Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWSアカウントの認証管理

kawaji
July 18, 2018
0
30

 AWSアカウントの認証管理

kawaji

July 18, 2018
Tweet

More Decks by kawaji

See All by kawaji
JP_Stripes名古屋の紹介
kawaji_scratch
0
110
[email protected]で複数オリジンに振り分けてみた
kawaji_scratch
0
190
Hyperledger Fabric AWSインフラ構成についてふりかえる
kawaji_scratch
0
9
AppSyncでチャットアプリ作ってみた
kawaji_scratch
0
14
2021/2/21 コードの共同所有
kawaji_scratch
0
460
NGK2021S LT大会 CloudShellに期待すること
kawaji_scratch
0
130
2020/12/28 CloudShellに期待すること
kawaji_scratch
0
23
2020/04/20 JAWS-UG名古屋 アジェンダ
kawaji_scratch
0
24
Aamazonを支えるクラウドとは?
kawaji_scratch
0
60

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Building Adaptive Systems
keathley
28
1.4k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
How STYLIGHT went responsive
nonsquared
89
4.2k
GitHub's CSS Performance
jonrohan
1021
430k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
182
15k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
17k
The World Runs on Bad Software
bkeepers
PRO
59
5.8k
A Tale of Four Properties
chriscoyier
149
21k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Build your cross-platform service in a week with App Engine
jlugia
221
17k

Transcript

  1. "84ΞΧ΢ϯτͷ
    ೝূ؅ཧ
    ʙ"844VNNJUʹͯΦεεϝͷ
    ΞΧ΢ϯτ؅ཧʹ͍ͭͯฉ͍͖ͯͨʙ
    +"84—6(໊ݹ԰
    ઒࿏ོٛ

    View Slide

  2. ࣗݾ঺հ
    w ઒࿏ོٛ̐ࡀ̏ࣇͷ෕
    w ॴଐ
    w ༗ݶձࣾεΫϥονιϑτ
    w +"846(໊ݹ԰
    w +14USJQFT໊ݹ԰
    w ܦྺ
    w ήʔϜϓϩάϥϚʔʹಌΕɺϫϯμʔεϫϯɾϓϨΠεςʔγϣϯʢॳ୅ʣͷ
    ։ൃΛόΠτΛܦͯɺύνϯίձࣾʹब৬ɻ
    w ̎̍ࡀͷࠒɺੈͷதͷ্࢘ͱ͍͏ਓؒΛ͢΂ͯ൱ఆ͠΍Ήͳ͘ಠཱͯ͠ࠓʹࢸ
    Δɻ
    w ࠓ͸"84Λར༻ͨ͠डୗ։ൃɾӡ༻ͳͲΛߦ͍ͬͯ·͢ɻ
    ໊ࢗ๨Εͯདྷͯ͠·ͬͨͷͰ
    'BDFCPPLͳͲͰ͓༑ୡʹ
    ͳ͍ͬͯͩ͘͞ɻ

    View Slide

  3. ͔͜͜Βઌ͸"844VNNJU5PLZPͰ
    ࣮ࡍʹ࢖༻͞ΕͨεϥΠυͷҾ༻͕ଟ਺ग़͖ͯ·͢ɻ
    "844VNNJU΁ਃ͠ࠐΈΛߦͬͨํʹ͍ͭͯ͸
    μ΢ϯϩʔυͯ͠શ෦ೖΓΛޚཡ͍ͩ͘͞
    ࡱӨͬͯ໰୊ͳ͍Ͱ͔͢ʁপޱ͞Μ
    ஫ҙࣄ߲

    View Slide

  4. ΞδΣϯμ
    wෳ਺ϓϩδΣΫτΛෳ਺ਓͰ໘౗ΈΔͱ͖ʹࠔΔ͜
    ͱ
    wೝূ؅ཧͷجૅ
    wΞΧ΢ϯτΛ̍ͭͰར༻͢Δ৔߹
    wෳ਺ͷΞΧ΢ϯτΛར༻͢Δ৔߹

    View Slide

  5. ෳ਺ϓϩδΣΫτΛෳ਺ਓͰ໘౗ΈΔͱ͖ʹࠔΔ͜ͱ
    w ผϓϩδΣΫτͷϝϯόʔ͕͏͔ͬΓӨڹ͕͋Δૢ࡞Λͯ͠
    ͠·͏ɻ
    w "84ͷαʔϏε্ݶ؇࿨ਃ੥Λ͍Ζ͍Ζߦ͏ඞཁʹग़͘Θ͢
    w ͲͷϓϩδΣΫτͰ͍͘Βར༻͍ͯ͠Δͷ͔ίετ೺Ѳ͕೉
    ͍͠
    w ͦ΋ͦ΋֤αʔϏεͷϦιʔε͕ͲΕ͕ͲΕ͔ͩΘ͔Βͳ͘
    ͳ͍ͬͯ͘

    ʢ"ϓϩδΣΫτͷ&$Ͳ͜ʹ͋ΔΜ͚ͩͬʁͳͲʣ
    ΞΧ΢ϯτΛ̍ͭͰ؅ཧ͍ͯ͠Δ৔߹

    View Slide

  6. ෳ਺ϓϩδΣΫτΛෳ਺ਓͰ໘౗ΈΔͱ͖ʹࠔΔ͜ͱ
    w ຖճϢʔβʔొ࿥͍ͯ͘͠ͷ͕େมɻ
    w ΞΧ΢ϯτ࡞੒ͷ౓ʹΫϨδοτΧʔυొ࿥ͯ͠ɺ੥ٻ͕
    ෳ਺ճߦΘΕΔ
    w ϢʔβʔΛ࡟আ͢Δ࡞ۀ΋େม
    ΞΧ΢ϯτΛෳ਺࡞੒͍ͯ͠Δ৔߹

    View Slide

  7. ͜ΕΒΑ͋͘Δෆศ͞ɺෆຬΛղফ
    Ͱ͖Δώϯτͷ͓࿩Λ͍͖ͯ͠·͢ɻ

    View Slide

  8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS
    AWS

    View Slide

  9. ID
    AWS
    AWS
    [email protected]
    1
    IAM
    3
    IAM
    2 IAM

    View Slide

  10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    ID: AWS
    ID
    AWS Organizations
    ID
    AWS
    [email protected]
    1

    View Slide

  11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS
    AWS
    IAM
    ID: IAM
    2
    IAM
    AWS

    View Slide

  12. IAM
    ID: IAM
    AWS
    EC2、ECS、
    SDK CLI
    IAM
    3
    IAM

    View Slide

  13. : AWS
    マネージメント
    コンソール
    API
    AWS
    ユーザ名・
    パスワード
    1
    SDK CLI
    >
    アクセスキー ID・
    シークレットアクセスキー

    View Slide

  14. : AWS
    マネージメント
    コンソール
    API
    AWS
    ユーザ名・
    パスワード
    1
    SDK CLI
    >
    IAM
    2
    アクセスキー ID・
    シークレットアクセスキー
    アカウント・
    ユーザ名・
    パスワード

    View Slide

  15. : AWS
    マネージメント
    コンソール
    API
    IAM
    3
    アクセスキー ID・
    シークレットアクセスキー・
    セッショントークン
    AWS
    ユーザ名・
    パスワード
    1
    SDK CLI
    >
    IAM
    2
    アクセスキー ID・
    シークレットアクセスキー
    アカウント・
    ユーザ名・
    パスワード

    View Slide

  16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    : AWS API
    ID AKIAIOSFODNN7EXAMPLE
    wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    IAM AWS

    View Slide

  17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    : AWS API
    ID AKIAIOSFODNN7EXAMPLE
    wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    IAM
    AWS STS API
    FQoDYXdzEJv//////////wEaDMtRHEaQvoG3OONy8yKsAe3Mu8RFO+Co7haOiO/NggdPx0HDGsT5GYJZxns4e4IRsq+RbweXOit5mR
    KGO9tPDYlR8P1/5czaCaC2Krv2YdrslGRxV8v0XkFMx3qIGIhRrxh7F+7JZUXBXchOI6DwcQcKePOT0E2HM1t7vPeI+Xb1sZidw5m2UX47
    OJhIjrjdUuu0gGXoJcZI1JEp197lCpDsv/7Ytb9DCL1xe+Pn83tELdEUuCxiI/9Yhe0oq8rz1wU=

    View Slide

  18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    : SDK CLI
    AWS_ACCESS_KEY_ID,
    AWS_SECRET_ACCESS_KEY
    ~/.aws/credentials
    (aws configure )
    EC2 ECS Lambda
    IAM

    View Slide

  19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    :
    MFA


    IAM MFA
    CLI MFA
    IP
    CLI
    >
    コンソール
    コンソール
    CLI
    >
    コンソール SDK

    View Slide

  20. : IAM
    IAM
    IAM
    taro.yamada
    hanako.yamada
    ImageMagnifierLambda
    S3Admin
    BucketAAA_ReadWrite
    ProjectBBB-EC2_StartStop
    ProjectCCC-EC2_StartStop
    AWS
    AdministratorAccess
    AmazonS3FullAccess
    AmazonS3ReadOnlyAccess

    View Slide

  21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    : IAM
    API
    EC2 "Action": "ec2:*",
    "Resource": "*"
    JSON 抜粋
    VPC DirectConnect
    "Action": [
    "ec2:CreateVpc*",
    "ec2:AttachInternetGateway",
    "ec2:AssociateRouteTable", ...... ],
    "Resource": "*"

    View Slide

  22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    : IAM
    "Action": [
    "ec2:StartInstance",
    "ec2:StopInstance" ],
    "Resource": "arn:aws:ec2:ap-northeast-
    1:123456789012:instance/i-AAAAAAAA"
    JSON 抜粋
    EC2
    i-AAAAAAAA
    AAA

    View Slide

  23. AWS
    : IAM
    AAA
    AAA
    BBB
    BBB
    i-33333333 i-44444444
    BBB
    i-11111111 i-22222222
    AAA

    View Slide

  24. AWS
    : IAM
    AAA
    AAA
    BBB
    BBB
    i-33333333 i-44444444
    BBB
    i-11111111 i-22222222
    AAA

    View Slide

  25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS

    View Slide

  26. AWS
    AWS A
    AAA
    AWS B
    BBB
    AWS A
    i-11111111 i-22222222
    AAA
    AWS B
    i-33333333 i-44444444
    BBB

    View Slide

  27. AWS
    AWS A
    AAA
    AWS B
    BBB
    AWS A
    i-11111111 i-22222222
    AAA
    AWS B
    i-33333333 i-44444444
    BBB
    IAM

    View Slide

  28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

    View Slide

  29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS
    AWS
    AWS Organizations

    View Slide

  30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS Organizations
    複数の AWS アカウントを
    管理するための組織を構成
    組織内の全アカウントの
    料金を一括で請求
    新規の AWS アカウントを
    コンソールからもCLIからも
    簡単に作成できる
    サービスの利用可否を
    ポリシーで制御可能
    無料で利用可

    View Slide

  31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS
    AWS
    AWS
    AWS VPC
    Direct Connect Interface
    VPN
    AWS Organizations

    View Slide

  32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS IAM
    ADFS +
    SAML
    AWS SSO
    1 2 3

    View Slide

  33. IAM AWS IAM
    AWS
    AWS
    IAM
    AWS
    IAM
    AWS
    1

    View Slide

  34. IAM
    AWS
    IAM
    IAM AWS AssumeRole API
    アクセスキーで
    AssumeRole で呼び出し
    S3Admin ロールを指定
    S3 Admin の一時的な
    アクセスキーを取得
    一時的なアクセスキーで
    S3 の API の呼び出す
    IAM
    S3Admin
    1

    View Slide

  35. ADFS + SAML
    ADFS (Microsoft Active Directory Federation Service) AWS
    SAML
    AWS
    Active Directory
    AWS
    ADFS SAML
    AWS
    IAM
    IAM
    ADFS
    Active
    Directory
    2

    View Slide

  36. AWS SSO
    AWS SSO Active Directory (AD) AWS Directory
    Service Activce Directory AWS Organizations
    AWS Organizations
    AWS
    Active Directory
    AWS
    SSO SAML
    AWS
    IAM
    IAM
    Active
    Directory
    3

    View Slide

  37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    AWS Single Sign-On (SSO)
    SSO
    AWS Organizations
    CLI
    SAML SaaS
    AWS Directory Service
    AWS Directory Service
    Active Directory
    AWS Organizations
    ユーザポータル
    外部SaaS設定

    View Slide

  38. ·ͱΊ
    w ΞΧ΢ϯτ͸༻్͝ͱʹ෼͚ͯ
    ͍ͬͨ΄͏ָ͕ͳӡ༻Ͱ͖·͢Α
    w ΞΧ΢ϯτ͸"840SHBOJ[BUJPOT
    Λར༻ͯ͠࡞੒ͨ͠΄͏͕ྑ͍

    View Slide

  39. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂʂ

    View Slide

  40. Πϕϯτࠂ஌

    View Slide

  41. 1W E 1W F
    A G
    1 12 8
    U / 11 - 2 @
    :
    TRNSPJ O I
    ! ! !
    1 3
    /0 1 -21
    ©GAMBA OSAKA

    View Slide

  42. ࣭໰λΠϜ
    w ͕࣌ؒ͋Ε͹࣭໰ʹ౴͑Δ࣌ؒʹ
    ׂΓ౰ͯΔ༧ఆ

    View Slide