
What should we do about AWS IAM?

Kengo Suzuki
February 14, 2020

How should one think about the following AWS IAM resources?
- Identity-based Policy vs Resource-based Policy
- Permission Boundary
- Tag-Based Policy
- AWS SSO vs Federated IAM Role


Transcript

  1. What should we do about AWS IAM?
    by kenscal

  2. I don't understand IAM at all

  3. Today's goal

  4. kenscal talks about IAM-related matters

  5. kenscal talks
    I want to discuss IAM-related questions
    Please teach me

  6. app.sli.do/event/qzov

  7. Slido demo: app.sli.do/event/qzov

  8. Identity and Access Management
    AWS SSO
    Identity and Access Management
    IAM Policy
      identity-based policy
      resource-based policy
      permission boundaries
      SCPs / ACLs
      session policies
    Today's focus: IAM

  9. Prerequisites: things done as a matter of course
    MFA set up on the root account
    Password policy configured
    SSO with an IdP
    IAM users (for humans) are not used at all
    Multi-account / Organizations setup

  10. Assumed setup

  11. IAM Policies vs Resource Policies

  12. Policy decision flow
    https://aws.amazon.com/jp/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

  13. IAM Policies / Resource Policies
    Resource policy (who can do what):
    {
      "Version": "2012-10-17",
      "Id": "Policy1581347975270",
      "Statement": [{
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::xxxxx:root"},
        "Action": ["s3:*", "s3:List*", "s3:Get*"],
        "Resource": [
          "arn:aws:s3:::secure-brigade-test",
          "arn:aws:s3:::secure-brigade-test/*"
        ]
      }]
    }
    IAM policy (what can be done on which resource):
    {
      "Version": "2012-10-17",
      "Id": "Policy1581347975270",
      "Statement": [{
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Action": ["s3:*", "s3:List*", "s3:Get*"],
        "Resource": [
          "arn:aws:s3:::secure-brigade-test",
          "arn:aws:s3:::secure-brigade-test/*"
        ]
      }]
    }

  14. IAM Policies / Resource Policies (diagram)

  15. Policy fragments from the slide (diagram):
    "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleA"}
    "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleB"}
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"],
    "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleA"}

  16. Policy fragments from the slide (diagram):
    "Principal": {"AWS": [
      "arn:aws:iam::xxxxx:role/roleA",
      "arn:aws:iam::xxxxx:role/roleB"]}
    "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"]
    "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketB", "arn:aws:s3:::bucketB/*"]
    "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::bucketC", "arn:aws:s3:::bucketC/*"]

  17. How to divide use between IAM policies and resource policies
    In the end it is an AND condition, so both have to be defined.
    So what should the basic policy be?
    kenscal's personal view: lean on control from the IAM policy side.

  18. What I thought at first
    {
      "Version": "2012-10-17",
      "Id": "Policy1581347975270",
      "Statement": [{
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::xxxxx:role/roleA"},
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": [
          "arn:aws:s3:::secure-brigade-test",
          "arn:aws:s3:::secure-brigade-test/*"
        ]
      }]
    }
    {
      "Version": "2012-10-17",
      "Id": "Policy1581347975270",
      "Statement": [{
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["*"]
      }]
    }
    I did not want the IAM "entry point" to depend on each individual resource; restrict on the resource side.

  19. What I do now
    {
      "Version": "2012-10-17",
      "Id": "Policy1581347975270",
      "Statement": [{
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::xxxxx:root"},
        "Action": ["s3:*"],
        "Resource": [
          "arn:aws:s3:::secure-brigade-test",
          "arn:aws:s3:::secure-brigade-test/*"
        ]
      }]
    }
    {
      "Version": "2012-10-17",
      "Id": "Policy1581347975270",
      "Statement": [{
        "Sid": "Stmt1581347973356",
        "Effect": "Allow",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": [
          "arn:aws:s3:::secure-brigade-test",
          "arn:aws:s3:::secure-brigade-test/*"
        ]
      }]
    }
    Fine-grained control in the IAM policy; keep the resource side loose.
      Allow the whole AWS account on the resource side
      Putting the settings on the IAM side, in the sense of authorizing an identity, seems philosophically right
      Detailed control using tags and the like can only be done from the IAM side
      Per-resource control is an operational burden
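Added example, not from the slides: a small Python model of the decision flow linked on slide 12, run over the slide 18 and slide 19 policy pairs. The account id 111111111111, the role name roleA and the object key x.txt are constructed sample values.

```python
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _matches(stmt, action, resource):
    return (any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])))
def _principal_kind(stmt, principal_arn):
    """'direct' if the statement names the role itself, 'account' if it names the account root."""
    p = stmt.get("Principal")
    arns = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    if p == "*" or principal_arn in arns:
        return "direct"
    account = principal_arn.split(":")[4]
    return "account" if f"arn:aws:iam::{account}:root" in arns or account in arns else None

def evaluate(identity_policy, resource_policy, principal_arn, resource_account, action, resource):
    """'Allow' or 'Deny'. Explicit Deny wins. Same account: an identity Allow, or a resource policy
    naming the role directly, suffices. A root-ARN (account) grant or any cross-account grant also
    needs an identity Allow: the AND case of slide 17."""
    id_allow = id_deny = res_deny = False
    res_allow = None
    for s in identity_policy["Statement"]:
        if _matches(s, action, resource):
            id_allow |= s["Effect"] == "Allow"
            id_deny |= s["Effect"] == "Deny"
    for s in resource_policy["Statement"]:
        kind = _principal_kind(s, principal_arn)
        if kind and _matches(s, action, resource):
            if s["Effect"] == "Deny":
                res_deny = True
            elif kind == "direct" or res_allow is None:
                res_allow = kind
    if id_deny or res_deny:
        return "Deny"
    if principal_arn.split(":")[4] == resource_account:
        return "Allow" if id_allow or res_allow == "direct" else "Deny"
    return "Allow" if id_allow and res_allow else "Deny"
ACCOUNT, ROLE_A = "111111111111", "arn:aws:iam::111111111111:role/roleA"  # constructed sample ids
BUCKET = ["arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"]
OBJECT = "arn:aws:s3:::secure-brigade-test/x.txt"
# Slide 19: bucket policy allows the whole account, the identity policy is fine-grained.
RESOURCE_LOOSE = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET,
                                 "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}
IDENTITY_TIGHT = {"Statement": [{"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"], "Resource": BUCKET}]}
# Slide 18: bucket policy names roleA with List/Get only, the identity policy is s3:* on *.
RESOURCE_TIGHT = {"Statement": [{"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"], "Resource": BUCKET,
                                 "Principal": {"AWS": ROLE_A}}]}
IDENTITY_LOOSE = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

With the slide 18 pair, the same-account identity policy's s3:* on * still allows PutObject, so the resource-side restriction does not restrict; with the slide 19 pair the root-ARN grant delegates to the identity policy and only List/Get remain.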

  20. I don't understand IAM at all

  21. Permission Boundary

  22. Uses of permission boundaries
    Honestly, I don't see where to use them

  23. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
    Policy fragments from the slide:
    {
      "Sid": "Stmt1581347973356",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::xxx:role/roleA"]},
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"]
    }
    {
      "Effect": "Allow",
      "Action": ["s3:List*", "s3:Get*"],
      "Resource": ["*"]
    }
    {
      "Effect": "Allow",
      "Action": ["*"],
      "Resource": ["*"]
    }
    All actions on BucketA are allowed


  25. Uses of permission boundaries
    If you already know what you want to delegate, why not just go identity-based from the start?
    If it is used to define permissions that should be granted by neither identity nor resource policies, that only ever amounts to something defined inside the identity policy.
    Policy: basically don't use it, and use identity-based policies from the start?

  26. I don't understand IAM at all

  27. Tag-based access

  28. Frontend policy (the first Action in VisualEditor1 is cut off on the slide; shown here as "s3:HeadBucket"):
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:GetBucket*"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/Owner": "frontend",
          "s3:ExistingObjectTag/Confidentiality": "public"
        }
      }
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectTagging"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/Owner": "frontend",
          "s3:RequestObjectTag/Confidentiality": "public"
        }
      }
    }
    [Diagram: objects tagged Owner=frontend / Conf=public, Owner=frontend / Conf=sensitive, and Owner=frontend only]

  29. (same frontend policy as slide 28)
    [Diagram: objects tagged Owner=frontend / Conf=public, Owner=frontend only, and Owner=frontend / Conf=sensitive]

  30. Backend policy (the first Action in VisualEditor1 is cut off on the slide; shown here as "s3:HeadBucket"):
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBucket*", "s3:GetBucket*"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/Owner": "backend",
          "s3:ExistingObjectTag/Confidentiality": "public"
        }
      }
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectTagging"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/Owner": "backend",
          "s3:RequestObjectTag/Confidentiality": ["confidential", "public", "sensitive"]
        },
        "ForAllValues:StringEquals": {
          "s3:RequestObjectTagKeys": ["Owner", "Confidentiality", "Description"]
        }
      }
    }
    [Diagram: objects tagged Owner=backend / Conf=sensitive, and Owner=backend / Conf=sensitive / Desc=nandemo]
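Added example, not from the slides: a Python evaluator for the tag conditions in the slide 30 backend policy (StringEquals on the tag values plus ForAllValues:StringEquals on the permitted tag keys), run over constructed requests that mirror the objects drawn on the slides.

```python
from fnmatch import fnmatch
def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_holds(condition, ctx):
    """Evaluate a Condition block against a request context: ctx maps a condition key to a
    string (single-valued) or a list (multi-valued, e.g. s3:RequestObjectTagKeys).
    Only the two operators that appear on the slides are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:  # a missing key fails the test
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Set operator: every value in the request must be in the policy list. A request
                # with no values passes as well (documented AWS behaviour), which is why the
                # slide combines it with plain StringEquals on the mandatory tags.
                if any(v not in expected for v in _as_list(actual or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True
BACKEND_POLICY = [  # the two tag-conditioned statements of slide 30
    {"Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
     "Condition": {"StringEquals": {"s3:ExistingObjectTag/Owner": "backend",
                                    "s3:ExistingObjectTag/Confidentiality": "public"}}},
    {"Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectTagging"],
     "Resource": "*",
     "Condition": {"StringEquals": {"s3:RequestObjectTag/Owner": "backend",
                                    "s3:RequestObjectTag/Confidentiality": ["confidential", "public", "sensitive"]},
                   "ForAllValues:StringEquals": {"s3:RequestObjectTagKeys": ["Owner", "Confidentiality", "Description"]}}},
]

def allowed(policy, action, ctx):
    """True when some Allow statement covers the action and its Condition holds."""
    return any(s["Effect"] == "Allow"
               and any(fnmatch(action, a) for a in _as_list(s["Action"]))
               and condition_holds(s.get("Condition", {}), ctx)
               for s in policy)

def put_context(tags):
    """Context keys S3 derives from the tags sent with a PutObject request (constructed)."""
    ctx = {f"s3:RequestObjectTag/{k}": v for k, v in tags.items()}
    ctx["s3:RequestObjectTagKeys"] = list(tags)
    return ctx

def get_context(tags):  # context keys S3 derives from the tags already on the object being read
    return {f"s3:ExistingObjectTag/{k}": v for k, v in tags.items()}
```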

  31. Real-world operation
    I do want to move toward ABAC
    Tag operation seems more important (and more work) than ABAC itself:
      rules for tags
      values to put in tags
      signs of a "tag police" being born
    It probably has to be done together with Organizations Tag Policies
    Putting a Service tag on an ECS task Role and controlling RDS access by tag opens up possibilities
    I couldn't look into session tags in enough depth, sorry

  32. ~~I don't understand IAM at all~~
    This part, I understood

  33. AWS SSO vs AWS IAM

  34. AWS SSO vs IAM Role (federated IAM role)
    | Item            | AWS SSO                                                                             | IAM Role                           |
    | Entry point     | A portal is provided                                                                | Depends on the IdP-side configuration |
    | Authentication  | SAML                                                                                | SAML                               |
    | Provisioning    | Yes                                                                                 | No                                 |
    | Permission form | Permission Sets (a Role is generated automatically in each assigned AWS account)    | IAM Role                           |
    | Region          | Not available in ap-northeast                                                       | Available                          |
    | CLI             | Cannot get Access Key / Token / Session in one shot from the cli                    | Can                                |

  35. (same table as slide 34)


  38. (same table as slide 34)

  39. Within AWS SSO, permissions can be managed centrally, but...

  40. Policy Document with IaC
    If you use IaC, centralized management is possible even without AWS SSO


  42. Custom Policy: Permission (role) and ... (diagram; the sentence is cut off on the slide)

  43. AWS SSO vs IAM Role (federated IAM role), with the CLI row corrected
    | Item            | AWS SSO                                                                             | IAM Role                           |
    | Entry point     | A portal is provided                                                                | Depends on the IdP-side configuration |
    | Authentication  | SAML                                                                                | SAML                               |
    | Provisioning    | Yes                                                                                 | No                                 |
    | Permission form | Permission Sets (a Role is generated automatically in each assigned AWS account)    | IAM Role                           |
    | Region          | Not available in ap-northeast                                                       | Available                          |
    | CLI             | Cannot get Access Key / Token / Session in one shot from the cli -> correction: can | Can                                |

  44. $ aws sso login --profile AdministratorAccess-master
    $ aws sso get-role-credentials --role-name "AdministratorAccess" --account-id "xxxx" \
        --access-token $(cat ~/.aws/sso/cache/SOMETHING.json | jq -r ".accessToken") --region ap-southeast-1
    {
      "roleCredentials": {
        "accessKeyId": "ACCESS_KEY_ID",
        "secretAccessKey": "SECRET_ACCESS_KEY",
        "sessionToken": "SESSION_TOKEN",
        "expiration": 1581669130000
      }
    }
    ################ 2020/02/15 correction: AWS CLI version 2 does this automatically
    $ aws sso login --profile AdministratorAccess-master
    $ aws s3 ls s3://secure-brigade-test-main --profile AdministratorAccess-master

  45. Current best: can't really say without hearing what the people inside AWS think
      Do they want external federation done with IAM Roles, or with AWS SSO? I want to hear the philosophy.
      Personally, for now I have set up both.
    Future best (wish list):
      Richer aws cli support
      Templating of custom permission policies
      Using multiple custom permission policies
      AWS SSO that can be managed through an API

  46. I don't understand IAM at all

  47. So, in conclusion

  48. IAM

  49. I don't understand

  50. any of it

  51. I don't understand IAM at all
    Production / copyright

  52. Bonus

  53. Still no support for registering multiple hardware MFA devices on the root account???

