How should we think about the following AWS IAM features? - Identity-based Policy vs Resource-based Policy - Permission Boundary - Tag-Based Policy - AWS SSO vs Federated IAM Role
What should we do about IAM? by kenscal
IAM, I don't get it
Goal for today
kenscal does the IAM-related work
kenscal wants to talk through the IAM work they do and would like advice
Slido demo: app.sli.do/event/qzov
Identity and Access Management: AWS SSO; IAM policy: identity-based policy, resource-based policy, permission boundaries, SCPs, ACLs, session policies. Today's focus: IAM
Things taken for granted: MFA set up on the root user; a password policy configured; SSO with an IdP; IAM users not used by humans; a multi-account Organizations setup assumed
Assumed setup
IAM Policies vs Resource Policies
Policy decision flow: https://aws.amazon.com/jp/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
IAM Policies / Resource Policies
Resource policy (has a Principal; "what can be done to this resource, and by whom"):
{
  "Version": "2012-10-17",
  "Id": "Policy1581347975270",
  "Statement": [{
    "Sid": "Stmt1581347973356",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::xxxxx:root"},
    "Action": ["s3:*", "s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"]
  }]
}
IAM (identity) policy (no Principal; "who can do what"):
{
  "Version": "2012-10-17",
  "Id": "Policy1581347975270",
  "Statement": [{
    "Sid": "Stmt1581347973356",
    "Effect": "Allow",
    "Action": ["s3:*", "s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"]
  }]
}
IAM policy: what can be done, against what. Resource policy: who can do what.
IAM Policies / Resource Policies
With resource policies, every bucket policy has to name each principal:
  "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleA"}
  "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleB"}
  {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::xxxxx:role/roleA", "arn:aws:iam::xxxxx:role/roleB"]}, "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"]}
With identity policies, every role has to name each bucket:
  {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"]}
  {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketB", "arn:aws:s3:::bucketB/*"]}
  {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketC", "arn:aws:s3:::bucketC/*"]}
Choosing between IAM policies and resource policies: in the end it is an AND condition, so both have to be defined. So what is the basic guideline? kenscal's personal view: lean on control from the IAM policy side.
What I thought at first:
Resource policy (restrict per role on the bucket):
{
  "Version": "2012-10-17",
  "Id": "Policy1581347975270",
  "Statement": [{
    "Sid": "Stmt1581347973356",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleA"},
    "Action": ["s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"]
  }]
}
IAM policy (wide open):
{
  "Version": "2012-10-17",
  "Id": "Policy1581347975270",
  "Statement": [{
    "Sid": "Stmt1581347973356",
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["*"]
  }]
}
I did not want IAM, the "entry point", to depend on each individual resource; restrict on the resource side instead.
Now:
Resource policy (allow the whole account):
{
  "Version": "2012-10-17",
  "Id": "Policy1581347975270",
  "Statement": [{
    "Sid": "Stmt1581347973356",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::xxxxx:root"},
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"]
  }]
}
IAM policy (fine-grained):
{
  "Version": "2012-10-17",
  "Id": "Policy1581347975270",
  "Statement": [{
    "Sid": "Stmt1581347973356",
    "Effect": "Allow",
    "Action": ["s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"]
  }]
}
Fine-grained control lives in the IAM policy; the resource side stays loose and allows the whole AWS account. Seen as authorizing an identity, attaching the configuration on the IAM side seems the philosophically correct approach. Detailed tag-based control is only possible from the IAM side. Per-resource control is an operational burden.
Permission Boundary
Where to use a permission boundary: honestly, I don't really see where it fits.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
Resource policy on bucketA:
  {"Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::xxx:role/roleA"]}, "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"]}
Permissions boundary on roleA:
  {"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"], "Resource": ["*"]}
Identity policy on roleA:
  {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}
Result: all actions on bucketA are allowed.
Where to use a permission boundary: if you already know what you want to delegate, why not make it identity-based from the start? If the boundary is used to define permissions you want granted by neither the identity nor the resource, that could just as well have been defined on the identity. Guideline unchanged: use identity-based policies from the start?
Tag-Based Access
Frontend role policy (may only read objects tagged Owner=frontend and Confidentiality=public, and may only write objects with exactly those tags):
{"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:GetBucket*"], "Resource": "*"},
{"Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": {"StringEquals": {"s3:ExistingObjectTag/Owner": "frontend", "s3:ExistingObjectTag/Confidentiality": "public"}}},
{"Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectTagging"], "Resource": "*", "Condition": {"StringEquals": {"s3:RequestObjectTag/Owner": "frontend", "s3:RequestObjectTag/Confidentiality": "public"}}}
Sample objects: Owner=frontend, Confidentiality=public / Owner=frontend, Confidentiality=sensitive / Owner=frontend (no Confidentiality tag)
Backend role policy (reads only public backend objects; writes require Owner=backend, a Confidentiality value from a fixed list, and no tag keys other than Owner, Confidentiality and Description):
{"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:GetBucket*"], "Resource": "*"},
{"Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": {"StringEquals": {"s3:ExistingObjectTag/Owner": "backend", "s3:ExistingObjectTag/Confidentiality": "public"}}},
{"Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectTagging"], "Resource": "*", "Condition": {"StringEquals": {"s3:RequestObjectTag/Owner": "backend", "s3:RequestObjectTag/Confidentiality": ["confidential", "public", "sensitive"]}, "ForAllValues:StringEquals": {"s3:RequestObjectTagKeys": ["Owner", "Confidentiality", "Description"]}}}
Sample objects: Owner=backend, Confidentiality=sensitive / Owner=backend, Confidentiality=sensitive, Description=nandemo
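As an added example (not part of the deck), this small Python evaluator shows how the StringEquals and ForAllValues:StringEquals conditions of the frontend and backend policies above resolve for the sample objects on the slides: a missing Confidentiality tag fails the read, and an extra tag key fails the backend write. The statements and tag sets are constructed to mirror the slides, and request_context is an assumed simplification of the real IAM request context.

```python
# Added example, not code from the deck: a minimal evaluator for the S3
# object-tag conditions used in the frontend/backend policies above.
# request_context is an assumed simplification of the real request context.

FRONTEND_GET = {  # frontend role may read only its own public objects
    "Action": "s3:GetObject",
    "Condition": {"StringEquals": {
        "s3:ExistingObjectTag/Owner": "frontend",
        "s3:ExistingObjectTag/Confidentiality": "public"}}}

BACKEND_PUT = {  # backend role writes with a controlled tag vocabulary
    "Action": "s3:PutObject",
    "Condition": {
        "StringEquals": {
            "s3:RequestObjectTag/Owner": "backend",
            "s3:RequestObjectTag/Confidentiality":
                ["confidential", "public", "sensitive"]},
        "ForAllValues:StringEquals": {
            "s3:RequestObjectTagKeys": ["Owner", "Confidentiality", "Description"]}}}


def request_context(object_tags=None, request_tags=None):
    """Mimic what S3 places in the request context: one single-valued key per
    tag, plus the multi-valued list of tag keys on a tagging request."""
    ctx = {f"s3:ExistingObjectTag/{k}": v for k, v in (object_tags or {}).items()}
    ctx.update({f"s3:RequestObjectTag/{k}": v for k, v in (request_tags or {}).items()})
    if request_tags is not None:
        ctx["s3:RequestObjectTagKeys"] = list(request_tags)
    return ctx


def condition_matches(condition, ctx):
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                # Single-valued key: an absent key or any other value fails.
                if ctx.get(key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Multi-valued key: every request value must be in the list;
                # an absent key matches vacuously (AWS semantics).
                if not all(v in allowed for v in ctx.get(key, [])):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_allowed(statement, **tags):
    """True when the statement's Condition holds for the given object/request tags."""
    return condition_matches(statement["Condition"], request_context(**tags))
```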
Actual operations: I do want to move towards ABAC. Tag operations matter more than ABAC itself and look like real work: tagging rules, what to tag, and someone ends up as tag police. It probably has to be done together with Organizations Tag Policies. Putting a Service tag on ECS task roles and controlling RDS access by tag opens up a lot of possibilities. Session tags: I could not research them enough, sorry.
IAM, I don't get it: what I have understood so far
AWS SSO vs AWS IAM
                    | AWS SSO                                              | Federated IAM Role
Entry point         | a user portal is provided                            | depends on how the IdP side is configured
Authentication      | SAML                                                 | SAML
Provisioning        | yes                                                  | no
Permission format   | Permission Sets (a Role is generated automatically in each assigned AWS account) | IAM Role
Region              | ap-northeast not available                           | available
CLI                 | cannot get Access Key / Token / Session in one shot with the cli | can
With AWS SSO, permissions can be managed centrally, but
with policy documents under IaC, centralized management is possible even without AWS SSO.
Custom policy permission (Permission Set) vs. role
Correction to the CLI row of the table above: with AWS SSO the credentials can be obtained too.
$ aws sso login --profile AdministratorAccess-master
$ aws sso get-role-credentials --role-name "AdministratorAccess" --account-id "xxxx" --access-token $(cat ~/.aws/sso/cache/SOMETHING.json | jq -r ".accessToken") --region ap-southeast-1
{
  "roleCredentials": {
    "accessKeyId": "ACCESS_KEY_ID",
    "secretAccessKey": "SECRET_ACCESS_KEY",
    "sessionToken": "SESSION_TOKEN",
    "expiration": 1581669130000
  }
}
################ 2020/02/15 correction: AWS CLI version 2 does this automatically
$ aws sso login --profile AdministratorAccess-master
$ aws s3 ls s3://secure-brigade-test-main --profile AdministratorAccess-master
Richer awscli support, templating of custom permission policies, reuse of custom permission policies: AWS SSO can now be managed through an API. The best option right now is hard to call without hearing from the people inside AWS. I would like to hear their thinking: should external federation go to IAM roles or to AWS SSO? Personally I have set up both for now; the long-term best option is still to be worked out.
So, in conclusion:
IAM
I don't
get it
IAM, I don't get it: The End
Bonus
Still no way to register multiple hardware devices on the root user???