
A look at using, from the AWS CLI, the IAM Access Analyzer feature that generates IAM policies from CloudTrail trails /jawsug-asa-20-lt

LT slides for JAWS UG 朝会 (morning meetup) #20.
https://jawsug-asa.connpass.com/event/208498/

Slide details
Trying the new IAM Access Analyzer feature that creates IAM policies from CloudTrail trails with the AWS CLI - michimani.net
https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/


YoshihiroITO

April 22, 2021

Transcript

  1. 2021.04.22 @michimani210 CloudTrail IAM IAM Access Analyzer AWS CLI [JAWS-UG #20] #jawsug_asa
  2. # # AWS AWS CLI AWS Certificate Manager # : https://michimani.net / Yoshihiro Ito @michimani210
  3. 1. IAM Access Analyzer 2. AWS CLI 3. IAM Access Analyzer CloudTrail
  4. 1. IAM Access Analyzer CloudTrail IAM IAM 90 ( ) IAM JSON IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity https://aws.amazon.com/about-aws/whats-new/2021/04/iam-access-analyzer-easier-implement-least-privilege-permissions-generating-iam-policies-access-activity
  5. 2. AWS CLI IAM Access Analyzer aws accessanalyzer ・cancel-policy-generation ・get-generated-policy ・list-policy-generations ・start-policy-generation v1 1.19.47 v2 2.1.36 (2021/04/22 07:40 JST) 1.19.55 2.1.39
  6. 2. AWS CLI - start-policy-generation start-policy-generation CloudTrail ARN IAM IAM ARN
  7. 2. AWS CLI - start-policy-generation 1: IAM ( ) ARN AWS CLI ARN
  8. 2. AWS CLI - start-policy-generation 2: JSON
  9. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN
  10. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN ( 90 ) endTime
  11. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN CloudTrail ARN ( 90 ) endTime
  12. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN CloudTrail ARN ( 90 ) endTime
  13. 2. AWS CLI - start-policy-generation
  14. 2. AWS CLI - get-generated-policy
  15. 2. AWS CLI - get-generated-policy
  16. 2. AWS CLI - get-generated-policy
  17. 2. AWS CLI - get-generated-policy (JSON )
  18. 2. AWS CLI - get-generated-policy (JSON ) jq &
  19. 2. AWS CLI - get-generated-policy (JSON ) jq & : ReadOnly s3:PutObject s3:PutObject
  20. 2. AWS CLI - get-generated-policy (JSON ) jq & : ReadOnly s3:PutObject s3:PutObject
  21. 2. AWS CLI - get-generated-policy (JSON ) jq & : ReadOnly s3:PutObject s3:PutObject aws iam create-policy aws iam attach-role-policy
  22. 3. IAM Access Analyzer CloudTrail AWS CLI # CloudTrail IAM IAM Access Analyzer AWS CLI https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/
  23. #jawsug_asa