Trying the IAM Access Analyzer feature that generates IAM policies from CloudTrail trails via the AWS CLI /jawsug-asa-20-lt

Lightning-talk slides for JAWS-UG Morning Meetup #20.
https://jawsug-asa.connpass.com/event/208498/

Slide details
Trying out the new IAM Access Analyzer feature that creates IAM policies from CloudTrail trails with the AWS CLI - michimani.net
https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

YoshihiroITO

April 22, 2021
Transcript

  1. 2021.04.22
    @michimani210
    CloudTrail IAM
    IAM Access Analyzer
    AWS CLI
    [JAWS-UG #20]
    #jawsug_asa

  2. #
    # AWS
    AWS CLI
    AWS Certificate Manager
    #
    : https://michimani.net
    / Yoshihiro Ito
    @michimani210

  3. 1. IAM Access Analyzer
    2. AWS CLI
    3.
    IAM Access Analyzer
    CloudTrail

  4. 1. IAM Access Analyzer
    CloudTrail IAM
    IAM
    90
    ( )
    IAM JSON

    IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity
    https://aws.amazon.com/about-aws/whats-new/2021/04/iam-access-analyzer-easier-implement-least-privilege-permissions-generating-iam-policies-access-activity

  5. 2. AWS CLI
    IAM Access Analyzer
    aws accessanalyzer
    ・cancel-policy-generation
    ・get-generated-policy
    ・list-policy-generations
    ・start-policy-generation

    v1 1.19.47 v2 2.1.36
    (2021/04/22 07:40 JST) 1.19.55 2.1.39

  6. 2. AWS CLI - start-policy-generation
    start-policy-generation
    CloudTrail ARN
    IAM IAM ARN

  7. 2. AWS CLI - start-policy-generation
    1: IAM ( ) ARN
    AWS CLI ARN

  8. 2. AWS CLI - start-policy-generation
    2: JSON

  9. 2. AWS CLI - start-policy-generation
    2: JSON
    IAM ARN

  10. 2. AWS CLI - start-policy-generation
    2: JSON
    IAM ARN
    ( 90 )
    endTime

  11. 2. AWS CLI - start-policy-generation
    2: JSON
    IAM ARN
    CloudTrail ARN
    ( 90 )
    endTime

  12. 2. AWS CLI - start-policy-generation
    2: JSON
    IAM ARN
    CloudTrail ARN
    ( 90 )
    endTime

  13. 2. AWS CLI - start-policy-generation

  14. 2. AWS CLI - get-generated-policy

  15. 2. AWS CLI - get-generated-policy

  16. 2. AWS CLI - get-generated-policy

  17. 2. AWS CLI - get-generated-policy
    (JSON )

  18. 2. AWS CLI - get-generated-policy
    (JSON )
    jq
    &

  19. 2. AWS CLI - get-generated-policy
    (JSON )
    jq
    &
    : ReadOnly s3:PutObject
    s3:PutObject

  20. 2. AWS CLI - get-generated-policy
    (JSON )
    jq
    &
    : ReadOnly s3:PutObject
    s3:PutObject

  21. 2. AWS CLI - get-generated-policy
    (JSON )
    jq
    &
    : ReadOnly s3:PutObject
    s3:PutObject
    aws iam create-policy
    aws iam attach-role-policy

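
As an added example (not code from the deck or from michimani.net), the two ends of the workflow the slides walk through, in Python with only the standard library: building the cli-input-json document for start-policy-generation from the principal ARN, the CloudTrail ARN and a lookback window capped at 90 days, then parsing a constructed get-generated-policy response to list the allowed actions and flag the non-read ones, in the spirit of the deck's ReadOnly / s3:PutObject example. The API field names, the ARNs and the read-only prefix heuristic are assumptions made here.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK_DAYS = 90  # the deck notes a 90-day limit on the CloudTrail window
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")  # assumed heuristic, not an AWS definition
SAMPLE_END_TIME = datetime(2021, 4, 22, tzinfo=timezone.utc)  # constructed sample value


def build_start_request(principal_arn, trail_arn, access_role_arn, end_time, days=MAX_LOOKBACK_DAYS):
    """Build the --cli-input-json document for `aws accessanalyzer start-policy-generation`.
    Field names follow the StartPolicyGeneration API (assumed); the 90-day cap is checked first."""
    if not 0 < days <= MAX_LOOKBACK_DAYS:
        raise ValueError(f"CloudTrail window must be 1..{MAX_LOOKBACK_DAYS} days, got {days}")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "policyGenerationDetails": {"principalArn": principal_arn},
        "cloudTrailDetails": {
            "trails": [{"cloudTrailArn": trail_arn, "allRegions": True}],
            "accessRole": access_role_arn,  # role Access Analyzer assumes to read the trail
            "startTime": (end_time - timedelta(days=days)).strftime(fmt),
            "endTime": end_time.strftime(fmt),
        },
    }


def extract_actions(response):
    """Collect allowed actions from a get-generated-policy response; each generated
    policy document is a JSON string inside generatedPolicyResult.generatedPolicies."""
    actions = set()
    for generated in response["generatedPolicyResult"]["generatedPolicies"]:
        for stmt in json.loads(generated["policy"])["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return sorted(actions)


def non_read_actions(actions):
    """Actions outside the read-only prefixes (e.g. s3:PutObject) to review before attach-role-policy."""
    return [a for a in actions if not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]


# Constructed sample shaped like get-generated-policy output; not real CLI output.
SAMPLE_RESPONSE = {
    "jobDetails": {"jobId": "00000000-0000-0000-0000-000000000000", "status": "SUCCEEDED"},
    "generatedPolicyResult": {"generatedPolicies": [{"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"},
        ]})}]},
}
```

Feed the dict from build_start_request to `--cli-input-json`, and run extract_actions on the parsed output of get-generated-policy in place of the jq step before deciding what to pass to create-policy.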
  22. 3.
    IAM Access Analyzer
    CloudTrail
    AWS CLI
    #
    CloudTrail IAM IAM Access Analyzer AWS CLI
    https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

  23. #jawsug_asa
