the configuration of resources (subnet, IAM role, CloudTrail, VPN gateway, route table, Elastic IP, EC2 instances, security group).
• AWS Config Rules triggers the Lambda function and hands it the configuration information.
• The rule (the Lambda function) runs.
• The evaluation result is handed back through the AWS Config API.
• Results are shown on the Config Rules dashboard.
You can use the managed rules that AWS provides, and custom rules that you define yourself as Lambda functions.
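To make the flow in the diagram concrete, here is a custom rule written as a Lambda handler. This is an added example, not code from the slides or from the presenter: Config Rules invokes the function with the resource's configuration in `invokingEvent`, the rule evaluates it, and the result is returned through the Config API with `put_evaluations`. The check itself (flagging a security group whose inbound rules allow SSH from 0.0.0.0/0 or ::/0), the resource IDs and the sample event are assumptions constructed for the example; the handling of deleted resources, of resource types the rule does not cover (reported as NOT_APPLICABLE) and of scheduled triggers goes a little beyond the diagram.

```python
"""Custom AWS Config rule as a Lambda handler (added example, not from the slides).

Everything except lambda_handler() is pure Python, so the evaluation logic can be
run and tested offline. Assumed (not from the slides): the rule flags an
AWS::EC2::SecurityGroup that allows inbound TCP/22 from 0.0.0.0/0 or ::/0;
SAMPLE_EVENT is a constructed event in the shape Config Rules sends.
"""
import json

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def _cidrs(permission):
    """Collect every CIDR in one ipPermissions entry.

    Config records IPv4 ranges both as plain strings under `ipRanges` and as
    objects under `ipv4Ranges`; IPv6 ranges are objects under `ipv6Ranges`.
    """
    out = set()
    for r in permission.get("ipRanges", []):
        out.add(r if isinstance(r, str) else r.get("cidrIp"))
    for r in permission.get("ipv4Ranges", []):
        out.add(r.get("cidrIp"))
    for r in permission.get("ipv6Ranges", []):
        out.add(r.get("cidrIpv6"))
    out.discard(None)
    return out


def _covers_port(permission, port):
    """True if the entry applies to `port` (protocol -1 means all traffic)."""
    proto = permission.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:
        return True  # tcp with no port range means every port
    return lo <= port <= hi


def evaluate_security_group(configuration):
    """Return NON_COMPLIANT if any inbound rule opens SSH to the whole Internet."""
    for perm in configuration.get("ipPermissions", []):
        if _covers_port(perm, SSH_PORT) and _cidrs(perm) & WORLD_CIDRS:
            return "NON_COMPLIANT"
    return "COMPLIANT"


def build_evaluations(event):
    """Turn the Config invocation event into put_evaluations() entries."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event.get("configurationItem")
    if item is None:
        return []  # periodic (scheduled) trigger: nothing to evaluate in this rule
    if item["configurationItemStatus"] in DELETED_STATUSES:
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    elif item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule evaluates security groups only"
    else:
        compliance = evaluate_security_group(item.get("configuration") or {})
        note = ("Inbound SSH allowed from 0.0.0.0/0 or ::/0"
                if compliance == "NON_COMPLIANT" else "No world-open SSH rule")
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def lambda_handler(event, context):
    """Entry point that Config invokes; hands the result back via the Config API."""
    import boto3  # imported here so the pure logic above runs without the SDK
    evaluations = build_evaluations(event)
    if evaluations:
        boto3.client("config").put_evaluations(
            Evaluations=evaluations, ResultToken=event["resultToken"]
        )
    return evaluations


# Constructed sample event (not a real capture) in the shape Config Rules sends.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-01-01T00:00:00.000Z",
            "configuration": {
                "groupName": "example-open-ssh",
                "ipPermissions": [{
                    "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                    "ipRanges": ["0.0.0.0/0"],
                    "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
                    "ipv6Ranges": [],
                }],
            },
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "example-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluations(SAMPLE_EVENT), indent=2))
```

For Config to invoke this function at all, the Lambda function needs a resource policy that lets the `config.amazonaws.com` principal call `lambda:InvokeFunction`; that is exactly what the `aws lambda add-permission` command shown later in the deck sets up.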
- 26. Detailed explanation of the setup
Setting the permission on the Lambda function:
aws lambda add-permission --function-name <functionname> --region <region> \
  --statement-id <id> --action "lambda:InvokeFunction" \
  --principal config.amazonaws.com --source-arn <config-rules-arn>
So you end up typing a command like this…
- 32. AWS Service / resourceType Value
• AWS Certificate Manager
– AWS::ACM::Certificate
• CloudTrail
– AWS::CloudTrail::Trail
• EBS
– AWS::EC2::Volume
• EC2
– AWS::EC2::Host
– AWS::EC2::EIP
– AWS::EC2::Instance
– AWS::EC2::NetworkInterface
– AWS::EC2::SecurityGroup
• EC2 Systems Manager
– AWS::SSM::ManagedInstanceInventory
• Elastic Load Balancing
– AWS::ElasticLoadBalancingV2::LoadBalancer
• IAM
– AWS::IAM::User
– AWS::IAM::Group
– AWS::IAM::Role
– AWS::IAM::Policy
• Redshift
– AWS::Redshift::Cluster
– AWS::Redshift::ClusterParameterGroup
– AWS::Redshift::ClusterSecurityGroup
– AWS::Redshift::ClusterSnapshot
– AWS::Redshift::ClusterSubnetGroup
– AWS::Redshift::EventSubscription
• RDS
– AWS::RDS::DBInstance
– AWS::RDS::DBSecurityGroup
– AWS::RDS::DBSnapshot
– AWS::RDS::DBSubnetGroup
– AWS::RDS::EventSubscription
• S3
– AWS::S3::Bucket
• VPC
– AWS::EC2::CustomerGateway
– AWS::EC2::InternetGateway
– AWS::EC2::NetworkAcl
– AWS::EC2::RouteTable
– AWS::EC2::Subnet
– AWS::EC2::VPC
– AWS::EC2::VPNConnection
– AWS::EC2::VPNGateway
The number of supported resources has grown since then:
http://docs.aws.amazon.com/ja_jp/config/latest/developerguide/resource-config-reference.html
- 33. AWS Service / resourceType Value (same table as slide 32)
The number of supported resources has grown since then:
http://docs.aws.amazon.com/ja_jp/config/latest/developerguide/resource-config-reference.html
Always check which resources are supported.