Introduction

I build on AWS for work, and my security posture was more or less "be vaguely careful": keep secrets out of Git with .gitignore, put credentials in Secrets Manager, and call it covered. That is the honest state of things. What I had never done was look at the environments I build the way an attacker would.

Then I learned that there are CTFs (Capture The Flag events) dedicated to AWS. I like hands-on events, so I entered one for the first time: the CTF on Day 2 of Security-JAWS DAYS "10th Anniversary Event". The format was a four-hour run through a fictional company's AWS environment, from breaking in and collecting information on the offensive side all the way to a forensic investigation in CloudTrail on the defensive side.

To state the conclusion first: I managed to solve every challenge at my first attempt, but the real learning came afterwards. Several stages were things I could not dismiss as somebody else's problem, so once the event was over I went and researched the background and the countermeasures.

The five topics covered here are all things I already "sort of knew were bad". What I had never really thought through was what the concrete risk is and why each one is bad. The CTF was a good excuse to test that vague knowledge with my own hands.

This post organizes what I learned from the CTF and from the reading that followed into five typical ways secrets leak on AWS.
Public resources ── the .env was right there

Challenge text: A .env file holds an application's environment variables. It often contains database passwords and API keys, and there is a steady stream of cases where a web server misconfiguration exposes it. Find the .env file on TechVault's web server.

Secrets even a beginner can grab straight away

The challenge text said "exposed by a web server misconfiguration", so I naively assumed that curl against the right path would show the environment variables, and tried it. The .env file came straight back, and inside it was an AWS access key.

I went in treating this as a warm-up ("can I even get this?"), and even for me it fell over almost immediately. More than any satisfaction, what stuck was how cheap the attack was.

Why this works

The immediate problem is that a secret like an AWS access key was written into .env, and that file was placed somewhere reachable directly over the web.

Go one level deeper, though, and the real problem is using long-lived AWS access keys at all. The moment something that must not leak is sitting in a file, where you hide .env is a weak line of defence.

This is not just a CTF scenario. Palo Alto Networks' Unit 42 reported a campaign that harvested publicly exposed .env files from roughly 110,000 domains, leaking more than 90,000 environment variables and enabling large-scale extortion (Unit 42). Attackers scan the whole internet mechanically; "nobody will notice our little server" does not hold.
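Here is a self-check you can point at a host you own, written for this post rather than taken from the CTF or from Unit 42's tooling. It requests the same kind of well-known paths that mass scanners ask for and reports the ones that come back with env-looking content. To stay runnable offline, the demo serves a constructed directory containing a fake .env (the key is AWS's documentation example) from a local http.server, which is exactly the misconfiguration described above. The candidate path list is an assumption; extend it from your own access logs.

```python
"""
Self-check for exposed dotfiles: an added example, not code from the CTF or from Unit 42.

probe_exposed_paths() does, against a host you own, what the mass scanners do: request
a few well-known paths and report the ones that answer 2xx with env-looking content.
The demo serves a constructed directory containing a fake .env (the key is AWS's
documentation example) from a local http.server, i.e. the misconfiguration itself.
"""
import http.server
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from typing import Dict

# Paths that automated .env hunters ask for (assumed list; extend it from your access logs).
CANDIDATE_PATHS = ["/.env", "/.env.bak", "/.env.production", "/.git/config", "/config/.env"]
ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=.+$", re.M)
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def probe_exposed_paths(base_url: str) -> Dict[str, Dict]:
    """Return {path: {status, looks_like_env, aws_key_ids}} for every path that is served."""
    hits: Dict[str, Dict] = {}
    for path in CANDIDATE_PATHS:
        try:
            with OPENER.open(base_url + path, timeout=2) as r:
                body = r.read(64_000).decode(errors="replace")
        except urllib.error.HTTPError:
            continue  # 403/404 is the answer you want to see
        hits[path] = {
            "status": r.status,
            "looks_like_env": len(ENV_LINE.findall(body)) >= 2,
            "aws_key_ids": ACCESS_KEY_ID.findall(body),
        }
    return hits

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Plain directory server (serves dotfiles, like a misconfigured web root); no request logging."""
    def log_message(self, *args):
        pass

def serve_directory(root: str) -> http.server.HTTPServer:
    srv = http.server.HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo() -> Dict[str, Dict]:
    """Stand up a web root with a .env in it, probe it, and return what leaked."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".env"), "w") as f:
            f.write("DB_PASSWORD=hunter2\n"
                    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>TechVault</h1>\n")
        srv = serve_directory(root)
        try:
            return probe_exposed_paths(f"http://127.0.0.1:{srv.server_port}")
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

Against a real host, call probe_exposed_paths("https://staging.example") and expect an empty result; any hit means the web server is handing out files it should deny (dotfiles in the document root should be blocked at the server level, not merely hidden).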
Countermeasures I looked up after the CTF

When I looked into countermeasures after the event, several options I had not known about came up.

To begin with, AWS best practice is to call the AWS APIs from EC2, Lambda or ECS using an IAM role, not an IAM user's access keys. A role gets temporary credentials issued and refreshed automatically, so there is nothing to put in a file in the first place. For access from outside AWS (on-premises hosts, external CI and so on), IAM Roles Anywhere gives you the same model.

If a long-lived key really cannot be avoided, it needs regular rotation. The AWS Config rule access-keys-rotated automatically flags keys that have not been rotated in more than 90 days. The two-stage stance matters: do not use long-lived keys, and if you must, have their age monitored automatically.

There are also tools that detect secrets slipping into a Git repository, such as git-secrets (from AWS Labs), gitleaks and trufflehog; the next chapter (Git history) covers them in more depth. Only by standing in the attacker's shoes did I realise how much of the defensive side I had never seen.

What to keep in mind in practice

Having the basics in place (.env out of Git, no long-lived keys) is the starting point; adding something that detects and monitors for lapses (git-secrets, the Config rule, and the like) is what makes it comfortable. Running the attack myself is what made these options feel real.

The biggest lesson of this chapter: the state of "we do the basic things, so we are fine" and the state of "we have a drawer full of countermeasures and know when to use each" are different things.

■ Key points of this chapter
- A .env reachable from the web gives up its contents to a single curl
- The underlying problem is using long-lived access keys, not where the file is hidden
- The proper fix is to move to IAM roles so there is no long-lived key at all
Git history ── what you "deleted" is still there

Challenge text: The portal's footer links to TechVault's GitHub repository. It seems to have been published to show transparency through open source, but... dig into the commit history and information that was supposedly deleted can still be there.

Just digging through Git was enough

Reading the challenge, I guessed that some information had been committed by mistake in the past and that trawling the commit history would turn it up. Sure enough, pulling up old commits with git log --all -p showed the .env file that was supposed to have been deleted, AWS key included.

Once I had that thread, I pasted the whole log into Claude and asked it to search, and it found the key without any fuss. "Accidentally committing a secret" is something that genuinely happens, to me included, so this one was a little unsettling.

Why this works

A Git commit is an immutable snapshot, and history only ever grows: a commit that "deletes" a file adds a new snapshot without the file, but every earlier snapshot that contains it is untouched. So the moment a secret is committed, it lives in the history for good unless the history is deliberately rewritten.

On top of that, Git is distributed: if the repository has already been cloned or forked, rewriting history in your copy leaves the secret intact everywhere else. That is why revoking the leaked key matters more than deleting the leaked file, and has to come first.

Countermeasures I looked up after the CTF

This stage prompted me to revisit how secrets are kept out of Git.

The most basic layer is detection before the commit happens. git-secrets (from AWS Labs) specialises in AWS key patterns and blocks them in a git commit hook. gitleaks and trufflehog are more general and recognise key formats for many services beyond AWS. A nice trait of trufflehog is that it can actually call the provider's API with a detected key to verify whether it is still live.
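To make the detection concrete, here is a minimal scanner in the spirit of git-secrets and gitleaks, written for this post (it is not their code and carries a tiny fraction of their rules). It walks the added lines of a unified diff, matches the AWS access key ID prefix and the 40-character secret-key shape next to a tell-tale variable name, and uses a Shannon entropy threshold to skip placeholder values. The diff is constructed for the example and uses AWS's documented example credentials; the entropy cut-off of 3.5 bits is an assumed tuning value.

```python
"""
Minimal pre-commit style secret scanner: an added example, not gitleaks/git-secrets code.

It walks the *added* lines of a unified diff and flags AWS credentials, the same idea
the real tools implement with far larger rule sets. The diff is constructed for the
example; the key values in it are AWS's documented example credentials.
"""
import math
import re
from typing import List, Tuple

# Access key IDs: a 4-char prefix (AKIA = long-term, ASIA = temporary) + 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys have no prefix: 40 base64-ish chars, so anchor on a tell-tale variable name.
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: a random 40-char key scores well above 4; 'aaaa...' scores 0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_diff(diff: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (diff_line_number, rule, matched_value) for each suspicious added line."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), start=1):
        # Only '+' lines matter: removing a leaked key must not itself be blocked.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for m in ACCESS_KEY_ID.finditer(body):
            findings.append((lineno, "aws-access-key-id", m.group(0)))
        m = SECRET_KEY.search(body)
        # The entropy gate drops placeholders such as an all-'a' value in a .env.example.
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((lineno, "aws-secret-access-key", m.group(1)))
    return findings

# Constructed diff of a .env that was accidentally staged.
SAMPLE_DIFF = (
    "diff --git a/.env b/.env\n"
    "new file mode 100644\n"
    "--- /dev/null\n"
    "+++ b/.env\n"
    "+DB_HOST=db.internal\n"
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "+AWS_SECRET_ACCESS_KEY=" + "a" * 40 + "\n"          # placeholder, not a leak
    "+LOG_LEVEL=debug\n"
    "-AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n"          # removed line, not flagged
)

if __name__ == "__main__":
    for lineno, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {rule}: {value}")
```

Wired into a pre-commit hook, the script would run scan_diff() over git diff --cached and exit non-zero on any finding; the point of scanning only added lines is that the commit which removes a leaked key is never the one that gets blocked.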
The current mainstream answer is GitHub's secret scanning with push protection (see GitHub's documentation). GitHub recognises more than 200 secret formats and rejects a push that contains one before it lands. It is free for public repositories, while private repositories need GitHub Advanced Security, but enabling a GitHub feature is a far lower bar for an organisation-wide rollout than getting everyone to install pre-commit hooks.

The procedure for a secret that has already leaked is also clear: rotate the key immediately, before doing anything to the history, and only then rewrite the history with a tool such as git filter-repo. If clones or forks may exist, rotation is the only step that truly counts.

What to keep in mind in practice

This mistake is easier to make than it looks. Even with .env in .gitignore, if it was committed once before the ignore rule was added, it is in the history. Precisely because it can happen to anyone, the protection has to be mechanical rather than a matter of people being careful.

Turning on GitHub push protection and periodically scanning the existing history are the kind of mechanisms that stop an "oops" before it becomes an incident.

■ Key points of this chapter
- A "delete" commit does not remove the file from Git history
- When a secret leaks, rotate the key first; cleaning the history comes second
- Detect in two stages: pre-commit (gitleaks and friends) plus GitHub push protection
Docker layers ── the trap of "I ran rm, so it's gone"

Challenge text: You noticed that DataAnalystRole can see ECR repositories. The build history of a Docker image can retain secrets it once contained. Dig into the image's layers.

The file was still there behind the RUN rm

Looking at the build history of the image in ECR, the line after COPY secret.txt . was RUN rm secret.txt. My first thought was that since the file had been deleted, it was out of reach. But walking back through the earlier layers, secret.txt was sitting there untouched.

I use Docker in my day job, but I had never inspected an image layer by layer. I felt my way through it, looking up how the image manifest describes the layers and how to get each layer's digest. For someone whose routine had been "build it, run it", being able to peer into the image like this was frankly not something I had expected.

Why this works

A Docker image is an append-only stack of layers. The COPY that adds a file and the RUN rm that deletes it each produce a new layer on top; neither modifies the layers below. The final container's filesystem no longer shows the file, but pull out the earlier layer directly and the file is there exactly as it was before the deletion.

So writing

COPY secret.txt .
RUN rm secret.txt

in a Dockerfile and calling that "used it, then removed it" is only true on the surface: anyone who can pull the image can recover the file. The mechanism mirrors Git history.
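The layer mechanics can be reproduced without Docker at all. The script below is an added example, not code from the CTF or from Docker: it builds two tiny tar layers in memory (one standing in for COPY secret.txt ., one for RUN rm secret.txt, which a layer records as a whiteout entry named .wh.secret.txt), merges them the way a container runtime does, and then reads the secret straight out of the lower layer. File names and the key value are constructed.

```python
"""
Recovering a file that a later layer 'deleted': an added example, not code from the CTF or Docker.

Image layers are tar archives applied in order. A deletion in a later layer is recorded
as a whiteout entry (.wh.<name>) rather than by editing the earlier layer, so the bytes
stay in the lower layer for anyone who can pull the image. Layer contents are constructed.
"""
import io
import tarfile
from typing import Dict, List

WHITEOUT_PREFIX = ".wh."

def make_layer(files: Dict[str, bytes]) -> bytes:
    """Pack path -> content into one tar blob, the shape of a single image layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_layer(blob: bytes) -> Dict[str, bytes]:
    """Unpack a layer tar into path -> content (regular files only)."""
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out

def apply_layers(layers: List[bytes]) -> Dict[str, bytes]:
    """Merge layers bottom-up as a container runtime does, honouring whiteouts."""
    fs: Dict[str, bytes] = {}
    for blob in layers:
        for path, data in read_layer(blob).items():
            dirname, _, base = path.rpartition("/")
            if base.startswith(WHITEOUT_PREFIX):
                # 'app/.wh.secret.txt' hides 'app/secret.txt' from all lower layers
                name = base[len(WHITEOUT_PREFIX):]
                fs.pop(f"{dirname}/{name}" if dirname else name, None)
            else:
                fs[path] = data
    return fs

def find_deleted_files(layers: List[bytes]) -> Dict[str, bytes]:
    """Attacker's view: files absent from the merged filesystem but present in some layer."""
    merged = apply_layers(layers)
    leaked: Dict[str, bytes] = {}
    for blob in layers:
        for path, data in read_layer(blob).items():
            is_whiteout = path.rpartition("/")[2].startswith(WHITEOUT_PREFIX)
            if path not in merged and not is_whiteout:
                leaked[path] = data
    return leaked

# Constructed two-layer image: layer 1 = 'COPY secret.txt .', layer 2 = 'RUN rm secret.txt'.
LAYER_COPY = make_layer({
    "app/main.py": b"print('hello')\n",
    "app/secret.txt": b"AKIAIOSFODNN7EXAMPLE\n",   # AWS documentation example key
})
LAYER_RM = make_layer({"app/.wh.secret.txt": b""})
IMAGE = [LAYER_COPY, LAYER_RM]

if __name__ == "__main__":
    print("visible in the running container:", sorted(apply_layers(IMAGE)))
    print("recoverable from lower layers:   ", find_deleted_files(IMAGE))
```

On a real image the same loop runs over the layer tarballs inside a docker save archive (or the blobs ECR serves), which is all an attacker with pull access needs.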
Countermeasures I looked up after the CTF

Researching Docker secret handling after this stage turned up mechanisms I never touch in everyday use.

The most fundamental fix is the BuildKit secret mount (see the official documentation). With RUN --mount=type=secret,id=mysecret ... the secret is mounted into that build step only, and nothing of it lands in any layer. It makes the whole "COPY it in, then RUN rm" idea unnecessary: rather than "use it, then delete it", the secret is never written into a layer to begin with.

The companion to this is .dockerignore (official docs), the Docker counterpart of .gitignore: it excludes files from the build context. With .env and secrets/ excluded up front, even a careless COPY . . cannot drag a secret file into the image.

Multi-stage builds, which separate the build-time layers from the runtime image, are another option, but the two measures above already go a long way.

One more caveat: ECR has image scanning (Basic and Enhanced), but it exists to detect CVEs (known vulnerabilities), not secrets left in layers. Having scanning enabled does nothing about a secret baked into an earlier layer.

What to keep in mind in practice

I use Docker all the time, yet the BuildKit secret mount was new to me. The shift from "delete it after use" to "never let it reach a layer" is something I want in mind every time I write a Dockerfile.

Git history and Docker layers are both append-only structures, so it is only natural that things you think you deleted are still there. Designing on the assumption of "never bring it in" rather than "delete it" is the safe default.

■ Key points of this chapter
- Docker images are append-only; RUN rm leaves the file in the earlier layer
- The real fix is the BuildKit secret mount: design so nothing reaches a layer
- ECR image scanning is for CVEs; secret detection is a separate problem
Secret management services ── the trap of "it's encrypted, so it's fine"

Challenge text: You noticed that DataAnalystRole's permissions let you see Lambda functions. Lambda functions carry configuration in "environment variables", and developers sometimes put secrets there by mistake. Check them.

Challenge text: The Lambda environment variables contained an SSM path, /techvault/internal/api-key. SSM Parameter Store is a secret management service similar to Secrets Manager, organised as a hierarchy, so follow the path and dig.

It was supposed to be encrypted, yet I could read it

Listing the Lambda function's environment variables with get-function-configuration showed secrets written out in the clear. A place I had filed under "just configuration" had real secrets in it.

One of those variables held the SSM path /techvault/internal/api-key, so I followed it. A SecureString in SSM Parameter Store is encrypted, yet calling the API with --with-decryption returned the plaintext.

Honestly, I had held onto a fair bit of "if it's in Secrets Manager or a SecureString, it's safe". In reality, anyone who holds the permissions can pull the encrypted value just as easily.

Why this works

"Encrypted" and "protected" are two different statements.

SSM SecureString and Secrets Manager both encrypt at rest: someone who reads the storage directly sees only ciphertext, and in that sense they are genuinely safe. Use time, when the value is fetched through the API, is a different matter: anyone holding ssm:GetParameter and kms:Decrypt gets the plaintext with --with-decryption.

In other words, encryption is an at-rest property and access control is a use-time property, and you need both before you can call something safe. In the CTF, DataAnalystRole happened to hold both permissions, so the secret came out easily. As for the Lambda environment variables, the API hands them back in plaintext: anyone allowed to call get-function-configuration can read them.

Countermeasures I looked up after the CTF

This stage broke an assumption of mine, so I went back over the countermeasures.

The starting point is the principle of least privilege (AWS's official best practice). Are ssm:GetParameter or secretsmanager:GetSecretValue granted with Resource: "*"? In SSM Parameter Store the path hierarchy lets you scope a grant to something like arn:aws:ssm:...:parameter/myapp/prod/*; in Secrets Manager you can scope to the ARN of each individual secret.

What struck me as particularly effective is the Secrets Manager resource-based policy: a policy attached to the secret itself that says "only Role-A and Role-B may read this". Even if an identity policy has grown too broad, the secret can have the last word. SSM Parameter Store has no equivalent, which I learned is one of the reasons to pick Secrets Manager. One caveat: inside a single account an Allow in the resource policy adds nothing restrictive, so "only these roles" has to be written as an explicit Deny for every principal that is not on the list.

A second lock is the KMS key policy. SecureString and Secrets Manager both use KMS under the hood; with a customer managed key, the key policy restricts which principals may use the key. Then even a principal holding ssm:GetParameter cannot decrypt without kms:Decrypt on that key, and the defence is layered (official docs).
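To see the two properties interact, here is a toy policy evaluator written for this post (it is not AWS's evaluator and implements only the rules this chapter needs: an explicit Deny wins; otherwise, within one account, an identity-policy Allow suffices). It shows the over-broad identity policy the CTF role effectively had, and the Deny-unless-listed resource policy that closes it for everyone except the application role. The account ID, role names and secret ARN are placeholders.

```python
"""
Why 'encrypted' is not 'protected': a toy IAM evaluator, added for this post (not AWS code).

It implements only the rules this chapter relies on: an explicit Deny anywhere wins;
otherwise, within one account, an Allow in the identity policy is enough. Account id,
role names and the secret ARN are placeholders.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

ACCOUNT = "123456789012"
SECRET_ARN = f"arn:aws:secretsmanager:ap-northeast-1:{ACCOUNT}:secret:techvault/api-key-AbCdEf"
ANALYST = f"arn:aws:iam::{ACCOUNT}:role/DataAnalystRole"
APP = f"arn:aws:iam::{ACCOUNT}:role/TechVaultAppRole"

def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]

def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _applies(stmt: Dict, principal: str, action: str, resource: str) -> bool:
    """Does this statement cover (principal, action, resource) once its Condition is evaluated?"""
    if not _matches(stmt["Action"], action) or not _matches(stmt.get("Resource", "*"), resource):
        return False
    if "Principal" in stmt:  # resource-based policies name a Principal; identity policies don't
        p = stmt["Principal"]
        p = p.get("AWS", "*") if isinstance(p, dict) else p
        if not _matches(p, principal):
            return False
    # StringNotLike on aws:PrincipalArn: the statement applies unless the caller matches one pattern.
    not_like = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
    if any(fnmatchcase(principal, pat) for pat in _as_list(not_like)):
        return False
    return True

def is_allowed(principal: str, action: str, resource: str,
               identity_policy: Dict, resource_policy: Dict) -> bool:
    stmts = identity_policy["Statement"] + resource_policy["Statement"]
    applicable = [s for s in stmts if _applies(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)

# The over-broad identity policy the CTF role effectively had: every secret and parameter.
BROAD_IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "ssm:GetParameter", "kms:Decrypt"],
     "Resource": "*"},
]}

# Policy on the secret itself. In the same account an Allow here restricts nothing;
# the explicit Deny for everyone outside the allow-list is what does the work.
SECRET_RESOURCE_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "secretsmanager:GetSecretValue", "Resource": "*",
     "Condition": {"StringNotLike": {"aws:PrincipalArn": [APP]}}},
]}

NO_RESOURCE_POLICY = {"Statement": []}

def can_read_secret(principal: str, resource_policy: Dict = SECRET_RESOURCE_POLICY) -> bool:
    """Would GetSecretValue on the secret succeed for this role?"""
    return is_allowed(principal, "secretsmanager:GetSecretValue", SECRET_ARN,
                      BROAD_IDENTITY_POLICY, resource_policy)

if __name__ == "__main__":
    for role in (ANALYST, APP):
        print(role.rsplit("/", 1)[1],
              "| identity policy alone:", can_read_secret(role, NO_RESOURCE_POLICY),
              "| with Deny-unless-listed:", can_read_secret(role))
```

The same Deny-unless-listed shape works in a customer managed KMS key policy for kms:Decrypt, which is the second lock described above; the real service evaluates many more condition keys and cross-account rules than this toy does.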
And then the Lambda environment variables. The thing to get straight is that they are a place for configuration values, not a secret store. The recommended pattern is to fetch secrets at run time from Secrets Manager, for example through the AWS Parameters and Secrets Lambda Extension.

What to keep in mind in practice

With Secrets Manager or SecureString it is easy to relax because "it's properly encrypted at rest". What actually matters is the access-control question: who can read this secret?

A resource-based policy or a customer managed KMS key lets you state explicitly that "only this role can read this secret". Treating encryption and access control as separate things and covering both is the insight that landed hardest in this chapter.

■ Key points of this chapter
- "Encrypted" is about rest, "access control" is about use; both are needed
- Use a Secrets Manager resource-based policy to spell out who may read
- Lambda environment variables are not a secret store; fetch at run time instead
Runtime ── it leaks from "the server" even when it is in no file

Challenge text: On TechVault Portal's /dashboard, pasting an external link into an announcement fetches the linked page and auto-generates a card. The internal-data-server found in the earlier stage should not be reachable from a browser, but the card-generation code fetches the link from the internal network side. Using the vulnerability class known as SSRF as your lead, study the preview feature's behaviour, find the next entry point from the internal API's directions, and see whether you can reach temporary credentials.

Feeling what "IMDSv1 is a no-go" really means

I knew "IMDSv1 is bad for security", but I had never properly understood why, and carrying out the attack was what made it click.

Starting from the dashboard's "turn an external link into a card" feature, I kept rewriting the URL parameter until it reached an API on the internal network, and finally http://169.254.169.254/… (the EC2 metadata service). When the IAM role's temporary credentials came out of that, I understood: so this is the IMDSv1 weakness.

I stumbled a bit building the URL chain, but once I described the setup to an AI it assembled it in seconds. That was also the moment I noticed how low the bar for assembling an attack has become (more on that in the final chapter).

Why this works

The EC2 instance metadata service (IMDS) answers requests to http://169.254.169.254/ from inside the instance with information about the instance itself, including the temporary credentials of its IAM role. It is the convenient mechanism applications use to call AWS APIs.

IMDSv1 returns that information to a single plain GET, with no authentication and no token. So if the server has a vulnerability that lets it be made to fetch arbitrary URLs (SSRF), an attacker can have it call IMDS from the inside and hand back the credentials. This is the pattern abused at scale in the 2019 Capital One breach, and it is widely seen as the direct trigger for AWS introducing IMDSv2.

The important point is that the attack succeeds even though the secret is written in no file and no code. The earlier chapters were about a secret left lying somewhere; this stage leaks it from the running server itself, which is a different dimension of the problem.

Countermeasures I looked up after the CTF

Against attacks that target IMDSv1, the countermeasures are relatively clear-cut.

The most effective one is enforcing IMDSv2 (see the official documentation). IMDSv2 requires a session token obtained with a PUT request before any metadata can be read, and every subsequent GET must carry that token in a header. Most SSRF bugs can only issue GETs and cannot set custom headers, so the design blocks them outright: no PUT means no token, no token means no metadata. (IMDSv2 also refuses token requests that carry an X-Forwarded-For header, so a PUT relayed through a proxy does not help either.) An existing instance can be switched to IMDSv2-only with aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required.
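The difference is easiest to see with a mock. The script below is an added example, not the real IMDS or any AWS code: an in-process HTTP server imitates the two modes of the http-tokens setting, ssrf_fetch() plays the link-preview bug (one GET, no control over method or headers), and imdsv2_client_fetch() plays a well-behaved SDK. Paths, header names and the X-Forwarded-For rule follow the real service; the credentials and role name are constructed.

```python
"""
IMDSv1 vs IMDSv2 against a GET-only SSRF: an added example, a mock rather than the real EC2 IMDS.

MockIMDS imitates the two modes of the http-tokens setting:
  optional  (IMDSv1 allowed): a bare GET returns the role credentials.
  required  (IMDSv2 only):    GET must carry X-aws-ec2-metadata-token, obtainable only
                              through a PUT with X-aws-ec2-metadata-token-ttl-seconds and
                              no X-Forwarded-For header (the real service rejects those too).
ssrf_fetch() plays the vulnerable link-preview feature (one GET, no control over method or
headers); imdsv2_client_fetch() plays a well-behaved SDK. Credentials and role name are fake.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

CREDS_PATH = "/latest/meta-data/iam/security-credentials/TechVaultAppRole"
TOKEN_PATH = "/latest/api/token"
FAKE_CREDS = {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE", "SecretAccessKey": "constructed",
              "Token": "constructed"}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class MockIMDS(BaseHTTPRequestHandler):
    http_tokens = "optional"   # "required" models an instance switched to IMDSv2-only
    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code: int, body: str) -> None:
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != TOKEN_PATH or "X-aws-ec2-metadata-token-ttl-seconds" not in self.headers:
            return self._send(400, "bad request")
        if "X-Forwarded-For" in self.headers:
            return self._send(403, "forbidden")  # token requests via a proxy are refused
        token = secrets.token_urlsafe(32)
        MockIMDS.issued_tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if MockIMDS.http_tokens == "required" and token not in MockIMDS.issued_tokens:
            return self._send(401, "unauthorized")  # what a GET-only SSRF runs into
        if self.path == CREDS_PATH:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404, "not found")

def start_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def _get(url: str, headers: Dict[str, str] = None) -> Tuple[int, str]:
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with OPENER.open(req, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def ssrf_fetch(url: str) -> Tuple[int, str]:
    """The attacker's primitive: make the server issue one GET to a URL of their choosing."""
    return _get(url)

def imdsv2_client_fetch(base: str) -> Tuple[int, str]:
    """What an SDK on the instance does: PUT for a session token, then GET with it."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with OPENER.open(req, timeout=2) as r:
        token = r.read().decode()
    return _get(base + CREDS_PATH, {"X-aws-ec2-metadata-token": token})

def demo(http_tokens: str) -> Dict[str, int]:
    """Run the SSRF GET and the SDK flow against a fresh mock in the given mode."""
    MockIMDS.http_tokens = http_tokens
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {"ssrf_status": ssrf_fetch(base + CREDS_PATH)[0],
                "sdk_status": imdsv2_client_fetch(base)[0]}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("http-tokens=optional:", demo("optional"))   # SSRF gets 200: credentials leak
    print("http-tokens=required:", demo("required"))   # SSRF gets 401; the SDK still works
```

The two demo() calls are the whole argument: with tokens optional the single GET walks away with credentials, with tokens required it gets 401 while the SDK's PUT-then-GET keeps working, which is why the switch is usually invisible to well-behaved applications.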
For new instances you can make IMDSv2 the account-wide default (official docs). If you run several AWS accounts, an SCP (Service Control Policy) can enforce IMDSv2 at the organisation level.

For the worry that "switching to IMDSv2-only will break applications still using IMDSv1", the CloudWatch MetadataNoToken metric is the answer. It counts IMDS requests made without a token; once it has stayed at zero for a while, disabling IMDSv1 is safe.

These are all IMDS-side measures. They need to be combined with application-side SSRF defences (any feature that fetches URLs should refuse internal addresses or, better, work from an allow list) and with least-privilege IAM roles, which limit the damage if credentials do leak, so that the protection is layered.

What to keep in mind in practice

If you use EC2: is IMDSv2 enforced, is the required-by-default setting in place for new instances, does the Terraform launch template set http_tokens = "required" in metadata_options? These are the kind of checks that belong at design and review time.

Until now, when I thought about secret management, I only ever pictured keeping secrets out of files and code. This stage taught me, the hard way, that there is also a path that leaks them from the running server itself.

■ Key points of this chapter
- IMDSv1 + SSRF is the classic Capital One pattern, and it still works today
- Enforcing IMDSv2 (HttpTokens=required) stops the large majority of SSRF-based credential theft
- Secrets leak not only from files but from running servers
Thoughts from the CTF and the reading that followed

Solving it at the first attempt, and the sense of achievement

This was my first CTF. I went in half anxious, half curious about how far someone who is not a security specialist could get. With Claude's help here and there, and running about ten minutes over the time limit, I solved every challenge, and I was straightforwardly pleased.

Researching the countermeasures for the five pitfalls in this post after the event, I kept being struck by how much running the attack changes your understanding of the defence. The biggest takeaway is the habit of rereading code and configuration through a security lens.

Another stage that stuck with me

It did not fit the structure of this post, but the stage that abused a Bedrock Agent's permissions left a strong impression.

The setup is simple: the agent holds strong permissions, and when a user asks it to do something it acts on AWS resources using those permissions. The problem is that the action runs with the agent's permissions even when the calling user has none. In this stage, an S3 object that my own role (DataAnalystRole) could not read directly could be pulled out by asking the Bedrock Agent for it.

"A user with no permissions uses a powerful agent as a stepping stone to get at information" is the classic Confused Deputy problem, but as AI agents spread it is one we have to re-learn in a new guise. Where to draw the trust boundary when delegating permissions to an AI is going to matter more and more.

The "nostalgic" feeling of working alongside AI

Lately my work has mostly been handing tasks to an AI wholesale and reviewing what comes back: give it the What, leave it the How. That is efficient, and it has surely raised my productivity, but solving the CTF felt different.

Describing the situation to the AI, discussing the next move, asking and immediately clearing up doubts, and thinking and typing continuously for hours: something like pair programming, a long stretch of working out the How for a given What together with the AI. I was a little surprised at how "nostalgic" it felt, since that was an ordinary way of working not so long ago.

For exploratory tasks like a CTF, working side by side with the AI may suit better than delegating to it. That is one impression I will carry into how I use AI from here on.

And at the same time, a sense of alarm

The flip side of how enjoyable that collaboration was is that the CTF also left me genuinely alarmed.

An engineer like me, with no security specialisation, could assemble a surprisingly broad range of attacks given AI assistance and some time. The SSRF URL chain took seconds once the AI had the context. We are in an era where the bar for assembling an attack itself is dropping fast.

I take that to mean defenders must assume attackers use AI too, and tighten up the basics accordingly. Every one of the five pitfalls in this post has a clear, well-known countermeasure. The state of "the countermeasure exists but is not applied consistently" is exactly what an AI-equipped attacker feasts on.

Wrapping up a first CTF

It was a CTF that mixed achievement with alarm, but in the end, for an engineer who does not do security for a living, seeing things from the attacker's side was clearly the densest learning I have had in a while. I would take the next opportunity gladly.

Closing

I have organised what I learned in five chapters, and looking back, what they share is the attitude of questioning things I took for granted.

"We're fine because .gitignore excludes it", "fine because RUN rm removed it", "fine because Secrets Manager encrypts it", "I know IMDSv1 is bad": each sounds right on the surface. From the attacker's side, none of them was as "fine" as I assumed, and my "knowing" was shallower than I thought.

In an era where AI can turn anyone into an attacker, that is where I want to start: by doubting my own "it's fine" one more time.