bitbankのAWSアカウント作成管理術

Transcript

1. bitbankͷAWSΞΧ΢ ϯτ࡞੒؅ཧज़ AWS DevDay 2019 ࠙਌ձLT @mdps513 ΍ͬͨΜ
   

2. Service
   

3. ໨࣍ • എܠ • ղܾ͢ΔͨΊʹ΍ͬͨ͜ͱ • ݁Ռ • ͜Ε͔Β
   

   

4. എܠ • AWS SSOΛ࢖͍ͬͯΔ • ݱࡏฐࣾͰ؅ཧ͍ͯ͠ΔAWSΞΧ΢ϯτ͸໿60ݸ΄ͲͰຖ݄૿ ͍͑ͯΔ • ΞΧ΢ϯτ࡞੒ґཔ͕݄ʹ1,2݅,ଟ͍࣌ʹ͸ຖिඈΜͰ͘Δ •

   ݱࡏAWSνʔϜ͸4໊ • ͦΕͧΕϓϩδΣΫτ͓࣋ͬͯΓɺΞΧ΢ϯτ؅ཧઐ೚ͷϓϩδΣ Ϋτͷਓ͸୭΋͍ͳ͍
   

5. ΞΧ΢ϯτ࡞੒࣌ͷϑϩʔ (ฐࣾͷྫ) 1. GlugentFlowͰਃ੥ 2. ΞΧ΢ϯτ࡞੒ 3. CloudTrailઃఆ 4. AWS

   Configઃఆ 5. GuardDutyઃఆ 6. Cost Visualizer ϩʔϧઃఆ 7. ΤϯλʔϓϥΠζαϙʔτՃೖ 8. Organaizational Unitઃఆ 9. RootΞΧ΢ϯτ෧ҹ 10. ݖݶ෇༩
   

6. ΞΧ΢ϯτ࡞੒࣌ͷϑϩʔ (ฐࣾͷྫ) 1. GlugentFlowͰਃ੥ 2. ΞΧ΢ϯτ࡞੒ 3. CloudTrailઃఆ 4. AWS

   Configઃఆ 5. GuardDutyઃఆ 6. Cost Visualizer ϩʔϧઃఆ 7. ΤϯλʔϓϥΠζαϙʔτՃೖ 8. Organaizational Unitઃఆ 9. RootΞΧ΢ϯτ෧ҹ 10. ݖݶ෇༩
    ଟ͍͠໘౗͍͘͞ɻɻɻ (※ݸਓͷײ૝Ͱ͢)

7. ͜ΕͰ͸ΞΧ΢ϯτ࡞੒Ͱ೔͕฻Ε ͯ͠·͏…
   

8. ΞΧ΢ϯτ࡞੒࣌ͷϑϩʔ (ฐࣾͷྫ) • 1. GlugentFlowͰਃ੥ • 2. ΞΧ΢ϯτ࡞੒ • 3.

   organaizational Unitઃఆ • 4. CloudTrailઃఆ • 5. AWS Configઃఆ • 6. GuardDutyઃఆ • 7. Cost Visualizer ϩʔϧઃఆ • 8. ΤϯλʔϓϥΠζαϙʔτՃೖ • 9. RootΞΧ΢ϯτ෧ҹ • 10. ݖݶ෇༩
    ͜͜ɺ ࣗಈԽͰ͖ͳ͍ʁ

9. ͦ͏ͩɺࣗಈԽ͠Α͏ɻ
   

10. ΍ͬͨ͜ͱ ͦͷ1 ΞΧ΢ϯτ࡞੒ͱorganaizational Unitઃఆ • GlugentFlow͔Βਃ੥͕͋ͬͨΒ API Gateway͔ΒLambdaΛൃՐ • CreateAPI͕ୟ͔Εͯࣗಈతʹ࡞

    ੒͞ΕΔ • ͦͷޙద੾ͳOrganizational Unit ʹৼΓ෼͚ΒΕΔ
    

11. ΍ͬͨ͜ͱ ͦͷ2
     CloudTrail, Config, GuardDuty,ͦ ͷଞϩʔϧઃఆ • Organizational

    Unitʹ௥Ճ͞Ε ͨ࣌ͷCloudWatchEventsΛτ ϦΨʔ͠ɺLambdaΛൃՐ • CloudTrail,Config, GuardDuty ͳͲͷ֤छϩʔϧ͸ CloudFormationStacksetsΛ༻ ͍֤ͯΞΧ΢ϯτʹઃఆΛ൓ө

12. ͦͷ2ͷStackSetsΛ༗ޮԽ͢Δ ࡍʹ஫ҙ͍ͯ͠Δ͜ͱ • ฐࣾͰ͸ϩάΛϩάऩू༻ͷS3 όέοτʹू໿͍ͯ͠Δ • ϩάΛ֘౰ͷS3ʹॻ͖ࠐΉͨΊ ʹΫϩεΞΧ΢ϯτͰͷόέο τϙϦγʔͷΞΫηεڐՄ͕ඞཁ •

    LambdaͰOrganizationAPI͔Β ΞΧ΢ϯτΛऔಘͯ͠ stsAssumeRoleΛ༻͍ͯOUຖʹ S3policyUpdate
    

13. ΍ͬͨ͜ͱ ͦͷ3
     • ΤϯλʔϓϥΠζαϙʔτՃೖ • αϙʔτAPIΛLambdaͰൃՐ ͤͯ͞ΞΫςΟϕʔγϣϯґཔ

14. ΍ͬͨ͜ͱ ͦͷ4
     • StepFunctionͰͷ ϑϩʔ࡞੒

15. ݁Ռ ࠓ·Ͱ3࣌ؒఔऔΒΕ͍ͯͨΞΧ΢ϯτ࡞੒࣌ ʹ͔͔Δ͕࣌ؒ30෼͘Β͍ʹઅ໿Ͱ͖ͨ ຊདྷ΍Δ΂͖͜ͱʹूதͰ͖ΔΑ͏ʹͳͬͨ ΞΧ΢ϯτ࡞੒ґཔ͕ා͘ͳ͘ͳͬͯ໷΋
 ͙ͬ͢Γ຾ΕΔΑ͏ʹͳͬͨ
    

16. ͜Ε͔Β • GuardDutyͷΞΧ΢ϯτ༗ޮԽΞΫςΟϕʔ γϣϯϑϩʔ΋ࣗಈԽ͍ͨ͠ • ࡞੒։࢝࣌ɺऴྃ࣌ɺΤϥʔ࣌ʹSlack௨஌Λ ͢ΔΑ͏ʹ͍ͨ͠
    

17. ͍͞͝ʹ ϏοτόϯΫͰ͸ AWSΤϯδχΞΛ ืू͍ͯ͠·͢ʂ
    

18. ͓ΘΓ