AWS IAM, what should we do? (AWS IAMどうしましょ)

Kengo Suzuki
February 14, 2020

How to think about the following AWS IAM concepts:
- Identity-based Policy vs Resource-based Policy
- Permission Boundary
- Tag-Based Policy
- AWS SSO vs Federated IAM Role

Transcript

  1. AWS IAM, what should we do? (IAMどうしましょ) by kenscal

  2. I understand nothing about IAM (IAMなにもわからん)

  3. Today's purpose

  4. kenscal talks about IAM-related matters

  5. kenscal talks; I want advice on IAM-related matters; please teach me

  6. app.sli.do/event/qzov

  7. Slido demo: app.sli.do/event/qzov

  8. Identity and Access Management: AWS SSO / Identity and Access Management → IAM Policy: identity-based policy, resource-based policy, permissions boundaries, SCPs / ACLs, session policies. Today's focus: IAM.

  9. Things to do as a matter of course:
     - MFA on the root account
     - set a password policy
     - SSO with an IdP
     - do not use IAM users (humans) at all
     - a multi-account / Organizations layout is assumed

  10. Assumed configuration

  11. IAM Policies vs Resource Policies

  12. Policy decision flow: https://aws.amazon.com/jp/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

  13. IAM Policies / Resource Policies
      Resource (bucket) policy, "who can do what": it carries a Principal.
      {
        "Version": "2012-10-17",
        "Id": "Policy1581347975270",
        "Statement": [{
          "Sid": "Stmt1581347973356",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::xxxxx:root" },
          "Action": [ "s3:*", "s3:List*", "s3:Get*" ],
          "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*" ]
        }]
      }
      IAM (identity-based) policy, "what can be done on what": the same statement without a Principal, attached to the identity.
      {
        "Version": "2012-10-17",
        "Id": "Policy1581347975270",
        "Statement": [{
          "Sid": "Stmt1581347973356",
          "Effect": "Allow",
          "Action": [ "s3:*", "s3:List*", "s3:Get*" ],
          "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*" ]
        }]
      }

  14. IAM Policies / Resource Policies

  15. Resource-policy view: each bucket policy lists the principals allowed on that bucket.
      {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::xxxxx:role/roleA" },
        "Action": [ "s3:*" ],
        "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*" ]
      }
      ... and "Principal": { "AWS": "arn:aws:iam::xxxxx:role/roleB" } for the next role.

  16. Bucket policy naming both roles:
      {
        "Effect": "Allow",
        "Principal": { "AWS": [ "arn:aws:iam::xxxxx:role/roleA", "arn:aws:iam::xxxxx:role/roleB" ] },
        "Action": [ "s3:*" ],
        "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*" ]
      }
      Identity-policy view: one role's policy lists the buckets it may use, one statement per bucket.
      { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*" ] }
      { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::bucketB", "arn:aws:s3:::bucketB/*" ] }
      { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::bucketC", "arn:aws:s3:::bucketC/*" ] }

  17. Dividing work between IAM Policies and Resource Policies. In the end it is an AND condition, so both have to be defined. So what should the basic policy be? kenscal's personal view: put the control on the IAM Policy side. (The AND holds across accounts; within a single account an Allow in either the identity policy or the bucket policy is enough, as the decision flow linked on slide 12 shows.)

  18. At first I thought this:
      bucket policy
      {
        "Version": "2012-10-17",
        "Id": "Policy1581347975270",
        "Statement": [{
          "Sid": "Stmt1581347973356",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::xxxxx:role/roleA" },
          "Action": [ "s3:List*", "s3:Get*" ],
          "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*" ]
        }]
      }
      identity policy
      {
        "Version": "2012-10-17",
        "Id": "Policy1581347975270",
        "Statement": [{
          "Sid": "Stmt1581347973356",
          "Effect": "Allow",
          "Action": [ "s3:*" ],
          "Resource": [ "*" ]
        }]
      }
      I did not want the IAM "entry point" to depend on each individual resource; restrict on the resource side.

  19. Now it is this:
      bucket policy
      {
        "Version": "2012-10-17",
        "Id": "Policy1581347975270",
        "Statement": [{
          "Sid": "Stmt1581347973356",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::xxxxx:root" },
          "Action": [ "s3:*" ],
          "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*" ]
        }]
      }
      identity policy
      {
        "Version": "2012-10-17",
        "Id": "Policy1581347975270",
        "Statement": [{
          "Sid": "Stmt1581347973356",
          "Effect": "Allow",
          "Action": [ "s3:List*", "s3:Get*" ],
          "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*" ]
        }]
      }
      Fine-grained control lives in the IAM policy; the resource side stays loose and allows the whole AWS account.
      - Putting the settings on the IAM side seems right in principle, since this is authorization of an identity.
      - Fine-grained control with tags and similar conditions is in practice only done from the IAM side (a bucket policy accepts the same Condition keys, but then you are back to per-resource control).
      - Per-resource control is operationally painful.

  20. I understand nothing about IAM

  21. Permissions Boundary

  22. Uses of a permissions boundary: honestly, I do not really know where to use it.

  23. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
      Bucket policy statement naming roleA:
      {
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Principal": { "AWS": [ "arn:aws:iam::xxx:role/roleA" ] },
        "Action": [ "s3:*" ],
        "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*" ]
      }
      The role's identity-based policy and its permissions boundary, one of them:
      { "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*" ], "Resource": [ "*" ] }
      and the other:
      { "Effect": "Allow", "Action": [ "*" ], "Resource": [ "*" ] }
      → all actions on bucketA are allowed.
      (Per the current IAM documentation, a same-account resource policy that names an IAM user ARN or a role-session ARN is not limited by the boundary's implicit deny, but one that names the role ARN itself still is, so the result above depends on which of the two documents is the boundary. Check with the IAM policy simulator before relying on either reading.)

  24. (image only)

  25. Uses of a permissions boundary:
      - If you already know what you want to delegate, why not write it as an identity-based policy from the start?
      - If it is used to define permissions that should be granted by neither the identity nor the resource side, that amounts to something defined inside the identity policy anyway.
      - Policy: basically do not use it, and use identity-based policies from the start?
      (The documented use case is delegated IAM administration: developers may create their own roles and users, while an iam:PermissionsBoundary condition on iam:CreateRole, iam:CreateUser, iam:PutRolePolicy and the attach actions forces every entity they create to carry the boundary, so its effective permissions can never exceed it.)
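Added example (not code from the slides or from kenscal): a small Python model of the decision flow behind slides 12 to 25. It combines an identity-based policy, a permissions boundary and a bucket policy for one request, using the same-account and cross-account rules from the IAM evaluation-logic documentation; SCPs, session policies, ACLs and Condition blocks are omitted, and every ARN, account ID and policy document in it is constructed for the example.

```python
"""Model of how AWS combines an identity-based policy, a permissions boundary and a
bucket policy for one request, using the same-account and cross-account rules from the
IAM evaluation-logic docs. SCPs, session policies, ACLs and Condition blocks are left
out; every ARN, account ID and policy document here is constructed for the example."""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # IAM wildcards: '*' any run, '?' one char; '[' means nothing in IAM, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _principal_match(statement, principal_arn):
    """'direct' if the statement names the principal itself, 'account' if it only
    names the principal's account (root ARN or bare account ID), else None."""
    p = statement.get("Principal")
    if p is None:  # identity policies and boundaries carry no Principal element
        return "direct"
    account = principal_arn.split(":")[4]
    for entry in (["*"] if p == "*" else _as_list(p.get("AWS", []))):
        if entry in ("*", principal_arn):
            return "direct"
        if entry in (account, f"arn:aws:iam::{account}:root"):
            return "account"
    return None

def evaluate(policy, action, resource, principal_arn):
    """One document -> ('Deny', None), ('Allow', match kind) or (None, None)."""
    allow = None
    for st in policy["Statement"]:
        kind = _principal_match(st, principal_arn)
        if kind is None or not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny", None  # an explicit Deny settles this document
        allow = kind
    return ("Allow", allow) if allow else (None, None)

def is_allowed(*, principal_arn, principal_type, resource_account, action, resource,
               identity_policy, boundary=None, resource_policy=None):
    """principal_type: 'user', 'role' or 'role-session' (the ARN kind the resource
    policy names). resource_account: the account that owns the resource."""
    args = (action, resource, principal_arn)
    ident = evaluate(identity_policy, *args)
    bnd = evaluate(boundary, *args) if boundary else ("Allow", "direct")
    res = evaluate(resource_policy, *args) if resource_policy else (None, None)
    if "Deny" in (ident[0], bnd[0], res[0]):
        return False  # an explicit Deny in any document wins
    identity_ok, boundary_ok = ident[0] == "Allow", bnd[0] == "Allow"
    if principal_arn.split(":")[4] != resource_account:
        # Cross-account: the resource policy AND the caller's own policies must allow.
        return res[0] == "Allow" and identity_ok and boundary_ok
    if res == ("Allow", "direct"):
        # Same account, principal named directly: the identity policy's implicit deny
        # does not apply; a role ARN is still capped by its boundary, a user or
        # role-session ARN is not.
        return boundary_ok if principal_type == "role" else True
    # No resource grant, or an account-level grant that delegates back to IAM.
    return identity_ok and boundary_ok

ACCOUNT = "111111111111"
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/roleA"
SESSION_A = f"arn:aws:sts::{ACCOUNT}:assumed-role/roleA/deploy"
ROLE_B_OTHER = "arn:aws:iam::222222222222:role/roleB"
BUCKET = "arn:aws:s3:::secure-brigade-test"
OBJ = BUCKET + "/report.csv"

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def _bucket_grant(principal, effect="Allow"):
    return _policy({"Effect": effect, "Principal": {"AWS": principal},
                    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]})

READ_ONLY = _policy({"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
                     "Resource": [BUCKET, BUCKET + "/*"]})
ADMIN = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"})
BOUNDARY_READ = _policy({"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
                         "Resource": "*"})

def run_examples():
    """Scenario name -> allowed? The first two are the slide 19 shape."""
    same = dict(resource_account=ACCOUNT, resource=OBJ)
    role_a = dict(principal_arn=ROLE_A, principal_type="role", **same)
    role_b = dict(principal_arn=ROLE_B_OTHER, principal_type="role", **same)
    account_grant = _bucket_grant(f"arn:aws:iam::{ACCOUNT}:root")
    return {
        "account grant, read-only identity, GetObject": is_allowed(**role_a,
            action="s3:GetObject", identity_policy=READ_ONLY, resource_policy=account_grant),
        "account grant, read-only identity, PutObject": is_allowed(**role_a,
            action="s3:PutObject", identity_policy=READ_ONLY, resource_policy=account_grant),
        "role ARN named, admin identity, read boundary, PutObject": is_allowed(**role_a,
            action="s3:PutObject", identity_policy=ADMIN, boundary=BOUNDARY_READ,
            resource_policy=_bucket_grant(ROLE_A)),
        "session ARN named, same boundary, PutObject": is_allowed(**same,
            principal_arn=SESSION_A, principal_type="role-session", action="s3:PutObject",
            identity_policy=ADMIN, boundary=BOUNDARY_READ,
            resource_policy=_bucket_grant(SESSION_A)),
        "cross-account, bucket allows, caller identity policy empty": is_allowed(**role_b,
            action="s3:GetObject", identity_policy=_policy(),
            resource_policy=_bucket_grant(ROLE_B_OTHER)),
        "cross-account, both sides allow": is_allowed(**role_b,
            action="s3:GetObject", identity_policy=READ_ONLY,
            resource_policy=_bucket_grant(ROLE_B_OTHER)),
        "explicit Deny in bucket policy beats admin identity": is_allowed(**role_a,
            action="s3:DeleteObject", identity_policy=ADMIN,
            resource_policy=_bucket_grant(ROLE_A, effect="Deny")),
    }
```

The two boundary scenarios are the slide 23 question: a bucket policy that names the role ARN stays capped by the boundary, one that names the role-session ARN does not. For a real principal, run `aws iam simulate-principal-policy` against the account rather than trusting the model.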

  26. I understand nothing about IAM

  27. Tag-based access

  28. Frontend policy: list buckets, and read or write only objects tagged Owner=frontend and Confidentiality=public.
      { "Sid": "VisualEditor1", "Effect": "Allow",
        "Action": [ "s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:GetBucket*" ],
        "Resource": "*" },
      { "Sid": "VisualEditor2", "Effect": "Allow",
        "Action": [ "s3:GetObject" ], "Resource": "*",
        "Condition": { "StringEquals": {
          "s3:ExistingObjectTag/Owner": "frontend",
          "s3:ExistingObjectTag/Confidentiality": "public" } } },
      { "Sid": "VisualEditor4", "Effect": "Allow",
        "Action": [ "s3:PutObject", "s3:PutObjectTagging" ], "Resource": "*",
        "Condition": { "StringEquals": {
          "s3:RequestObjectTag/Owner": "frontend",
          "s3:RequestObjectTag/Confidentiality": "public" } } }
      Objects in the diagram: Owner=frontend / Confidentiality=public; Owner=frontend / Confidentiality=sensitive; Owner=frontend with no Confidentiality tag.

  29. (same policy as slide 28, next build step; the same three objects in a different order)

  30. Backend policy: the same read rule for Owner=backend; writes may set any of three Confidentiality values, but no tag keys other than Owner, Confidentiality and Description.
      { "Sid": "VisualEditor1", "Effect": "Allow",
        "Action": [ "s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:GetBucket*" ],
        "Resource": "*" },
      { "Sid": "VisualEditor2", "Effect": "Allow",
        "Action": [ "s3:GetObject" ], "Resource": "*",
        "Condition": { "StringEquals": {
          "s3:ExistingObjectTag/Owner": "backend",
          "s3:ExistingObjectTag/Confidentiality": "public" } } },
      { "Sid": "VisualEditor4", "Effect": "Allow",
        "Action": [ "s3:PutObject", "s3:PutObjectTagging" ], "Resource": "*",
        "Condition": {
          "StringEquals": {
            "s3:RequestObjectTag/Owner": "backend",
            "s3:RequestObjectTag/Confidentiality": [ "confidential", "public", "sensitive" ] },
          "ForAllValues:StringEquals": {
            "s3:RequestObjectTagKeys": [ "Owner", "Confidentiality", "Description" ] } } }
      Objects in the diagram: Owner=backend / Confidentiality=sensitive; Owner=backend / Confidentiality=sensitive / Description=nandemo.

  31. Actual operation:
      - I do want to move toward ABAC.
      - More than ABAC itself, running the tags looks like the important and laborious part: tag rules, the values a tag may take, the rise of the "tag police".
      - It probably has to be done together with Organizations Tag Policies.
      - Put a Service tag on ECS task roles and control RDS access by tag, and the possibilities open up.
      - Session tags: I could not research them enough, sorry.
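Added example (not from the slides or from kenscal): a Python evaluation of the Condition block of the backend policy on slide 30, showing which PutObject tag sets it admits. It is not the IAM engine, only the two operators that policy uses, and the tag sets in it are constructed for the example.

```python
"""Evaluates the Condition block of the backend tag policy against PutObject requests.
Implements the two operators the policy uses: StringEquals (scalar or list of accepted
values; the key must be present) and ForAllValues:StringEquals (every value of a
multi-valued key must be in the set; an absent key satisfies it). The request tag
sets below are constructed for this example."""

# Condition block of the slide 30 policy, copied as data.
CONDITION = {
    "StringEquals": {
        "s3:RequestObjectTag/Owner": "backend",
        "s3:RequestObjectTag/Confidentiality": ["confidential", "public", "sensitive"],
    },
    "ForAllValues:StringEquals": {
        "s3:RequestObjectTagKeys": ["Owner", "Confidentiality", "Description"],
    },
}

def request_context(tags):
    """Condition keys S3 derives from the tag set of a PutObject request."""
    ctx = {f"s3:RequestObjectTag/{k}": [v] for k, v in tags.items()}
    ctx["s3:RequestObjectTagKeys"] = list(tags)  # the one multi-valued key
    return ctx

def condition_matches(condition, ctx):
    """True when every operator/key clause of the Condition block is satisfied."""
    for operator, clauses in condition.items():
        qualifier, _, base = operator.rpartition(":")  # '', ForAllValues or ForAnyValue
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, accepted in clauses.items():
            accepted = accepted if isinstance(accepted, list) else [accepted]
            values = ctx.get(key, [])
            if qualifier == "ForAllValues":
                # Vacuously true for an absent or empty key: the reason AWS warns
                # against relying on ForAllValues alone in an Allow statement.
                ok = all(v in accepted for v in values)
            elif qualifier == "ForAnyValue":
                ok = any(v in accepted for v in values)
            else:
                ok = len(values) == 1 and values[0] in accepted  # absent key fails
            if not ok:
                return False
    return True

def run_examples():
    """Tag set name -> does the backend policy's Condition admit the PutObject?"""
    cases = {
        "backend, sensitive, Description": {
            "Owner": "backend", "Confidentiality": "sensitive", "Description": "nandemo"},
        "backend, sensitive, extra Project tag": {
            "Owner": "backend", "Confidentiality": "sensitive", "Project": "x"},
        "frontend object": {"Owner": "frontend", "Confidentiality": "public"},
        "unknown Confidentiality value": {"Owner": "backend", "Confidentiality": "internal"},
        "Confidentiality tag missing": {"Owner": "backend"},
        "no tags at all": {},
    }
    return {name: condition_matches(CONDITION, request_context(tags))
            for name, tags in cases.items()}

def forallvalues_alone_allows_untagged():
    """Only the ForAllValues clause: an untagged PutObject passes it."""
    only_keys = {"ForAllValues:StringEquals": CONDITION["ForAllValues:StringEquals"]}
    return condition_matches(only_keys, request_context({}))
```

The last function is why the ForAllValues clause needs the StringEquals clauses beside it: on its own it is satisfied by a request that carries no tags at all, which is the trap AWS documents for ForAllValues in Allow statements. The tag-police work from slide 31 is exactly keeping the accepted key and value lists in this block in step with the Organizations Tag Policy.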
  32. ~I understand nothing about IAM~ this part I did understand

  33. AWS SSO vs AWS IAM

  34. Comparison (as of February 2020):
      Item               | AWS SSO                                                              | AWS IAM (federated role)
      Entry point        | a portal is provided                                                 | depends on how the IdP is configured
      Auth method        | SAML                                                                 | SAML
      Provisioning       | yes                                                                  | no
      Permission format  | Permission Sets (a role is generated automatically in each assigned AWS account) | IAM Role
      Region             | not available in ap-northeast-1                                      | available
      CLI                | cannot get AccessKey / Token / Session in one shot from the CLI      | can

  35. (same table, next build step)

  36. (image only)

  37. (image only)

  38. (same table, next build step)

  39. Permissions can be managed centrally inside AWS SSO, but

  40. with policy documents kept in IaC, central management is possible without AWS SSO too.

  41. (image only)

  42. Custom Policy and Permission (role) ... (image; the caption is cut off)

  43. (same table, with a correction: the AWS SSO CLI row becomes "can")

  44. $ aws sso login --profile AdministratorAccess-master
      $ aws sso get-role-credentials \
          --role-name "AdministratorAccess" --account-id "xxxx" \
          --access-token $(cat ~/.aws/sso/cache/SOMETHING.json | jq -r ".accessToken") \
          --region ap-southeast-1
      {
        "roleCredentials": {
          "accessKeyId": "ACCESS_KEY_ID",
          "secretAccessKey": "SECRET_ACCESS_KEY",
          "sessionToken": "SESSION_TOKEN",
          "expiration": 1581669130000
        }
      }
      ################ Correction 2020/02/15: aws CLI version 2 does this automatically
      $ aws sso login --profile AdministratorAccess-master
      $ aws s3 ls s3://secure-brigade-test-main --profile AdministratorAccess-master

  45. Future best (wish list):
      - a richer aws cli
      - templating of custom permission policies
      - using several custom permission policies at once
      - an AWS SSO that can be managed through the API
      As for the best choice right now, I cannot say without hearing from people inside AWS: do they want external federation done with IAM roles, or with AWS SSO? I would like to hear the philosophy. Personally I have set up both for now.

  46. I understand nothing about IAM

  47. So, in conclusion,

  48. IAM

  49. nothing

  50. I understand

  51. I understand nothing about IAM. The End. Production / copyright ━━━━━

  52. Bonus

  53. Registering more than one hardware (MFA) device for the root account: still not possible???

  54. The End. Production / copyright ━━━━━