Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CloudTrail の証跡から IAM ポリシーを生成する IAM Access Analyzer の機能を AWS CLI から使ってみた話 /jawsug-asa-20-lt

Yoshihiro ITO
April 22, 2021
Technology
0
1.5k

CloudTrail の証跡から IAM ポリシーを生成する IAM Access Analyzer の機能を AWS CLI から使ってみた話 /jawsug-asa-20-lt

JAWS UG 朝会 #20 の LT 資料です。
https://jawsug-asa.connpass.com/event/208498/

スライドの詳細
CloudTrail の証跡から IAM ポリシーを作成する IAM Access Analyzer の新機能を AWS CLI で試す - michimani.net
https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

Yoshihiro ITO

April 22, 2021
Tweet

More Decks by Yoshihiro ITO

See All by Yoshihiro ITO
AWS CLI のエイリアス機能はいいぞ /jawsug-bgnr-48-lt
michimani
1
1k
URL 正規化処理を Lambda@Edge から CloudFront Functions に移行した話 /jawsug-asa-21-session
michimani
2
1.5k
AWS CDK で文字起こし + 翻訳パイプラインを作ってみた /jawsug-bgnr-26-lt
michimani
1
2.5k

Other Decks in Technology

See All in Technology
[2024最新版]AWS Control Towerを使ったセキュアなマルチアカウント環境の作り方
hiashisan
0
270
初中級者用如何使用backlog -VALE TUDOEDITION-
in0u
0
140
ABEMAにおけるLLMを用いたコンテンツベース推薦システム導入と効果検証
cyberagentdevelopers
PRO
1
700
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
180
VPoEの視点から見た、ヘンリーがサーバーサイドKotlinを使う理由 / Why Server-side Kotlin 2024
cho0o0
1
420
CEL(Common Expression Language)で書いた条件にマッチしたIAM Policyを見つける / iam-policy-finder
fujiwara3
0
710
サービスの持続的な成長と技術負債について
siva_official
PRO
10
4.4k
How to Think Like a Performance Engineer
csswizardry
4
590
公共領域から学ぶ クラウド移行についてエンジニアが意識していること
kawakawa2222
0
140
データベース研修 分析向けSQL入門【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
110
Amazon FSx for NetApp ONTAPのパフォーマンスチューニング要素をまとめてみた #cm_odyssey #devio2024
non97
0
220
可視化プラットフォームGrafanaの基本と活用方法の全て
hamadakoji
0
230

Featured

See All Featured
Unsuck your backbone
ammeep
666
57k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
12
3.8k
Building Your Own Lightsaber
phodgson
101
5.9k
5 minutes of I Can Smell Your CMS
philhawksworth
200
19k
Optimising Largest Contentful Paint
csswizardry
18
2.6k
Large-scale JavaScript Application Architecture
addyosmani
506
110k
Why Our Code Smells
bkeepers
PRO
332
56k
Web Components: a chance to create the future
zenorocha
307
41k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
How GitHub (no longer) Works
holman
305
140k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
18
1.2k
Six Lessons from altMBA
skipperchong
24
3.2k

Transcript

  1. 2021.04.22 @michimani210 CloudTrail IAM IAM Access Analyzer AWS CLI [JAWS-UG

    #20] #jawsug_asa

  2. # # AWS AWS CLI AWS Certificate Manager # :

    https://michimani.net / Yoshihiro Ito @michimani210

  3. 1. IAM Access Analyzer 2. AWS CLI 3. IAM Access

    Analyzer CloudTrail

  4. 1. IAM Access Analyzer CloudTrail IAM IAM 90 ( )

    IAM JSON 
 IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity https://aws.amazon.com/about-aws/whats-new/2021/04/iam-access-analyzer-easier-implement-least-privilege-permissions-generating-iam-policies-access-activity

  5. 2. AWS CLI IAM Access Analyzer aws accessanalyzer ・cancel-policy-generation ・get-generated-policy

    ・list-policy-generations ・start-policy-generation v1 1.19.47 v2 2.1.36 (2021/04/22 07:40 JST) 1.19.55 2.1.39

  6. 2. AWS CLI - start-policy-generation start-policy-generation CloudTrail ARN IAM IAM

    ARN

  7. 2. AWS CLI - start-policy-generation 1: IAM ( ) ARN

    AWS CLI ARN

  8. 2. AWS CLI - start-policy-generation 2: JSON

  9. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN

  10. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN (

    90 ) endTime

  11. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN CloudTrail

    ARN ( 90 ) endTime

  12. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN CloudTrail

    ARN ( 90 ) endTime

  13. 2. AWS CLI - start-policy-generation

  14. 2. AWS CLI - get-generated-policy

  15. 2. AWS CLI - get-generated-policy

  16. 2. AWS CLI - get-generated-policy

  17. 2. AWS CLI - get-generated-policy (JSON )

  18. 2. AWS CLI - get-generated-policy (JSON ) jq &

  19. 2. AWS CLI - get-generated-policy (JSON ) jq & :

    ReadOnly s3:PutObject s3:PutObject

  20. 2. AWS CLI - get-generated-policy (JSON ) jq & :

    ReadOnly s3:PutObject s3:PutObject

  21. 2. AWS CLI - get-generated-policy (JSON ) jq & :

    ReadOnly s3:PutObject s3:PutObject aws iam create-policy aws iam attach-role-policy

  22. 3. IAM Access Analyzer CloudTrail AWS CLI # CloudTrail IAM

    IAM Access Analyzer AWS CLI https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

  23. #jawsug_asa