2000s SaaS on AWS | PPTX
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SaaS on AWS in the 2020s
Yasuhiro Araki
JAWS DAYS 2020 ONLINE
I'm Yasuhiro Araki. Pleased to meet you.
Amazon Web Services Japan
Senior Manager, Technical Division
Principal Solutions Architect
Solutions Architect at AWS since 2011
Favorite services: AWS Direct Connect and EC2 Spot
Today I'll talk about SaaS and networking.
Basic SaaS architecture
Diagram: EC2 instances and an S3 bucket in public and private subnets, behind a load balancer that faces the internet.
The SaaS side manages the internet connection.
The biggest threats to web apps today
App vulnerabilities
Bad bots
DDoS
Chart: Largest DDoS attacks (Gbps), y-axis 0 to 1800 Gbps, annotated with the Memcached and Mirai botnet attacks.
Adding defense layers against DDoS
Diagram: the basic architecture (EC2 instances and an S3 bucket in public and private subnets) now fronted by CloudFront and an ALB, with AWS Shield / Shield Advanced, AWS WAF and Firewall Manager added.
The SaaS side worked hard on its internet-facing connectivity!
"Attacks are scary, so please use a closed network."
Basic SaaS architecture on a closed network
Diagram: the SaaS VPC (EC2 instances, S3 bucket, public and private subnets, load balancer) connected as a consumer VPC to Company A's VPC and Company A's closed network.
The SaaS side joins the customer's closed network.
Ever more customer closed networks
Diagram: the same SaaS VPC now connected to both Company A's closed network (Company A VPC) and Company B's closed network (Company B VPC).
Coordination hell ensues.
AWS PrivateLink and Amazon EventBridge
Simplify the network
Scalable
Secure (no internet)
One-directional (always accessed from the consumer side)
Seamless "point-to-point" integration
Works with many AWS services and SaaS applications
Simple programming model
Typical PrivateLink use cases
Diagram: a consumer VPC reaching, through VPC endpoints (VPCE) within the region, customer services in a customer VPC, AWS service endpoints in an AWS VPC, third-party SaaS/DaaS applications in a SaaS VPC, and services handling sensitive data.
PrivateLink for SaaS
Diagram: the service consumer (AWS Customer-A VPC) creates a VPC endpoint (VPCE) that connects, within the region, to a Network Load Balancer (NLB) in the service provider's SaaS VPC.
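The provider/consumer pattern on this slide as CloudFormation, an added example that is not part of the deck: the SaaS provider publishes its NLB as an endpoint service that requires acceptance and lists the customer accounts allowed to connect, and Customer-A creates an interface endpoint in its own VPC, so every connection is consumer-initiated and the provider still decides who may reach the NLB. Resource names, the account ID, the region and the vpce-svc ID are placeholders.

```yaml
# Added example (not from the deck). Two templates: the first is deployed by the
# SaaS provider, the second by Customer-A. All IDs and names are placeholders.
# --- Template 1: SaaS provider, deployed in the SaaS VPC ---
AWSTemplateFormatVersion: "2010-09-09"
Description: Publish the SaaS NLB as a PrivateLink endpoint service
Parameters:
  SaasAppNlbArn:
    Type: String          # ARN of the existing internal NLB fronting the app
Resources:
  SaasEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
        - !Ref SaasAppNlbArn
      # Every consumer connection must be approved by the provider; together with
      # AllowedPrincipals below, only the listed customer accounts can even ask.
      AcceptanceRequired: true
  SaasEndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref SaasEndpointService
      AllowedPrincipals:
        - arn:aws:iam::111111111111:root   # Customer-A's account (placeholder)
Outputs:
  ServiceName:
    # Handed to the consumer; PrivateLink service names have this form.
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${SaasEndpointService}"
---
# --- Template 2: Customer-A, deployed in the consumer VPC (same region) ---
AWSTemplateFormatVersion: "2010-09-09"
Description: Interface endpoint to the SaaS provider's endpoint service
Parameters:
  ConsumerVpcId:
    Type: AWS::EC2::VPC::Id
  ConsumerSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>       # private subnets, one per AZ
  EndpointSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id      # only the app tier may reach the endpoint ENIs
Resources:
  SaasEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: !Ref ConsumerVpcId
      SubnetIds: !Ref ConsumerSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroupId
      # Service name published by the provider (placeholder ID)
      ServiceName: com.amazonaws.vpce.ap-northeast-1.vpce-svc-0123456789abcdef0
```

The consumer's endpoint stays in "pendingAcceptance" until the provider approves it, and no route from the provider VPC back into the consumer VPC is created.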
PrivateLink can also be used in both directions
Diagram: the service consumer and service provider VPCs, in the same region, each expose an NLB through an endpoint service and each create a VPCE toward the other side's NLB.
PrivateLink + EventBridge
Diagram: the service consumer VPC's VPCE connects, within the region, to the NLB in the service provider VPC over PrivateLink, combined with EventBridge.
SaaS on AWS 2020
Diagram: EC2 instances behind an ALB and CloudFront, protected by Shield / Shield Advanced, WAF and Firewall Manager, with customers arriving over Direct Connect and/or VPN.
An era where the user side chooses VPCE access and provides the connectivity up to AWS.
Access: chosen by the user side.
SaaS side: PrivateLink + EventBridge.
Adding a defense layer with CloudFront
Diagram: EC2 instances and an S3 bucket in public and private subnets, with CloudFront placed in front of the ALB.
Adding a defense layer with a firewall
Diagram: the CloudFront + ALB architecture with AWS WAF and Firewall Manager added.

Editor's Notes

  • #2 If you ride on the Direct Connect the customer has already prepared, you can offer closed-network SaaS! The days when SaaS providers had to provision their own dedicated lines are over.
  • #4 NET-1 Throughout the session we will visually show how each layer of perimeter protection is added to a basic web application. Here we show you a basic web application. This application, if left as is, does not take advantage of all the security measures available to you, which leaves it vulnerable to attack. This simplified architecture is shown so we can draw attention to the principles we're discussing today and how and where each layer of protection is added. Let's begin by adding the first layer of perimeter protection, Amazon CloudFront.
  • #5 Threats are coming at us from multiple angles. There are DDoS attacks that try to exhaust your application resources so it won't be available to your users. This includes volumetric attacks, transport layer attacks, and application layer attacks. We see two things within DDoS attacks: first, short-lived attacks that only last for a couple of minutes are increasing in number. Second, the larger DDoS attacks are growing exponentially in size. The memcached reflection attack seen earlier this year peaked well over 1 Tbps and was more than twice the size of the Mirai botnet attacks. We're also confronted by web application attacks that exploit some weakness in your application code. There are also all kinds of bots, generating half of web traffic by some estimates. Some are good, like search bots for site indexing. Others are bad and try to steal content from your website.
  • #10 From here, I'll introduce Amazon EventBridge, a new serverless service released in July 2019. Amazon EventBridge is a serverless event bus that makes it easy to connect applications to each other using data from your own applications, SaaS applications, and AWS services. As a serverless service, it is of course fully managed and billed on a pay-as-you-go basis for what you use.
  • #11 AWS services: we are influencing CISOs and security groups to rely on PrivateLink as the new normal way to access AWS service APIs (and other SaaS or DaaS offerings). APIs, microservices, anything behind a load balancer: internal applications like APIs or microservices are common use cases, such as logging, monitoring, and container systems. Also, any service or resource can be accessed if it is behind a load balancer. Software-as-a-Service (SaaS): third-party software hosted on the AWS Marketplace or used with bring-your-own-license, like Snowflake and Trend Micro. Services that process sensitive data: when customers are concerned about data, PrivateLink offers an additional layer of security to manage where data is flowing, as at Capital One and MasterCard.
  • #17 And with that, we’ve now added our first layer of perimeter protection by restricting all access to your application through CloudFront. I’m now going to hand the session over to Ritwik who will talk about how to add the next two layers of perimeter protection.