AWSアカウントの認証管理

Transcript

1. "84
   ΞΧ΢ϯτͷ
   ೝূ؅ཧ ʙ"84
   4VNNJUʹͯΦεεϝͷ
   ΞΧ΢ϯτ؅ཧʹ͍ͭͯฉ͍͖ͯͨʙ +"84—6(໊ݹ԰
   ઒࿏ོٛ

2. ࣗݾ঺հ w ઒࿏ོٛ
   ̐ࡀ
   ̏ࣇͷ෕
   w ॴଐ
   w ༗ݶձࣾεΫϥονιϑτ
   w +"846(
   ໊ݹ԰
   w

   +1
   4USJQFT
   ໊ݹ԰
   w ܦྺ
   w ήʔϜϓϩάϥϚʔʹಌΕɺϫϯμʔεϫϯɾϓϨΠεςʔγϣϯʢॳ୅ʣͷ ։ൃΛόΠτΛܦͯɺύνϯίձࣾʹब৬ɻ
   w ̎̍ࡀͷࠒɺੈͷதͷ্࢘ͱ͍͏ਓؒΛ͢΂ͯ൱ఆ͠΍Ήͳ͘ಠཱͯ͠ࠓʹࢸ Δɻ
   w ࠓ͸"84Λར༻ͨ͠डୗ։ൃɾӡ༻ͳͲΛߦ͍ͬͯ·͢ɻ ໊ࢗ๨Εͯདྷͯ͠·ͬͨͷͰ
   'BDFCPPLͳͲͰ͓༑ୡʹ
   ͳ͍ͬͯͩ͘͞ɻ

3. ͔͜͜Βઌ͸"84
   4VNNJU
   5PLZPͰ
   ࣮ࡍʹ࢖༻͞ΕͨεϥΠυͷҾ༻͕ଟ਺ग़͖ͯ·͢ɻ
   "84
   4VNNJU
   ΁ਃ͠ࠐΈΛߦͬͨํʹ͍ͭͯ͸
   μ΢ϯϩʔυͯ͠શ෦ೖΓΛޚཡ͍ͩ͘͞
   ࡱӨͬͯ໰୊ͳ͍Ͱ͔͢ʁ
   পޱ͞Μ ஫ҙࣄ߲

4. ΞδΣϯμ wෳ਺ϓϩδΣΫτΛෳ਺ਓͰ໘౗ΈΔͱ͖ʹࠔΔ͜ ͱ
   wೝূ؅ཧͷجૅ
   wΞΧ΢ϯτΛ̍ͭͰར༻͢Δ৔߹
   wෳ਺ͷΞΧ΢ϯτΛར༻͢Δ৔߹

5. ෳ਺ϓϩδΣΫτΛෳ਺ਓͰ໘౗ΈΔͱ͖ʹࠔΔ͜ͱ w ผϓϩδΣΫτͷϝϯόʔ͕͏͔ͬΓӨڹ͕͋Δૢ࡞Λͯ͠ ͠·͏ɻ
   w "84ͷαʔϏε্ݶ؇࿨ਃ੥Λ͍Ζ͍Ζߦ͏ඞཁʹग़͘Θ͢
   w ͲͷϓϩδΣΫτͰ͍͘Βར༻͍ͯ͠Δͷ͔ίετ೺Ѳ͕೉ ͍͠
   w

   ͦ΋ͦ΋֤αʔϏεͷϦιʔε͕ͲΕ͕ͲΕ͔ͩΘ͔Βͳ͘ ͳ͍ͬͯ͘ 
 ʢ"ϓϩδΣΫτͷ&$Ͳ͜ʹ͋ΔΜ͚ͩͬʁͳͲʣ ΞΧ΢ϯτΛ̍ͭͰ؅ཧ͍ͯ͠Δ৔߹

6. ෳ਺ϓϩδΣΫτΛෳ਺ਓͰ໘౗ΈΔͱ͖ʹࠔΔ͜ͱ w ຖճϢʔβʔొ࿥͍ͯ͘͠ͷ͕େมɻ
   w ΞΧ΢ϯτ࡞੒ͷ౓ʹΫϨδοτΧʔυొ࿥ͯ͠ɺ੥ٻ͕ ෳ਺ճߦΘΕΔ
   w ϢʔβʔΛ࡟আ͢Δ࡞ۀ΋େม ΞΧ΢ϯτΛෳ਺࡞੒͍ͯ͠Δ৔߹

7. ͜ΕΒΑ͋͘Δෆศ͞ɺෆຬΛղফ Ͱ͖Δώϯτͷ͓࿩Λ͍͖ͯ͠·͢ɻ

8. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. AWS AWS

9. ID AWS AWS [email protected] 1 IAM 3 IAM 2 IAM

10. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. ID: AWS ID AWS Organizations ID AWS [email protected] 1

11. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS AWS IAM ID: IAM 2 IAM AWS

12. IAM ID: IAM AWS EC2、ECS、 SDK CLI IAM 3 IAM

13. : AWS マネージメント コンソール API AWS ユーザ名・ パスワード 1 SDK

    CLI > アクセスキー ID・ シークレットアクセスキー

14. : AWS マネージメント コンソール API AWS ユーザ名・ パスワード 1 SDK

    CLI > IAM 2 アクセスキー ID・ シークレットアクセスキー アカウント・ ユーザ名・ パスワード

15. : AWS マネージメント コンソール API IAM 3 アクセスキー ID・ シークレットアクセスキー・

    セッショントークン AWS ユーザ名・ パスワード 1 SDK CLI > IAM 2 アクセスキー ID・ シークレットアクセスキー アカウント・ ユーザ名・ パスワード

16. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. : AWS API ID AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY IAM AWS

17. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. : AWS API ID AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY IAM AWS STS API FQoDYXdzEJv//////////wEaDMtRHEaQvoG3OONy8yKsAe3Mu8RFO+Co7haOiO/NggdPx0HDGsT5GYJZxns4e4IRsq+RbweXOit5mR KGO9tPDYlR8P1/5czaCaC2Krv2YdrslGRxV8v0XkFMx3qIGIhRrxh7F+7JZUXBXchOI6DwcQcKePOT0E2HM1t7vPeI+Xb1sZidw5m2UX47 OJhIjrjdUuu0gGXoJcZI1JEp197lCpDsv/7Ytb9DCL1xe+Pn83tELdEUuCxiI/9Yhe0oq8rz1wU=

18. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. : SDK CLI AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY ~/.aws/credentials (aws configure ) EC2 ECS Lambda IAM

19. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. : MFA • • IAM MFA CLI MFA IP CLI > コンソール コンソール CLI > コンソール SDK

20. : IAM IAM IAM taro.yamada hanako.yamada ImageMagnifierLambda S3Admin BucketAAA_ReadWrite ProjectBBB-EC2_StartStop

    ProjectCCC-EC2_StartStop AWS AdministratorAccess AmazonS3FullAccess AmazonS3ReadOnlyAccess

21. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. : IAM API EC2 "Action": "ec2:*", "Resource": "*" JSON 抜粋 VPC DirectConnect "Action": [ "ec2:CreateVpc*", "ec2:AttachInternetGateway", "ec2:AssociateRouteTable", ...... ], "Resource": "*"

22. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. : IAM "Action": [ "ec2:StartInstance", "ec2:StopInstance" ], "Resource": "arn:aws:ec2:ap-northeast- 1:123456789012:instance/i-AAAAAAAA" JSON 抜粋 EC2 i-AAAAAAAA AAA

23. AWS : IAM AAA AAA BBB BBB i-33333333 i-44444444 BBB

    i-11111111 i-22222222 AAA

24. AWS : IAM AAA AAA BBB BBB i-33333333 i-44444444 BBB

    i-11111111 i-22222222 AAA

25. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS

26. AWS AWS A AAA AWS B BBB AWS A i-11111111

    i-22222222 AAA AWS B i-33333333 i-44444444 BBB

27. AWS AWS A AAA AWS B BBB AWS A i-11111111

    i-22222222 AAA AWS B i-33333333 i-44444444 BBB IAM

28. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS AWS AWS Organizations

30. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Organizations 複数の AWS アカウントを 管理するための組織を構成 組織内の全アカウントの 料金を一括で請求 新規の AWS アカウントを コンソールからもCLIからも 簡単に作成できる サービスの利用可否を ポリシーで制御可能 無料で利用可

31. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS AWS AWS AWS VPC Direct Connect Interface VPN AWS Organizations

32. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS IAM ADFS + SAML AWS SSO 1 2 3

33. IAM AWS IAM AWS AWS IAM AWS IAM AWS 1

34. IAM AWS IAM IAM AWS AssumeRole API アクセスキーで AssumeRole で呼び出し

    S3Admin ロールを指定 S3 Admin の一時的な アクセスキーを取得 一時的なアクセスキーで S3 の API の呼び出す IAM S3Admin 1

35. ADFS + SAML ADFS (Microsoft Active Directory Federation Service) AWS

    SAML AWS Active Directory AWS ADFS SAML AWS IAM IAM ADFS Active Directory 2

36. AWS SSO AWS SSO Active Directory (AD) AWS Directory Service

    Activce Directory AWS Organizations AWS Organizations AWS Active Directory AWS SSO SAML AWS IAM IAM Active Directory 3

37. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Single Sign-On (SSO) SSO AWS Organizations CLI SAML SaaS AWS Directory Service AWS Directory Service Active Directory AWS Organizations ユーザポータル 外部SaaS設定

38. ·ͱΊ w ΞΧ΢ϯτ͸༻్͝ͱʹ෼͚ͯ ͍ͬͨ΄͏ָ͕ͳӡ༻Ͱ͖·͢Α
    w ΞΧ΢ϯτ͸
    "84
    0SHBOJ[BUJPOT Λར༻ͯ͠࡞੒ͨ͠΄͏͕ྑ͍

39. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂʂ

40. Πϕϯτࠂ஌

41. 1W E 1W F A G 1 12 8 U

    / 11 - 2 @ : TRNSPJ O I ! ! ! 1 3 /0 1 -21 ©GAMBA OSAKA

42. ࣭໰λΠϜ w ͕࣌ؒ͋Ε͹࣭໰ʹ౴͑Δ࣌ؒʹ ׂΓ౰ͯΔ༧ఆ