AWS公式オンラインセミナー: https://amzn.to/JPWebinar 過去資料: https://amzn.to/JPArchive

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Webinar
https://amzn.to/JPWebinar https://amzn.to/JPArchive
Security Solutions Architect
2019/06/18
AWS Config
[AWS Black Belt Online Seminar]

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Amazon GuardDuty AWS Security Hub

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Black Belt Online Seminar
•
•
① 吹き出しをクリック
② 質問を入力
③ Sendをクリック
Twitter
#awsblackbelt

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• 2019 6 18
AWS (http://aws.amazon.com)
• AWS
AWS
•
• AWS does not offer binding price quotes. AWS pricing is publicly available and is subject to
change in accordance with the AWS Customer Agreement available at
http://aws.amazon.com/agreement/. Any pricing information included in this document is provided
only as an estimate of usage charges for AWS services based on certain information that you
have provided. Monthly charges will be based on your actual use of AWS services, and may vary
from the estimates provided.

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
•
• AWS Config
• AWS Config Rules
•
•
•

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A
A01
2 xx/xx/xx
Corporate data center
DB
Internet
Firewall
Router
L3SW
LB
DB
A
3 xx/xx/xx
Firewall
Router
L3SW
LB

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
-
-
-
-
B
A01
8 xx/xx/xx
C
A01
8 xx/xx/xx
D
A01
8 xx/xx/xx
E
A01
8 xx/xx/xx
!?!?
A
3 ( )
xx/xx/xx
A
3 ( )
xx/xx/xx

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Tag
AWS Config
Auto Scaling

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Config
•
•
•
•
•
•
•
AWS Config

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
AWS Config

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
•
•
•
•
•
•
•

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
AWS

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
6 3 14:52 1

15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
→

16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Customer
gateway
VPN Connection
Internet
gateway
EBS
Elastic network
interface
EC2
EIPNACL
VPC
Route table Subnet
Security
Group

18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config AWS
*1:
*1 *1 *1
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/resource-config-reference.html

20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config

21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules

22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config

23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
•
•
マネージドルール
•
•
カスタムルール
•
•

24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
•
•
•
•
•
•
•
•

26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/managed-rules-by-aws-config.html

27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lambda functionAWS Config Rules

28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://github.com/awslabs/aws-config-rdk

29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
#1
• approved-amis-by-id
• AMI ( )
• required-tags
•
EC2 ‘CostCenter’
• encrypted-volumes
• EBS
• ec2-instance-managed-by-ssm
• EC2 AWS Systems Manager
• vpc-flow-logs-enabled
• VPC (Flow Logs)

32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
#2
• s3-bucket-public-read-prohibited
• Amazon S3
• s3-bucket-public-write-prohibited
• Amazon S3
• rds-snapshots-public-prohibited
• Amazon RDS
• s3-bucket-server-side-encryption-enabled
• Amazon S3 Amazon S3
• access-keys-rotated
•

33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
GitHub
•
•
•
•

34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SSM OS
• SSM Inventory
• AWS Config / Config Rules
•
• Config Rules SSM Automation
• CloudWatch Event + Lambda
EC2 SSM Inventory AWS Config
利用禁止
ソフトウェア
AWS Config
Rules
CloudWatch
Events
Lambda
Chat
Mail
Config Rulesの「修復アクション」として
SSM Automationを呼び出し
ソフトウェアの変更を時系列で確認
コンプライアンス違反を確認
連携を設定

35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
https://aws.amazon.com/jp/blogs/mt/aws-config-best-practices

36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
#1. AWS Config
→
→
#2.
→
#3.
→

37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
#5. S3
→ AWS
→
S3 AWS Managed Rule
• s3-bucket-public-write-prohibited
• s3-bucket-public-read-prohibited

38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
#19. Data aggregation
#20. Organizations aggregator
→
→

39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Central dashboard
that provides an
aggregated view
Multi-account,
multi-region
Integrates with
AWS Organizations
Available at no
additional charge

40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
(2019/06/18 )
•
•
•
https://aws.amazon.com/jp/config/pricing/

44. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

45. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
Tag
AWS Config
Auto Scaling

46. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config / Config Rules

47. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config
https://aws.amazon.com/jp/blogs/mt/aws-config-best-practices/
AWS Config
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/managed-rules-by-aws-
config.html
AWS Config
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/select-resources.html
AWS Config
https://aws.amazon.com/jp/config/faq/

48. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A
AWS Japan Blog https://aws.amazon.com/jp/blogs/news/

49. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS AWS
https://amzn.to/JPArchive

50. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Webinar
https://amzn.to/JPWebinar https://amzn.to/JPArchive