2024 Cloud Security Guide (AWS, AZURE, GCP)
https://www.skshieldus.com/kor/support/eventDetail.do?idx=501#
Cloud Service Security Certification Criteria Commentary (2023.03)
Cloud Vulnerability Assessment Guide
https://isms-p.kisa.or.kr/main/csap/notice/
Private subnet
A subnet whose route table contains no route to an internet gateway
NAT gateway
NAT (Network Address Translation) service
With a NAT gateway, instances in a private subnet can connect to services outside the VPC, but external services cannot initiate a connection to those instances
https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/nat-gateway-scenarios.html
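Added example, not from the lab notes: a small check that applies the two definitions above to a route table as returned by `aws ec2 describe-route-tables`. The two sample tables are constructed and every resource ID is a placeholder, so it runs offline.

```shell
#!/bin/sh
# Classify a subnet's route table by the definitions above:
#   public           - any route whose target is an internet gateway (igw-...)
#   private-nat      - no igw route, and a 0.0.0.0/0 route via a NAT gateway (nat-...)
#   private-isolated - no igw route and no NAT default route (no way out at all)
# Samples are constructed; IDs are placeholders, not real resources.

SAMPLE_PRIVATE_RT='{"Routes": [
  {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
  {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000000a", "State": "active"}]}'

SAMPLE_PUBLIC_RT='{"Routes": [
  {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
  {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000000000000000a", "State": "active"}]}'

# has_route PATTERN JSON: strip the CLI's pretty-printing (newlines, spaces)
# so a key/value pair can be matched regardless of layout.
has_route() {
    printf '%s' "$2" | tr -d '\n ' | grep -q "$1"
}

# Print exactly one of: public | private-nat | private-isolated
classify_route_table() {
    rt="$1"
    if has_route '"GatewayId":"igw-' "$rt"; then
        echo public
    elif has_route '"DestinationCidrBlock":"0.0.0.0/0"' "$rt" \
         && has_route '"NatGatewayId":"nat-' "$rt"; then
        # outbound only: instances can reach out, nothing outside can initiate
        echo private-nat
    else
        # the state the private instance is in before the NAT route is added
        echo private-isolated
    fi
}

# Usage with real data (not run here):
#   classify_route_table "$(aws ec2 describe-route-tables --route-table-ids rtb-PLACEHOLDER)"
```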
Operations-focused
Create one subnet in each of two Availability Zones
rookies037_bastion
rookies037_keypair_bastion
rookies037_sg_bastion (allow only port 22)
rookies037_private
Placed in the private subnet; do not select auto-assign public IP
rookies037_keypair_private
rookie037_sg_private (allow only port 22)
In cmd, move to the folder where the key pairs were downloaded
C:\Users\r2com> cd d:\aws
d:\aws> dir
D 드라이브의 볼륨: 새 볼륨
볼륨 일련 번호: AE30-D2D6
d:\aws 디렉터리
2024-04-04 오후 02:47 <DIR> .
2024-04-04 오후 02:47 <DIR> ..
2024-04-04 오후 01:15 1,674 rookies037-keypair-web.pem
2024-04-04 오후 01:25 1,678 rookies037_keypair_bastion.pem
2024-04-04 오후 01:28 1,678 rookies037_keypair_private.pem
3개 파일 5,030 바이트
2개 디렉터리 83,785,228,288 바이트 남음
# ssh -i <key file> <user>@<server address>
d:\aws>ssh -i rookies037-keypair-web.pem ubuntu@57.181.39.91
The authenticity of host '57.181.39.91 (57.181.39.91)' can't be established.
ECDSA key fingerprint is SHA256:1LPnZuhzn9l604Ga8X397IkdAXxb9ku2ch6O0VS448o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '57.181.39.91' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'rookies037-keypair-web.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "rookies037-keypair-web.pem": bad permissions
ubuntu@57.181.39.91: Permission denied (publickey).
https://docs.aws.amazon.com/ko_kr/AWSEC2/latest/UserGuide/managing-users.html#ami-default-user-names
d:\aws>ssh -i rookies037-keypair-web.pem ubuntu@57.181.39.91
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.5.0-1014-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Thu Apr 4 07:14:48 UTC 2024
System load: 0.0 Processes: 98
Usage of /: 20.7% of 7.57GB Users logged in: 1
Memory usage: 20% IPv4 address for eth0: 10.0.10.211
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Apr 4 05:32:23 2024 from 219.255.90.59
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@ip-10-0-10-211:~$
ubuntu@ip-10-0-10-211:~$ sudo apt update
ubuntu@ip-10-0-10-211:~$ sudo apt install -y apache2
ubuntu@ip-10-0-10-211:~$ sudo systemctl start apache2
ubuntu@ip-10-0-10-211:~$ sudo systemctl enable apache2
C:\Users\r2com> d:
d:\aws> dir *.pem
D 드라이브의 볼륨: 새 볼륨
볼륨 일련 번호: AE30-D2D6
d:\aws 디렉터리
2024-04-04 오후 01:15 1,674 rookies037-keypair-web.pem
2024-04-04 오후 01:25 1,678 rookies037_keypair_bastion.pem
2024-04-04 오후 01:28 1,678 rookies037_keypair_private.pem
3개 파일 5,030 바이트
0개 디렉터리 83,785,228,288 바이트 남음
d:\aws>ssh -i rookies037_keypair_bastion.pem ubuntu@18.183.222.2
# uses the bastion host's private key and public IP
The authenticity of host '18.183.222.2 (18.183.222.2)' can't be established.
ECDSA key fingerprint is SHA256:ImGCmtuUnVz+y8TT5994W210Y6qzL11Tdk9MT3Ya4ks.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '18.183.222.2' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'rookies037_keypair_bastion.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "rookies037_keypair_bastion.pem": bad permissions
ubuntu@18.183.222.2: Permission denied (publickey).
d:\aws>whoami
desktop-304u2mr\r2com
d:\aws>ssh -i rookies037_keypair_bastion.pem ubuntu@18.183.222.2
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.5.0-1014-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Thu Apr 4 07:39:18 UTC 2024
System load: 0.0 Processes: 95
Usage of /: 20.7% of 7.57GB Users logged in: 0
Memory usage: 20% IPv4 address for eth0: 10.0.10.100
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@ip-10-0-10-100:~$
D:\aws>scp -i rookies037_keypair_bastion.pem rookies037_keypair_private.pem ubuntu@18.183.222.2:/home/ubuntu/
# -i rookies037_keypair_bastion.pem : private key used to connect to the bastion host
# rookies037_keypair_private.pem    : file to copy to the bastion host (the private key for the SSH connection to the internal server)
# ubuntu@18.183.222.2:/home/ubuntu/ : bastion host username, IP, and destination path for the copied file
rookies037_keypair_private.pem 100% 1678 42.2KB/s 00:00
ubuntu@ip-10-0-10-100:~$ ls -l
total 4
-rw-rw-r-- 1 ubuntu ubuntu 1678 Apr 4 08:34 rookies037_keypair_private.pem
ubuntu@ip-10-0-10-100:~$ ssh -i rookies037_keypair_private.pem ubuntu@10.0.30.174
# rookies037_keypair_private.pem : the internal server's private key file copied over with scp
# ubuntu@10.0.30.174             : the internal server's username and internal IP
The authenticity of host '10.0.30.174 (10.0.30.174)' can't be established.
ED25519 key fingerprint is SHA256:RMTEAvE1LsMwgZH3IDz/to/oh5+CKk/v1U6pepVQi4o.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.30.174' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'rookies037_keypair_private.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "rookies037_keypair_private.pem": bad permissions
ubuntu@10.0.30.174: Permission denied (publickey).
ubuntu@ip-10-0-10-100:~$ chmod 700 rookies037_keypair_private.pem
ubuntu@ip-10-0-10-100:~$ ls -l
total 4
-rwx------ 1 ubuntu ubuntu 1678 Apr 4 08:34 rookies037_keypair_private.pem
# SSH connection to the internal server
ubuntu@ip-10-0-10-100:~$ ssh -i rookies037_keypair_private.pem ubuntu@10.0.30.174
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 6.5.0-1014-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Thu Apr 4 08:52:29 UTC 2024
System load: 0.080078125 Processes: 95
Usage of /: 20.7% of 7.57GB Users logged in: 0
Memory usage: 20% IPv4 address for eth0: 10.0.30.174
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
ubuntu@ip-10-0-30-174:~$
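Added example, not part of the lab notes. It covers the two key-handling steps above: a check of a private key's mode equivalent to the one ssh applies before it rejects the key, and an ssh_config fragment that reaches the private instance through the bastion with ProxyJump, so the private instance's key never has to be scp'd onto the bastion (where a compromised bastion would expose it). The IPs are the lab's; the key file paths are assumed.

```shell
#!/bin/sh
# Added example (not from the lab). IPs are the lab's; key paths are assumed.

# Return 0 when the key is readable only by its owner (group/other bits all zero),
# which is what ssh requires. 600 is sufficient; the 700 used above works but adds
# an execute bit a key file does not need.
key_perms_ok() {
    key="$1"
    [ -f "$key" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    grp_oth=$(printf '%s' "$mode" | tail -c 2)
    [ "$grp_oth" = "00" ]
}

# Tighten the key to owner read/write only and re-check it.
fix_key_perms() {
    chmod 600 "$1" && key_perms_ok "$1"
}

# Print an ssh_config fragment: "ssh -F <file> private" hops through the bastion
# while both identity files stay on the workstation.
# $1 bastion key, $2 bastion public IP, $3 private-instance key, $4 private IP
jump_ssh_config() {
    cat <<EOF
Host bastion
    HostName $2
    User ubuntu
    IdentityFile $1
    IdentitiesOnly yes

Host private
    HostName $4
    User ubuntu
    IdentityFile $3
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Usage with the lab's addresses (keys assumed to be in the current directory):
#   jump_ssh_config rookies037_keypair_bastion.pem 18.183.222.2 \
#       rookies037_keypair_private.pem 10.0.30.174 > jump.config
#   ssh -F jump.config private
```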
The instance is in the private subnet and therefore has no outbound connectivity, so a NAT Gateway must be added and a route to it configured
ubuntu@ip-10-0-30-174:~$ sudo apt update
Add a route to the NAT Gateway (in the private subnet's route table)
ubuntu@ip-10-0-30-174:~$ sudo apt update
ubuntu@ip-10-0-30-174:~$ sudo apt install nginx -y
ubuntu@ip-10-0-30-174:~$ sudo ufw app list
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
ubuntu@ip-10-0-30-174:~$ sudo ufw allow 'Nginx HTTP'
Rules updated
Rules updated (v6)
ubuntu@ip-10-0-30-174:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
ubuntu@ip-10-0-30-174:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
Nginx HTTP ALLOW Anywhere
Nginx HTTP (v6) ALLOW Anywhere (v6)
ubuntu@ip-10-0-30-174:~$ exit # end the SSH session to the internal server
logout
Connection to 10.0.30.174 closed.
ubuntu@ip-10-0-10-100:~$ exit # end the SSH session to the bastion host
logout
Connection to 18.183.222.2 closed.
d:\aws> # my PC