Slide 1
Slide 1 text
ͭͷ"84ΞΧϯτʹ
ෳγεςϜ͕͋Δڥʹ͓͚Δ
ΞΫηε੍ޚΛ"#"$Ͱ࣮ݱ
ZIBOB
Ϋϥεϝιουגࣜձࣾ Ϋϥυࣄۀຊ෦
Slide 2
Slide 2 text
ࠓ͢͜ͱ
࣍ͷΑ͏ͳ "84ΞΧϯτʹରͯ͠ɺࣗͷϓϩδΣΫτʹؔ࿈͢ΔϦιʔ
ε͚ͩૢ࡞Մೳʹ͢Δӡ༻ऀ͚ͷΞΫηε੍ޚͷํ๏Λհ͠·͢ʢ˞ʣ
l ୯Ұ "84ΞΧϯτʹෳͷϓϩδΣΫτʢγεςϜʣ͕ࠞࡏ͢Δڥ
l ΞΧϯτʹ୯ҰϓϩδΣΫτͷ߹Ͱෳͷؔձ͕ࣾؔ༩͢Δڥ
˞͋Δఔ *".ͷ͕ࣝ͋Δલఏͷ༰Ͱ͢
Slide 3
Slide 3 text
ࠓ͢͜ͱ
"#"$ʢ"UUSJCVUF#BTFE"DDFTT$POUSPMɿଐੑϕʔεͷΞΫηε੍ޚʣΛ
ར༻͢Δํ๏ͷհͰ͢
Ҿ༻ݩɿ"#"$ೝՄͰଐੑʹج͍ͮͯΞΫηεڐՄΛఆٛ͢Δ "84*EFOUJUZBOE"DDFTT.BOBHFNFOU
Slide 4
Slide 4 text
͘͡
l "84*".ʹ͓͚Δ "#"$
l "84*".*EFOUJUZ$FOUFSʹ͓͚Δ "#"$
l "#"$ͷ 5JQTςΫχοΫू
Slide 5
Slide 5 text
"84*".ʹ͓͚Δ "#"$
Slide 6
Slide 6 text
"84*".ͷ "#"$λάͰ੍ޚ
*".ϢʔβʔͷλάͱϦιʔεͷλάͷҰகʹΑΓૢ࡞ͷڐՄ͕Մೳ
Slide 7
Slide 7 text
*".ϙϦγʔͷྫ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
1SPKFDUλάͷͷҰகΑΓ
&$Πϯελϯεͷىಈɾ
ఀࢭΛڐՄ͢ΔϙϦγʔྫ
Slide 8
Slide 8 text
"84Ϛωδϝϯτίϯιʔϧ্ͷݟ͑ํ
Ϛωδϝϯτίϯιʔϧ্Ͱ
ࣗͷϓϩδΣΫτͰͳ͍
λά͕Ұக͠ͳ͍
&$
ΠϯελϯεΛఀࢭ͠Α͏ͱ
ͨ͠ͱ͖ͷΤϥʔը໘
Slide 9
Slide 9 text
"#"$ͷϝϦοτ
l ཧ͢ΔϙϦγʔ͕গͳ͘ͳΔ
l ར༻ͷ֦େʹ߹Θͤͯεέʔϧ͍͢͠
Slide 10
Slide 10 text
*".ϢʔβʔͷλάΛར༻͢Δ߹ͷ՝
*".Ϣʔβʔʹରͯ͠ɺಉ͡ ,FZ໊ͷλά ͭͷΈͷઃఆͱͳΔͨΊɺ
ෳϓϩδΣΫτʹؔ༩͍ͯ͠Δར༻ऀෳͷ *".Ϣʔβʔͷ͍͚
*".Ϣʔβʔͷ͍ճ͕͠ඞཁͱͳΔ
Slide 11
Slide 11 text
*".Ϣʔβʔͱ *".ϩʔϧΛΈ߹ͤͨํ๏
ղܾઌͱͯ͠ɺϓϩδΣΫτຖʹ *".ϩʔϧΛ༻ҙͯ͠ *".Ϣʔβʔ͔Β
εΠονϩʔϧͯ͠ར༻͢Δํ๏͕͋Δ
Slide 12
Slide 12 text
*".Ϣʔβʔͱ *".ϩʔϧΛΈ߹ͤͨํ๏
*".ϩʔϧͷڐՄϙϦγʔ ɺ*".ϢʔβʔͷλάΛར༻͢Δ߹ͱಉ༷ʹ
ڞ௨ͷ *".ϙϦγʔͰ࣮ݱ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
ڐՄϙϦγʔ
৴པϙϦγʔ
ڐՄϙϦγʔ
৴པϙϦγʔ
Slide 13
Slide 13 text
*".Ϣʔβʔͱ *".ϩʔϧΛΈ߹ͤͨํ๏
*".ϩʔϧͷ৴པϙϦγʔʹ͓͍ͯɺεΠονϩʔϧͰ͖ΔϢʔβʔΛ੍ݶ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/test-user",
"arn:aws:iam::111122223333:user/test-user2"
]
},
"Action": "sts:AssumeRole",}
]
}
ڐՄϙϦγʔ
৴པϙϦγʔ
Slide 14
Slide 14 text
"84ΞΧϯτͷߏ
*".Ϣʔβʔͱ *".ϩʔϧಉҰ "84ΞΧϯτͰߏՄೳ
Slide 15
Slide 15 text
"84ΞΧϯτͷߏ
*".Ϣʔβʔͱ *".ϩʔϧΛҟͳΔ "84ΞΧϯτͰߏՄೳ
Slide 16
Slide 16 text
*".ϢʔβʔΛҰݩཧ͢ΔΞΧϯτΛ࡞Δ߹
*".ϢʔβʔΛू͢ΔϢʔβʔཧΞΧϯτʢผ໊ɿ+VNQΞΧϯτʣ
Λ࡞͢ΔϊϋࡢͷొஃࢿྉΛࢀর͍ͩ͘͞
IUUQTEFWDMBTTNFUIPEKQBSUJDMFT
NVMUJBDDPVOUVTFSNBOBHFNFOU
Slide 17
Slide 17 text
"84*".*EFOUJUZ$FOUFSʹ͓͚Δ
"#"$
Slide 18
Slide 18 text
"84*".*EFOUJUZ$FOUFSϢʔβʔଐੑΛར༻
ϢʔβʔͷଐੑΩʔͱΛ "#"$ʹར༻ʢར༻Ͱ͖Δଐੑʹ੍ݶ͋Γʣ
Slide 19
Slide 19 text
"84*".*EFOUJUZ$FOUFSϢʔβʔଐੑΛར༻
ϢʔβʔͷଐੑΩʔͱΛ "#"$ʹར༻ʢར༻Ͱ͖Δଐੑʹ੍ݶ͋Γʣ
Slide 20
Slide 20 text
"84*".*EFOUJUZ$FOUFSϢʔβʔଐੑΛར༻
*".*EFOUJUZ$FOUFSͷઃఆͰɺҙͷΩʔ໊ͷͱͯ͠ଐੑͷΛؔ࿈͚
Slide 21
Slide 21 text
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
"84*".*EFOUJUZ$FOUFSϢʔβʔଐੑΛར༻
ΞΫηεڐՄηοτʹؔ࿈͚ΔϙϦγʔͰ 1SPKFDUΩʔΛࢦఆ
Slide 22
Slide 22 text
ϢʔβʔͷଐੑΩʔΛར༻͢Δ߹ͷ՝
*".*EFOUJUZ$FOUFSϢʔβʔͷଐੑΩʔ͝ͱʹઃఆͰ͖Δ ͭͷΈ
ͦͷͨΊɺෳϓϩδΣΫτʹؔ༩͢Δར༻ऀϓϩδΣΫτຖʹ࡞͞Εͨ
Ϣʔβʔͷ͍͚Ϣʔβʔͷ͍ճ͕͠ඞཁͱͳΔ
Slide 23
Slide 23 text
ղܾઌͱͯ͠ɺ"#"$Ͱ੍ޚ͍ͨ͠ΞΧϯτʹ͓͍ͯɺϓϩδΣΫτຖʹ
*".ϩʔϧΛ༻ҙͯ͠εΠονϩʔϧͯ͠ར༻͢Δํ๏͕͋Δ
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛΈ߹ͤͨํ๏
Slide 24
Slide 24 text
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛΈ߹ͤͨํ๏
"84ΞΫηεϙʔλϧ͔ΒϚωδϝϯτίϯιʔϧͷը໘ભҠΠϝʔδ
スイッチロール
Slide 25
Slide 25 text
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}
ΞΫηεڐՄηοτʹεΠονϩʔϧͰ͖ΔݖݶΛΞλον
ΞΫηεڐՄηοτʹ
Ξλον͢ΔϙϦγʔ
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛΈ߹ͤͨํ๏
Slide 26
Slide 26 text
લड़ͨ͠ *".ϢʔβʔϩʔϧͷλάΛ͏߹ͱ
ಉ༷ͷϙϦγʔ
*".ϩʔϧͷڐՄϙϦγʔɺ*".ϢʔβʔϩʔϧΛΈ߹Θͤͯ
ར༻͢Δ߹ͱಉ͡ϙϦγʔͰ࣮ݱՄೳ
ڐՄϙϦγʔ
৴པϙϦγʔ
ڐՄϙϦγʔ
৴པϙϦγʔ
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛΈ߹ͤͨํ๏
Slide 27
Slide 27 text
*".ϩʔϧͷ৴པϙϦγʔͰɺ1SJODJQBMʹΞΫηεڐՄηοτʹରԠ͢Δ
*".ϩʔϧΛࢦఆ͠ɺ$POEJUJPOͰεΠονϩʔϧͰ͖ΔϢʔβʔΛ੍ޚ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/aws-
reserved/sso.amazonaws.com/ap-northeast-
1/AWSReservedSSO_AssumeRoleOnlyAccess_22e9e155f6d2118f"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"identitystore:UserId": [
”aaaaaaaa-1111-aaaa-1111-aaaaaaaaaaaa",
”bbbbbbbb-2222-bbbb-2222-bbbbbbbbbbbb"
]
}
}
}
ڐՄϙϦγʔ
৴པϙϦγʔ
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛΈ߹ͤͨํ๏
Slide 28
Slide 28 text
*".*EFOUJUZ$FOUFSϢʔβʔʹଐੑใͷઃఆෆཁ
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛΈ߹ͤͨํ๏
Slide 29
Slide 29 text
"#"$ͷ 5JQTςΫχοΫू
Slide 30
Slide 30 text
"#"$ʹରԠ͍ͯ͠ΔαʔϏε͔
Ͳ͏͔ௐΔํ๏
Slide 31
Slide 31 text
"84ϢʔβʔΨΠυͰ "#"$ରԠ༗ແΛௐࠪ
֤αʔϏε͕ "#"$ʹରԠ͍ͯ͠Δ͔Ͳ͏͔ϢʔβʔΨΠυʹهࡌ͕͋Δ
Ҿ༻ݩɿ*".ͱ࿈ܞ͢Δ "84ͷαʔϏε "84*EFOUJUZBOE"DDFTT.BOBHFNFOU
Slide 32
Slide 32 text
ϢʔβʔΨΠυʹϙϦγʔྫͷهࡌ͕͋Δ߹
αʔϏεʹΑͬͯϢʔβʔΨΠυʹ "#"$ͷϙϦγʔྫͷܝࡌ͋Δ
Ҿ༻ݩɿଐੑϕʔεͷΞΫηε੍ޚ "#"$
Λ༻ͯ͠γʔΫϨοτͷΞΫηεΛ੍ޚ͢Δ "844FDSFUT.BOBHFS
Slide 33
Slide 33 text
ෳͷλάͷ݅Ͱ "#"$
Slide 34
Slide 34 text
ෳͷλάͷҰகʹΑΓ੍ޚ
ෳͷλάΛ݅ͱ͢Δ͜ͱՄೳʢԼਤ ͭͷλάΛ݅ͱ͍ͯ͠Δྫʣ
Slide 35
Slide 35 text
ෳͷλάͷҰகʹΑΓ੍ޚ
ෳͷλάΛ݅ͱ͢Δ͜ͱՄೳʢԼਤ ͭͷλάΛ݅ͱ͍ͯ͠Δྫʣ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}",
"aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"
}
}
}
]
}
ڐՄϙϦγʔ
৴པϙϦγʔ
Slide 36
Slide 36 text
$POEJUJPOͷධՁϩδοΫ
ෳͷ݅Ͱ࣮ݱ͍ͨ͠߹ɺ$POEJUJPOͷධՁϩδοΫΛߟྀͯ͠ઃܭ͢Δ
Ҿ༻ݩɿෳͷίϯςΩετΩʔ·ͨʹΑΔ݅ "84*EFOUJUZBOE"DDFTT.BOBHFNFOU
Slide 37
Slide 37 text
"#"$Ͱ੍ޚ͢Δ "DUJPOΛ
ϫΠϧυΧʔυͰࢦఆ
Slide 38
Slide 38 text
"DUJPOΛϫΠϧυΧʔυͰࢦఆՄೳ
"DUJPOΛʮFD
ʯͱهࡌͯ͠ରαʔϏεͷͯ͢ͷΞΫγϣϯΛؚΊΔ
ϫΠϧυΧʔυࢦఆՄೳ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
”aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
ڐՄϙϦγʔ
৴པϙϦγʔ
ڐՄϙϦγʔ
৴པϙϦγʔ
Slide 39
Slide 39 text
ϫΠϧυΧʔυࢦఆͷཹҙ
ϫΠϧυΧʔυࢦఆ༰қʹ࣮ݱͰ͖ΔҰํͰɺ༩͑ΔݖݶΛѲͮ͠Β͘ͳΔ
ʹཹҙ͕ඞཁ
l কདྷతʹՃ͞ΕΔ৽͍͠ΞΫγϣϯࣗಈతʹڐՄ͞ΕΔ
l ༧ظ͠ͳ͍ΞΫγϣϯڐՄ͞ΕΔՄೳੑ͕͋Δ
○ ྫ͑ɺʮFD
ʯʹ 71$ʹؔ͢Δݖݶؚ·Ε͍ͯΔ
l BXT3FTPVSDF5BHΛαϙʔτ͍ͯ͠ͳ͍ "DUJPOͷ "MMPXڐՄ͞Εͳ͍
○ ྫ͑ɺʮFD$SFBUF7QDʯڐՄ͞Εͳ͍
Slide 40
Slide 40 text
4ͷ "#"$
ؔ࿈ϒϩάɿ*".ϩʔϧͷλάͷͱ 4όέοτ໊ͷ෦ҰகͰૢ࡞Ͱ͖Δ 4όέοτΛ੍ݶͯ͠Έͨ c%FWFMPQFST*0
ʲ"#"$ʳ4Ͱλάϕʔε੍ޚΛߦ͏ ੍ݶ͋Γ
c%FWFMPQFST*0
Slide 41
Slide 41 text
4ͷ "#"$ରԠ෦త
4ͷ "#"$෦తͳରԠͰ͋Γɺ൚༻όέοτະαϙʔτɺΦϒδΣΫτ
αϙʔτରͱͳΔ
Ҿ༻ݩɿ*".ͱ࿈ܞ͢Δ "84ͷαʔϏε "84*EFOUJUZBOE"DDFTT.BOBHFNFOU
Slide 42
Slide 42 text
4ΦϒδΣΫτͷ "#"$
4ΦϒδΣΫτຖͰλά͚͕Ͱ͖ɺΦϒδΣΫτͷλάΛར༻੍ͯ͠ޚՄೳ
Slide 43
Slide 43 text
4ΦϒδΣΫτͷ "#"$
4ΦϒδΣΫτ୯ҐͰλά͚͕Ͱ͖ɺΦϒδΣΫτͷλάΛར༻ͯ͠
ΞΫηε੍ޚ͕Ͱ͖Δ
ڐՄϙϦγʔ
৴པϙϦγʔ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:List*", "s3:GetBucketLocation"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
Slide 44
Slide 44 text
4ΦϒδΣΫτͷ "#"$
4ΦϒδΣΫτͷ "#"$Ͱ BXTͷΘΓʹ TΛར༻
Ҿ༻ݩɿ"NB[PO4Ͱͷ *".ͷػೳ "NB[PO4JNQMF4UPSBHF4FSWJDF
Slide 45
Slide 45 text
4ΦϒδΣΫτͷλά͚ͷ՝
4ΦϒδΣΫτͷλά͚ʹؔͯ͠ɺ࣍ͷ༰͕՝ͱͳΔ͜ͱ͕͋Δ
l ΦϒδΣΫτʹλά͚͢Δखؒ
l ΦϒδΣΫτͷλά͚༗ྉ
Ҿ༻ݩɿྉۚ "NB[PO4ʛ"84
Slide 46
Slide 46 text
4όέοτ໊Λར༻੍ͨ͠ޚ
ସࡦͱͯ͠ʮ4όέοτ໊ʯʹ *".ϩʔϧͷ "#"$༻λάͷؚ͕·Εͯ
͍Δ͜ͱΛ݅ͱ੍ͨ͠ޚͷํ๏͕͋Δ
Slide 47
Slide 47 text
4όέοτ໊Λར༻੍ͨ͠ޚ
*".ͷڐՄϙϦγʔʹ͓͍ͯɺ3FTPVSDFͰλάͷΛಈతʹࢀর
όέοτ໊ʹλάͷؚ͕·ΕΔҐஔϦιʔε໋໊نଇʹґଘ
ڐՄϙϦγʔ
৴པϙϦγʔ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:List*", "s3:GetBucketLocation"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::*-${aws:PrincipalTag/Project}-*",
"arn:aws:s3:::*-${aws:PrincipalTag/Project}-*/*"
]
}
]
}
Slide 48
Slide 48 text
4όέοτ໊Λར༻੍ͨ͠ޚ
൚༻όέοτͷϥΠϑαΠΫϧϧʔϧϓϩύςΟͷมߋՄೳ
Slide 49
Slide 49 text
λά͕༩͞Ε͍ͯΔϦιʔεͷΈ
"#"$Ͱ੍ޚ͢Δํ๏
ؔ࿈ϒϩάɿ"NB[PO$MPVE8BUDIϩάάϧʔϓʹରͯ͠ "#"$༻λά͕͋Δ߹ "#"$ʹΑΓಡΈऔΓڐՄΛ੍ޚͯ͠ɺ"#"$༻
λά͕ͳ͍߹ಡΈऔΓΛڐՄ͢ΔϙϦγʔΛࢼͯ͠Έͨ c%FWFMPQFST*0
Slide 50
Slide 50 text
λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏
͜Ε·Ͱհ͖ͯͨ͠ɺλάͷҰகͰΞΫγϣϯΛڐՄ͢ΔϙϦγʔͰɺ
λά͕ͳ͍Ϧιʔεʹର͢Δૢ࡞ͷڐՄ༩͑ΒΕͳ͍
Slide 51
Slide 51 text
λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏
ҰํͰɺ$MPVE8BUDI-PHTͳͲͷαʔϏεʹ͓͍ͯɺಛʹอޢ͍ͨ͠Ϧιʔε
ͷΈ "#"$Ͱ੍ޚ͍ͨ͠߹͋Δ
Slide 52
Slide 52 text
λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏
ಡΈऔΓݖݶ
λά͕ଘࡏ͔ͭλά͕Ұக͠ͳ͍߹ʹ໌ࣔతͳ %FOZͱ͢Δ
͜ͱͰ࣮ݱՄೳ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ["logs:Get*", "logs:FilterLogEvents", "logs:StartQuery",
"logs:StopQuery", "logs:StartLiveTail", "logs:StopLiveTail", "logs:TestMetricFilter"],
"Resource": "arn:aws:logs:*:*:log-group:*",
"Condition": {
"Null": {
"aws:ResourceTag/Project": "false"
},
"StringNotEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
ڐՄϙϦγʔ
৴པϙϦγʔ
ʮ$MPVE8BUDI-PHT3FBE0OMZ"DDFTTʯͷಡΈऔΓݖݶ
Slide 53
Slide 53 text
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ["logs:Get*", "logs:FilterLogEvents", "logs:StartQuery",
"logs:StopQuery", "logs:StartLiveTail", "logs:StopLiveTail", "logs:TestMetricFilter"],
"Resource": "arn:aws:logs:*:*:log-group:*",
"Condition": {
"Null": {
"aws:ResourceTag/Project": "false"
},
"StringNotEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏
$POEJUJPOԼهͷ "OE͕݅ຬͨ͞Εͨ߹ʹ໌ࣔతʹ %FOZ
l ରϦιʔεʹ 1SPKFDUλά͕ଘࡏ͢Δʢ/VMM USVFͰଘࡏ͠ͳ͍ʣ
l 1SJODJQBM *".ϩʔϧ
ͱରϦιʔεͷ 1SPKFDUλάͷ͕Ұக͠ͳ͍
Slide 54
Slide 54 text
λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏
ݖݶͷΠϝʔδਤ
ಡΈऔΓΛڐՄ
$MPVE8BUDI-PHT3FBE0OMZ"DDFTT
"#"$Ͱ
໌ࣔతʹڋ൱
Slide 55
Slide 55 text
"#"$ͱڞʹ༻͍Δ
ಡΈऔΓݖݶͷύλʔϯ
Slide 56
Slide 56 text
ಡΈऔΓݖݶͷ༩ύλʔϯ
"#"$Ͱ੍ޚ͢ΔαʔϏεʹؔ͢ΔಡΈऔΓݖݶΛҰॹʹ༩͑Δඞཁ͕͋Δ
ಡΈऔΓݖݶɺ࠷খݖݶͱ͢Δํ๏ "84ཧϙϦγʔΛར༻͢Δํ๏ͳͲ
͕͋Δ
/P ํ๏ ݖݶͷ͞ ཧͷखؒ උߟ
ඞཁ࠷খݶͷΞΫγϣϯͷΈࢦఆ ࠷খ େ
-JTU
%FTDSJCF
(FU୯ҐͰࢦఆ ݶఆత த /Pͱಉ༷ͱͳΔ͜ͱ͋Δ
֤αʔϏεʹରԠͨ͠ "84ཧϙϦγʔ
ͷಡΈऔΓݖݶ
ݶఆత খ "NB[PO&$3FBE0OMZ"DDFTT
"84ཧϙϦγʔʮ3FBE0OMZ"DDFTTʯ Ҭ খ
4ΦϒδΣΫτΛμϯϩʔυͰ
͖Δݖݶؚ·ΕΔ
Slide 57
Slide 57 text
ඞཁ࠷খݶͷΞΫγϣϯͷΈࢦఆ
࠷খݖݶΛ࣮ݱͰ͖Δ͕ɺௐࠪʹख͕͔͔ؒΔɺϚωδϝϯτίϯιʔϧ্
Ͱݖݶ͕ແ͍Ӿཡʹର͢ΔΤϥʔϝοηʔδʹΑΓࢹೝੑ͕མͪΔ͕ݒ೦
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
Slide 58
Slide 58 text
-JTU
%FTDSJCF
(FU୯ҐͰࢦఆ
-JTU
%FTDSJCF
(FUؔ࿈ΞΫγϣϯΛϫΠϧυΧʔυͰ·ͱΊͯڐՄ
(FUܥΞΫγϣϯʹσʔλμϯϩʔυؚ͕·ΕΔ͜ͱ͋Δʹཁҙ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
࠷খݖݶͱൺֱͯ͠ɺӾཡ࣌ʹΤϥʔϝοηʔδ͕
දࣔ͞ΕΔ͜ͱগͳ͍
Slide 59
Slide 59 text
-JTU
%FTDSJCF
(FU୯ҐͰࢦఆ
ಡΈऔΓݖݶʹؔ͢Δ -JTU
%FTDSJCF
(FUΞΫγϣϯͷ֬ೝɺ
*".ϙϦγʔ࡞࣌ͷϙϦγʔΤσΟλʢϏδϡΞϧʣ͕ચ͍ग़͠ͷࢀߟʹͳΔ
Slide 60
Slide 60 text
֤αʔϏεʹରԠͨ͠ "84ཧϙϦγʔͷಡΈऔΓݖݶ
"84ཧϙϦγʔͷ֤αʔϏεʹରԠͨ͠ಡΈऔΓݖݶΛར༻͢Δ͜ͱͰɺ
ϙϦγʔͷϝϯςϯεΛ͢Δඞཁ͕ͳ͘ͳΔϝϦοτ͋Γ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
"84ཧϙϦγʔʮ"NB[PO&$3FBE0OMZ"DDFTTʯ
FDҎ֎ʹؔ࿈͢ΔαʔϏεͷ
Ұ෦ΞΫγϣϯؚ·Ε͍ͯΔ
l FMBTUJDMPBECBMBODJOH%FTDSJCF
l DMPVEXBUDI-JTU.FUSJDT
l DMPVEXBUDI(FU.FUSJD4UBUJTUJDT
l DMPVEXBUDI%FTDSJCF
l BVUPTDBMJOH%FTDSJCF
Slide 61
Slide 61 text
֤αʔϏεʹରԠͨ͠ "84ཧϙϦγʔͷಡΈऔΓݖݶ
*".ϩʔϧʹΞλονͰ͖Δ *".ϙϦγʔͷ্ݶ ͷͨΊɺ
ෳͷαʔϏεΛ ͭͷ *".ϩʔϧͰ੍ޚ͢Δ߹ʹཹҙ͕ඞཁ
Ҿ༻ݩɿ*".ͱ "84454ΫΥʔλ "84
*EFOUJUZBOE"DDFTT.BOBHFNFOU
Slide 62
Slide 62 text
"84ཧϙϦγʔʮ3FBE0OMZ"DDFTTʯ
"84શମͷಡΈऔΓݖݶ͕ ͭͷϙϦγʔͰ࣮ݱͰ͖Δ͕ັྗ
ҰํͰɺσʔλͷμϯϩʔυݖݶ͕Ұ෦ؚ·ΕͯΔʹཹҙ͕ඞཁ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
"84ཧϙϦγʔʮ3FBE0OMZ"DDFTTʯ
4ΦϒδΣΫτͷμϯϩʔυͳͲɺ
σʔλΛऔಘͰ͖Δݖݶ͕Ұ෦ؚ·ΕΔ
"#"$Λಋೖ͢Δ "84ΞΧϯτͰɺ
ෳγεςϜ͕ࠞࡏ͍ͯ͠Δ͜ͱ͕ଟ͍
ͨΊɺؔ࿈͠ͳ͍γεςϜͷσʔλ͕औ
ಘͰ͖Δ͕ͳ͍͔ͷ֬ೝඞཁ
Slide 63
Slide 63 text
λάͷ༩ϛεͷݮɾੋਖ਼
ؔ࿈ϒϩάɿ"84ͷλάΤσΟλΛར༻ͯ͠ίετλάͷઃఆϛεͷमਖ਼طଘͷλάͷҰׅมߋΛࢼͯ͠Έͨ c%FWFMPQFST*0
Slide 64
Slide 64 text
λάΤσΟλʹΑΔλάͷੋਖ਼
λάΤσΟλػೳΛར༻ͯ͠ɺλά༩ϛεͷमਖ਼͕Մೳ
ྫ͑ɺ1SPKFDUλάʹؔ͢ΔԼදͷΑ͏ͳεϖϧϛεͷੋਖ਼ʹཱͭ
ޡͬͨλάͷΩʔ໊ ޡ͍ͬͯΔཧ༝
QSPKFDU 1͕খจࣈ
1SPKFU D͕ൈ͚͍ͯΔ
1SPKFUD Dͱ U͕ೖΕସΘ͍ͬͯΔ
1SPKFFDU F ͕ଟ͍
1SPKFDUT ࠷ޙʹ T͕͍͍ͭͯΔ
<1SPKFDU> ࠷ޙʹεϖʔε͕ೖ͍ͬͯΔ
<1SPKFDU> ࠷ॳʹεϖʔε͕ೖ͍ͬͯΔ
Slide 65
Slide 65 text
λάΤσΟλʹΑΔλάͷੋਖ਼
λάͷΩʔ໊Λࢦఆ͢ΔՕॴͰεϖϧϛεͷλάΛ֬ೝͰ͖Δ
Slide 66
Slide 66 text
λάΤσΟλʹΑΔλάͷੋਖ਼Πϝʔδ
ͦͷ··λάΤσΟλͰλάͷमਖ਼͕ՄೳʢෳϦιʔεͷҰׅมߋՄೳʣ
ਖ਼͍͠λάΩʔ໊ͷλάΛՃ
εϖϧϛεͷλάΩʔ໊ͷλάΛআ
Slide 67
Slide 67 text
λάΤσΟλʹΑΔλάͷੋਖ਼ͷࢀߟࢿྉ
λάΤσΟλΛར༻ͨ͠λάͷΩʔ໊ͷमਖ਼ύλʔϯͷ͍͔ͭ͘
ϒϩάͰެ։த
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTNPEJGZ
DPTUBMMPDBUJPOUBHTJOUBHFEJUPS
Slide 68
Slide 68 text
"840SHBOJ[BUJPOTͷλάϙϦγʔ
"840SHBOJ[BUJPOTڥʹݶΔ͕ɺλάϙϦγʔʹΑΓλάͷඪ४Խ͕Մೳ
λάΩʔͷେจࣈɾখจࣈͷ౷Ұλάͱͯ͠ೖྗͰ͖Δͷࢦఆ͕Մೳ
Slide 69
Slide 69 text
"840SHBOJ[BUJPOTͷλάϙϦγʔ
"840SHBOJ[BUJPOTڥʹݶΔ͕ɺλάϙϦγʔʹΑΓλάͷඪ४Խ͕Մೳ
λάΩʔͷେจࣈɾখจࣈͷ౷Ұλάͱͯ͠ೖྗͰ͖Δͷࢦఆ͕Մೳ
1SPKFDUΩʔʹؔͯ͠ɺ࣍ͷΑ͏
ͳೖྗ͕ઃఆͰ͖ͳ͘ͳΓɺ
େจࣈখจࣈͷ౷Ұ͕Ͱ͖Δ
l QSPKFDU
l 130+&$5
l 130KFDU
Slide 70
Slide 70 text
"840SHBOJ[BUJPOTͷλάϙϦγʔ
"840SHBOJ[BUJPOTڥʹݶΔ͕ɺλάϙϦγʔʹΑΓλάͷඪ४Խ͕Մೳ
λάΩʔͷେจࣈɾখจࣈͷ౷Ұλάͱͯ͠ೖྗͰ͖Δͷࢦఆ͕Մೳ
1SPKFDUΩʔʹରͯ͠ɺࢦఆͨ͠
λάͷΈೖྗͰ͖ΔΑ͏ʹ͢Δ
l XBGGMFT
l NPDIJ
Slide 71
Slide 71 text
λάϙϦγʔʹΑΓ੍ݶ͞Εͨͱ͖ͷྫ
ʮେจࣈنଇʯʹඇ४ڌʢ1͕খจࣈʣ ʮڐՄ͞ΕΔʯʹඇ४ڌ
λάϙϦγʔʹΑΓλάͷߋ৽͕ڋ൱͞ΕͨࡍͷΤϥʔϝοηʔδ
Slide 72
Slide 72 text
+VNQΞΧϯτߏʹ͓͍ͯ
εΠονϩʔϧͰ͖Δ *".ϩʔϧ
"#"$Ͱ੍ޚ
ؔ࿈ϒϩάɿ+VNQΞΧϯτߏʹ͓͍ͯ *".ϢʔβʔͷλάΛར༻ͨ͠ "#"$ʹΑΓ &$ΠϯελϯεͷىಈɾఀࢭڐՄΛ༩͑Δ c
%FWFMPQFST*0
Slide 73
Slide 73 text
εΠονϩʔϧͰ͖Δ݅ "#"$Ͱ੍ޚ
*".ϢʔβʔͰ "#"$༻ͷλάΛཧ͢Δલఏͷ߹ɺ
*".Ϣʔβʔ͔ΒεΠονϩʔϧͰ͖Δ *".ϩʔϧͷڐՄʹ "#"$׆༻Մೳ
Slide 74
Slide 74 text
εΠονϩʔϧͰ͖Δ݅ "#"$Ͱ੍ޚ
*".ϢʔβʔͷڐՄϙϦγʔʹ͓͚Δ TUT"TTVNF3PMFͷ $POEJUJPOʹɺ
*".ϢʔβʔͷλάͱεΠονϩʔϧઌͷ *".ϩʔϧͷλάͷҰகΛؚΊΔ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
ڐՄϙϦγʔ
Slide 75
Slide 75 text
"#"$ͷ͍͠ͱ͜Ζ
ʢηΩϡϦςΟάϧʔϓͷ "#"$ʣ
Slide 76
Slide 76 text
ηΩϡϦςΟάϧʔϓͷ "#"$
ηΩϡϦςΟάϧʔϓͷઃఆมߋ "#"$Ͱ࣮ݱՄೳʢͰ͋Δ͕ʜʣ
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
ڐՄϙϦγʔ
Slide 77
Slide 77 text
ηΩϡϦςΟάϧʔϓͷ "#"$
Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ
ϧʔϧͷՃɾআͰ͖Δ͕ɺมߋͰ͖ͳ͍ʢλάΛ͚Δ·Ͱʣ
ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT>
Πϯόϯυϧʔϧ r 5$1ڐՄ
Slide 78
Slide 78 text
ηΩϡϦςΟάϧʔϓͷ "#"$
Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ
ϧʔϧͷՃɾআͰ͖Δ͕ɺมߋͰ͖ͳ͍ʢλάΛ͚Δ·Ͱʣ
ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT>
ηΩϡϦςΟάϧʔϓʹର͢Δ
ΠϯόϯυϧʔϧͷՃՄೳ
Πϯόϯυϧʔϧ r 5$1ڐՄ
Πϯόϯυϧʔϧ r 5$1ڐՄ
Slide 79
Slide 79 text
ηΩϡϦςΟάϧʔϓͷ "#"$
Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ
ϧʔϧͷՃɾআͰ͖Δ͕ɺมߋͰ͖ͳ͍ʢλάΛ͚Δ·Ͱʣ
ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT>
Πϯόϯυϧʔϧ r 5$1ڐՄ
Πϯόϯυϧʔϧʹର͢Δ
ߋ৽ෆՄೳ
Πϯόϯυϧʔϧ r 5$1ڐՄ ˠ
Slide 80
Slide 80 text
ηΩϡϦςΟάϧʔϓͷ "#"$
Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ
ϧʔϧͷՃɾআͰ͖Δ͕ɺมߋͰ͖ͳ͍ʢλάΛ͚Δ·Ͱʣ
ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT>
Πϯόϯυϧʔϧ r 5$1ڐՄ
Πϯόϯυϧʔϧʹର͢Δ
ߋ৽ෆՄೳʢλά͕ͳ͍ͨΊʣ
Πϯόϯυϧʔϧ r 5$1ڐՄ <λάͳ͠>
Slide 81
Slide 81 text
ηΩϡϦςΟάϧʔϓͷ "#"$
Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ
ϧʔϧͷՃɾআͰ͖Δ͕ɺมߋͰ͖ͳ͍ʢλάΛ͚Δ·Ͱʣ
ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT>
Πϯόϯυϧʔϧ r 5$1ڐՄ <1SPKFDUXBGGMFT>
λά͕͋Γɺ͕݅߹͍ͬͯΕ
ߋ৽Մೳ
Πϯόϯυϧʔϧ r 5$1ڐՄ <λάͳ͠>
Slide 82
Slide 82 text
ηΩϡϦςΟάϧʔϓͷ "#"$
Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ
ϧʔϧͷՃɾআͰ͖Δ͕ɺมߋͰ͖ͳ͍ʢλάΛ͚Δ·Ͱʣ
ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT>
Πϯόϯυϧʔϧ r 5$1ڐՄ <1SPKFDUXBGGMFT>
Πϯόϯυϧʔϧ r 5$1ڐՄ <λάͳ͠>
ηΩϡϦςΟάϧʔϓʹର͢Δ
ΠϯόϯυϧʔϧͷআՄೳ
Slide 83
Slide 83 text
ηΩϡϦςΟάϧʔϓͷ "#"$
"84Ϛωδϝϯτίϯιʔϧͷ࡞ۀͰϧʔϧՃͱಉ࣌ʹλάΛ༩Ͱ͖ͳ͍
ߦ୯ҐͰϧʔϧͷՃͰ͖Δ͕ɺλά༩͞Εͳ͍
λά͕ແ͚ΕมߋͰ͖ͳ͍
Slide 84
Slide 84 text
ηΩϡϦςΟάϧʔϓͷ "#"$
ϧʔϧΛՃͨ͠ޙʹλάΛ༩͢Δ͜ͱࣗମՄೳͰ͋Δ͕ɺ
͜ͷૢ࡞ߋ৽࡞ۀͳͷͰલड़ͨ͠ "#"$ͷϙϦγʔͰλάΛ༩Ͱ͖ͳ͍
Slide 85
Slide 85 text
*".ϩʔϧͷҰׅ࡞
Slide 86
Slide 86 text
*".ϩʔϧͷҰׅ࡞
"#"$ͰλάͷҟͳΔ *".ϩʔϧΛෳ࡞͢Δඞཁ͕͋Δ
*".ϙϦγʔڞ༗ԽͰ͖ΔͨΊɺεΫϦϓτͳͲʹΑΓ *".ϩʔϧͷ࡞
ޮԽͰ͖Δ
Slide 87
Slide 87 text
*".ϩʔϧͷҰׅ࡞
ϓϩδΣΫτຖʹҟͳΔจࣈྻΛΠϯϓοτʹͯ͠ɺ*".ϩʔϧͷҰׅ࡞
खಈͰઃఆ͢Δ߹ͱൺͯɺλάͷઃఆϛεΛ͛ΔϝϦοτ͋Γ
BBB
CCC
DDD
⋮
CJOTI
⋮
DSFBUFJBNSPMFTTI
QSPKFDUTUYU
JOQVU Ұׅ࡞
Slide 88
Slide 88 text
*".ϩʔϧͷҰׅ࡞࣌ͷߟྀ
ҰํͰɺ৴པϙϦγʔ *".ϩʔϧຖʹҟͳΔ߹͋ΔͨΊɺҰׅ࡞࣌
$$P&ςετ༻ͷϢʔβʔΛԾͰࢦఆ͓ͯ͘͠ͷߟྀ͕ඞཁͱͳΔ
ҙͱͯ͠ *".Ϣʔβʔ࣮ݱ͠ͳ͚Ε *".ϩʔϧͷ࡞ʹࣦഊ͢Δ
Slide 89
Slide 89 text
͍͞͝ʹ
Slide 90
Slide 90 text
͍͞͝ʹ
୯ҰΞΧϯτʹෳͷϓϩδΣΫτ͕ࠞࡏ͢Δڥʹ͓͚Δ
ΞΫηε੍ޚΛ "#"$Ͱ࣮ݱ͢Δํ๏Λհ͠·ͨ͠
"#"$ศརͳҰํɺ͍͜ͳ͢ʹ *".ʹؔ͢ΔҰఆͷ͕ࣝඞཁͰ͢
3#"$ͱΈ߹Θͤͨར༻ "84ΞΧϯτΛϓϩδΣΫτຖʹ͚ͯΞ
Ϋηε੍ޚ͢Δํ๏͝ݕ౼͍ͩ͘͞
Pʢ·ͩ·ͩॻ͖͍ͨ͜ͱ͋ΔͷͰผͷػձʹΞτϓοτ͠·͢ʣ
Slide 91
Slide 91 text
͍͞͝ʹ
͍͞͝ʹ߹ΘͤͯಡΈ͍ͨࢿྉΛڞ༗͠·͢
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTTIVUUZP
EFWJPLBXBIBSBBCBD
Slide 92
Slide 92 text
No content