Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History
Search
Kazuki Numazawa
August 02, 2019
Technology
2
1.2k
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History
2019/08/02 インフラ・ネットワークエンジニア勉強会 Vol.1
https://istyle.connpass.com/event/133989/
にて、LT発表した資料。
Kazuki Numazawa
August 02, 2019
Tweet
Share
More Decks by Kazuki Numazawa
See All by Kazuki Numazawa
AWS account and user management design in asken
numasawa
2
750
日本からでも楽しめる!re:Inventの楽しみ方 / re:Invent 2018 from Japan
numasawa
1
170
英語?なにそれおいしいの?人向けre:Inventを楽しむ方法 / re:Invent 2018 Standby
numasawa
0
880
Utilization of data of RDS aurora
numasawa
0
52
reinvent ultra quiz champion
numasawa
0
540
AWS導入事例と失敗談
numasawa
1
520
Other Decks in Technology
See All in Technology
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
3
2.1k
0→1開発における技術選定において一番大切なこと
bicstone
1
320
転移学習とドメイン適応の基礎
kmatsui
2
570
Signals Unleashed: The Full Guide
rainerhahnekamp
0
360
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
110
2024/4/26 コンピュータ歴史博物館解説告知
toshi_atsumi
0
200
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
690
社内勉強会運営のコツ
senoo
6
1.1k
なぜ NOT A HOTEL が Web3 に取り組むのか - NOT A HOTEL TECH TALK
ynunokawa
0
160
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
150
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
1
190
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
60
17k
Featured
See All Featured
Designing for Performance
lara
602
67k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
How to Ace a Technical Interview
jacobian
272
22k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
Debugging Ruby Performance
tmm1
70
11k
Infographics Made Easy
chrislema
237
18k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
The Language of Interfaces
destraynor
151
23k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
Done Done
chrislema
178
15k
The Invisible Side of Design
smashingmag
294
49k
Transcript
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE mediba ʹ͓͚Δ IAM Ϣʔβཧͷྺ࢙ ΠϯϑϥɾωοτϫʔΫΤϯδχΞษڧձ Vol.1
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣗݾհ ໊લ: প Ұथ ॴଐ: ɹגࣜձࣾmediba ΠϯϑϥετϥΫνϟʔ෦ ͬͯΔ͜ͱ: ɹओʹ
AWS ΛͬͨγεςϜΠϯϑϥͷઃܭɾߏஙɾӡ༻ AWS ྺ: 7 ɹ2016 AWS ϧτϥΫΠζνϟϯϐΦϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ גࣜձࣾmediba ۀ༰: KDDI גࣜձࣾͷ au εϚʔτύεΛத৺ͱͨ͠ au ؔ࿈αʔϏεӡӦ
ͷଞɺࠃ֎ʹͯΧϧνϟʔɾήʔϜɾࢠҭͯɺ෯͍Ͱαʔ ϏεΛల։͠ɺϢʔβʔ͕ΠϯλʔωοτΛ௨ͯ͡ඞཁͳ࣌ʹඞཁͳ ใʹΞΫηεͰ͖Δڥͮ͘ΓͷͨΊͷαʔϏεΛఏڙ͍ͯ͠· ͢ɻ ※auεϚʔτύε KDDI גࣜձࣾͷඪ·ͨొඪͰ͢ɻ https://www.mediba.jp/company/info.html ΑΓൈਮ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ؆୯ʹݴ͏ͱɺ • au ؔ࿈αʔϏεͬͯ·͢ • au ֎ͷαʔϏεॾʑͬͯ·͢ ͜ΕΒΛ௨ͯ͡
ʮώτʹ“HAPPY”Λʯಧ͚Δͷ͕ զʑͷϛογϣϯͰ͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ѻ͍ͬͯΔ au ؔ࿈αʔϏε(Ұ෦) • au Web ϙʔλϧ (
https://auone.jp/ ) • au Web ϙʔλϧͷχϡʔε໘ ( https://article.auone.jp/ ) • au ఱؾ ( https://tenki.auone.jp/ ) • ϙΠϯτஷΊΔ ( https://enjoy.point.auone.jp/ ) • au εϚʔτύεͷҰ෦ίϯςϯπ • ձһಛయɺΞϓϦऔΓ์ɺೖୀձɺetc…
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ຊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ظ] (2013ʙ2015ࠒ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • mediba ʹ͓͚Δ AWS ར༻ 2013ࠒ͔Β • ϒϩάͷձࣾܦ༝Ͱ
AWS ΞΧϯτΛൃߦ ͯ͠ར༻ • ͳͷͰɺ͕͢͞ʹʮroot ϢʔβΛར༻͢Δʯͱ ͍͏ΞϯνύλʔϯதͷΞϯνύλʔϯঢ়ଶ ආ͚ΒΕ͍ͯͨ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͪͳΈʹલ৬ͰͬͯͨYOʂ(খ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • ࠷ॳͷࠒɺ·ͩ • ΞΧϯτݸఔ • ར༻ऀਓఔ • ͦͷ࣌ͷ
IAM Ϣʔβ • ֤ AWS ΞΧϯτͦΕͧΕʹ ݸਓ༻ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సػ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] ࣌2015 ؾ͚ΞΧϯτ͕େྔʹ → ࣗવͱ IAM Ϣʔβେʹ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE Why ?
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • AWS Λར༻ͨ͠ϓϩμΫτ͕૿͑Δͨͼʹ3ͭ ͣͭΞΧϯτ͕૿͑Δঢ়ଶ • 2015ࠒʹ40͍ۙΞΧϯτ͕͋ͬͨͱ͔ͳ ͔ͬͨͱ͔
• ΞΧϯτ͝ͱʹ IAM ϢʔβΛ࡞ɾཧ͢Δ ͷਖ਼͖ͭ͘ͳ͖ͬͯͨ • ར༻ऀଆɺϩάΠϯɾϩάΞτΛ܁Γ ฦ͢ͷ͕͠ΜͲ͔ͬͨͱࢥ͏
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • ͍ͭͰʹɺ͜ͷࠒ͔ΒηΩϡϦςΟ໘͕ؾʹͳ Γͩ͢ • ͜͜·ͰɺID/ύεϫʔυ ͷΈͰϩάΠϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సظ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • IAM Ϣʔβͷཧ͕ࡶ • IAM ϢʔβͷηΩϡϦςΟ໘͕ؾʹͳΔ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͜ͷ2ͭΛಉ࣌ʹղܾ͢ΔͨΊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ʮ౿Έ AWS ΞΧϯτํࣜʯ Λ࠾༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • Πϝʔδ౿Έαʔόͱಉ͡ • ֤ϓϩμΫτͷ֤ڥͷೖΓޱͱ͚ͯͩ͠ͷ AWS ΞΧϯτΛ༻ҙ •
ೖΓޱ͕1ͭʹͳΔͷͰɺ͜͜ͷ CloudTrail Λ ༗ޮԽͯ͠ɺϩάΠϯهΛอଘɺࢹ • ౿Έ্ͷ IAM Ϣʔβͷ MFA ઃఆΛඞਢͱ͢ Δ͜ͱͰηΩϡϦςΟΛ্
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ख़ظ] (2016ʙݱࡏ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͔͜͜Βɺ࣮ࡍʹͲ͏͍͏ ઃఆʹͳ͍ͬͯΔ͔Λ͝հ͠·͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ֤ϓϩμΫτͷ֤ڥͷ AWS ΞΧϯτଆ (࣮ڥ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ৽ن AWS ΞΧϯτൃߦޙɺ࠷ॳʹ ΫϩεΞΧϯτΞΫηε༻ͷ IAM ϩʔϧΛ༻ҙ •
͜ͷ IAM ϩʔϧʹɺ౿ΈΞΧϯτ͔Βͷ ར༻ڐՄΛઃఆ • ʮMFA ඞਢʯΛ݅ʹઃఆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • IAM ϩʔϧେ·͔ʹҎԼͷछྨͷͷΛ༻ҙ • ཧऀ༻ • Administrator •
ਖ਼ࣾһ༻ • IAM ͷҰ෦ݖݶҎ֎શͯڐՄ • (ਖ਼ࣾһҎ֎ͷ)։ൃऀ༻ • ୲͍ͯ͠ΔϓϩμΫτͰར༻͢ΔαʔϏεͷݖݶͷΈڐՄ • ReadOnly ༻ • ROMઐ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ ͪͳΈʹɺ సظʹ͜ͷΛಋೖͨ͠ࡍɺͦͷ࣌ଘࡏ͍ͯͨ͠ AWSΞΧϯτશͯʹલड़ͷϩʔϧΛ࡞ɻ ͦͷޙɺ౿Έ AWS ΞΧϯτʹݸਓ༻ IAM Ϣʔβͷ
࡞ͱεΠον֬ೝ͕औΕͨஈ֊Ͱɺ࣮ڥଆͷݸਓ༻ IAM ϢʔβΛશͯআͨ͠ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ͜ΕҎ߱ɺIAM Ϣʔβͷ࡞Λݪଇېࢭ • IAM ϩʔϧͷར༻Λܒɾਪਐ • ͨͩ͠ɺͨ·ʔʹΞΫηεΩʔ/γʔΫϨοτΞΫηε
ΩʔͰ͔͠ରԠͰ͖ͳ͍ύςΟʔϯ͕͋Δ • ͜ͷ߹૬ஊͷ্Ͱɺྫ֎తʹ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ AWS ΞΧϯτଆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ݸਓ༻ͷ IAM Ϣʔβ͜͜ʹ͔͠࡞Βͳ͍ • IAM Ϣʔβʹ MFA
Λઃఆ • ཧऀܥͷ IAM ϢʔβҎ֎ɺҎԼͷݖݶͷΈ༩ • εΠον͢ΔͨΊͷݖݶ (sts:AssumeRole) • ࣗͷ MFA ઃఆΛ͢Δݖݶ • ࣗͷύεϫʔυΛઃఆ͢Δݖݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • MFA ͷઃఆΛ͍ͯ͠ͳͯ͘౿ΈͷϩάΠϯ Ͱ͖ͯ͠·͏ • લड़ͷʮMFA ඞਢʯͷ͕݅ΫϩεΞΧϯτ༻ͷ ϩʔϧʹ͍͍ͯΔ
• ͜ͷ݅ͰɺMFA ະઃఆऀͷεΠονΛ੍ • ͜ΕʹΑΓɺMFA ͕ઃఆ͞Εͳ͍··ͷར༻Λ͙
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ਖ਼ࣾһҎ֎ͷ IAM Ϣʔβ Source IP Ͱͷૢ࡞੍ݶ ༩
• AWS ίϯιʔϧͷΞΫηεΛ੍ݶͰ͖ͳ͍ͷ Ͱɺ౿ΈͷϩάΠϯͲ͔͜ΒͰͰ͖Δ • ͨͩɺਖ਼ࣾһҎ֎ɺΦϑΟε֎Ͱͷར༻Λఆ ͍ͯ͠ͳ͍ • ͦͷҝͷ Source IP ʹΑΔૢ࡞੍ݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһ • ձ͔ࣾΒۀ༻ͱͯ͠ εϚʔτϑΥϯΛࢧڅ͞Ε͍ͯΔ • ͦͷۀʹ
MFA ༻ͷΞϓϦ (mediba Ͱ Authy ͷར༻Λਪ)Λ Πϯετʔϧͯ͠ར༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһҎ֎ • Χʔυܕͷཧ MFA σόΠεΛར༻ •
ਖ਼ࣾһಉ༷ɺձࣾཧͷσόΠεʹඥ͚͔ͨͬ ͨͨΊɺձࣾͰΧʔυΛ༻ҙ • ཧऀଆͰMFA Λઃఆͯ͠ΧʔυΛି༩
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ݱࡏ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ݱࡏ] ݱࡏ͜Ε·Ͱઆ໌ͨ͠ঢ়ଶͰӡ༻ AWS ΞΧϯτ80ఔ ·͊ಛʹେ͖ͳࢧোແ͍
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ະདྷ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ ͜ΕΒͷ͔Βɺ ΊΔํͰௐத
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • OS ΞΧϯτ IAM Ϣʔβ͚ͩͰཧ • Systems
Manager ͷ Session Manager Λར༻ • طʹ Session Manager ͚ͩͰ։ൃΛߦͬͯΒͬ ͍ͯΔϓϩμΫτ͋Δ • ࠓޙɺ৽نʹߏங͢ΔϓϩμΫτͰجຊతʹ Session Manager Λ࠾༻͍ͯ͘͠
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷϝϦοτ • SSH ͷ͚݀͋ෆཁ
• ౿Έαʔόෆཁ • Private Subnet ʹ͋ͬͯར༻Մೳ • ૢ࡞ϩάΛ S3 ͱ CloudWatch Logs ʹग़ྗՄೳ • IAM ϙϦγʔͰ EC2 ΠϯελϯεͷΞΫηε੍ݶՄೳ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ ݱ࣌Ͱɺ͜ΕΒͷ σϝϦοτ͕ϋʔυϧʹ ͳΔ͜ͱͳ͍ͨΊɺ ՄೳͳݶΓ࠾༻͍ͯ͘͠