medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE mediba ʹ͓͚Δ IAM Ϣʔβ؅ཧͷྺ࢙ ΠϯϑϥɾωοτϫʔΫΤϯδχΞษڧձ Vol.1

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣗݾ঺հ ໊લ: প୔ Ұथ ॴଐ: ɹגࣜձࣾmediba ΠϯϑϥετϥΫνϟʔ෦ ΍ͬͯΔ͜ͱ: ɹओʹ
AWS Λ࢖ͬͨγεςϜΠϯϑϥͷઃܭɾߏஙɾӡ༻ AWS ྺ: 7೥ ɹ2016೥ AWS ΢ϧτϥΫΠζνϟϯϐΦϯ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾ঺հ גࣜձࣾmediba ۀ຿಺༰: KDDI גࣜձࣾͷ au εϚʔτύεΛத৺ͱͨ͠ au ؔ࿈αʔϏεӡӦ
ͷଞɺࠃ಺֎ʹͯΧϧνϟʔɾήʔϜɾࢠҭͯ౳ɺ෯޿͍෼໺Ͱαʔ ϏεΛల։͠ɺϢʔβʔ͕ΠϯλʔωοτΛ௨ͯ͡ඞཁͳ࣌ʹඞཁͳ ৘ใʹΞΫηεͰ͖Δ؀ڥͮ͘ΓͷͨΊͷαʔϏεΛఏڙ͍ͯ͠· ͢ɻ ※auεϚʔτύε ͸KDDI גࣜձࣾͷ঎ඪ·ͨ͸ొ࿥঎ඪͰ͢ɻ https://www.mediba.jp/company/info.html ΑΓൈਮ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾ঺հ ؆୯ʹݴ͏ͱɺ • au ؔ࿈αʔϏε΍ͬͯ·͢ • au ֎ͷαʔϏε΋ॾʑ΍ͬͯ·͢ ͜ΕΒΛ௨ͯ͡
ʮώτʹ“HAPPY”Λʯಧ͚Δͷ͕ զʑͷϛογϣϯͰ͢ɻ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾ঺հ ѻ͍ͬͯΔ au ؔ࿈αʔϏε(Ұ෦) • au Web ϙʔλϧ (
https://auone.jp/ ) • au Web ϙʔλϧͷχϡʔε໘ ( https://article.auone.jp/ ) • au ఱؾ ( https://tenki.auone.jp/ ) • ϙΠϯτஷΊΔ ( https://enjoy.point.auone.jp/ ) • au εϚʔτύεͷҰ෦ίϯςϯπ • ձһಛయɺΞϓϦऔΓ์୊ɺೖୀձɺetc…

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ຊ୊

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [૲૑ظ] (2013೥ʙ2015೥ࠒ)

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβ؅ཧ[૲૑ظ] • mediba ʹ͓͚Δ AWS ར༻͸ 2013೥ࠒ͔Β • ๭ϒϩάͷձࣾܦ༝Ͱ
AWS ΞΧ΢ϯτΛൃߦ ͯ͠ར༻ • ͳͷͰɺ͕͢͞ʹʮroot ϢʔβΛར༻͢Δʯͱ ͍͏ΞϯνύλʔϯதͷΞϯνύλʔϯঢ়ଶ͸ ආ͚ΒΕ͍ͯͨ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͪͳΈʹલ৬Ͱ͸΍ͬͯͨYOʂ(খ੠)

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβ؅ཧ[૲૑ظ] • ࠷ॳͷࠒ͸ɺ·ͩ • ΞΧ΢ϯτ΋਺ݸఔ౓ • ར༻ऀ΋਺ਓఔ౓ • ͦͷ౰࣌ͷ
IAM Ϣʔβ • ֤ AWS ΞΧ΢ϯτͦΕͧΕʹ  ݸਓ༻ IAM ϢʔβΛ࡞੒

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβ؅ཧ[૲૑ظ]

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సػ] (2015೥)

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[సػ] ࣌͸2015೥ ؾ෇͚͹ΞΧ΢ϯτ਺͕େྔʹ → ࣗવͱ IAM Ϣʔβ਺΋๲େʹ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE Why ?

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[సػ] • AWS Λར༻ͨ͠ϓϩμΫτ͕૿͑Δͨͼʹ3ͭ ͣͭΞΧ΢ϯτ͕૿͑Δঢ়ଶ • 2015೥ࠒʹ͸40͍ۙΞΧ΢ϯτ͕͋ͬͨͱ͔ͳ ͔ͬͨͱ͔
• ΞΧ΢ϯτ͝ͱʹ IAM ϢʔβΛ࡞੒ɾ؅ཧ͢Δ ͷ͸ਖ਼௚͖ͭ͘ͳ͖ͬͯͨ • ར༻ऀଆ΋ɺ౎౓ϩάΠϯɾϩάΞ΢τΛ܁Γ ฦ͢ͷ͕͠ΜͲ͔ͬͨͱࢥ͏

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[సػ] • ͍ͭͰʹɺ͜ͷࠒ͔ΒηΩϡϦςΟ໘͕ؾʹͳ Γͩ͢ • ͜͜·Ͱ͸ɺID/ύεϫʔυ ͷΈͰϩάΠϯ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [స׵ظ] (2015೥)

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[స׵ظ] • IAM Ϣʔβͷ؅ཧ͕൥ࡶ • IAM ϢʔβͷηΩϡϦςΟ໘͕ؾʹͳΔ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͜ͷ2ͭΛಉ࣌ʹղܾ͢ΔͨΊ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ʮ౿Έ୆ AWS ΞΧ΢ϯτํࣜʯ Λ࠾༻

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[స׵ظ]

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[స׵ظ] • Πϝʔδ͸౿Έ୆αʔόͱಉ͡ • ֤ϓϩμΫτͷ֤؀ڥ΁ͷೖΓޱͱ͚ͯͩ͠ͷ AWS ΞΧ΢ϯτΛ༻ҙ •
ೖΓޱ͕1ͭʹͳΔͷͰɺ͜͜ͷ CloudTrail Λ ༗ޮԽͯ͠ɺϩάΠϯه࿥Λอଘɺ؂ࢹ • ౿Έ୆্ͷ IAM Ϣʔβͷ MFA ઃఆΛඞਢͱ͢ Δ͜ͱͰηΩϡϦςΟΛ޲্

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [੒ख़ظ] (2016೥ʙݱࡏ)

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͔͜͜Β͸ɺ࣮ࡍʹͲ͏͍͏ ઃఆʹͳ͍ͬͯΔ͔Λ͝঺հ͠·͢ɻ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ֤ϓϩμΫτͷ֤؀ڥͷ AWS ΞΧ΢ϯτଆ (࣮؀ڥ)

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮؀ڥଆ • ৽ن AWS ΞΧ΢ϯτൃߦޙɺ࠷ॳʹ  ΫϩεΞΧ΢ϯτΞΫηε༻ͷ IAM ϩʔϧΛ༻ҙ •
͜ͷ IAM ϩʔϧʹɺ౿Έ୆ΞΧ΢ϯτ͔Βͷ  ར༻ڐՄΛઃఆ • ʮMFA ඞਢʯΛ৚݅ʹઃఆ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮؀ڥଆ • IAM ϩʔϧ͸େ·͔ʹҎԼͷछྨͷ΋ͷΛ༻ҙ • ؅ཧऀ༻ • Administrator •
ਖ਼ࣾһ༻ • IAM ͷҰ෦ݖݶҎ֎͸શͯڐՄ • (ਖ਼ࣾһҎ֎ͷ)։ൃऀ༻ • ୲౰͍ͯ͠ΔϓϩμΫτͰར༻͢ΔαʔϏεͷݖݶͷΈڐՄ • ReadOnly ༻ • ROMઐ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮؀ڥଆ ͪͳΈʹɺ స׵ظʹ͜ͷ࢓૊Λಋೖͨ͠ࡍ͸ɺͦͷ౰࣌ଘࡏ͍ͯͨ͠ AWSΞΧ΢ϯτશͯʹલड़ͷϩʔϧΛ࡞੒ɻ ͦͷޙɺ౿Έ୆ AWS ΞΧ΢ϯτʹݸਓ༻ IAM Ϣʔβͷ
࡞੒ͱεΠον֬ೝ͕औΕͨஈ֊Ͱɺ࣮؀ڥଆͷݸਓ༻ IAM ϢʔβΛશͯ࡟আͨ͠ɻ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮؀ڥଆ • ͜ΕҎ߱ɺIAM Ϣʔβͷ࡞੒Λݪଇېࢭ • IAM ϩʔϧͷར༻Λܒ໤ɾਪਐ • ͨͩ͠ɺͨ·ʔʹΞΫηεΩʔ/γʔΫϨοτΞΫηε
ΩʔͰ͔͠ରԠͰ͖ͳ͍ύςΟʔϯ͕͋Δ • ͜ͷ৔߹͸૬ஊͷ্Ͱɺྫ֎తʹ IAM ϢʔβΛ࡞੒

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ୆ AWS ΞΧ΢ϯτଆ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ୆ଆ • ݸਓ༻ͷ IAM Ϣʔβ͸͜͜ʹ͔͠࡞Βͳ͍ • IAM Ϣʔβʹ͸ MFA
Λઃఆ • ؅ཧऀܥͷ IAM ϢʔβҎ֎͸ɺҎԼͷݖݶͷΈ෇༩ • εΠον͢ΔͨΊͷݖݶ (sts:AssumeRole) • ࣗ਎ͷ MFA ઃఆΛ͢Δݖݶ • ࣗ਎ͷύεϫʔυΛઃఆ͢Δݖݶ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ୆ଆ • MFA ͷઃఆΛ͍ͯ͠ͳͯ͘΋౿Έ୆΁ͷϩάΠϯ͸ Ͱ͖ͯ͠·͏ • લड़ͷʮMFA ඞਢʯͷ৚͕݅ΫϩεΞΧ΢ϯτ༻ͷ ϩʔϧʹ͸෇͍͍ͯΔ
• ͜ͷ৚݅ͰɺMFA ະઃఆऀͷεΠονΛ཈੍ • ͜ΕʹΑΓɺMFA ͕ઃఆ͞Εͳ͍··ͷར༻Λ๷͙

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ୆ଆ • ਖ਼ࣾһҎ֎ͷ IAM Ϣʔβ͸ Source IP Ͱͷૢ࡞੍ݶ ΋෇༩
• AWS ͸ίϯιʔϧ΁ͷΞΫηεΛ੍ݶͰ͖ͳ͍ͷ Ͱɺ౿Έ୆΁ͷϩάΠϯ͸Ͳ͔͜ΒͰ΋Ͱ͖Δ • ͨͩɺਖ਼ࣾһҎ֎͸ɺΦϑΟε֎Ͱͷར༻Λ૝ఆ ͍ͯ͠ͳ͍ • ͦͷҝͷ Source IP ʹΑΔૢ࡞੍ݶ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһ • ձ͔ࣾΒۀ຿༻୺຤ͱͯ͠  εϚʔτϑΥϯΛࢧڅ͞Ε͍ͯΔ • ͦͷۀ຿୺຤ʹ
MFA ༻ͷΞϓϦ  (mediba Ͱ͸ Authy ͷར༻Λਪ঑)Λ  Πϯετʔϧͯ͠ར༻

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһҎ֎ • Χʔυܕͷ෺ཧ MFA σόΠεΛར༻ •
ਖ਼ࣾһಉ༷ɺձࣾ؅ཧͷσόΠεʹඥ෇͚͔ͨͬ ͨͨΊɺձࣾͰΧʔυΛ༻ҙ • ؅ཧऀଆͰMFA Λઃఆͯ͠ΧʔυΛି༩

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ݱࡏ]

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ݱࡏ] ݱࡏ͸͜Ε·Ͱઆ໌ͨ͠ঢ়ଶͰӡ༻ AWS ΞΧ΢ϯτ਺͸80ఔ౓ ·͊ಛʹେ͖ͳࢧো͸ແ͍

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ະདྷ]

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ະདྷ] • MFA ΧʔυܕσόΠε΍Ί͍ͨ • ୯७ʹɺ෺ཧΧʔυͷ؅ཧ͕໘౗ • mediba
Ͱ͸χΞγϣΞ։ൃΛ͍ͯ͠Δ • ஍ํڌ఺ͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌ఺ͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓ୺຤Ͱྑ͍ͷͰ͸ʁ࿦ͷొ৔

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ະདྷ] • MFA ΧʔυܕσόΠε΍Ί͍ͨ • ୯७ʹɺ෺ཧΧʔυͷ؅ཧ͕໘౗ • mediba
Ͱ͸χΞγϣΞ։ൃΛ͍ͯ͠Δ • ஍ํڌ఺ͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌ఺ͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓ୺຤Ͱྑ͍ͷͰ͸ʁ࿦ͷొ৔ ͜ΕΒͷ఺͔Βɺ ΍ΊΔํ޲Ͱௐ੔த

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ະདྷ] • OS ΞΧ΢ϯτ΋ IAM Ϣʔβ͚ͩͰ؅ཧ • Systems
Manager ͷ Session Manager Λར༻ • طʹ Session Manager ͚ͩͰ։ൃΛߦͬͯ΋Βͬ ͍ͯΔϓϩμΫτ΋͋Δ • ࠓޙɺ৽نʹߏங͢ΔϓϩμΫτͰ͸جຊతʹ Session Manager Λ࠾༻͍ͯ͘͠

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ະདྷ] • Session Manager ͷϝϦοτ • SSH ͷ͚݀͋ෆཁ
• ౿Έ୆αʔόෆཁ • Private Subnet ʹ͋ͬͯ΋ར༻Մೳ • ૢ࡞ϩάΛ S3 ͱ CloudWatch Logs ʹग़ྗՄೳ • IAM ϙϦγʔͰ EC2 ΠϯελϯεͷΞΫηε੍ݶՄೳ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧ΢ϯτ͕ ssm-user ͱ͍͏΋ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε͸ EC2 Instance Connect Ͱղܾ͠Α͏ʂ

$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβ؅ཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧ΢ϯτ͕ ssm-user ͱ͍͏΋ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε͸ EC2 Instance Connect Ͱղܾ͠Α͏ʂ ݱ࣌఺Ͱɺ͜ΕΒͷ σϝϦοτ͕ϋʔυϧʹ ͳΔ͜ͱ͸ͳ͍ͨΊɺ ՄೳͳݶΓ࠾༻͍ͯ͘͠

medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History

medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History

More Decks by Kazuki Numazawa

Other Decks in Technology

Featured

Transcript