AWS セキュリティのベスト プラクティス ??次 要約 1 概要 1 AWS 責任共有モデルの概要 3 AWS の安全なグローバルインフラストラクチャについて

  • View
    217

  • Download
    1

Embed Size (px)

Text of AWS セキュリティのベスト プラクティス ??次 要約 1 概要 1 AWS...

  • AWS

    2016 8

    (

    http://aws.amazon.com/security

    )

    http://aws.amazon.com/security

  • 2016, Amazon Web Services, Inc. or its affiliates.All rights reserved.

    AWS

    AWS

    AWS

    AWS

    The responsibilities and liabilities of AWS to its customers are controlled by

    AWS agreements, and this document is not part of, nor does it modify, any

    agreement between AWS and its customers.

  • 1

    1

    AWS 3

    AWS 5

    IAM 5

    6

    AWS 7

    9

    14

    15

    Trusted Advisor 16

    AWS 17

    AWS ISMS 19

    AWS IAM 22

    AWS 23

    IAM 24

    IAM 25

  • AWS 26

    IAM 27

    Amazon EC2 IAM 29

    30

    ID 31

    Amazon EC2 OS 33

    35

    36

    37

    39

    Amazon S3 40

    Amazon EBS 42

    Amazon RDS 44

    Amazon Glacier 47

    Amazon DynamoDB 47

    Amazon EMR 48

    50

    51

  • AWS

    52

    AWS 55

    Amazon S3 56

    Amazon RDS 56

    Amazon DynamoDB 57

    Amazon EMR 58

    59

    AMI 61

    63

    64

    AMI 65

    65

    68

    73

    75

    Amazon Virtual Private Cloud (VPC) 75

    78

    83

  • : DNSNTP 85

    88

    92

    93

    DoS & DDoS 95

    99

    104

    105

    105

    107

    107

    108

    109

  • 1/110

    (AWS)

    AWS Information

    Security Management System (ISMS)

    AWS

    AWS

    IT

    (AWS)

  • AWS

    2016 8

    2/110

    AWS

    AWS

    AWS

    AWS

    Information Security Management System (ISMS)

    AWS

    ISMS http://www.27000.org/iso-27001.htm

    ISO 27001 ISMS AWS

    AWS

    http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdfhttp://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdfhttp://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdfhttp://www.27000.org/iso-27001.htm

  • AWS

    2016 8

    3/110

    http://aws.amazon.com/documentation

    AWS )

    AWS

    AWS

    AWS ISMS

    AWS ISMS AWS

    AWS

    AWS

    AWS

    1 Identity and

    Access Management (IAM) AWS

    AWS

    http://aws.amazon.com/documentation

  • AWS

    2016 8

    4/110

    Amazon Elastic Compute Cloud (Amazon EC2)

    AWS

    ISMS AWS

    AWS ISMS

    Amazon EC2

    Amazon AMI

    AWS

    http://aws.amazon.com/compliance/#third-

    party

    http://aws.amazon.com/compliance/#third-partyhttp://aws.amazon.com/compliance/#third-party

  • AWS

    2016 8

    5/110

    AWS

    AWS AWS

    AWS

    AWS

    ()

    IAM

    IAM AWS

    1 IAM

    AWS

    AWS AWS (E

    )

    AWS

    AWS (

    ID )

    (CLI)AWS SDK API

    AWS

    http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdfhttp://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf

  • AWS

    2016 8

    6/110

    IAM AWS

    URL

    AWS

    IAM

    AWS

    IAM

    AWS AWS

    IAM

    AWS

    AWS

    AWS ()

    http://docs.aws.amazon.com/IAM/latest/UserGuide/WhatUsersNeedToKnow.htmlhttp://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.htmlhttp://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

  • AWS

    2016 8

    7/110

    2 (

    )

    (ISP)

    (LAN)

    AWS AWS

    (API)

    (CLI)

    AWS

    ()

    AWS

    AWS

    AWS

    3

    https://aws.amazon.com/console

  • AWS

    2016 8

    8/110

    : Amazon EC2

    Amazon Elastic Block Store (Amazon

    EBS)Auto ScalingAmazon Virtual Private Cloud (Amazon VPC)

    : Amazon

    EC2

    AWS

    IAM

    ID

    Amazon Relational Database Services (Amazon RDS)Amazon

    Elastic Map Reduce (Amazon EMR)AWS Elastic Beanstalk

  • AWS

    2016 8

    9/110

    :

    Amazon Simple Storage

    Service (Amazon S3)Amazon GlacierAmazon DynamoDBAmazon

    Simple Queuing Service (Amazon SQS)Amazon Simple Email Service

    (Amazon SES)

    AWS API

    AWS

    IAM

    Amazon EC2Amazon EBSAmazon VPC

    AWS

    AWS

    1

  • AWS

    2016 8

    10/110

    1:

    AWS

    AWS

    AWS

    AWS

    AWS

  • AWS

    2016 8

    11/110

    AWS

    Amazon EC2

    OS

    AWS

    AWS

    EC2

    AWS

    AMI Amazon EC2

    Secure Shell (SSH) Windows (RDP)

    Amazon EC2

    Amazon EC2

    X.509 Microsoft Active Directory

  • AWS

    2016 8

    12/110

    EC2 AWS Amazon EC2

    RSA

    Amazon EC2

    EC2

    AWS IAM

    AWS

    EC2

    OpenSSL Amazon EC2

    AWS

    AWS Amazon EC2

    RSA

    Amazon

    EC2

    AWS

    cloud-init Amazon EC2 Linux

    AWS AMI Amazon EC2

    ~/.ssh/authorized_keys

  • AWS

    2016 8

    13/110

    ~/.ssh/authorized_keys Amazon

    EC2 ID

    (ec2-user )

    SSH Amazon EC2 Linux

    ec2config Amazon EC2 Windows

    AWS AMI ec2config

    Amazon EC2

    AWS

    Amazon EC2

    Windows

    Amazon EC2

    Windows

    AWS Amazon EC2 Amazon EC2

    LDAP

    Active Directory Amazon EC2

  • AWS

    2016 8

    14/110

    AWS Amazon RDS Amazon EMR

    AWS Amazon RDS for Oracle

    Oracle

    AWS AWS

    Amazon RDS

    (BC/DR)

    AWS

    Amazon RDS RDS

    Amazon EMR Amazon EMR Amazon EC2

    2

    2:

  • AWS

    2016 8

    15/110

    Amazon S3 Amazon DynamoDB

    AWS

    Amazon S3 DynamoDB IAM

    () IAM

    ACL

    IAM / ID

    Amazon S3

    HTTPS

    3 AWS

    3:

  • AWS

    2016 8

    16/110

    Trusted Advisor

    AWS Trusted Advisor

    Amazon

    EC2 Trusted Advisor

    Trusted Advisor

    22 (SSH)23 (Telnet) 3389 (RDP)

    5500 (VNC)

    1433 (MSSQL Server)1434 (MSSQL Monitor)

    3306 (MySQL)Oracle (1521)5432 (PostgreSQL)

    AWS IAM

    AWS 2 Multi-Factor

    Authentication (MFA)

  • AWS

    2016 8

    17/110

    AWS

    ISMS

    (////

    )

    2

    ()

    (

    )

  • AWS

    2016 8

    18/110

    1

    e EC2Elastic Load

    BalancingRDS

    /

    e PCI

    AWS PCI

    (COO) Amazon RDS

    IT

    (COO) S3Glacier IT

    HR HR EC2S3RDS

    IT

    AWS Direct Connect

    (CIO)

    AWS Direct Connect

    BI EMRRedshiftDynamo

    DBS3

    (COO) BI

    BI

    LDAP IT EC2IAM

    Windows AMI EC2

    1:

  • AWS

    2016 8

    19/110

    AWS ISMS

    AWS

    (ISMS)

    2 AWS ISMS

    ISMS ISO 27001

    1

    AWS

    ( AWS

    )

  • AWS

    2016 8

    20/110

    2 ISMS

    3

    IT

    (

    )

    AWS

    OCTAVE (Operationally Critical Threat, Asset,

    and Vulnerability Evaluation)ISO 31000:2009 Risk Management

    ENISA (European Network and Information Security Agency)IRAM

    (Information Risk Analysis Methodology)NIST (National Institute of

    Standards & Technology) Special Publication (SP) 800-30 rev.1 Risk

    Management Guide

    4

    AWS

  • AWS

    2016 8

    21/110

    5

    6

    7

    ISO 27002NIST SP 800-

    53COBIT (Control Objectives for Information and related Technology)

    CSA-CCM (Cloud Security Alliance-Cloud Control Matrix)

    8

    ISMS

    9

    2: ISMS

  • AWS

    2016 8

    22/110

    AWS IAM

    ISMS

    IAM AWS IAM

    AWS

    IAM

    AWS AWS

    AWS AWS AWS

    AWS

    AWS AWS

    AWS

    1 AWS

    AWS IAM

  • AWS

    2016 8

    23/110

    IAM IAM

    AWS IAM AWS

    CLI API

    AWS

    IAM

    AWS

    AWS

    AWS

    3

    AWS

    3

    AWS

    AWS

    1

    AWS

    AWS

  • AWS

    2016 8

    24/110

    AWS

    (DNS

    Active Directory ) AWS 1

    AWS

    3: AWS

    IAM

    IAM

    IAM

    IAM AWS AWS

    IAM

    ID

  • AWS

    2016 8

    25/110

    IAM

    IAM 1 AWS IAM

    IAM

    AWS

    IAM

    IAM 1 IAM AWS

    IAM

    IAM

    John IAM

    Archives Amazon S3

    John

    Archives John

    Sally Betty Archives

    JohnSallyBetty 3

    JohnSallyBetty 3

    IAM AWS

    1

    AWS

  • AWS

    2016 8

    26/110

    AWS

    AWS IAM ID

    ID 2

    1 AWS AWS

    1 AWS API

    4 2

    / AWS E

    IAM AWS

    IAM

    (

    )

    MFA AWS Multi-Factor Authentication (MFA)

    MFA

    AWS

    ( 1 )

    MFA ( 2

    ) MFA S3

    AWS

    AWS IAM

    MFA

    AWS Gemalto MFA

    MFA

    4:

  • AWS

    2016 8

    27/110

    5 API

    AWS API

    ID

    AWS

    AWS IAM

    2

    API