{CloudFront}フィールドレベル暗号化を使用した機密データの保護

 

 


https://docs.aws.amazon.com/ja_jp/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html

https://dev.classmethod.jp/articles/cloudfront-field-level-encryption/

https://dev.classmethod.jp/articles/alb-backend-https/

https://qiita.com/daichi_sugiyama/items/623218b6e9173d5e7ed7

 

CloudFront --HTTPS--> ALB --HTTPS--> EC2


前提:
Route53 でドメイン取得済
セキュリティグループ で 443 許可済
ACMワイルドカード証明書取得済み

 

-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

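# 1.1 Install AWS CLI v2 (Linux x86_64).
# -f: fail on an HTTP error instead of saving the error page as awscliv2.zip
#     (the original would only fail later, inside unzip, with a confusing message).
# -L: follow redirects.  -sS: quiet, but still report errors.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# The installer runs as root below; AWS publishes a detached signature for the zip,
# verifying it before this step is the cheap supply-chain check for this download.
unzip awscliv2.zip
sudo ./aws/install
aws --version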

 

-- 1.2 jqインストール
# 1.2 jq is used throughout to pull ARNs, ETags and the DistributionConfig out of CLI JSON.
sudo yum install -y jq


-- 2. EC2インスタンス作成


-- ap-northeast-1a


vim a.sh

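#!/bin/bash
# EC2 user-data: bring up httpd with TLS so the ALB can reach this instance over HTTPS (443).
# Runs once as root at first boot.
set -euo pipefail
yum -y update
# Install httpd explicitly rather than relying on it arriving as a dependency of mod_ssl.
# mod_ssl generates a self-signed certificate; the ALB does not validate the origin
# certificate, so that is sufficient for the ALB -> EC2 leg.
yum -y install httpd mod_ssl
systemctl start httpd
systemctl enable httpd
# Write the hostname directly; `echo $(hostname)` was an unquoted command substitution.
hostname > /var/www/html/index.html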

 

# 2. Launch the origin instance (ap-northeast-1a) with a.sh as user-data.
# No --security-group-ids is given, so the VPC default security group applies;
# it must allow 443 from the ALB (see the prerequisites at the top).
aws ec2 run-instances \
  --image-id ami-0404778e217f54308 \
  --instance-type t3.nano \
  --key-name key1 \
  --subnet-id subnet-11111111111111111 \
  --user-data file://a.sh \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=instance01}]'

# Note the InstanceId (i-00000000000000000 below); register-targets needs it.
aws ec2 describe-instances


-- 3. phpインストール
-- httpdサーバをインストールしたEC2インスタンスにログインして実行
-- user-dataではうまく実行できなかった

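# 3. Install PHP 7.4 from the remi repository on the httpd instance (interactive, as root).
sudo su -
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
# NOTE(review): the remi release RPM is fetched over plain HTTP; confirm yum's GPG
# signature check applies to it (or fetch it over HTTPS) before enabling the repo.
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php74
yum -y install php74 php74-php php74-php-fpm
# -f so re-running this step does not fail if the link already exists.
ln -sf /usr/bin/php74 /usr/bin/php
php -v
# Test page: echoes the POST body, so step 13 can show which field reached the origin
# encrypted and which arrived in clear text.
echo '<?php var_dump($_POST);' > /var/www/html/index.php
systemctl restart httpd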

 

 


-- 4. ロードバランサーの作成


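# 4. Create the ALB (no --scheme given, so it is internet-facing) across two subnets.
aws elbv2 create-load-balancer \
  --name alb01 \
  --subnets subnet-11111111111111111 subnet-22222222222222222 \
  --security-groups sg-33333333333333333

aws elbv2 describe-load-balancers
# .LoadBalancers is an array: the original `.LoadBalancers.LoadBalancerArn` makes jq
# fail with "Cannot index array with string"; iterate with [] instead.
aws elbv2 describe-load-balancers | jq -r '.LoadBalancers[].LoadBalancerArn'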

 


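# Target group for the ALB -> EC2 HTTPS leg (the instance serves 443 via mod_ssl).
aws elbv2 create-target-group \
  --name target01 \
  --protocol HTTPS \
  --port 443 \
  --vpc-id vpc-44444444444444444 \
  --ip-address-type ipv4 \
  --target-type instance

aws elbv2 describe-target-groups
# .TargetGroups is an array: the original `.TargetGroups.TargetGroupArn` errors in jq;
# iterate with [] to print each ARN.
aws elbv2 describe-target-groups | jq -r '.TargetGroups[].TargetGroupArn'

aws elbv2 describe-target-group-attributes \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555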

 

# Attach the instance from step 2 to target01, then watch its health.
aws elbv2 register-targets \
  --targets Id=i-00000000000000000 \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555

# By default the health check uses the target group's protocol and port (HTTPS/443),
# so the instance must already answer TLS on 443 before it turns healthy.
aws elbv2 describe-target-health \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555

 


-- 5. リスナーの作成
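# 5. List the available TLS policies, then create the HTTPS listener that forwards to target01.
aws elbv2 describe-ssl-policies

# ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1. For a new listener,
# prefer one of the TLS 1.2-minimum policies from the describe-ssl-policies output.
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666 \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=arn:aws:acm:ap-northeast-1:999999999999:certificate/11111111-2222-3333-4444-555555555555 \
  --ssl-policy ELBSecurityPolicy-2016-08 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555

aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666

# .Listeners is an array: the original `.Listeners.ListenerArn` errors in jq; use [].
aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666 \
  | jq -r '.Listeners[].ListenerArn'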


-- 6. Route53へDNSレコード(ALBへのエイリアスレコード)を登録

 


-- 7. ディストリビューションの作成


# 7. Create a distribution whose origin is the ALB's hostname
# (presumably the Route 53 alias registered in step 6).
aws cloudfront create-distribution --origin-domain-name test.yyyyyyyy.link

aws cloudfront list-distributions

# The distribution Id (AAAAAAAAAAAAAA below) is used by every later CloudFront command.
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA

 

 


-- 8. キャッシュ動作に設定を追加する

オリジンプロトコルポリシーをHTTPS onlyに変更
ビューワープロトコルポリシーをHTTPS onlyに変更
許可された HTTP メソッドを[GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE] に変更

 


# 8. Export the current DistributionConfig for editing.
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA

# update-distribution takes the bare DistributionConfig object, not the whole response,
# so strip the wrapper here.  The ETag is read separately right before the update.
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA \
  | jq -r .DistributionConfig > distribution.json

vim distribution.json


Origins -> Items -> CustomOriginConfig -> OriginProtocolPolicy を下記のように修正

          "OriginProtocolPolicy": "https-only",
          

DefaultCacheBehavior -> ViewerProtocolPolicy を下記のように修正

    "ViewerProtocolPolicy": "https-only",


DefaultCacheBehavior -> AllowedMethods を下記のように修正

    "AllowedMethods": {
      "Quantity": 7,
      "Items": [
        "HEAD",
        "DELETE",
        "POST",
        "GET",
        "OPTIONS",
        "PUT",
        "PATCH"
      ],
      "CachedMethods": {
        "Quantity": 2,
        "Items": [
          "HEAD",
          "GET"
        ]
      }
    },

 

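# Read the ETag at update time and pass it as If-Match from a variable, so a stale or
# mistyped value cannot be pasted by hand (CloudFront rejects the update otherwise).
etag=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r .ETag)
printf '%s\n' "$etag"

aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$etag" \
  --distribution-config file://distribution.json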

 


-- 9. 信頼されたキーグループのキーペアを作成する


-- 9.1 パブリックとプライベートのキーペアを作成する

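# 9.1 Generate the RSA-2048 key pair. Only the public half goes to CloudFront; the
# private half is what decrypts the protected field, so create it with restrictive
# permissions and keep it only where decryption is meant to happen.
(umask 077; openssl genrsa -out private_key.pem 2048)
chmod 600 private_key.pem

openssl rsa -pubout -in private_key.pem -out public_key.pem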


-- 9.2 パブリックキーを CloudFront にアップロードする

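# 9.2 Show the public key, and also print it as a JSON string (newlines already
# escaped as \n) so it can be pasted directly into EncodedKey in pubkey.json.
cat public_key.pem
jq -Rs . public_key.pem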

※EncodedKeyの改行部分は\nで置き換える

vim pubkey.json

{
    "CallerReference": "cli-example",
    "Name": "ExampleKey",
    "EncodedKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxPMbCA2Ks0lnd7IR+3pw\nwd3H/7jPGwj8bLUmore7bX+oeGpZ6QmLAe/1UOWcmZX2u70dYcSIzB1ofZtcn4cJ\nenHBAzO3ohBY/L1tQGJfS2A+omnN6H16VZE1JCK8XSJyfze7MDLcUyHZETdxuvRb\nA9X343/vMAuQPnhinFJ8Wdy8YBXSPpy7r95ylUQd9LfYTBzVZYG2tSesplcOkjM3\n2Uu+oMWxQAw1NINnSLPinMVsutJy6ZqlV3McWNWe4T+STGtWhrPNqJEn45sIcCx4\nq+kGZ2NQ0FyIyT2eiLKOX5Rgb/a36E/aMk4VoDsaenBQgG7WLTnstb9sr7MIhS6A\nrwIDAQAB\n-----END PUBLIC KEY-----\n",
    "Comment": "example public key"
}


# Upload the public key. The returned Id (CCCCCCCCCCCCCC below) is what the
# encryption profile in step 10 references as PublicKeyId.
aws cloudfront create-public-key --public-key-config file://pubkey.json

aws cloudfront list-public-keys
aws cloudfront get-public-key --id CCCCCCCCCCCCCC

 


-- 10. フィールドレベル暗号化のプロファイルを作成する

# 10. Profile: encrypt the POST field named "secret" (FieldPatterns) with the public
# key uploaded in step 9.2 (PublicKeyId = CCCCCCCCCCCCCC).  ProviderId is a label
# carried with the ciphertext, presumably so the decrypting side can pick the right key.
aws cloudfront create-field-level-encryption-profile \
--field-level-encryption-profile-config '{
            "Name": "profile01",
            "CallerReference": "cli-example",
            "Comment": "prfile01",
            "EncryptionEntities": {
                "Quantity": 1,
                "Items": [
                    {
                        "PublicKeyId": "CCCCCCCCCCCCCC",
                        "ProviderId": "test",
                        "FieldPatterns": {
                            "Quantity": 1,
                            "Items": [
                                "secret"
                            ]
                        }
                    }
                ]
            }
        }'

 


# The profile Id (DDDDDDDDDDDDD below) is referenced by the encryption config in step 11.
aws cloudfront list-field-level-encryption-profiles
aws cloudfront get-field-level-encryption-profile --id DDDDDDDDDDDDD

 

 


-- 11. フィールドレベル暗号化の設定を作成する

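# 11. Config: map Content-Type application/x-www-form-urlencoded to profile01.
# ForwardWhenContentTypeIsUnknown=false makes CloudFront reject (not forward) POSTs
# with any other content type, so the field cannot reach the origin unencrypted.
# The original had a dangling `"Items":` with no value under QueryArgProfiles, which
# is not valid JSON; with Quantity 0 the Items key is simply omitted.
aws cloudfront create-field-level-encryption-config \
--field-level-encryption-config '{
        "CallerReference": "cli-example",
        "Comment": "",
        "QueryArgProfileConfig": {
            "ForwardWhenQueryArgProfileIsUnknown": false,
            "QueryArgProfiles": {
                "Quantity": 0
            }
        },
        "ContentTypeProfileConfig": {
            "ForwardWhenContentTypeIsUnknown": false,
            "ContentTypeProfiles": {
                "Quantity": 1,
                "Items": [
                    {
                        "Format": "URLEncoded",
                        "ProfileId": "DDDDDDDDDDDDD",
                        "ContentType": "application/x-www-form-urlencoded"
                    }
                ]
            }
        }
    }'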

 

 

# The config Id (EEEEEEEEEEEEEE below) is what the cache behavior's FieldLevelEncryptionId points at.
aws cloudfront list-field-level-encryption-configs
aws cloudfront get-field-level-encryption-config --id EEEEEEEEEEEEEE

 

 

-- 12. ディストリビューションのビヘイビアでフィールドレベル暗号化を有効化

 

# 12. Export the DistributionConfig again so FieldLevelEncryptionId can be set on
# the default cache behavior.
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA

# Bare DistributionConfig object, as update-distribution expects.
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA \
  | jq -r .DistributionConfig > distribution.json

vim distribution.json


DefaultCacheBehavior -> FieldLevelEncryptionId を下記のように修正

    "FieldLevelEncryptionId": "EEEEEEEEEEEEEE",
          


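# Fetch the current ETag into a variable and use it for If-Match, instead of
# copying it by hand into the command (a stale value makes the update fail).
etag=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r .ETag)
printf '%s\n' "$etag"

aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$etag" \
  --distribution-config file://distribution.json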

 

 

-- 13. 動作確認


# 13. Smoke tests: GET through the ALB hostname, then through the CloudFront domain.
curl --verbose --request GET https://test.yyyyyyyy.link/index.html

curl --verbose --request GET https://xxxxxxxxxxxxx.cloudfront.net/index.html

# POST without the protected field: index.php is expected to echo both values in clear text.
curl --request POST \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data "param1=value1&param2=value2" \
  https://xxxxxxxxxxxxx.cloudfront.net/index.php

# POST with the field named in the profile (secret): the origin is expected to see
# ciphertext for secret while param2 stays readable.
curl --request POST \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data "secret=value1&param2=value2" \
  https://xxxxxxxxxxxxx.cloudfront.net/index.php

 

 


-- 14. クリーンアップ


-- ディストリビューションの無効化

# 14. Cleanup starts by disabling the distribution; inspect its current state first.
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA


※ distribution.jsonはget-distribution-configコマンドのDistributionConfigから取得し、Enabledをfalseに変更する

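# Export the config with the top-level Enabled switched off.  jq edits only the
# top-level key; the original sed 's/"Enabled": true/"Enabled": false/' would also
# flip any other "Enabled": true in the document (such as the Logging block).
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA \
  | jq '.DistributionConfig | .Enabled = false' > distribution.json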

 

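# If-Match must carry the current ETag; read it into a variable instead of pasting it.
etag=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r .ETag)
printf '%s\n' "$etag"

aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$etag" \
  --distribution-config file://distribution.json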


※ if-matchにはETagの値をセット

無効化されるまで待つ


-- ディストリビューションの削除

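# Delete the (now disabled) distribution.  The ETag changes when the disable
# completes, so read it right before the delete rather than reusing an earlier value.
aws cloudfront get-distribution --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA

etag=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r .ETag)
printf '%s\n' "$etag"

aws cloudfront delete-distribution --id AAAAAAAAAAAAAA --if-match "$etag"

aws cloudfront list-distributions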

 

-- フィールドレベル暗号化の設定の削除


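# Remove the encryption config (after the distribution that referenced it is gone).
aws cloudfront list-field-level-encryption-configs

aws cloudfront get-field-level-encryption-config --id EEEEEEEEEEEEEE

# Take the config's own ETag from the get call instead of pasting it by hand.
etag=$(aws cloudfront get-field-level-encryption-config --id EEEEEEEEEEEEEE | jq -r .ETag)
aws cloudfront delete-field-level-encryption-config --id EEEEEEEEEEEEEE --if-match "$etag"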

 

-- フィールドレベル暗号化のプロファイルの削除

 

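# Remove the encryption profile (after the config that referenced it is gone).
aws cloudfront list-field-level-encryption-profiles

aws cloudfront get-field-level-encryption-profile --id DDDDDDDDDDDDD

# Every resource has its own ETag: the original reused the same placeholder here as
# for the config deletion, which would fail the If-Match check.  Read the profile's own.
etag=$(aws cloudfront get-field-level-encryption-profile --id DDDDDDDDDDDDD | jq -r .ETag)
aws cloudfront delete-field-level-encryption-profile --id DDDDDDDDDDDDD --if-match "$etag"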

 

 

-- パブリックキーの削除

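# Remove the public key (after the profile that referenced it is gone).
aws cloudfront list-public-keys

aws cloudfront get-public-key --id CCCCCCCCCCCCCC

# Read the key's current ETag into a variable for If-Match instead of pasting it.
etag=$(aws cloudfront get-public-key --id CCCCCCCCCCCCCC | jq -r .ETag)
aws cloudfront delete-public-key --id CCCCCCCCCCCCCC --if-match "$etag"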

 


-- Route53からDNSレコード(ALBへのエイリアスレコード)を削除

 

-- リスナーの削除

# Remove the HTTPS listener; look it up by load balancer first to confirm the ARN.
aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666

aws elbv2 delete-listener \
  --listener-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:listener/app/alb01/6666666666666666/7777777777777777


-- ターゲットグループの削除

# Detach the instance, then drop the target group (it must no longer be used by a listener).
aws elbv2 describe-target-groups

aws elbv2 deregister-targets \
  --targets Id=i-00000000000000000 \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555

aws elbv2 delete-target-group \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555

 


-- ロードバランサーの削除

# Remove the ALB itself.
aws elbv2 describe-load-balancers

aws elbv2 delete-load-balancer \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666

 

-- EC2インスタンスの削除

# Finally terminate the origin instance created in step 2.
aws ec2 describe-instances

aws ec2 terminate-instances \
  --instance-ids i-00000000000000000