Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CloudTrail の証跡から IAM ポリシーを生成する IAM Access Analy...

Yoshihiro ITO
April 22, 2021
Technology
0
1.6k

CloudTrail の証跡から IAM ポリシーを生成する IAM Access Analyzer の機能を AWS CLI から使ってみた話 /jawsug-asa-20-lt

JAWS UG 朝会 #20 の LT 資料です。
https://jawsug-asa.connpass.com/event/208498/

スライドの詳細
CloudTrail の証跡から IAM ポリシーを作成する IAM Access Analyzer の新機能を AWS CLI で試す - michimani.net
https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

Yoshihiro ITO

April 22, 2021
Tweet

More Decks by Yoshihiro ITO

See All by Yoshihiro ITO
AWS CLI のエイリアス機能はいいぞ /jawsug-bgnr-48-lt
michimani
1
1.1k
URL 正規化処理を Lambda@Edge から CloudFront Functions に移行した話 /jawsug-asa-21-session
michimani
2
1.6k
AWS CDK で文字起こし + 翻訳パイプラインを作ってみた /jawsug-bgnr-26-lt
michimani
1
2.6k

Other Decks in Technology

See All in Technology
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
970
Mastering Quickfix
daisuzu
1
310
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
120
複雑なState管理からの脱却
sansantech
PRO
1
160
Chasing the White Whale of Open Source - ROI
mrbobbytables
0
110
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
Next.jsとNuxtが混在? iframeでなんとかする!
ypresto
2
490
組織成長を加速させるオンボーディングの取り組み
sudoakiy
3
260
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
120
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
410
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
190
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k

Featured

See All Featured
Thoughts on Productivity
jonyablonski
67
4.3k
Why Our Code Smells
bkeepers
PRO
334
57k
Designing for humans not robots
tammielis
250
25k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Speed Design
sergeychernyshev
25
620
Building an army of robots
kneath
302
43k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Automating Front-end Workflow
addyosmani
1366
200k
Bash Introduction
62gerente
608
210k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k

Transcript

  1. 2021.04.22 @michimani210 CloudTrail IAM IAM Access Analyzer AWS CLI [JAWS-UG

    #20] #jawsug_asa

  2. # # AWS AWS CLI AWS Certificate Manager # :

    https://michimani.net / Yoshihiro Ito @michimani210

  3. 1. IAM Access Analyzer 2. AWS CLI 3. IAM Access

    Analyzer CloudTrail

  4. 1. IAM Access Analyzer CloudTrail IAM IAM 90 ( )

    IAM JSON 
 IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity https://aws.amazon.com/about-aws/whats-new/2021/04/iam-access-analyzer-easier-implement-least-privilege-permissions-generating-iam-policies-access-activity

  5. 2. AWS CLI IAM Access Analyzer aws accessanalyzer ・cancel-policy-generation ・get-generated-policy

    ・list-policy-generations ・start-policy-generation v1 1.19.47 v2 2.1.36 (2021/04/22 07:40 JST) 1.19.55 2.1.39

  6. 2. AWS CLI - start-policy-generation start-policy-generation CloudTrail ARN IAM IAM

    ARN

  7. 2. AWS CLI - start-policy-generation 1: IAM ( ) ARN

    AWS CLI ARN

  8. 2. AWS CLI - start-policy-generation 2: JSON

  9. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN

  10. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN (

    90 ) endTime

  11. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN CloudTrail

    ARN ( 90 ) endTime

  12. 2. AWS CLI - start-policy-generation 2: JSON IAM ARN CloudTrail

    ARN ( 90 ) endTime

  13. 2. AWS CLI - start-policy-generation

  14. 2. AWS CLI - get-generated-policy

  15. 2. AWS CLI - get-generated-policy

  16. 2. AWS CLI - get-generated-policy

  17. 2. AWS CLI - get-generated-policy (JSON )

  18. 2. AWS CLI - get-generated-policy (JSON ) jq &

  19. 2. AWS CLI - get-generated-policy (JSON ) jq & :

    ReadOnly s3:PutObject s3:PutObject

  20. 2. AWS CLI - get-generated-policy (JSON ) jq & :

    ReadOnly s3:PutObject s3:PutObject

  21. 2. AWS CLI - get-generated-policy (JSON ) jq & :

    ReadOnly s3:PutObject s3:PutObject aws iam create-policy aws iam attach-role-policy

  22. 3. IAM Access Analyzer CloudTrail AWS CLI # CloudTrail IAM

    IAM Access Analyzer AWS CLI https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

  23. #jawsug_asa