
2021.04.05 MON

JAWS DAYS 2021 talk follow-up: "Are you reading the emails from AWS?"

廣山 豊


Today I gave a talk at JAWS DAYS 2021.
The slides are here.
https://speakerdeck.com/pict3/awskarafalsemerudu-ndeimasuka
I expect the video will be published later as well.

Here I want to write down my personal impressions of JAWS DAYS, and the things I could not fit into the talk because of time and the slide font size.

About JAWS DAYS

It is an event hosted by JAWS-UG (Japan AWS User Group).
JAWS-UG has chapters across the country and per category, and they hold events frequently; JAWS DAYS is a very large event where all of them come together.

This year it was held online.
Apparently more than 3,500 people registered.
Thank you to everyone on the organizing team!

Not being able to see the audience's reactions directly was both lonely and a little nerve-wracking, but when I looked at Twitter afterwards there were positive comments, which was a relief.

Things I paid attention to for the talk

* These are simply things I chose to pay attention to on my own. They were not requested by the organizers, and I do not mean to criticize anyone who did otherwise.

Prepare properly

You may think "you prepared, and that is what you came up with?!", but I did my best to prepare in advance.
・So many people were giving up their time on a weekend
・The organizers put in the effort to prepare for and run the day
・Corporate and individual sponsors contributed
With that in mind, I kept revising the slides and rehearsing on my own so that the talk would be at least a little better.
(Well, it is also because I am not good at speaking in front of people.)

Keep the audience in mind

This is, above all, an event for users. I tried to keep promotion of my own company to a minimum.
As for this content, since it was on the beginner track, I tuned it for people who are about to start using AWS at work.
At first I planned to talk more about technical matters such as the detection mechanisms we run inside our company, but this time I cut back on the technical parts as much as possible and focused on the minimum necessary response that even a one-person IT department could carry out.
When I speak at JAWS-UG chapters or on other occasions I sometimes go deeper, but here I narrowed the goal to keeping users out of trouble and aimed for something simple and easy to understand.

Slide supplements

Data

Full text of the emails pasted on the slides

Your AWS Abuse Report [XXXXXXXXXXX] [AWS ID XXXXXXXXXXXX]
Hello,

We've received a report(s) that your AWS resource(s)

AWS ID: XXXXXXXXXXXX     Region: xx-yy-#    EC2 Instance Id: i-XXXXXXXXXXXX [XX.XX.XX.XX]

has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you're unaware of this activity, it's possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.

We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

* Amazon EC2 Security Groups User Guide:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html (Linux)
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-network-security.html (Windows)

* Tips for Securing EC2 Instances:
https://aws.amazon.com/answers/security/aws-securing-ec2-instances (Linux)
https://aws.amazon.com/answers/security/aws-securing-windows-instances (Windows)

* AWS Security Best Practices:
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

If you require further assistance with this matter, you can take advantage of our developer forums:

https://forums.aws.amazon.com/index.jspa

Or, if you are subscribed to a Premium Support package, you may reach out for one-on-one assistance here:

https://console.aws.amazon.com/support/home#/case/create?issueType=technical

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,
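The abuse report above names an instance and a public IP and nothing else, and AWS says it will not help with troubleshooting. Before replying, the practical first step is to confirm or refute the report from the instance's own VPC Flow Logs: an instance "attempting to access remote hosts without authorization" shows up as one source address fanning out to many distinct destination hosts on one port (typically tcp/22 or tcp/3389), most of them rejected. The script below is an added example, not code from the original post and not an AWS tool. It assumes the default VPC Flow Logs version 2 record format, that the public IP quoted in the report has already been mapped to the ENI's private address (flow logs record the private address), and the ENI ids, addresses and log lines are constructed placeholders.

```python
"""Check an EC2 abuse report against VPC Flow Logs.

Added example; not code from the original post and not an AWS tool. Assumes the
default VPC Flow Logs (version 2) record format. The ENI ids, addresses and log
lines are constructed placeholders.
"""
from collections import defaultdict

# Default v2 flow-log fields, space-separated, in this order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6


def parse_flow_log(text):
    """Parse raw lines into dicts; drop malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA lines carry '-' in the address fields
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def outbound_fanout(records, src_ip):
    """dstport -> set of distinct hosts that src_ip tried to reach over TCP.

    REJECT counts as well as ACCEPT: a SYN that the remote side or our own
    security group dropped is still an attempt, and a scanner produces far
    more rejected flows than accepted ones.
    """
    fan = defaultdict(set)
    for r in records:
        if r["srcaddr"] == src_ip and r["protocol"] == TCP:
            fan[r["dstport"]].add(r["dstaddr"])
    return fan


def scan_findings(records, src_ip, host_threshold=20):
    """Ports on which src_ip contacted at least host_threshold distinct hosts,
    with the host count. An empty dict means the logs do not support the
    report for this address."""
    return {port: len(hosts)
            for port, hosts in outbound_fanout(records, src_ip).items()
            if len(hosts) >= host_threshold}


def _constructed_sample():
    """Constructed sample: 10.0.1.23 probes SSH on 25 hosts, 10.0.1.45 is a normal client."""
    t = 1617000000
    lines = []
    for i in range(25):
        action = "ACCEPT" if i % 10 == 0 else "REJECT"
        lines.append(f"2 123456789012 eni-0aaa 10.0.1.23 198.51.100.{i + 1} "
                     f"{40000 + i} 22 6 1 60 {t + i} {t + i + 1} {action} OK")
    for i in range(3):
        lines.append(f"2 123456789012 eni-0bbb 10.0.1.45 203.0.113.{i + 1} "
                     f"{50000 + i} 443 6 12 9000 {t + i} {t + i + 5} ACCEPT OK")
    lines.append(f"2 123456789012 eni-0ccc - - - - - - - {t} {t + 600} - NODATA")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()


def triage(reported_private_ip, log_text=SAMPLE_LOG):
    """Findings for the instance named in the abuse report.

    Flow logs record the ENI's private address, so map the public IP quoted
    in the report to the private IP (DescribeNetworkInterfaces) before calling.
    """
    return scan_findings(parse_flow_log(log_text), reported_private_ip)


if __name__ == "__main__":
    print(triage("10.0.1.23"))  # {22: 25}: report confirmed, 25 hosts probed on ssh
    print(triage("10.0.1.45"))  # {}: nothing unusual for this address
```

A non-empty result for the reported instance is what you reply to AWS with (together with what you did about it: isolating the instance with a security group that allows no egress, snapshotting it for forensics, then rebuilding). An empty result over the report's time window is worth a second look at the threshold and the time range before you answer that the activity was legitimate.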

Action Required: Your AWS account XXXXXXXXXXX is compromised
Dear AWS customer,

Your AWS Account is compromised! Please review the following notice
and take immediate action to secure your account. We have also opened
an outbound Support Case if you have any additional questions or
concerns regarding this notice.

Your security is important to us. We have become aware that the AWS
Access Key AKI~ (belonging to IAM user
"xxx") along with the corresponding Secret Key is
publicly available online at
https://github.com/(specific file).

This poses a security risk to your account and other users, could lead
to excessive charges from unauthorized activity or abuse, and violates
the AWS Customer Agreement.

Please delete the exposed credentials from your AWS account by using
the instructions below and take steps to prevent any new credentials
from being published in this manner again. Unfortunately, deleting the
keys from the public website and/or disabling them is NOT sufficient
to secure your account.

Failure to perform the below security steps within 24 hours may result
in the termination of all EC2 Spot instances in addition to any other
suspected unauthorized usage on your account. If you believe you've
received this note in error, please contact us immediately via the
support case.

To additionally protect your account from excessive charges, we have
temporarily limited your ability to create some AWS resources.

Detailed instructions are included below for your convenience.

CHECK FOR UNAUTHORIZED USAGE
We strongly encourage you to immediately review your AWS account for
any unauthorized AWS usage, suspect running instances, or
inappropriate IAM users and policies. To check the usage, please log
into your AWS Management Console and go to each service page to see
what resources are being used. Please pay special attention to the
running EC2 instances and IAM users, roles, and groups. You can also
check for any unexpected usage on the "Bills" page in the Billing
console.

https://console.aws.amazon.com/billing/home#/bill

Please keep in mind that unauthorized usage can occur in any region
and that in your console you only see one region at a time. To switch
between regions, you can use the dropdown in the top-right corner of
the console screen.

DELETE THE KEY (ROOT ACCOUNT)
If you are not using the access key, you can simply delete it. To
delete the exposed key, visit the "Security Credentials" page here:
https://console.aws.amazon.com/iam/home#security_credential. Your keys
will be listed in the "Access Keys" section.

DELETE THE KEY (IAM USERS)
Navigate to your IAM Users list in the AWS Management Console, here:
https://console.aws.amazon.com/iam/home#users. Please select the IAM
user identified above. Click on the "User Actions" drop-down menu and
then click "Manage Access Keys" to show that user's active Access
Keys. Click "Delete" next to the access key identified above.

ROTATE THE KEY
If your application uses the access key, you need to replace the
exposed key with a new one. To do this, first create a second key (at
that point both keys will be active) and modify your application to
use the new key.
Then disable (but do not delete) the first key. If there are any
problems with your application, you can make the first key active
again. When your application is fully functional with the first key
inactive, please delete the first key.

ENABLE AMAZON GUARDDUTY
Amazon GuardDuty is an AWS threat detection service that helps you
continuously monitor and protect your AWS accounts and workloads.
Enabling Amazon GuardDuty on your accounts gives you further
visibility into malicious or unauthorized activity, alerting you to
take action in order to reduce the risk of harm. To learn more, visit:
https://aws.amazon.com/guardduty

Please follow the Best Practices of Managing your Access Keys at
http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.

If you have any additional questions or concerns regarding this
notification, please reply to the Support Case.

Sincerely,
Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc.
Amazon.com is a registered trademark of Amazon.com, Inc. This message
was produced and distributed by Amazon Web Services Inc., 410 Terry
Ave. North, Seattle, WA 98109-5210

Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
Dear AWS customer,

Your AWS Account may be compromised! Please review the following notice and take immediate action to secure your account.

We detected abnormal activity in your AWS account that matches the pattern of unauthorized access. This activity is related to your AWS Access Key AKI~ belonging to User , which may indicate that this Access Key and the corresponding Secret Key are compromised.

This poses a security risk to your account (including other account users), could lead to excessive charges from unauthorized activity, and violates the AWS Customer Agreement or other agreement with us governing your use of our service. To protect your account from excessive charges, we have temporarily limited your ability to use some AWS services. To remove the limits, please follow the instructions below. 

If the unauthorized usage is not stopped we may suspend your AWS account. To protect your account from excessive charges, we may terminate any suspected unauthorized resources on your account.

If you believe that your account is secured and there is no unauthorized access or usage, please contact us immediately via the support case.

PLEASE FOLLOW THE INSTRUCTIONS BELOW TO SECURE YOUR ACCOUNT:

Step 1: Delete or rotate the exposed AWS Access Key AKI~. To delete IAM User Keys go to your AWS Management Console here: https://console.aws.amazon.com/iam/home#users. To delete Root User Keys go here: https://console.aws.amazon.com/iam/home#security_credential.

If your application uses the exposed Access Key, you need to replace the Key. To replace the Key, first create a second Key (at that point both Keys will be active) and then modify your application to use the new Key.
Then disable (but do not delete) the exposed Key by clicking on the “Make inactive” option in the console. If there are any problems with your application, you can reactivate the exposed Key. When your application is fully functional using the new Key, please delete the exposed Key.

NOTE: Only rotating or deleting the exposed key may not be sufficient to protect your account, see Step 2.

Step 2: Check your CloudTrail log for unsanctioned activity such as creation of unauthorized IAM users, policies, roles or temporary security credentials. To secure your account please delete any unauthorized IAM users, roles, and policies, and revoke any temporary credentials. NOTE: You cannot revoke temporary credentials obtained via the Root User. For more information see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html#denying-access-to-credentials-creator .

To delete unauthorized IAM User, navigate to https://console.aws.amazon.com/iam/home#users. To delete unauthorized policies go here: https://console.aws.amazon.com/iam/home#/policies. To delete unauthorized roles go here: https://console.aws.amazon.com/iam/home#/roles .

You can revoke temporary credentials by following the instructions here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html#denying-access-to-credentials-by-issue-time. Temporary credentials can also be revoked by deleting the IAM User. NOTE: Deleting IAM Users may impact production workloads and should be done carefully.

Step 3: Review your AWS account for any unauthorized AWS usage, such as unauthorized EC2 instances, Lambda functions or EC2 Spot bids. To check usage, please log into your AWS Management Console and review each service page. You can also check for any unexpected usage on the "Bills" page in the Billing console. https://console.aws.amazon.com/billing/home#/bill

Please keep in mind that unauthorized usage can occur in any region and that your console displays only one region at a time. To switch between regions, you can use the dropdown in the top-right corner of the console screen.

Please take steps to prevent any new credentials from being publicly exposed. See Best Practices of Managing your Access Keys at http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html.

WE RECOMMEND YOU ENABLE AMAZON GUARDDUTY
Amazon GuardDuty is an AWS threat detection service that helps you continuously monitor and protect your AWS accounts and workloads. Enabling Amazon GuardDuty on your accounts gives you further visibility into malicious or unauthorized activity, alerting you to take action in order to reduce the risk of harm. To learn more, visit: https://aws.amazon.com/guardduty.

If you have any questions, you can contact us by accessing the newly created Support Case in your account’s Support Center. If you do not see a new case, you can create a case from the Support Center here: https://console.aws.amazon.com/support/home?#/

Thank you for your immediate attention to this matter.

Sincerely,
Amazon Web Services
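Both of the notices above (the exposed-key one and the irregular-activity one) make the same two points: rotating or deleting the key is only Step 1, and Step 2 is to read CloudTrail for everything the key was used for, in every region, and to revoke any temporary credentials it minted. The script below is an added example, not code from the original post and not an AWS tool, that does the triage half of that over a CloudTrail log file and builds the session-revocation policy the notice links to. It assumes a CloudTrail JSON file with a top-level "Records" list (the format of the files CloudTrail delivers to S3); the key id is AWS's documented placeholder, and the user name, account id and event records are constructed for the example.

```python
"""Triage a 'compromised access key' notice against CloudTrail and build the
session-revocation policy it points to.

Added example; not code from the original post and not an AWS tool. The key
id (AWS's documented placeholder), user name, account id and event records
below are constructed for the example.
"""
import json
from datetime import datetime

# Actions that mint new credentials or widen access: the "unauthorized IAM
# users, policies, roles or temporary security credentials" of Step 2.
PERSISTENCE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "CreateRole", "UpdateAssumeRolePolicy", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "CreatePolicy", "CreatePolicyVersion",
    "AssumeRole", "GetFederationToken", "GetSessionToken",
}
# Resource creation that shows up on the bill: the EC2 instances, Lambda
# functions and Spot bids of Step 3.
SPEND_ACTIONS = {"RunInstances", "RequestSpotInstances", "RequestSpotFleet", "CreateFunction"}


def load_records(text):
    """A CloudTrail log file (as delivered to S3) is a JSON object with a 'Records' list."""
    return json.loads(text)["Records"]


def triage_key(records, access_key_id):
    """Everything done with one access key: first use, regions touched, and the
    events that created persistence or spend. Matches userIdentity.accessKeyId,
    the key that signed the call; an AssumeRole call is signed by the long-lived
    key, so role sessions it spawned are caught here too."""
    hits = sorted(
        (r for r in records if r.get("userIdentity", {}).get("accessKeyId") == access_key_id),
        key=lambda r: r["eventTime"],
    )

    def summary(r):
        return (r["eventTime"], r["awsRegion"], r["eventName"])

    return {
        "count": len(hits),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "regions": sorted({r["awsRegion"] for r in hits}),
        "persistence": [summary(r) for r in hits if r["eventName"] in PERSISTENCE_ACTIONS],
        "spend": [summary(r) for r in hits if r["eventName"] in SPEND_ACTIONS],
    }


def revoke_sessions_policy(cutoff_iso):
    """Inline policy denying every call made with a session token issued before
    cutoff (normally: the moment you apply it). Same shape as the policy behind
    the IAM console's "Revoke active sessions" button and the guide page the
    notice links. Attach it to the user or role whose credentials were abused.
    aws:TokenIssueTime exists only on temporary credentials, so this does not
    block the long-lived key itself (still rotate it) and, as the notice says,
    it cannot revoke sessions obtained with root credentials."""
    datetime.strptime(cutoff_iso, "%Y-%m-%dT%H:%M:%SZ")  # reject malformed timestamps early
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}},
        }],
    }


def _event(time, region, source, name, key, user):
    """Minimal CloudTrail record carrying only the fields the triage reads."""
    return {
        "eventTime": time, "awsRegion": region, "eventSource": source, "eventName": name,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                         "accountId": "123456789012"},
    }


EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented placeholder key id
SAMPLE_TRAIL = json.dumps({"Records": [  # constructed sample
    _event("2021-03-20T09:00:00Z", "ap-northeast-1", "s3.amazonaws.com", "ListBuckets",
           "AKIAI44QH8DHBEXAMPLE", "backup-job"),      # a different key: unrelated
    _event("2021-03-20T10:00:00Z", "us-east-1", "sts.amazonaws.com", "GetCallerIdentity",
           EXPOSED_KEY, "deploy-bot"),                  # attacker checks what the key is
    _event("2021-03-20T10:00:30Z", "us-east-1", "iam.amazonaws.com", "CreateUser",
           EXPOSED_KEY, "deploy-bot"),                  # persistence
    _event("2021-03-20T10:00:45Z", "us-east-1", "iam.amazonaws.com", "CreateAccessKey",
           EXPOSED_KEY, "deploy-bot"),
    _event("2021-03-20T10:05:00Z", "ap-southeast-1", "ec2.amazonaws.com", "RunInstances",
           EXPOSED_KEY, "deploy-bot"),                  # spend, in a region nobody watches
    _event("2021-03-20T10:06:00Z", "eu-west-1", "ec2.amazonaws.com", "RequestSpotInstances",
           EXPOSED_KEY, "deploy-bot"),
]})


def respond(cutoff_iso, trail_text=SAMPLE_TRAIL, key=EXPOSED_KEY):
    """Triage report for the key plus the revocation policy to attach at cutoff."""
    report = triage_key(load_records(trail_text), key)
    return report, revoke_sessions_policy(cutoff_iso)


if __name__ == "__main__":
    now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
    report, policy = respond(now)
    print(json.dumps(report, indent=2))
    print(json.dumps(policy, indent=2))
```

The report's "regions" list is the answer to the notice's reminder that the console shows one region at a time: those are the regions you have to open. Each entry under "persistence" is a user, key, role or policy that survives rotation of the exposed key and has to be deleted by hand, and each entry under "spend" is a resource to terminate and to look for on the Bills page. The cutoff passed to the policy should be the time you apply it, not the time of first abuse: the point is to invalidate every session token that exists at that moment, including legitimate ones, which is why it belongs on the abused principal only.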

CloudTrail Managed Policy Scope Down [AWS Account: XXXXXXXXXXX]
Hello,

On November 30, 2020, CloudTrail’s current access policy (AWSCloudTrailAccessPolicy) will be deprecated and replaced with a new version (AWSCloudTrail_FullAccess), which has a reduced permission set.

The current AWSCloudTrailAccessPolicy will continue to work for existing accounts; however, once the replacement occurs, it will not be able to be attached to new IAM principals. For accounts with AWSCloudTrailAccessPolicy, no customer action is required as these accounts will still have this policy attached; accounts without AWSCloudTrailAccessPolicy will not be able to view this policy for attachment after it is deprecated. These changes are intended to constrain the scope of CloudTrail’s full access policy to the minimum set of actions required to manage CloudTrail resources through the AWS console or API.

As always, AWS recommends that use of either CloudTrail full access policy be limited to high security roles in your account.

Sincerely,
Amazon Web Services

Email subjects, including the ones that did not fit on the slides

Action-required notices
Action Required: Irregular activity in your AWS account: XXXXXXXXXXXX
[Action Required]: Your AWS Storage Gateway VM will be deprecated on January 1, 2022. Please migrate to a new gateway VM.
[ACTION REQUIRED]EECS Deprecation of Managed Policy
[Action Requested] AWS X-Ray Tracing Permissions Not Enabled for AWS Step Functions State Machines
[Action Required] Recommended patch upgrade for database clusters running on Aurora MySQL 1.23.0
[Action Required] Red Hat Enterprise Linux 6 Extended Lifecycle phase begins December 1, 2020
[Action Required] Service Update Notification - Your Amazon ECS Service Running on AWS Fargate Needs an Update [AWS Account: XXXXXXXXXXXX]
[Action Required] Amazon EKS Kubernetes 1.14 Deprecation - Update Your Cluster
[Action Required] AWS CodeBuild to remove support for Windows 2016
[Action Required] Mandatory Patches for Amazon Aurora PostgreSQL
[Action Required] Amazon S3 and Amazon CloudFront migrating default certificates to Amazon Trust Services in March 2021
[ACTION REQUIRED] AWS is updating minimum requirements for AWS Tools for PowerShell to Windows PowerShell 3.0 and .NET Framework 4.5
[Action Required] Security Groups in EC2 Classic
[Action Required] Amazon SES is Ending Support for Signature Version 3 Effective September 30, 2020
[Action Required] Amazon EKS Kubernetes 1.13 Deprecation - Update Your Cluster
[Action Needed] – Update Firewall settings to allow access to expanded IP address ranges for Amazon WorkSpaces.
Action Required: Upcoming changes for Chromium based browsers affecting ELB
[ACTION MAY BE REQUIRED] Amazon Connect launches new domain, connect.aws, starting November 6, 2020
[ACTION MAY BE REQUIRED] Migration timeline for new ARN format for Amazon ECS resource
[ACTION MAY BE REQUIRED] Important Updates to Your Classic Load Balancer HTTP Header Parsing Behaviour
[No Action Required] Lambda@Edge Billing Will Move to Amazon CloudFront in February 2020
Other
AWS RoboMaker End of Life Support Notice [AWS Account: XXXXXXXXXXXX]
AWS Lambda managed policies deprecation notice
Credentials for your RDS instance potentially exposed [AWS Account: XXXXXXXXXXXX]
AWS CodePipeline is updating pipeline execution statuses
Notification of Amazon S3 buckets configured for public access
WorkSpaces Streaming Protocol is Generally Available for Production Use
Notification on changes to the names of finding types in AWS Security Hub
Amazon DocumentDB to update default engine version to 4.0.0
CloudTrail Managed Policy Scope Down
[Important Notification] Advice for customers using ECS to deal with newly introduced Docker Hub rate limits
AWS Marketplace Price Change Notification
AWS Organizations Delegated Administrator Logging Changes
Important Notification Regarding Your AWS Marketplace Subscription
Deprecation of AWSConfigRole IAM managed policy
Automatic patches available for Amazon Aurora with PostgreSQL Compatibility
AWS Codepipeline is deprecating its managed policy “AWSCodePipelineFullAccess”
Important updates to AWS Security Hub
Update on automatic minor version upgrade for your Amazon Aurora MySQL database instances
Action Maybe Required: Update on our recently launched ALB/CLB feature - “Desync Mitigation Mode”
Important Update Regarding Your Palo Alto Networks AWS Marketplace Subscription [AWS Account: XXXXXXXXXXXX]
Notification of Upcoming Service-Linked Role Scoping Down for AWS Server Migration Service
aws-apitools are deprecated in favour of AWS CLI [AWS Account: XXXXXXXXXXXX]
Database version upgrade for your Amazon Aurora MySQL database instances
AWS CodeBuild Ending Maintenance of Older Images
AWS Service Catalog pricing update
[For Your Awareness] Amazon WorkSpaces Public Bundles to Exclude WinZip or 7-Zip
TLS 1.2 to become the minimum for all AWS FIPS endpoints
Action Needed: Improve the Security of your Web Identity Federation Configuration
Securing Amazon S3 Buckets
Your AWS Elastic Beanstalk Platform Versions is Approaching Retirement
Changes to AWS Batch INACTIVE Job Definitions

Closing

I was impressed by the organizers' decisive call to cut the closing short when the earthquake struck.
The after-party was cancelled too, so I could not thank you in person, but thank you for giving me this opportunity.
And I hope the damage from the earthquake is small.

