
AWS IAM で MFA 有効でないユーザを awscli + Mackerel で監視する / Monitoring users who are not MFA enabled with AWS IAM with awscli + Mackerel


Material presented at #kosen10s LT#14. It walks through finding the users registered in AWS IAM who do not have multi-factor authentication enabled, and then monitoring them with Mackerel.

do-su-0805

May 12, 2019

Transcript

  1. Monitoring AWS IAM users without MFA enabled, using awscli + Mackerel
    Kosen10s LT#14
    do_su_0805

  2. Agenda
    • TL;DR
    • Architecture diagram
    • Settings

  3. TL;DR
    • With awscli's `aws iam`, you can extract the users whose MFA is not enabled

    ◦ No single command does it, so you combine several

    ◦ Picking out only the users with hardware keys is a bit of a pain

    • Post that count to Mackerel as a metric and monitor it

    ◦ If you don't need it as a metric, a check monitor can do the same thing

  4. Architecture diagram
    [Figure: architecture diagram]

  5. About awscli
    "The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services.
    With just one tool to download and configure, you can control multiple AWS services
    from the command line and automate them through scripts."

    AWS Command Line Interface: https://aws.amazon.com/jp/cli/

  6. About Mackerel
    "With Mackerel, you can start managing servers simply by installing one agent on the
    cloud or on-premises servers you operate. There is no need to build or run a monitoring
    server yourself. Load, resource usage and other figures are visualised as graphs. When
    a failure occurs, an alert is recorded and can be sent to a variety of tools. It is the
    monitoring service best suited to system operation and maintenance."

    "Features | Mackerel: a new-generation server management and monitoring service"

    https://mackerel.io/ja/features/

  7. [Figure: Mackerel]

    https://mackerel.io/ja/

  8. Getting the information with awscli
    • The commands that appear:
    • (1) aws iam list-users
    • Gets the list of AWS IAM users
    • (2) aws iam list-virtual-mfa-devices
    • Gets the list of virtual MFA devices registered in AWS IAM
    • (3) aws iam list-mfa-devices --user-name {user}
    • Gets the list of MFA devices registered in AWS IAM for one specific user

  9. Getting the information with awscli
    Print the user list with list-users
    • aws iam list-users | jq '.Users[] | select(.PasswordLastUsed != null)
      | .UserName' | sort
    • From the result of iam list-users, get the list of "users who have logged in
      with a password"

  10. Getting the information with awscli
    Print the owners of enabled virtual MFA devices with list-virtual-mfa-devices
    • aws iam list-virtual-mfa-devices | jq '.VirtualMFADevices[] | select(.EnableDate != null) \
      | .User.UserName' | sort
    • From the result of iam list-virtual-mfa-devices, narrow down as follows:
    • "from the list of virtual MFA devices"
    • "pick out the enabled devices"
    • "and get their owners"

  11. Getting the information with awscli
    Check with list-mfa-devices whether a specific user has an enabled MFA device
    • for user in <users in the result of (1) but not in the result of (2)>
    do

      aws iam list-mfa-devices --user-name {user} | jq '.MFADevices[] \

        | select(.EnableDate != null) \
        | .UserName'

    done
    • For the users shown as the difference between (1) and (2), check whether they have some other device
    • The result of (2) is "virtual MFA devices", so hardware keys are not included
    • That said, running the lookup above for every user obtained in (1) isn't great either...
    • Look them up, and where a device is found, get the user name just as in (2)

  12. Getting the information with awscli
    Putting the results together
    • Result of (1): all users ... A
    • Result of (2): users doing MFA with a virtual MFA device ... B
    • Result of (3): users doing MFA with a hardware device ... C
    • uniq'd union of B and C: users with MFA enabled ... D
    • A minus D: users whose MFA is not enabled

  13. Monitoring with Mackerel
    • As a trial,
    post to Mackerel as host metrics
    • Write something like this in mackerel-agent.conf:
    • [plugin.metrics.<name>]

    command = "<count script>"

    • And have the script output something like this (the whitespace is a tab):

    • AWS_IAM.all-users <value> <epoch>

    AWS_IAM.virtual-mfa-users <value> <epoch>

    AWS_IAM.hardware-mfa-users <value> <epoch>

    AWS_IAM.wrong_user <value> <epoch>

  14. Monitoring with Mackerel
    • As a trial,
    post to Mackerel as host metrics
    • It ends up like this

    [Figure: example of the posted metrics]

  15. Monitoring with Mackerel
    • When posting to Mackerel as service metrics instead:
    • Post the computed result via the API
    • POST to api/v0/services/<serviceName>/tsdb
    • Or post the computed result with mkr throw
    • A wrapper around the API above

  16. Monitoring with Mackerel
    • Monitoring with a check monitor (for those who don't need the user count)
    • Write something like this in mackerel-agent.conf:
    • [plugin.checks.<name>]

    command = "<count script>"

    • Put a script there that returns a message together with a status (exit code)
    • If "there are no users without MFA" → OK, exit 0

    • If "the number of users without MFA is not zero" → NG,

    exit with a non-zero status
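    The A/B/C/D set arithmetic of slide 12, the tab-separated metric lines of slide 13 and the check-plugin exit status of slide 16, as one added POSIX sh example that is not code from the deck. The three `aws iam ... | jq` pipelines of slides 9 to 11 are replaced by constructed sample lists (the user names alice to erin are invented) so the script runs offline; the real commands are kept in comments. The metric names follow slide 13, the exit codes 0/2 follow the Mackerel check-plugin convention, and the file name `mfa_check.sh` is an assumption.

```shell
#!/bin/sh
# Added example (not the deck's own code): users without MFA = A \ (B ∪ C),
# emitted either as mackerel-agent metric lines or as a check-plugin status.

# A: users who have logged in with a password (slide 9). Real command:
#   aws iam list-users | jq -r '.Users[] | select(.PasswordLastUsed != null) | .UserName'
all_users() {
  printf '%s\n' alice bob carol dave erin      # constructed sample data
}

# B: owners of enabled virtual MFA devices (slide 10). Real command:
#   aws iam list-virtual-mfa-devices \
#     | jq -r '.VirtualMFADevices[] | select(.EnableDate != null) | .User.UserName'
virtual_mfa_users() {
  printf '%s\n' alice carol                    # constructed sample data
}

# Per-user lookup for an enabled (e.g. hardware) device (slide 11). Real command:
#   aws iam list-mfa-devices --user-name "$1" \
#     | jq -r '.MFADevices[] | select(.EnableDate != null) | .UserName'
hardware_mfa_for() {
  case "$1" in
    bob) echo bob ;;                            # constructed: only bob has a hardware key
    *) : ;;
  esac
}

# set_diff A B: lines of A that are not in B (newline-separated lists).
# After sorting, A-only lines occur once, A∩B lines three times and B-only lines
# twice, so `uniq -u` (print only non-repeated lines) leaves exactly A \ B.
set_diff() {
  a=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  b=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
  printf '%s\n%s\n%s\n' "$a" "$b" "$b" | sed '/^$/d' | sort | uniq -u
}

count() { sed '/^$/d' | wc -l | tr -d ' '; }

# C: only the users not covered by B are looked up one by one (slide 11).
hardware_mfa_users() {
  for user in $(set_diff "$(all_users)" "$(virtual_mfa_users)"); do
    hardware_mfa_for "$user"
  done
}

# A \ (B ∪ C): users with a password but no enabled MFA device of any kind.
mfa_disabled_users() {
  enabled=$(printf '%s\n%s\n' "$(virtual_mfa_users)" "$(hardware_mfa_users)")
  set_diff "$(all_users)" "$enabled"
}

# Metric plugin output for mackerel-agent: "<name>\t<value>\t<epoch seconds>".
emit_metrics() {
  now=$(date +%s)
  printf 'AWS_IAM.all-users\t%s\t%s\n'          "$(all_users | count)" "$now"
  printf 'AWS_IAM.virtual-mfa-users\t%s\t%s\n'  "$(virtual_mfa_users | count)" "$now"
  printf 'AWS_IAM.hardware-mfa-users\t%s\t%s\n' "$(hardware_mfa_users | count)" "$now"
  printf 'AWS_IAM.wrong_user\t%s\t%s\n'         "$(mfa_disabled_users | count)" "$now"
}

# Service-metric body for POST /api/v0/services/<serviceName>/tsdb (what
# `mkr throw --service` sends): a JSON array of {name, time, value} objects.
service_metric_payload() {
  emit_metrics | awk -F'\t' '
    BEGIN { printf "[" }
    { if (NR > 1) printf ","; printf "{\"name\":\"%s\",\"time\":%s,\"value\":%s}", $1, $3, $2 }
    END { print "]" }'
}

# Check plugin: message on stdout, status in the exit code (0 = OK, 2 = CRITICAL).
check_mfa() {
  bad=$(mfa_disabled_users)
  n=$(printf '%s\n' "$bad" | count)
  if [ "$n" -eq 0 ]; then
    echo "OK: every password user has an enabled MFA device"
    return 0
  fi
  echo "CRITICAL: $n user(s) without MFA: $(printf '%s' "$bad" | tr '\n' ' ')"
  return 2
}

# Stand-alone use: `sh mfa_check.sh metrics` (metric plugin) or `sh mfa_check.sh check` (check plugin).
case "${1:-}" in
  metrics) emit_metrics ;;
  check) check_mfa; exit $? ;;
esac
```

    With the sample data the script reports dave and erin: both have a password, neither appears among the virtual-device owners, and the per-user lookup finds no hardware device for them. The per-user lookup is deliberately run only for A minus B, which is the trade-off slide 11 argues for, and `set_diff` uses `sort | uniq -u` rather than `comm` with process substitution so it also runs under plain `sh`. To post the service metrics, send the payload with `curl -X POST -H "X-Api-Key: $MACKEREL_APIKEY" -H 'Content-Type: application/json' -d "$(service_metric_payload)" https://api.mackerelio.com/api/v0/services/<serviceName>/tsdb` (the API key variable name is an assumption).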

  17. Monitoring with Mackerel
    • Monitoring with a monitor rule (for those who also want the trend in user counts, etc.)
    • Post as host or service metrics
    • Create a monitor rule like the one on the right
    [Figure: example monitor rule settings]