やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic

by YukihiroChiba

Slide 1

Slide 1 text

"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿޾޺ ΍ΜΘΓԡ͑͞Α͏*".ͷධՁ࿦ཧ

Slide 2

Slide 2 text

։ນҰ൪ ಥવͰ͕͢໰୊Ͱ͢

Slide 3

Slide 3 text

࣍ͷ͏ͪ ʮIAM ʹ͓͚ΔϙϦγʔʯ͸ ͲΕͰ͠ΐ͏ʁ ʢෳ਺ճ౴Մʣ

Slide 4

Slide 4 text

ݸҎ্ͷਖ਼ղͷબ୒ࢶ͕͋Γ·͢ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔ؅ཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬຿ػೳͷAWS؅ཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ

Slide 5

Slide 5 text

ਖ਼ղ͸……

Slide 6

Slide 6 text

શ෦Ͱ͢ʂʂʂ

Slide 7

Slide 7 text

ΈΜͳ޿͍ҙຯͰͷʮ*".ͷϙϦγʔʯ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔ؅ཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬຿ػೳͷAWS؅ཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ

Slide 8

Slide 8 text

*".ͷϙϦγʔͷ૊Έ߹Θͤ ը૾͸͢΂ͯAWSυΩϡϝϯτΑΓ

Slide 9

Slide 9 text

*".ϜζΧγΠ 🤔 🤔 🤔 എܠը૾͸͢΂ͯAWSυΩϡϝϯτΑΓ

Slide 10

Slide 10 text

શ෦Λཧղ͢Δͷ͸೉͍͠ͷͰ ΍ΜΘΓԡ͑͞·͠ΐ͏

Slide 11

Slide 11 text

࠷ऴతʹ͜Μͳײ͡Ͱԡ͑͞·͢

Slide 12

Slide 12 text

ΞδΣϯμ 1.IAM JSON ϙϦγʔ 2.ಉҰΞΧ΢ϯτͰͷධՁ࿦ཧ 3.ΫϩεΞΧ΢ϯτͰͷධՁ࿦ཧ 4.ΨʔυϨʔϧ 5.ҟ୺ʂVPCΤϯυϙΠϯτϙϦγʔ

Slide 13

Slide 13 text

ࣗݾ঺հ ઍ༿ ޾޺ ɾAWS ࣄۀຊ෦ ɹίϯαϧςΟϯά෦ ɹϚωʔδϟʔ ɾ2020೥1݄JOIN ɾ2021 APN AWS Top Engineer ɾ޷͖ͳΞΫγϣϯ: sts:AssumeRole

Slide 14

Slide 14 text

*".+40/ϙϦγʔ

Slide 15

Slide 15 text

*".ʹ͓͚ΔϙϦγʔλΠϓ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

Slide 16

Slide 16 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͝ͱͷॏཁ౓ʢࢲݟʣ

Slide 17

Slide 17 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͸΄ͱΜͲ+40/ JSON JSON JSON JSON JSON JSONͰͳ͍

Slide 18

Slide 18 text

ݟ͍ͯ͜͏ IAM JSON ϙϦγʔͷߏ੒ཁૉ

Slide 19

Slide 19 text

*".+40/ϙϦγʔߏ੒ཁૉ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆՄ ⭐…ࢦఆඞਢͷ߲໨

Slide 20

Slide 20 text

Θ͔Γ΍͍͢Πϝʔδ ʮAWSʹ͓͚ΔABACͷخ͠͞ɺਏ͞ΛޠΓ·ͨ͠ #AKIBAAWSʯΑΓ ɹhttps://dev.classmethod.jp/articles/akibaaws-06-iam-abac/

Slide 21

Slide 21 text

1SJODJQBMཁૉɿʮ୭͕ʯΛఆٛ *".άϧʔϓ͸ ࢦఆͰ͖ͳ͍ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆ

Slide 22

Slide 22 text

"DUJPOཁૉɿʮԿΛʯΛఆٛ ec2 : StartInstances s3 : PutObject kms : Decrypt ΞΫγϣϯϓϨϑΟοΫε͸ αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ

Slide 23

Slide 23 text

3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ

Slide 24

Slide 24 text

3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ࢖༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*

Slide 25

Slide 25 text

3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ࢖༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯ͸͢΂ͯ(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ

Slide 26

Slide 26 text

۩ମྫɿ"84؅ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } ͢΂ͯͷϦιʔε΁ͷ ͢΂ͯͷΞΫγϣϯʹ ʢ৚݅ͳ͠Ͱʣ AllowΛ༩͑Δ

Slide 27

Slide 27 text

۩ମྫɿΧελϚʔ؅ཧϙϦγʔ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎΁ͷ ͢΂ͯͷΞΫγϣϯΛ Deny͢Δ ର৅͕͜ͷΠϯελϯεͰ͋ͬͯ΋ɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯ͸ڋ൱͞ΕΔ

Slide 28

Slide 28 text

"MMPX΋͘͠͸%FOZ εςʔτϝϯτ͝ͱʹ Allow ΋͘͠͸ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ಺༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ ҉໧తͳڋ൱ %FOZ΋"MMPX΋༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ৔߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ৚݅ͰʣԿΛ͢Δ͔

Slide 29

Slide 29 text

ಉҰΞΧ΢ϯτͰͷධՁ࿦ཧ

Slide 30

Slide 30 text

*".ʹ͓͚ΔϙϦγʔλΠϓʢ࠶ܝʣ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

Slide 31

Slide 31 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ࠓճͷൃදͰ͸ׂѪ͠·͢ ࠓճͷର৅֎

Slide 32

Slide 32 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষ͸͜ͷ̎ͭΛऔΓ্͛·͢ ຊষͷର৅

Slide 33

Slide 33 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ

Slide 34

Slide 34 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ ҰͭͷIAM ΤϯςΟςΟʹ௚઀ຒΊ͜Έɻ ಠཱͨ͠ϦιʔεͰ͸ͳ͍ɻ ग़དྷ߹͍ͷϙϦγʔɻ ʮ৬຿ػೳͷAWS؅ཧϙϦγʔʯͱ͍͏ࡉ෼Խ΋Մೳɻ AdministratorAccessɺReadOnly AccessͳͲɻ ΧελϚʔ͕ಠࣗʹ࡞੒͢ΔϙϦγʔɻ όʔδϣϯ؅ཧɺෳ਺ΤϯςΟςΟ΁ͷΞλον͕Մೳɻ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ

Slide 35

Slide 35 text

ϦιʔεϕʔεϙϦγʔ … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ • Lambdaؔ਺ • SNSτϐοΫ …ଞଟ਺ • ͢΂ͯͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹ௚઀ຒΊ͜Έʣ

Slide 36

Slide 36 text

ΞΠσϯςΟςΟϕʔεͱϦιʔεϕʔε IAMϢʔβʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ S3όέοτ EC2Πϯελϯε IAMϢʔβʔ Ϧιʔεϕʔε ϙϦγʔඇରԠ s3:PutObject ec2:StartInstances

Slide 37

Slide 37 text

͍Β͢ͱͰߟ͑Α͏ IAMϢʔβʔ AWSϦιʔε

Slide 38

Slide 38 text

σϑΥϧτͰ͜Ε 1.҉໧తͳڋ൱

Slide 39

Slide 39 text

྆ऀͷϙϦγʔͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Θͨ͠͸͜ͷϦΫΤετΛ ࣮ߦͰ͖Δ ͜ͷਓ͔ΒͷϦΫΤετ͸ ڐՄͯ͋͛͠Δ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

Slide 40

Slide 40 text

σϑΥϧτͰ͸ͲͪΒͷఆٛ΋ͳ͍ IAMϢʔβʔ AWSϦιʔε ʜʜ ʜʜ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

Slide 41

Slide 41 text

ͲͪΒͰ΋ڐՄ͕ͳ͍ͷͰ݁Ռతʹڋ൱ IAMϢʔβʔ AWSϦιʔε ͓ؼΓ͍ͩ͘͞˝ εΠʔ

Slide 42

Slide 42 text

୯ͳΔʮڐՄʯͱ΋ 2.໌ࣔతͳڐՄ

Slide 43

Slide 43 text

ͲͪΒ͔ͰڐՄ͕༩͑ΒΕ͍ͯΔ IAMϢʔβʔ AWSϦιʔε Θͨ͠͸ ͜Ε͕Ͱ͖Δ ͜ͷਓʹ͸ ͜ΕΛڐ͢ खͿΒ

Slide 44

Slide 44 text

ڐՄ͞ΕΔ IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ͸௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ͸௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ৔߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ

Slide 45

Slide 45 text

ͪΐͬͱิ଍ ΞΧ΢ϯτ୯ҐͷڐՄͱ ΤϯςΟςΟ୯ҐͷڐՄ

Slide 46

Slide 46 text

ΞΧ΢ϯτΛ֗ͱͯ͠ߟ͑ͯΈΔ ֗ʢΞΧ΢ϯτʣA ֗B ֗C rootϢʔβʔ IAMϢʔβʔ 1,2,3 AWSϦιʔε

Slide 47

Slide 47 text

ϦιʔεϕʔεϙϦγʔͰͷڐՄͷ࢓ํ ֗ʢΞΧ΢ϯτʣA ֗B ֗C IAMϢʔβʔ

Slide 48

Slide 48 text

खͿΒͰ௨ΕΔͷ͸ΤϯςΟςΟ୯ҐͰڐՄ͞Εͨ΋ͷ ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ खͿΒ खͿΒ IAMϢʔβʔ1 IAMϢʔβʔ2 IAMϢʔβʔ3

Slide 49

Slide 49 text

Ұ൪ڧ͍ 3.໌ࣔతͳڋ൱

Slide 50

Slide 50 text

Ͳ͔͜Ͱ%FOZ͕༩͑ΒΕ͍ͯΕ͹ڋ൱ IAMϢʔβʔ AWSϦιʔε

Slide 51

Slide 51 text

໌ࣔతͳڋ൱͸ԿΑΓ΋ڧ͍ IAMϢʔβʔ AWSϦιʔε εΠʔ ௨͍͍ͯ͠ͱ ݴΘΕ͍͚ͯͨͲ ڋ൱͞Ε͍ͯΔΑ͏Ͱ͢Ͷ ௨ͯ͠͸͍͚ͳ͍ͱ ݴΘΕ͍ͯ·͢ εΠʔ

Slide 52

Slide 52 text

ΫϩεΞΧ΢ϯτͰͷධՁ࿦ཧ

Slide 53

Slide 53 text

ΞΧ΢ϯτΛލ͍ͩΞΫηε IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB

Slide 54

Slide 54 text

جຊతͳߟ͑ํ͸มΘΒͳ͍ • ҉໧తͳڋ൱ɺ໌ࣔతͳڐՄɺ໌ࣔతͳڋ൱ͷߟ͑ํ͸มΘΒͳ͍ • ΞΠσϯςΟςΟͱϦιʔεͷ྆ํͰAllow͕༩͑ΒΕ͍ͯͳ͍ͱ ҉໧తͳڋ൱ͱͳΔ • ϦιʔεଆͰͷڐՄ͸ɺΞΧ΢ϯτ୯ҐɾΤϯςΟςΟ୯ҐͷͲͪ ΒͰ΋ྑ͍

Slide 55

Slide 55 text

྆ํͰͷڐՄ͕ඞཁ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB

Slide 56

Slide 56 text

ϦιʔεଆͰͷڐՄ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ ֗"͔ΒͷΞΫηεΛڐՄ ͲͪΒͰ΋OK

Slide 57

Slide 57 text

ยํ͚ͩͷڐՄͩͱ҉໧తͳڋ൱ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB ͋ͳͨ͸ট଴٬Ϧετʹ ࡌ͍ͬͯΔ͚Ͳ ڐՄূΛ࣋ͬͯͳ͍Ͱ͢Ͷ

Slide 58

Slide 58 text

Α͘࢖͏ྫ ΫϩεΞΧ΢ϯτͰͷεΠονϩʔϧ

Slide 59

Slide 59 text

ผΞΧ΢ϯτͷૢ࡞ʹεΠονϩʔϧΛ࢖͏͜ͱ͕ଟ͍ IAMϢʔβʔ IAMϩʔϧ

Slide 60

Slide 60 text

*".ϩʔϧΛҾ͖ड͚Δͱ͸ IAMϢʔβʔ IAMϩʔϧ IAMϩʔϧΛ Ҿ͖ड͚ͨηογϣϯ ʢ੍࣌ؒݶ͋Γʣ IAMϩʔϧͱ ಉ౳ͷݖݶ IAMϙϦγʔ sts:AssumeRole

Slide 61

Slide 61 text

*".ϩʔϧΛҾ͖ड͚Δʹ͸ڐՄ͕ඞཁ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ʢ৴པϙϦγʔʣ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧ΢ϯτ ΞΫηε ಉ͡ΞΧ΢ϯτͰͷ ΞΫηε

Slide 62

Slide 62 text

ΨʔυϨʔϧ

Slide 63

Slide 63 text

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষͷର৅ ຊষͷର৅

Slide 64

Slide 64 text

ΨʔυϨʔϧʁ • ΍͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δ΋ͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ޿͍ڐՄΛ༩͑ͯ͠·ͬͯ΋ΨʔυϨʔϧʹΑΓ๷͙ • ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖Δ΋ͷͰ͸ͳ͍ • ࠓճऔΓ্͛Δͷ͸ҎԼ • Organizations SCPʢΞΧ΢ϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍΋ͷ͸҉໧తͳڋ൱ʹ ͳΔ

Slide 65

Slide 65 text

0SHBOJ[BUJPOTͱ͸ ϚωδϝϯτΞΧ΢ϯτ ΞΧ΢ϯτA ΞΧ΢ϯτB ΞΧ΢ϯτC SCP ෳ਺ͷAWSΞΧ΢ϯτΛ ֊૚Խͯ͠؅ཧͰ͖Δػೳɻ ݸʑͷAWSΞΧ΢ϯτʹ SCPΛׂΓ౰ͯΒΕΔɻ

Slide 66

Slide 66 text

0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ IAMϢʔβʔ AWSϦιʔε rootϢʔβʔ Organizations SCP ΞΧ΢ϯτ಺ͷrootϢʔβʔΛؚΉશͯͷΤϯςΟςΟͷΞΫγϣϯ͸SCPʹΑΔධՁΛड͚Δɻ ϩʔϧΛҾ͖ड͚ͨ ηογϣϯ

Slide 67

Slide 67 text

0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ SCPͰڐՄ͕༩͑ΒΕ͍ͯͳ͍ϦΫΤετ͸ଞͷύʔϛογϣϯʹؔ܎ͳ͘҉໧తͳڋ൱ͱͳΔ Organizations SCP ͜͜ͰڐՄ͞Ε͍ͯΔ ͜ͱ͕͢΂ͯ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱

Slide 68

Slide 68 text

1FSNJTTJPOTCPVOEBSZͱ͸ ʮΞΫηεڐՄͷڥքʯͱ΋ɻ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͱηοτͰߟ͑Δɻ IAMϢʔβʔ΋͘͠͸IAMϩʔϧ ʹׂΓ౰ͯՄೳͰɺIAMάϧʔϓ ʹ͸ׂΓ౰ͯෆՄɻ

Slide 69

Slide 69 text

1FSNJTTJPOTCPVOEBSZͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ηοτͰ࢖༻͢Δ ΞΠσϯςΟςΟϕʔεϙϦγʔͷ ධՁͷλΠϛϯάͰΨʔυϨʔϧͱͯ͠ػೳ

Slide 70

Slide 70 text

ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍৔߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ Permissions boundaryͰAllow͕ͳ͍৔߹ɺ҉໧తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ Ͱ͸ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ

Slide 71

Slide 71 text

ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ৔߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨ͸ট଴͞Ε͍ͯΔͷͰ ڐՄূ͸ݟͤͯ΋ΒΘͳͯ͘΋ େৎ෉Ͱ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋Ε͹ڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱

Slide 72

Slide 72 text

ΫϩεΞΧ΢ϯτͷ৔߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧ΢ϯτͷ৔߹ɺΞΠσϯςΟςΟϕʔεϙϦγʔ΋ධՁ͞ΕΔͨΊΨʔυϨʔϧ͕ൃಈ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ଞͷϙϦγʔͰ͸ ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ

Slide 73

Slide 73 text

͜͜·Ͱݟ͖ͯͨ಺༰ͷ੔ཧ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and- access-management-iam-part1 20190129 AWS Black Belt Online Seminar AWS Identity and Access Management (AWS IAM) Part1 ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ ΞΧ΢ϯτΛލ͍ͩ৔߹ͷҧ͍

Slide 74

Slide 74 text

ҟ୺ʂ 71$ΤϯυϙΠϯτϙϦγʔ

Slide 75

Slide 75 text

෼ྨ্͸ϦιʔεϕʔεϙϦγʔ͕ͩಛघ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

Slide 76

Slide 76 text

71$ΤϯυϙΠϯτϙϦγʔ VPC EC2ͳͲ VPCΤϯυϙΠϯτ VPC಺ͷϦιʔε͕αʔϏεΤϯυϙΠϯτʹ௨৴Λߦ͏ͨΊʹ࢖༻Ͱ͖ΔVPCΤϯυϙΠϯτɻ αʔϏεͷछผʹΑͬͯ͸ΤϯυϙΠϯτʹϙϦγʔΛઃఆͰ͖Δɻ

Slide 77

Slide 77 text

ΨʔυϨʔϧͱͯ͠ػೳ IAMϢʔβʔ AWSϦιʔε VPCΤϯυϙΠϯτ ͜͜Λܦ༝ͨ͠௨৴Ͱ ڐՄ͢Δͷ͸͜Ε͚ͩ ڐՄ͕ͳ͍΋ͷ͸ ҉໧తͳڋ൱

Slide 78

Slide 78 text

71$ΤϯυϙΠϯτϙϦγʔͷ࢖༻ྫ VPC VPCΤϯυϙΠϯτ VPC಺෦ͷϦιʔε͔Β֎෦ͷS3όέοτ΁ͷΞΫηε͕ෆՄͱͳΔΑ͏ VPCΤϯυϙΠϯτϙϦγʔΛ࢖༻͢Δɻ

Slide 79

Slide 79 text

·ͱΊ

Slide 80

Slide 80 text

঺հͨ͠΋ͷͷશ෦੝Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧ΢ϯτΞΫηε

Slide 81

Slide 81 text

঺հͨ͠΋ͷͷશ෦੝Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧ΢ϯτΞΫηε 1FSNJTTJPOT CPVOEBSZ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ 0SHBOJ[BUJPOT 4$1 71$ΤϯυϙΠϯτ ϙϦγʔ ϦιʔεϕʔεϙϦγʔ

Slide 82

Slide 82 text

·ͱΊ • IAMͷධՁ࿦ཧͷ݁Ռ͸ҎԼͷ͍ͣΕ͔ͱͳΔ • ҉໧తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ͸༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Ε͹ඞͣ͜ΕʹͳΔʣ • ҉໧తͳڋ൱ͱͳΔྫ͸ҎԼ • ΞΠσϯςΟςΟͰ΋ϦιʔεͰ΋Allow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧ΢ϯτͷ৔߹ʹ૒ํͰڐՄ͞Ε͍ͯͳ͍

Slide 83

Slide 83 text

No content