AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular

by YukihiroChiba

Slide 1

Slide 1 text

ʜʜྲྀߦΒ͍ͤͨɺ "844FSWJDF/BNFTQBDFΛɻ ઍ༿޾޺ʢνόϢΩʣ

Slide 2

Slide 2 text

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ࣦޮ ͠·ͨ͠

Slide 3

Slide 3 text

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ ࣦޮ ͠·ͨ͠

Slide 4

Slide 4 text

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ ɾ2021 APN AWS Top Engineer ࣦޮ ͠·ͨ͠

Slide 5

Slide 5 text

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ ɾ2021 APN AWS Top Engineer ɾ޷͖ͳAWSαʔϏεɿIAM

Slide 6

Slide 6 text

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM

Slide 7

Slide 7 text

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ

Slide 8

Slide 8 text

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ ޷͖ͳΞΫγϣϯɿsts:AssumeRole

Slide 9

Slide 9 text

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ ޷͖ͳΞΫγϣϯɿsts:AssumeRole ޷͖ͳAWS Service Namespaceɿtiros

Slide 10

Slide 10 text

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ ޷͖ͳΞΫγϣϯɿsts:AssumeRole ޷͖ͳAWS Service Namespaceɿtiros φχίϨʁʁ

Slide 11

Slide 11 text

޷͖ͳ AWS Service Namespace Λ ܾΊ·͠ΐ͏ ϝΠϯςʔϚ

Slide 12

Slide 12 text

"HFOEB 1.AWSαʔϏε͋Δ͋Δ 2.AWS Service Namespace 1.ͱ͸ 2.ௐ΂ํ 3.ΫΠζ 1.ਖ਼Ҿ͖ 2.ٯҾ͖

Slide 13

Slide 13 text

AWS αʔϏε͋Δ͋Δ ݴ͍͍ͨ

Slide 14

Slide 14 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ͦͷ2. ͦͷ3.

Slide 15

Slide 15 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ͦͷ3.

Slide 16

Slide 16 text

ଟ͍ɻ ͳΜͰ΋223ݸ͋Δͱ͔…… ɹͳ͍ͱ͔…… ֮͑ΒΕͳ͍Α……

Slide 17

Slide 17 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ͦͷ3.

Slide 18

Slide 18 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ ͦͷ3.

Slide 19

Slide 19 text

઀಄ࣙ"84͔"NB[PO͔໎͍͕ͪ Ұઆʹ͸ɻ ʮAWSʯ͕ͭ͘ͷ͸…… ɹɹଞͷAWSαʔϏεͱ૊Έ߹ΘͤΔલఏ ɹɹɹɹAWS LambdaɺAWS BackupɺAWS IAM... ʮAmazonʯ͕ͭ͘ͷ͸…… ɹɹ୯ಠͰ࢖͑Δ΋ͷ Amazon EC2ɺAmazon Route53ɺAmazon S3…

Slide 20

Slide 20 text

઀಄ࣙ"84͔"NB[PO͔໎͍͕ͪ ͪΐͬͱ೿ੜͯ͠ ਖ਼໊ࣜশ໎͍͕ͪ໰୊ •Amazon Elastic Compute Cloudʁ •Amazon EC2ʁ •Amazon Simple Storage Serviceʁ •Amazon S3ʁ ͳͲͳͲ…… ΋͔ͯ͠͠ʮAmazon Elastic Compute Cloud (EC2)ʯʁ

Slide 21

Slide 21 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ ͦͷ3.

Slide 22

Slide 22 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ ͦͷ3. ԿΛ΋ͬͯ”αʔϏε”͔೰Ή

Slide 23

Slide 23 text

ԿΛ΋ͬͯzαʔϏεz͔೰Ή Ϛωδϝϯτίϯιʔϧج४ʁ Ϋϥ΢υ੡඼Ұཡج४ʁ AWSυΩϡϝϯτج४ʁ

Slide 24

Slide 24 text

ԿΛ΋ͬͯzαʔϏεz͔೰Ή Ϛωίϯ ੡඼ϖʔδ υΩϡϝϯτ &-# ʮ&$ʯͷ Ұ෦ ͋Δ τοϓϖʔδ ʹ͋Δ 5SBOTJU(BUFXBZ ʮ71$ʯͷ Ұ෦ ͋Δ ʮ71$ʯʹ ͋Δ .BSLFUQMBDF αʔϏεը໘ ͕͋Δ ͳ͍ τοϓϖʔδ ʹ͋Δ ྫ͑͹……

Slide 25

Slide 25 text

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ ͦͷ3. ԿΛ΋ͬͯ”αʔϏε”͔೰Ή ͏ʔΉ…… 🤔

Slide 26

Slide 26 text

ͦ͜Ͱ AWS Service Namespace Ͱ͢Α ೰ΊΔ͋ͳͨ΁

Slide 27

Slide 27 text

"844FSWJDF/BNFTQBDF͸ ɾج४͕໌֬🤗 ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ ɾ ɾ

Slide 28

Slide 28 text

"844FSWJDF/BNFTQBDF͸ ɾج४͕໌֬🤗 ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ ɾAWS ΋ Amazon ΋͔ͭͳ͍🤗 ɹɹେମུশΛ͓͚֮͑ͯ͹OK ɾ

Slide 29

Slide 29 text

"844FSWJDF/BNFTQBDF͸ ɾج४͕໌֬🤗 ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ ɾAWS ΋ Amazon ΋͔ͭͳ͍🤗 ɹɹେମུশΛ͓͚֮͑ͯ͹OK ɾ਺͸AWSαʔϏεΑΓଟ͍🥺 ɹɹ2022/1/27࣌఺Ͱ301ݸ͋Γ·͢

Slide 30

Slide 30 text

AWS Service Namespace ͱ͸Կ͔ ࠓ೔ͷຊ୊

Slide 31

Slide 31 text

"844FSWJDF/BNFTQBDFͱ͸ arn:aws:s3:::my_corporate_bucket arn:aws:iam::123456789012:user/Test • AWS ੡඼Λࣝผ͢ΔͨΊͷαʔϏε໊લۭؒ • ARN ʹొ৔͠·͢

Slide 32

Slide 32 text

"844FSWJDF/BNFTQBDFͱ͸ • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢ • Action • Condition • αʔϏεϓϨϑΟοΫεͱ΋

Slide 33

Slide 33 text

"844FSWJDF/BNFTQBDFͱ͸ • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢ • Action • Condition • αʔϏεϓϨϑΟοΫεͱ΋ ec2:CreateVpc s3:GetObject Actionͷྫɻ ɹରԠ͢ΔAPI͕ແ͘ݖݶ෇༩ͷͨΊʹͷΈ͋Δ΋ͷ΋

Slide 34

Slide 34 text

"844FSWJDF/BNFTQBDFͱ͸ • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢ • Action • Condition • αʔϏεϓϨϑΟοΫεͱ΋ ec2:CreateVpc s3:GetObject iam:AWSServiceName rds:DatabaseName Actionͷྫɻ ɹରԠ͢ΔAPI͕ແ͘ݖݶ෇༩ͷͨΊʹͷΈ͋Δ΋ͷ΋ Conditionͷྫɻ ɹάϩʔόϧ৚݅Ωʔʹରͯ͠ ɹ αʔϏεݻ༗ͷ৚݅Ωʔͱݺ͹ΕΔ

Slide 35

Slide 35 text

"844FSWJDF/BNFTQBDFͱ͸ • AWS CLI ͷίϚϯυ໊ʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ • ྫ֎΋͋Γ·͢ʢaws con fi gserviceͱ͔ʣ aws sts get-caller-identity aws ecr put-image

Slide 36

Slide 36 text

"844FSWJDF/BNFTQBDFͱ"84αʔϏε • 1ର1ʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ • ҰͭͷAWSαʔϏε͕ෳ਺ͷAWS Service NamespaceΛ࣋ͭ͜ͱ΋͋Δ • ҟͳΔAWSαʔϏε͕ಉ͡AWS Service Namespace Λ࣋ͭ͜ͱ΋͋Δ

Slide 37

Slide 37 text

Ͳ͏΍ͬͯ֬ೝ͢Ε͹Α͍͔ "844FSWJDF/BNFTQBDF

Slide 38

Slide 38 text

ίϚϯυΛୟ͜͏ i=`aws iam generate-service-last-accessed-details --arn arn:aws:iam::aws:policy/AdministratorAccess --output text` \ && sleep 1 \ && aws iam get-service-last-accessed-details --job-id $i --max-items 1000 \ | jq -c '.ServicesLastAccessed[] | [.ServiceName,.ServiceNamespace]' ࠓ೥ͷ AWS αʔϏε໊લۭؒɺࠓ೥ͷ͏ͪʹɻ 2021 https://dev.classmethod.jp/articles/aws-servicenamespace-2021/ ҎԼʹࡌͬͯ·͢ɻ

Slide 39

Slide 39 text

ͳʹɺͦͷίϚϯυʜʜ AdministratorAccessΛΞΫηεΞυόΠβʔͰ ݟΔͷͱಉ͜͡ͱΛ AWS CLI Ͱ΍ͬͯ·͢ɻ ΞΫηεՄೳͳ ʮαʔϏεʯͱ ࠷ऴΞΫηε࣌ؒΛ දࣔ͢ΔΑ

Slide 40

Slide 40 text

ͪΌΜͱϦϑΝϨϯεͰݟ͍ͨ • αʔϏεೝূϦϑΝϨϯεΛΈΑ͏ • Service Authorization Reference ͳͷͰʮೝՄʯͱ༁ͯ͠΄͘͠΋ ͋Δͱ͔ͳ͍ͱ͔ • αʔϏεϓϨϑΟοΫε͝ͱʹϖʔδ͕࡞ΒΕ͍ͯ·͢ ϙϦγʔઃܭ͢Δ࣌ʹ ֎ͤͳ͍Ͱ͢ΑͶ https://docs.aws.amazon.com/ja_jp/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

Slide 41

Slide 41 text

ͪΌΜͱϦϑΝϨϯεͰݟ͍ͨ • ʮAWS IAMͱ࿈ܞ͢ΔαʔϏεʯϖʔδ΋େࣄ • AWS IAM ͷυΩϡϝϯτͷҰ෦Ͱ͢ • ͜͜ͰͷʮαʔϏεʯ͸αʔϏεϓϨϑΟοΫε͕ج४Ͱ͢ ϒοΫϚʔΫͯ͠ͳ͍…ʁ ͳΜͰ……ʁ https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

Slide 42

Slide 42 text

IAM ͱ஥ྑ͘ͳΔͳΒ AWSαʔϏε͡Όͳ͘ AWS Service Namespace Λҙࣝ͠Α͏ "844FSWJDF/BNFTQBDF

Slide 43

Slide 43 text

AWS Service Namespace ΫΠζʂʂʂʂʂ νϟϨϯδ͠Α͏

Slide 44

Slide 44 text

΍Δ͜ͱ • ਖ਼Ҿ͖ • AWSαʔϏε͔Β໊લۭؒΛߟ͑Δ • ٯҾ͖ • ໊લۭ͔ؒΒAWSαʔϏεΛߟ͑Δ ͜͜Ͱͷʮਖ਼Ҿ͖ʯͱ͔ʮٯҾ͖ʯ͸Θͨ͠ ͕উखʹͦ͏ݺΜͰΔ͚ͩͰ͢ɻ ΑͦͰݴ͏ͱ ஏΛ͔͖·͢Α

Slide 45

Slide 45 text

ਖ਼Ҿ͖ฤ "844FSWJDF/BNFTQBDFΫΠζ

Slide 46

Slide 46 text

ୈҰ໰ "NB[PO&$ ೉қ౓ɿ ʁ AWSαʔϏε AWS Service Namespace

Slide 47

Slide 47 text

ୈҰ໰ "NB[PO&$ FD ೉қ౓ɿ AWSαʔϏε AWS Service Namespace ؆୯Ͱ͢Ͷɻ

Slide 48

Slide 48 text

ୈೋ໰ "NB[PO4 ೉қ౓ɿ ʁ AWSαʔϏε AWS Service Namespace

Slide 49

Slide 49 text

ୈೋ໰ "NB[PO4 T ೉қ౓ɿ AWSαʔϏε AWS Service Namespace ๏ଇΘ͔͖ͬͯ·ͨ͠Ͷɻ

Slide 50

Slide 50 text

ୈࡾ໰ "NB[PO71$ ೉қ౓ɿ ʁ AWSαʔϏε AWS Service Namespace

Slide 51

Slide 51 text

ୈࡾ໰ "NB[PO71$ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace FD ʮvpcʯͰ͸͋Γ·ͤΜΑɻ

Slide 52

Slide 52 text

໊લۭؒFDଟ͍Αʜʜ • Amazon EC2 actions • Amazon EBS actions • Amazon VPC actions • Amazon IPAM actions • AWS Transit Gateway actions • AWS PrivateLink actions • AWS Client VPN actions • AWS Site-to-Site VPN actions • AWS Outposts actions • AWS Wavelength actions • VM Import/Export actions • AWS Nitro Enclaves https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query.html

Slide 53

Slide 53 text

ٯҾ͖ฤ "844FSWJDF/BNFTQBDFΫΠζ

Slide 54

Slide 54 text

ୈҰ໰ "NB[PO3%4 ೉қ౓ɿ AWSαʔϏε AWS Service Namespace SET Amazon RDS Ҏ֎ͰԿ͕͋ΔͰ͠ΐ͏ʁ ʁ

Slide 55

Slide 55 text

ୈҰ໰ "NB[PO3%4 ೉қ౓ɿ AWSαʔϏε AWS Service Namespace SET "NB[PO %PDVNFOU%# ͦ͏ͳΜͩ……ɻ

Slide 56

Slide 56 text

ୈೋ໰ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace NFEJBJNQPSU ϝσΟΞܥͷαʔϏε͔ͳʁʁʁʁ ʁ

Slide 57

Slide 57 text

ୈೋ໰ "NB[PO3%4 ೉қ౓ɿ AWSαʔϏε AWS Service Namespace Amazon RDS Custom for Oracle ͷ ɹΠϯετʔϧϝσΟΞʹର͢ΔݖݶΛ෇༩͢ΔͨΊͷ໊લۭؒɻɻ NFEJBJNQPSU

Slide 58

Slide 58 text

ୈࡾ໰ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace UJSPT ฉ͍ͨ͜ͱ΋ͳ͍Α…… ʁ

Slide 59

Slide 59 text

ୈࡾ໰ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace UJSPT ਖ਼֬ʹݴ͑͹ Amazon VPC Reachability Analyzer ͕ ɹ΋ͬͱ΋ؔΘΓ͕ڧ͍ "NB[PO71$ ڧ͍ͯݴ͑͹

Slide 60

Slide 60 text

UJSPTJTԿ https://aws.amazon.com/jp/security/provable-security/ • ਪ࿦πʔϧʁ෼ੳج൫ʁΈ͍ͨͳ΋ͷ • Inspector ΍ΞΫηεΞφϥΠβʔͰ΋࢖༻͞ΕΔ • ઐ༻ͷAPIΛୟ͚ΔΘ͚Ͱͳ͘ڐՄΛ༩͑ΔͨΊʹඞཁ • ྫ͑͹ Inspector v2 ͷαʔϏεϦϯΫϩʔϧͷIAMϙϦγʔΛோΊͯΈΑ͏

Slide 61

Slide 61 text

͋ͳͨ͸Կ໰ਖ਼ղͰ͖·͔ͨ͠ʁ "844FSWJDF/BNFTQBDFΫΠζ

Slide 62

Slide 62 text

·ͱΊ Α͏΍͘ऴΘΓͰ͢

Slide 63

Slide 63 text

"844FSWJDF/BNFTQBDF͸͍͍ͧ IAMʹৄ͘͠ͳΔͳΒආ͚ͯ௨Εͳ͍ 300ݸҎ্΋όϦΤʔγϣϯ͕͋Δ ਪ͠Λݟ͚ͭͯ௥͍͔͚Α͏

Slide 64

Slide 64 text

ऴΘΓʹɿΘͨ͠ͷࣥ೦ΛோΊ͍ͯͩ͘͞ https://dev.classmethod.jp/articles/aws-services-with-aws-servicenamespaces/ ೥຤೥࢝ͷ࣌ؒΛ๋͛·ͨ͠