A Summary of Amazon's Cloud Service Security Measures
The biggest security worry when moving to cloud computing is that you hand customer information, half-written poems, confidential images and the like over to somebody else. It forces behaviour that runs against the common sense we have lived by so far, namely keeping valuables such as your wallet on your person and close at hand. And it applies all the more when the party you are entrusting your data to is an operator like Amazon, which was ordered to pay some 14 billion yen in back taxes.
To dispel the unease that everybody feels, Amazon Web Services (AWS) has published a document summarizing its security measures.
Amazon Web Services Security White Paper
(note: PDF)
In essence it is a piece of sales promotion, Amazon saying "look how hard we work to keep your data secure", but it is quite well put together, and I thought it worth a read not only for people considering AWS but for anyone thinking about cloud computing security, so I want to go over its main points here.
Points that particularly impressed me are marked in red.
My impressions first
If I write my overall impression up front: this is an extremely ambitious approach to security. In particular, the pursuit of availability, which security people tend to overlook, is thorough. That is presumably in the DNA of an e-commerce company, where even one minute of downtime means an enormous loss of business. The domestically funded, late-entrant cloud providers that will no doubt appear in future will probably not be able to enter the market unless they at least clear this bar.
A quick and shallow glossary

| Abbreviation | Meaning |
|---|---|
| AWS | Short for Amazon Web Services; the collective name for the various cloud-type services Amazon offers. The full lineup is here. |
| EC2 | Short for Amazon Elastic Compute Cloud. Put plainly, a virtual rental-server service, but what it aims at is grand. Elastic means "stretches and shrinks". |
| S3 | Short for Amazon Simple Storage Service. A virtual storage service, used either by attaching it to the OS of an EC2 instance or by connecting from client applications through its API. At present, even being generous, it is hard to call it Simple. |
That was a long preamble; what follows are Amazon's security measures.
Certifications and accreditations obtained
AWS works with its accounting audit firm to comply with the Sarbanes-Oxley (SOX) Act.
It has also obtained SAS 70 (Statement on Auditing Standards No. 70) Type II certification.
If stricter certification standards are established in future, AWS plans to make the effort to meet them.
As evidence of that effort, some customers have stood up HIPAA-compliant healthcare applications on AWS.
Secure design principles
Amazon's development process follows secure software best practices.
This includes formal design reviews by the Amazon security team, threat modelling, risk assessments, source code review, and vulnerability assessments by external specialists.
Risk analysis reviews begin in the design phase and continue through general availability.
Physical security
Amazon's many years of know-how in running services is put to use.
Data centres are housed in nondescript buildings (buildings not recognizable as "Amazon"), and access to the buildings is strictly restricted.
The perimeter and entrances have professional security guards and video surveillance systems.
State-of-the-art intruder detection systems and various electronic devices are in use.
Staff authorized to enter must pass two-factor authentication at least twice before reaching the data centre floor.
Visitors and outside contractors sign in after presenting identification, and are escorted by a staff member at all times while inside.
When an employee leaves the company or transfers out of an AWS-related department, their access rights are revoked immediately.
Employees who may have access to customer data undergo fairly detailed background checks, within the limits of the law.
Data backup
When data is backed up differs considerably from one AWS service to another.

| Service | Backup behaviour |
|---|---|
| S3 | When data is written, it is stored in physically separate locations (for example Europe and the US East Coast). If one of them fails, recovery is performed from another node. |
| SimpleDB | Same as S3. |
| Elastic Block Store | A copy of the data is taken, but it is kept in the same location. EBS data should therefore be backed up to S3. Incidentally, EBS can take snapshot backups while the file system is running. |
| EC2 | The virtual disk attached to an EC2 image is not backed up. Back it up to S3 if you need to. |
Network security
DDoS countermeasures
Each AWS API endpoint sits on world-class, Internet-scale infrastructure built with the know-how of the engineers who built Amazon, the world's largest online store, and proprietary DDoS mitigation techniques are in use. Amazon's network is also multi-homed across multiple providers.
Man-in-the-middle countermeasures
All AWS API authentication is protected by SSL. Amazon EC2 AMIs generate their SSH host keys on first boot.
IP spoofing countermeasures
Amazon EC2 instances cannot send traffic with a forged source onto the network. A host-based firewall controlled by Amazon checks that the source IP and MAC address are consistent.
Port scan countermeasures
Port scanning by EC2 customers is a violation of the terms of service. Any violation discovered will be investigated; if you spot a violation, please report it to support.
Scanning EC2 instances is also pointless: by default all inbound traffic is blocked, and only the ports that are needed are opened using the security groups feature.
Eavesdropping countermeasures
Even if an EC2 instance switches its interface to promiscuous mode, it cannot sniff traffic not addressed to it. The same holds when a single user holds two instances running on the same physical machine.
ARP cache poisoning is technically prevented and is not possible on EC2.
Configuration management
All maintenance and configuration changes to the AWS infrastructure are approved, logged, tested and authorized before being carried out. Changes that affect the service are announced by e-mail and on the web (http://status.aws.amazon.com).
EC2 security
EC2 security is achieved through four layers: the host OS, the guest OS, the firewall, and signed API calls.
Host OS security
The host OS is specially designed and hardened, and all access is logged and audited.
Guest OS security
Administrative control over a virtual instance belongs to the user; AWS has no right to log in to or access the guest OS. Avoiding password-based authentication is recommended.
Firewall
EC2 has a firewall that by default denies all inbound traffic to every virtual instance. Traffic can be controlled per protocol, per port, and by source IP (CIDR ranges can be specified). Because this firewall cannot be controlled from within the guest OS, it offers strong protection. On top of it, using iptables, Windows Firewall or IPsec inside the guest OS is also recommended.
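The default-deny behaviour described in the port-scan and firewall sections can be modelled in a few lines. The following is an added example, not code from the post or from AWS: it assumes a constructed rule set (a hypothetical web server group) and evaluates inbound traffic against it along the dimensions the text lists, protocol, port and source CIDR, with anything unmatched blocked.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule, matching the dimensions the paper lists:
    protocol, port range and source address range (CIDR)."""
    protocol: str      # "tcp", "udp" or "icmp"
    port_from: int
    port_to: int
    source_cidr: str   # e.g. "203.0.113.0/24"


# Constructed rule set (hypothetical web server group): open only what is needed.
WEB_GROUP = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS from anywhere
    Rule("tcp", 22, 22, "203.0.113.0/24"),   # SSH only from the office range
]


def inbound_allowed(rules, protocol, port, source_ip):
    """Rules only ever open traffic; a packet matching no rule is dropped,
    which is the default-deny behaviour the text describes."""
    addr = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.protocol != protocol:
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if addr in ipaddress.ip_network(rule.source_cidr, strict=False):
            return True
    return False


def exposed_ports(rules, source_ip, ports, protocol="tcp"):
    """Ports that would answer a given source: the reason a scan from an
    arbitrary host reveals nothing beyond what the group deliberately opens."""
    return sorted(p for p in ports if inbound_allowed(rules, protocol, p, source_ip))


if __name__ == "__main__":
    print(exposed_ports(WEB_GROUP, "198.51.100.7", range(1, 1025)))   # [443]
    print(exposed_ports(WEB_GROUP, "203.0.113.45", range(1, 1025)))   # [22, 443]
```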
API
Using the API to start or stop virtual instances or to manipulate the firewall requires authentication with an X.509 certificate or the Amazon Secret Access Key. Access to this API can also be encrypted with SSL.
Hypervisor
Amazon's virtual OS environment is built on a heavily customized Xen hypervisor. Processor usage and disk access are fully virtualized; neither users nor guest OSes can access the physical disks or CPUs.
Keeping instances isolated
A mechanism ensures that a virtual instance is not affected by other virtual OSes on the same hardware. Amazon is actively involved in the Xen user and developer communities. The AWS firewall is implemented between the physical network interface and Xen's virtual interfaces, which helps keep traffic isolated. AWS's own disk virtualization layer automatically wipes storage blocks immediately before a user is given them, so no data from a previous user remains. Even so, it is a good idea for users to apply their own measures such as file system encryption. Unless the user explicitly specifies it, data is not replicated within the same region.
Maintaining availability (fault separation)
EC2 lets users choose the geographic location of a virtual OS (US East Coast, Europe, and so on), which enables global risk distribution. Furthermore, each location (for example the US East Coast) has facilities spread across several cities within it, and internal data is continuously synchronized between the facilities. This inter-facility synchronization does not run over the Internet.
S3 security
S3 supports access control at the bucket level (the whole disk) and at the object level. Whether accessed from EC2 or via the API from the Internet, a request must pass user authentication with an HMAC-SHA1 signature and be permitted by an ACL. Bucket-level and object-level ACLs are independent and are not inherited. Access control can be based on an AWS user ID, an e-mail address, or a DevPay Product ID.
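For the HMAC-SHA1 request authentication mentioned above, here is an added example (not from the post or from Amazon) of the legacy S3 REST signing scheme: a StringToSign is built from the HTTP verb, a few headers and the requested resource, signed with the Secret Access Key, and carried in the Authorization header, and the service recomputes it to authenticate the request. The key ID, secret and bucket name are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder credentials; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET_ACCESS_KEY = "example-secret-access-key-placeholder-000"


def string_to_sign(method, content_md5, content_type, date, amz_headers, resource):
    """Legacy S3 REST StringToSign: verb, Content-MD5, Content-Type and Date,
    one line each, then the x-amz-* headers lower-cased and sorted, then the
    canonicalized resource (bucket and key)."""
    canonical_amz = "".join(
        f"{name}:{value.strip()}\n"
        for name, value in sorted((k.lower(), v) for k, v in amz_headers.items())
    )
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{canonical_amz}{resource}"


def sign(secret_key, sts):
    """Signature = Base64(HMAC-SHA1(SecretAccessKey, UTF-8(StringToSign)))."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key_id, secret_key, **request):
    """Value of the Authorization header: 'AWS ' + AccessKeyId + ':' + Signature."""
    return f"AWS {access_key_id}:{sign(secret_key, string_to_sign(**request))}"


def verify(secret_key, header, **request):
    """Service-side check: recompute the signature over the request as received
    and compare in constant time, so any altered field fails authentication."""
    expected = sign(secret_key, string_to_sign(**request))
    return hmac.compare_digest(header.split(":", 1)[1], expected)


if __name__ == "__main__":
    req = dict(method="GET", content_md5="", content_type="",
               date="Thu, 01 Jan 2009 00:00:00 +0000", amz_headers={},
               resource="/example-bucket/reports/q1.csv")
    header = authorization_header(ACCESS_KEY_ID, SECRET_ACCESS_KEY, **req)
    print(header, verify(SECRET_ACCESS_KEY, header, **req))
```

The ACL check the text mentions is a separate step that follows successful authentication; the signature only proves who sent the request and that it was not altered in transit.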
Data management
S3 can also be accessed over SSL. When an object is deleted from S3, the mapping is removed immediately, and within a few seconds the deletion, including every replica held worldwide, is complete.
Storage disposal
Storage used by AWS is processed in line with the DoD 5520.22-M or NIST 800-88 guidelines before being disposed of.
Note that this document is not a translation; it is an extract of the points I found notable while reading. I have not read or translated the sections on services I do not use, such as SimpleDB and SQS. And this document is Amazon's statement of intent, so there may be discrepancies with the current reality.