
AWS IAM basics for getting started with AWS / jawsug-niigata-8


Slides presented at JAWS-UG Niigata #8.


kasacchiful

May 09, 2020



Transcript

 1. AWS IAM basics for getting started with AWS (2020-05-09, JAWS-UG Niigata #8, @kasacchiful)

 2. About me
   • Speaker: @kasacchiful
   • Software engineer living in Niigata City
   • Favorite language: Ruby
   • AWS services I work with most these days: WorkSpaces / Amplify

 3. Agenda
   • A rough explanation of what IAM is
   • IAM users / groups / policies / roles
   • Five things you should do first

 4. In the JAWS-UG Niigata hands-on sessions...
   • We create an IAM user and attach the AdministratorAccess policy to an IAM group, so we already use IAM quite a bit
   (link: the registration guide in the speaker's JAWS-UG Niigata hands-on repository on GitHub)

 5. IAM is what?

 6. AWS Identity and Access Management (IAM)
   • A mechanism for making operations on AWS more secure
   • Authentication and authorization
   • Create the users / groups / roles used to operate AWS
   • Configure each user's credentials
   • Define which operations users / groups / roles are allowed to perform

 7. Using IAM
   • Mostly operated from the AWS Management Console
   • Also accessible from the CLI and SDKs

 8. IAM users / groups / policies

 9. IAM users / groups / policies
   • IAM user: one unit of user identity
   • IAM group: a collection of IAM users
   • IAM policy: permission settings

 10. to 14. Relationships (diagram built up across five slides): IAM users A, B and C; the IAM groups "Administrators" and "Developers" that they belong to; the IAM policies attached to them; all of this inside one AWS account.
 15. Don't use the AWS account (root user) for day-to-day work
   • Because the AWS account can do anything, a leak of its credentials is an irreversible disaster
   • Create IAM users or roles for each purpose and access AWS through them; that way access by each identity can be managed, approved and audited (CloudTrail)

 16. Choosing the AWS access type when creating an IAM user
   (screenshot annotations) Programmatic access: needed when accessing AWS from programs such as the AWS CLI or AWS SDKs. AWS Management Console access: needed when accessing the AWS Management Console.

 17. Prevent access key leaks with git-secrets
   https://github.com/awslabs/git-secrets

 18. IAM policies
   • For which AWS service (resource)
   • which actions
   • are allowed or denied,
   written down in JSON form

 19. IAM policies (same slide, with the three parts labelled: Resource / Action / Effect)

 20. IAM policy sample: allow access only within a specific date range
   {
     "Version": "2012-10-17",
     "Statement": {
       "Effect": "Allow",
       "Action": "s3:*",
       "Resource": "*",
       "Condition": {
         "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
         "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}
       }
     }
   }
   https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html
 21. Policy evaluation result
   • If nothing is stated explicitly, the default is "Deny"
   • If there is an "Allow", the result is "Allow"
   • If there is an explicit "Deny", the result is "Deny" even if an "Allow" is also present

 22. Policy evaluation result
                                Allow statement present    Allow statement absent
   Deny statement present       Deny                       Deny
   Deny statement absent        Allow                      Deny (default)
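The evaluation rules from slides 21 and 22, as an added Python example that is not part of the deck: a simplified evaluator run over a constructed policy made of the slide's date-bounded "s3:*" Allow plus an explicit Deny that I added. Only the two date condition operators from the sample are modelled; real IAM also considers resource-based policies, SCPs, permission boundaries and many more condition keys.

```python
import fnmatch
import json
from datetime import datetime, timezone
# Constructed policy: the slide's date-bounded Allow plus an explicit Deny (my addition).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
                   "DateLessThan":    {"aws:CurrentTime": "2017-12-31T23:59:59Z"}}},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")
def _as_list(v):                      # IAM accepts a single string or a list here
    return v if isinstance(v, list) else [v]
def _parse(ts):                       # aws:CurrentTime values are UTC ISO-8601
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _condition_holds(cond, now):
    # Only the two date operators from the slide are modelled; anything else fails closed.
    for op, pairs in cond.items():
        for key, val in pairs.items():
            if key != "aws:CurrentTime":
                return False
            bound = _parse(val)
            if op == "DateGreaterThan" and not now > bound:
                return False
            if op == "DateLessThan" and not now < bound:
                return False
            if op not in ("DateGreaterThan", "DateLessThan"):
                return False
    return True

def evaluate(policy, action, resource, now):
    """Explicit Deny beats Allow; no matching statement at all is an implicit Deny."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        # action names are matched case-insensitively, resources as written
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), now):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"     # a matching Deny ends evaluation immediately
        decision = "Allow"
    return decision
def decide_at(action, resource, when):   # `when` is an ISO string like the policy's
    return evaluate(POLICY, action, resource, _parse(when))
```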
 23. Types of IAM policies
   • AWS managed policies
     • Policies that AWS provides for commonly needed permission sets
   • Customer managed policies
     • Policies we create ourselves
     • Can be attached to IAM users, groups and roles
   • Inline policies
     • Policies written directly into an IAM user, group or role
     • Cannot be attached to other IAM users etc., but convenient for a one-to-one application

 24. Types of IAM policies (continued)
   • Start by making good use of AWS managed policies
   • Once you are comfortable, try creating and applying your own policies

 25. IAM Policy Generator (select "IAM Policy")
   https://awspolicygen.s3.amazonaws.com/policygen.html

 26. IAM roles

 27. IAM roles
   • Used to "delegate permissions" to a third party
   • Permissions can be granted to AWS resources or IAM users through a role
   • Common examples:
     • Attach an IAM role that allows S3 access to EC2
     • Attach an IAM role that allows S3 access to Lambda

 28. In the JAWS-UG Niigata hands-on sessions...
   • The EC2 and Lambda hands-ons grant permissions using IAM roles
   (links: the EC2 availability hands-on and the Lambda + S3 hands-on materials)

 29. What's the benefit?
   • No access keys need to be issued, so access can be done securely.

 30. Cross-account access
   • A way to delegate access to resources in another AWS account, using an IAM role
   https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

 31. Five things you should do first

 32. Five things you should do first
   • Complete all five items listed on the IAM dashboard
   • Bonus: customize the IAM user sign-in link shown on the IAM dashboard

 33. Enable MFA on the root account
   • Set up MFA (multi-factor authentication) on the AWS account (root account)
   • An app that can hold a virtual MFA device, such as Google Authenticator or Authy, is convenient.

 34. Create individual IAM users & assign permissions using groups
   • Create IAM users and assign IAM policies through IAM groups

 35. Apply an IAM password policy
   • Set a password policy

 36. Rotate access keys
   • Change access keys used by programs at least once a year
   • Delete unused access keys

 37. Bonus: customize the IAM user sign-in link
   • By default it is set to the "AWS account ID"
   • Customizing it should make it easier to switch between the AWS account sign-in screen and the IAM user sign-in screen when signing in to the Management Console
   (screenshot label) the customized string (account alias)
 38. Summary

 39. Summary
   • IAM is the important service that governs authentication and authorization
   • Operate with IAM users, not the AWS account
   • First, complete all five items of the security status
   • Customizing the IAM sign-in link is handy
   • If you can set least-privilege permissions with IAM policies, you take a step from beginner to intermediate
   • Use IAM roles for service-to-service integration

 40. The end