AWS IAMどうしましょ

*".Ͳ͏͠·͠ΐ͏ CZLFOTDBM

*".ͳʹ΋Θ͔ΒΜ

ࠓ೔ͷ໨త

LFOTDBM͕*".पΓΛ࿩͢

LFOTDBM͕࿩͢ *".पΓͷ૬ஊΛ͍ͨ͠ ڭ͑ͯ΄͍͠

BQQTMJEPFWFOU R[PW

4MJEP%FNP BQQTMJEPFWFOUR[PW

*EFOUJUZ"OE"DDFTT.BOBHFNFOU "84440 *EFOUJUZ"OE"DDFTT.BOBHFNFOU *".1PMJDZ JEFOUJUZCBTFE1PMJDZ
SFTPVSDFCBTFEQPMJDZ QFSNJTTJPOCPVOEBSJFT 4$1T"$-T TFTTJPOQPMJDJFT ࠓ೔ͷϑΥʔΧε*".

౰ͨΓલʹ΍Δ͜ͱ 3PPU޶΁ͷ.'"ઃఆ ύεϫʔυϙϦγʔͷઃఆ *E1ͱͷ440 *".Ϣʔβʔ
ਓؒ ͸ͦ΋ͦ΋࢖Θͳ͍ ϚϧνΞΧ΢ϯτɾ0SHBOJ[BUJPOߏ੒ લఏ

લఏߏ੒

*".1PMJDJFT WT 3FTPVSDF1PMJDJFT

1PMJDZ%FDJTJPOϑϩʔ https://aws.amazon.com/jp/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

*".1PMJDJFT3FTPVSDF1PMJDJFT { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356",
"Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:root"}, "Action": [ "s3:*", "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": [ "s3:*", "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } Կʹରͯ͠ԿΛͰ͖Δ͔ ୭͕ԿΛͰ͖Δ͔

*". 1PMJDJFT 3FTPVSDF 1PMJDJFT

"Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleA“} } "Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleB“} }
“Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketA” “arn:aws:s3:::bucketA/*”], "Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleA“} }

"Principal": { “AWS": [ “arn:aws:iam::xxxxx:role/roleA“, “arn:aws:iam::xxxxx:role/roleB“] } “Effect": “Allow”, “Action":
[“s3:*”], “Resource": [“arn:aws:s3:::bucketA” “arn:aws:s3:::bucketA/*”] “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketB” “arn:aws:s3:::bucketB/*”] “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketC” “arn:aws:s3:::bucketC/*”]

*".1PMJDJFTͱ3FTPVSDF1PMJDJFTͷ࢖͍෼͚ ݁ہ"/%৚݅ͳͷͰ྆ํఆٛ͠ͳ͚Ε͹ ͳΒͳ͍ Ͱ͸ɺجຊํ਑͸ʁ LFOTDBMͷݸਓతݟղ*".1PMJDZଆͷ ੍ޚʹΑͤΔ

࠷ॳ͸͜͏ࢥͬͯͨ { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356",
"Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:arn/roleA“} "Action": [“s3:List”, “s3:Get”], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": ["s3:*"], "Resource": [ "*"] }] } *".ͱ͍͏ʮೖΓޱʯΛ ֤छϦιʔεʹґଘͤͨ͘͞ͳ͍ ϦιʔεଆͰറΔ

ࠓ͸͜͏ { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356",
"Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:root"}, "Action": ["s3:*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } ࡉ੍͔͍ޚ͸*".1PMJDZͰ Ϧιʔεଆ͸؇͘ɻ "84޶Λ·ΔͬͱڐՄ *EFOUJUZ΁ͷೝՄͱ͍͏ҙຯͰɺ*".ଆʹઃఆΛ͚ͭΔͷ ͕ɺࢥ૝తʹͨͩͦ͠͏ 5BH౳Λ͔ͭͬͨৄࡉͳ੍ޚ͸*".ଆ͔Β͔͠Ͱ͖ͳ͍ Ϧιʔεຖͷ੍ޚ͸ӡ༻తʹେม

*".ͳʹ΋Θ͔ΒΜ

1FSNJTTJPO#PVOEBSZ

1FSNJTTJPO#PVOEBSZͷ࢖͍ಓ ׂͱ࢖͍ॴ͕Θ͔Βͳ͍

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html { "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": [
"arn:aws:iam::xxx:role/roleA"]}, "Action": [“s3:*"], "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"] } { "Effect": “Allow", "Action": [“s3:List*”, “s3:Get*”], "Resource": [“*”] } { "Effect": “Allow", "Action": [“*”], "Resource": [“*”] } #VDLFU"΁ͷ શ"DUJPO͕ڐՄ

1FSNJTTJPO#PVOEBSZͷ࢖͍ಓ ԿΛ%FMFHBUF͍ͨ͠ͷ͔Θ͔ͬͯΔͳΒɺ࠷ॳ͔Β*EFOUJUZ #BTFEʹ͢Ε͹͍͍ͷͰ͸ʁ *EFOUJUZͰ΋3FTPVSDFͰ΋΍Βͤͨ͘ͳ͍1FSNJTTJPOΛఆٛ ʹ࢖͏ͷͰ͋Ε͹ɺͦΕ͸*EFOUJUZ಺ʹఆٛͩͬͨ͜ͱ͔͠ͳ͍ ํ਑جຊతʹ࢖Θͣɺ*EFOUJUZ#BTFE1PMJDZΛ࠷ॳ͔Βར༻ ͢Δʁ

*".ͳʹ΋Θ͔ΒΜ

5BH#BTFE"DDFTT

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": eadBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" },
{ "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "frontend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "frontend", "s3:RequestObjectTag/Confidentiality": "public" } } } 0XOFSGSPOUFOE $POpQVCMJD 0XOFSGSPOUFOE $POpTFOTJUJWF 0XOFS GSPOUFOE

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": eadBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" },
{ "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "frontend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "frontend", "s3:RequestObjectTag/Confidentiality": "public" } } } 0XOFSGSPOUFOE $POpQVCMJD 0XOFS GSPOUFOE 0XOFSGSPOUFOE $POpTFOTJUJWF

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": adBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" },
{ "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "backend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "backend", "s3:RequestObjectTag/Confidentiality": [ “confidential”,“public”,”sensitive”] }, “ForAllValues:StringEquals": { “s3:RequestObjectTagKeys”:[ “Owner”, “Confidentiality”, ”Description”] }, } } 0XOFSCBDLFOE $POpTFOTJUJWF 0XOFSCBDLFOE $POpTFOTJUJWF %FTDOBOEFNP

࣮ࡍͷӡ༻ "#"$΍͍͖͍ͬͯͨؾ࣋ͪ͸͋Δ "#"$ͦͷ΋ͷΑΓλάӡ༻͕ॏཁखؒͦ͏ λάͷϧʔϧ λάʹ͚ͭΔ஋
λάܯ࡯ര஀ͷػӡ 0SHBOJ[BUJPOͷ5BH1PMJDJFTͱηοτͰ΍Βͳ͍ͱ͍͚ͳͦ͞͏ &$4λεΫͷ3PMFʹ4FSWJDFλά͚ͭͯɺ3%4ΞΫηεΛλά੍ޚ͢Δͱເ͕޿͕Δ 4FTTJPOλά͸ͪΐͬͱௐ΂͖Εͳ͔ͬͨɺ͢·ͳ͍

d*".ͳʹ΋Θ͔ΒΜd ͜͜͸Θ͔ͬͨ

"84440WT"84*".

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠
1FSNJTTJPO ܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

1FSNJTTJP Oܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

"84440಺Ͱ1FSNJTTJPOΛҰݴ ؅ཧͰ͖Δ͕

1PMJDZ%PDVNFOU XJUI *B$࢖͑͹ɺ"84440Ͱͳ͘ͱ΋ Ұݩ؅ཧՄೳ

$VTUPN1PMJDZ͸ 1FSNJTTJPO SPMF ͱ

1FSNJTTJPO ܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ͱΕΔ मਖ਼ ͱΕΔ

$ aws sso login --profile AdministratorAccess-master $ aws sso get-role-credentials
--role-name "AdministratorAccess" --account-id "xxxx" --accesstoken $(cat ~/.aws/sso/cache/SOMETHING.json | jq -r ".accessToken") --region ap-southeast-1 { "roleCredentials": { "accessKeyId": “ACCESS_KEY_ID”, "secretAccessKey": “SECRET_ACCESS_KEY”, "sessionToken": “SESSION_TOKEN”, "expiration": 1581669130000 } } ################ 2020/02/15 मਖ਼ɻaws version 2Ͱ͸ࣗಈͰ΍ͬͯ͘ΕΔ $ aws sso login --profile AdministratorAccess-master $ aws s3 ls s3://secure-brigade-test-main --profile AdministratorAccess-master

BXTDMJͷॆ࣮ DVTUPNQFSNJTTJPOQPMJDZͷςϯϓϨԽ DVTUPNQFSNJTTJPOQPMJDZͷෳ਺ར༻ "1*؅ཧ͕Ͱ͖ΔΑ͏ʹͳͬͨ"84440 ݱ࣌఺ͷϕετ͸ɺ"84ͷதͷਓͷߟ͑Λฉ͔ͳ͍ͱͳΜͱ΋
֎෦ϑΣσϨʔγϣϯΛ*".3PMFʹ͍ͨ͠ͷ͔ɺ"84440ʹ͍ͨ͠ͷ͔ ࢥ૝Λฉ͖͍ͨ ݸਓͰ͸ͱΓ͋͑ͣ྆ํηοτΞοϓͯ͠Δ কདྷతͳϕετʢཁ๬ʣ

*".ͳʹ΋Θ͔ΒΜ

ͱ͍͏Θ͚Ͱ

ͳʹ΋

Θ͔ΒΜ

*".ͳʹ΋Θ͔ΒΜ ऴ ੍࡞ɾஶ࡞ ᴸᴸᴸᴸᴸ ɹɹɹ

͓·͚

3PPU޶ͷ)8σόΠεෳ਺ొ࿥·ͩʁʁʁ

ऴ ੍࡞ɾஶ࡞ ᴸᴸᴸᴸᴸ ɹɹɹɹɹɹɹɹɹɹ

AWS IAMどうしましょ

AWS IAMどうしましょ

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript