Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba...
Search
Kazuki Numazawa
August 02, 2019
Technology
2
1.3k
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History
2019/08/02 インフラ・ネットワークエンジニア勉強会 Vol.1
https://istyle.connpass.com/event/133989/
にて、LT発表した資料。
Kazuki Numazawa
August 02, 2019
Tweet
Share
More Decks by Kazuki Numazawa
See All by Kazuki Numazawa
システムのログは保存したか?で、その後どうする?システムのログ保存先とコスト最適化について
numasawa
2
400
AWS account and user management design in asken
numasawa
2
920
日本からでも楽しめる!re:Inventの楽しみ方 / re:Invent 2018 from Japan
numasawa
1
200
英語?なにそれおいしいの?人向けre:Inventを楽しむ方法 / re:Invent 2018 Standby
numasawa
0
930
Utilization of data of RDS aurora
numasawa
0
67
reinvent ultra quiz champion
numasawa
0
570
AWS導入事例と失敗談
numasawa
1
570
Other Decks in Technology
See All in Technology
Reading Code Is Harder Than Writing It
trishagee
2
120
RayでPHPのデバッグをちょっと快適にする
muno92
PRO
0
140
Exadata Database Service on Cloud@Customer セキュリティ、ネットワーク、および管理について
oracle4engineer
PRO
2
1.5k
クラウドサービス事業者におけるOSS
tagomoris
3
980
Potential EM 制度を始めた理由、そして2年後にやめた理由 - EMConf JP 2025
hoyo
2
1.7k
PHPカンファレンス名古屋-テックリードの経験から学んだ設計の教訓
hayatokudou
2
530
php-conference-nagoya-2025
fuwasegu
0
140
スキルだけでは満たせない、 “組織全体に”なじむオンボーディング/Onboarding that fits “throughout the organization” and cannot be satisfied by skills alone
bitkey
0
140
(機械学習システムでも) SLO から始める信頼性構築 - ゆる SRE#9 2025/02/21
daigo0927
0
240
【詳説】コンテンツ配信 システムの複数機能 基盤への拡張
hatena
0
190
CDKのコードを書く環境を作りました with Amazon Q
nobuhitomorioka
1
150
短縮URLをお手軽に導入しよう
nakasho
0
140
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.6k
The Cult of Friendly URLs
andyhume
78
6.2k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Become a Pro
speakerdeck
PRO
26
5.2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
366
25k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
570
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.4k
The Cost Of JavaScript in 2023
addyosmani
47
7.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Visualization
eitanlees
146
15k
Automating Front-end Workflow
addyosmani
1368
200k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
Transcript
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE mediba ʹ͓͚Δ IAM Ϣʔβཧͷྺ࢙ ΠϯϑϥɾωοτϫʔΫΤϯδχΞษڧձ Vol.1
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣗݾհ ໊લ: প Ұथ ॴଐ: ɹגࣜձࣾmediba ΠϯϑϥετϥΫνϟʔ෦ ͬͯΔ͜ͱ: ɹओʹ
AWS ΛͬͨγεςϜΠϯϑϥͷઃܭɾߏஙɾӡ༻ AWS ྺ: 7 ɹ2016 AWS ϧτϥΫΠζνϟϯϐΦϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ גࣜձࣾmediba ۀ༰: KDDI גࣜձࣾͷ au εϚʔτύεΛத৺ͱͨ͠ au ؔ࿈αʔϏεӡӦ
ͷଞɺࠃ֎ʹͯΧϧνϟʔɾήʔϜɾࢠҭͯɺ෯͍Ͱαʔ ϏεΛల։͠ɺϢʔβʔ͕ΠϯλʔωοτΛ௨ͯ͡ඞཁͳ࣌ʹඞཁͳ ใʹΞΫηεͰ͖Δڥͮ͘ΓͷͨΊͷαʔϏεΛఏڙ͍ͯ͠· ͢ɻ ※auεϚʔτύε KDDI גࣜձࣾͷඪ·ͨొඪͰ͢ɻ https://www.mediba.jp/company/info.html ΑΓൈਮ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ؆୯ʹݴ͏ͱɺ • au ؔ࿈αʔϏεͬͯ·͢ • au ֎ͷαʔϏεॾʑͬͯ·͢ ͜ΕΒΛ௨ͯ͡
ʮώτʹ“HAPPY”Λʯಧ͚Δͷ͕ զʑͷϛογϣϯͰ͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ѻ͍ͬͯΔ au ؔ࿈αʔϏε(Ұ෦) • au Web ϙʔλϧ (
https://auone.jp/ ) • au Web ϙʔλϧͷχϡʔε໘ ( https://article.auone.jp/ ) • au ఱؾ ( https://tenki.auone.jp/ ) • ϙΠϯτஷΊΔ ( https://enjoy.point.auone.jp/ ) • au εϚʔτύεͷҰ෦ίϯςϯπ • ձһಛయɺΞϓϦऔΓ์ɺೖୀձɺetc…
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ຊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ظ] (2013ʙ2015ࠒ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • mediba ʹ͓͚Δ AWS ར༻ 2013ࠒ͔Β • ϒϩάͷձࣾܦ༝Ͱ
AWS ΞΧϯτΛൃߦ ͯ͠ར༻ • ͳͷͰɺ͕͢͞ʹʮroot ϢʔβΛར༻͢Δʯͱ ͍͏ΞϯνύλʔϯதͷΞϯνύλʔϯঢ়ଶ ආ͚ΒΕ͍ͯͨ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͪͳΈʹલ৬ͰͬͯͨYOʂ(খ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • ࠷ॳͷࠒɺ·ͩ • ΞΧϯτݸఔ • ར༻ऀਓఔ • ͦͷ࣌ͷ
IAM Ϣʔβ • ֤ AWS ΞΧϯτͦΕͧΕʹ ݸਓ༻ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సػ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] ࣌2015 ؾ͚ΞΧϯτ͕େྔʹ → ࣗવͱ IAM Ϣʔβେʹ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE Why ?
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • AWS Λར༻ͨ͠ϓϩμΫτ͕૿͑Δͨͼʹ3ͭ ͣͭΞΧϯτ͕૿͑Δঢ়ଶ • 2015ࠒʹ40͍ۙΞΧϯτ͕͋ͬͨͱ͔ͳ ͔ͬͨͱ͔
• ΞΧϯτ͝ͱʹ IAM ϢʔβΛ࡞ɾཧ͢Δ ͷਖ਼͖ͭ͘ͳ͖ͬͯͨ • ར༻ऀଆɺϩάΠϯɾϩάΞτΛ܁Γ ฦ͢ͷ͕͠ΜͲ͔ͬͨͱࢥ͏
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • ͍ͭͰʹɺ͜ͷࠒ͔ΒηΩϡϦςΟ໘͕ؾʹͳ Γͩ͢ • ͜͜·ͰɺID/ύεϫʔυ ͷΈͰϩάΠϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సظ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • IAM Ϣʔβͷཧ͕ࡶ • IAM ϢʔβͷηΩϡϦςΟ໘͕ؾʹͳΔ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͜ͷ2ͭΛಉ࣌ʹղܾ͢ΔͨΊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ʮ౿Έ AWS ΞΧϯτํࣜʯ Λ࠾༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • Πϝʔδ౿Έαʔόͱಉ͡ • ֤ϓϩμΫτͷ֤ڥͷೖΓޱͱ͚ͯͩ͠ͷ AWS ΞΧϯτΛ༻ҙ •
ೖΓޱ͕1ͭʹͳΔͷͰɺ͜͜ͷ CloudTrail Λ ༗ޮԽͯ͠ɺϩάΠϯهΛอଘɺࢹ • ౿Έ্ͷ IAM Ϣʔβͷ MFA ઃఆΛඞਢͱ͢ Δ͜ͱͰηΩϡϦςΟΛ্
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ख़ظ] (2016ʙݱࡏ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͔͜͜Βɺ࣮ࡍʹͲ͏͍͏ ઃఆʹͳ͍ͬͯΔ͔Λ͝հ͠·͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ֤ϓϩμΫτͷ֤ڥͷ AWS ΞΧϯτଆ (࣮ڥ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ৽ن AWS ΞΧϯτൃߦޙɺ࠷ॳʹ ΫϩεΞΧϯτΞΫηε༻ͷ IAM ϩʔϧΛ༻ҙ •
͜ͷ IAM ϩʔϧʹɺ౿ΈΞΧϯτ͔Βͷ ར༻ڐՄΛઃఆ • ʮMFA ඞਢʯΛ݅ʹઃఆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • IAM ϩʔϧେ·͔ʹҎԼͷछྨͷͷΛ༻ҙ • ཧऀ༻ • Administrator •
ਖ਼ࣾһ༻ • IAM ͷҰ෦ݖݶҎ֎શͯڐՄ • (ਖ਼ࣾһҎ֎ͷ)։ൃऀ༻ • ୲͍ͯ͠ΔϓϩμΫτͰར༻͢ΔαʔϏεͷݖݶͷΈڐՄ • ReadOnly ༻ • ROMઐ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ ͪͳΈʹɺ సظʹ͜ͷΛಋೖͨ͠ࡍɺͦͷ࣌ଘࡏ͍ͯͨ͠ AWSΞΧϯτશͯʹલड़ͷϩʔϧΛ࡞ɻ ͦͷޙɺ౿Έ AWS ΞΧϯτʹݸਓ༻ IAM Ϣʔβͷ
࡞ͱεΠον֬ೝ͕औΕͨஈ֊Ͱɺ࣮ڥଆͷݸਓ༻ IAM ϢʔβΛશͯআͨ͠ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ͜ΕҎ߱ɺIAM Ϣʔβͷ࡞Λݪଇېࢭ • IAM ϩʔϧͷར༻Λܒɾਪਐ • ͨͩ͠ɺͨ·ʔʹΞΫηεΩʔ/γʔΫϨοτΞΫηε
ΩʔͰ͔͠ରԠͰ͖ͳ͍ύςΟʔϯ͕͋Δ • ͜ͷ߹૬ஊͷ্Ͱɺྫ֎తʹ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ AWS ΞΧϯτଆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ݸਓ༻ͷ IAM Ϣʔβ͜͜ʹ͔͠࡞Βͳ͍ • IAM Ϣʔβʹ MFA
Λઃఆ • ཧऀܥͷ IAM ϢʔβҎ֎ɺҎԼͷݖݶͷΈ༩ • εΠον͢ΔͨΊͷݖݶ (sts:AssumeRole) • ࣗͷ MFA ઃఆΛ͢Δݖݶ • ࣗͷύεϫʔυΛઃఆ͢Δݖݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • MFA ͷઃఆΛ͍ͯ͠ͳͯ͘౿ΈͷϩάΠϯ Ͱ͖ͯ͠·͏ • લड़ͷʮMFA ඞਢʯͷ͕݅ΫϩεΞΧϯτ༻ͷ ϩʔϧʹ͍͍ͯΔ
• ͜ͷ݅ͰɺMFA ະઃఆऀͷεΠονΛ੍ • ͜ΕʹΑΓɺMFA ͕ઃఆ͞Εͳ͍··ͷར༻Λ͙
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ਖ਼ࣾһҎ֎ͷ IAM Ϣʔβ Source IP Ͱͷૢ࡞੍ݶ ༩
• AWS ίϯιʔϧͷΞΫηεΛ੍ݶͰ͖ͳ͍ͷ Ͱɺ౿ΈͷϩάΠϯͲ͔͜ΒͰͰ͖Δ • ͨͩɺਖ਼ࣾһҎ֎ɺΦϑΟε֎Ͱͷར༻Λఆ ͍ͯ͠ͳ͍ • ͦͷҝͷ Source IP ʹΑΔૢ࡞੍ݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһ • ձ͔ࣾΒۀ༻ͱͯ͠ εϚʔτϑΥϯΛࢧڅ͞Ε͍ͯΔ • ͦͷۀʹ
MFA ༻ͷΞϓϦ (mediba Ͱ Authy ͷར༻Λਪ)Λ Πϯετʔϧͯ͠ར༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһҎ֎ • Χʔυܕͷཧ MFA σόΠεΛར༻ •
ਖ਼ࣾһಉ༷ɺձࣾཧͷσόΠεʹඥ͚͔ͨͬ ͨͨΊɺձࣾͰΧʔυΛ༻ҙ • ཧऀଆͰMFA Λઃఆͯ͠ΧʔυΛି༩
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ݱࡏ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ݱࡏ] ݱࡏ͜Ε·Ͱઆ໌ͨ͠ঢ়ଶͰӡ༻ AWS ΞΧϯτ80ఔ ·͊ಛʹେ͖ͳࢧোແ͍
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ະདྷ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ ͜ΕΒͷ͔Βɺ ΊΔํͰௐத
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • OS ΞΧϯτ IAM Ϣʔβ͚ͩͰཧ • Systems
Manager ͷ Session Manager Λར༻ • طʹ Session Manager ͚ͩͰ։ൃΛߦͬͯΒͬ ͍ͯΔϓϩμΫτ͋Δ • ࠓޙɺ৽نʹߏங͢ΔϓϩμΫτͰجຊతʹ Session Manager Λ࠾༻͍ͯ͘͠
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷϝϦοτ • SSH ͷ͚݀͋ෆཁ
• ౿Έαʔόෆཁ • Private Subnet ʹ͋ͬͯར༻Մೳ • ૢ࡞ϩάΛ S3 ͱ CloudWatch Logs ʹग़ྗՄೳ • IAM ϙϦγʔͰ EC2 ΠϯελϯεͷΞΫηε੍ݶՄೳ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ ݱ࣌Ͱɺ͜ΕΒͷ σϝϦοτ͕ϋʔυϧʹ ͳΔ͜ͱͳ͍ͨΊɺ ՄೳͳݶΓ࠾༻͍ͯ͘͠