Post on 19-May-2020
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Webinar
https://amzn.to/JPWebinar https://amzn.to/JPArchive
Security Solutions Architect
2019/06/18
AWS Config
[AWS Black Belt Online Seminar]
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Amazon GuardDuty AWS Security Hub
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Black Belt Online Seminar
•
•
①吹き出しをクリック②質問を入力③ Sendをクリック
#awsblackbelt
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• 2019 6 18
AWS (http://aws.amazon.com)
• AWS
AWS
•
• AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to
change in accordance with the AWS Customer Agreement available at
http://aws.amazon.com/agreement/. Any pricing information included in this document is provided
only as an estimate of usage charges for AWS services based on certain information that you
have provided. Monthly charges will be based on your actual use of AWS services, and may vary
from the estimates provided.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
•
• AWS Config
• AWS Config Rules
•
•
•
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A
A01
2 xx/xx/xx
Corporate data center
DB
Internet
Firewall
Router
L3SW
LB
DB
A
3 xx/xx/xx
Firewall
Router
L3SW
LB
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
-
-
-
-
B
A01
8 xx/xx/xx
C
A01
8 xx/xx/xx
D
A01
8 xx/xx/xx
E
A01
8 xx/xx/xx
!?!?
A
3 ( )
xx/xx/xx
A
3 ( )
xx/xx/xx
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Tag
AWS Config
Auto Scaling
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Config
•
••
••
•
•AWS Config
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
AWS Config
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
•
•
•
•
•
•
•
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
AWS
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
6 3 14:52 1
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
→
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Customer
gateway
VPN Connection
Internet
gateway
EBS
Elastic network
interface
EC2
EIPNACL
VPC
Route table Subnet
Security
Group
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config AWS
*1:
*1 *1 *1
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/resource-config-reference.html
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
•
•
マネージドルール•
•
カスタムルール•
•
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
••
•
•
•
••
•
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/managed-rules-by-aws-config.html
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lambda functionAWS Config Rules
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://github.com/awslabs/aws-config-rdk
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
#1
• approved-amis-by-id
• AMI ( )
• required-tags
•
EC2 ‘CostCenter’
• encrypted-volumes
• EBS
• ec2-instance-managed-by-ssm
• EC2 AWS Systems Manager
• vpc-flow-logs-enabled
• VPC (Flow Logs)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
#2
• s3-bucket-public-read-prohibited
• Amazon S3
• s3-bucket-public-write-prohibited
• Amazon S3
• rds-snapshots-public-prohibited
• Amazon RDS
• s3-bucket-server-side-encryption-enabled
• Amazon S3 Amazon S3
• access-keys-rotated
•
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
GitHub
•
•
•
•
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SSM OS
• SSM Inventory
• AWS Config / Config Rules
•
• Config Rules SSM Automation
• CloudWatch Event + Lambda
EC2 SSM Inventory AWS Config
利用禁止ソフトウェア
AWS ConfigRules
CloudWatchEvents
Lambda
Chat
Config Rulesの「修復アクション」としてSSM Automationを呼び出し
ソフトウェアの変更を時系列で確認コンプライアンス違反を確認
連携を設定
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
https://aws.amazon.com/jp/blogs/mt/aws-config-best-practices
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
#1. AWS Config
→→
#2.
→
#3.
→
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
#5. S3
→ AWS
→
S3 AWS Managed Rule
• s3-bucket-public-write-prohibited
• s3-bucket-public-read-prohibited
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
#19. Data aggregation
#20. Organizations aggregator
→→
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Central dashboard
that provides an
aggregated view
Multi-account,
multi-region
Integrates with
AWS Organizations
Available at no
additional charge
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
(2019/06/18 )
•
•
•
https://aws.amazon.com/jp/config/pricing/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Tag
AWS Config
Auto Scaling
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config / Config Rules
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config https://aws.amazon.com/jp/blogs/mt/aws-config-best-practices/
AWS Config
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/managed-rules-by-aws-
config.html
AWS Config
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/select-resources.html
AWS Config
https://aws.amazon.com/jp/config/faq/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A
AWS Japan Blog https://aws.amazon.com/jp/blogs/news/
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS AWS
https://amzn.to/JPArchive
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Webinar
https://amzn.to/JPWebinar https://amzn.to/JPArchive