Slide 1
Slide 1 text
Ops JAWS Meetup#17
re:Invent2019 Recap
IAMͷຯͳUpdateΛ͝հ
Slide 2
Slide 2 text
ࠓΛҾͨ͘͘͞Μͷൃද͕͋Γ·ͨ͠
w&,4͕͍ͭʹ'BSHFUFରԠʂ
IUUQTBXTBNB[PODPNKQCMPHTOFXTBNB[POFLTPOBXTGBSHBUFOPXHFOFSBMMZBWBJMBCMF
w%FFQγϦʔζͱͯ͠%FFQ$PNQPTFS͕ؒೖΓʂ
IUUQTBXTBNB[PODPNKQEFFQDPNQPTFS
w"*ܥαʔϏεͷ6QEBUF͕നԡ͠ʂ
Slide 3
Slide 3 text
ओཁαʔϏεͷհଞͷํʹ͓ͤͯ͠ɺ
ࢲ͔Βຯͳ6QEBUFΛҰ͚ͭͩ͝հ͠·͢
Slide 4
Slide 4 text
͝հ͢Δ6QEBUF
*".ϩʔϧೝূใͷ࠷ऴ༻͕࣌
औಘͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂʂ
https://aws.amazon.com/jp/about-aws/whats-new/2019/11/identify-unused-iam-roles-easily-and-remove-them-confidently-by-using-the-last-used-timestamp/
Slide 5
Slide 5 text
Ϛωδϝϯτίϯιʔϧ
Slide 6
Slide 6 text
BXTJBNHFUSPMFSPMFOBNFUFTUSPMF
\
3PMF\
ɾ
ɾ
ɾ
3PMF-BTU6TFE\
-BTU6TFE%BUF5YYYYYY;
3FHJPOBQOPSUIFBTU
$-*
Slide 7
Slide 7 text
ຯ͗͢ΔΞοϓσʔτ
wϖʔδʹٴͿ#MBDL#FMUࢿྉʹ
هࡌແ͠
w"84+ُా͞ΜͷϒϩάͰߦ͚ͩ
հ
Slide 8
Slide 8 text
࠷ऴ༻͕࣌औಘͰ͖ΔͱͲ͏͍͏໘Ͱ
ϋοϐʔʹͳΕΔ͔આ໌͍͖ͯ͠·͢
Slide 9
Slide 9 text
ͪΐͬͱ࣭
Έͳ͞Μ*".ͬͯ·͔͢ʁ
Slide 10
Slide 10 text
"84ͬͯΔ㲈*".ͬͯΔ
"84Λ༻͢Δ্Ͱɺ*".΄΅ඞਢ
Slide 11
Slide 11 text
*".͓͞Β͍
*". "84*EFOUJUZBOE.BOBHFNFOU
"84ར༻ʹؔ͢ΔೝূೝՄΛ࢘ΔαʔϏε
w*".Ϣʔβ
‣ "84αʔϏεͷΞΫηεΛߦ͏ݸਓɺγεςϜ͕ར༻͢Δ
w*".άϧʔϓ
‣ ಉҰׂΛ࣋ͭ*".ϢʔβΛάϧʔϓԽ͢Δ
w*".ϩʔϧɹɹˡࠓͷϝΠϯ
‣ "84αʔϏεʹରͯ͠"84αʔϏεͷૢ࡞ݖݶΛ༩͑Δ
w*".ϙϦγʔ
‣ "84αʔϏεͷΞΫηεݖݶΛ·ͱΊͨͷ
Slide 12
Slide 12 text
*".ϩʔϧ૿৩͕ͪ͠
wϦιʔεϨϕϧͰ༩͢ΔݖݶΛ͚Α͏ͱ͢ΔͱϦιʔε*".ϩʔ
ϧ͕ඞཁʹͳΔ
wϚωδϝϯτίϯιʔϧ͔ΒͷϦιʔε࡞࣌ʹϙϦγʔΛΑ͠ͳʹ༩
ͨ͠*".ϩʔϧΛ࡞ͯ͘͠ΕΔ͜ͱ͕͋Δ
Slide 13
Slide 13 text
ະ༻ͷ*".ϩʔϧΓ͍͢
wϦιʔεআ࣌Ұॹʹআͯ͘͠Εͳ͍
w*".ϩʔϧࣗମʹ՝͕ۚൃੜ͠ͳ͍ͷͰɺ
ҙࣝతʹআ͠Α͏ͱͳΓʹ͍͘
w୨Է͠͠Α͏ʹɺ֤ؔॴ͕ଟ͗͢Δͱɺ
͍͍ͪͪώΞϦϯάͯ͠ΒΕͳ͍
Slide 14
Slide 14 text
ະ༻ͷ*".ϩʔϧ͕͋Δͱμϝʁ
wཧෛՙ͕૿͑Δ
wҙਤ͠ͳ͍"84αʔϏεʹؔ࿈͚ͮΒΕΔϦεΫ͕૿͑Δ
Slide 15
Slide 15 text
ະ༻ͷ*".ϩʔϧ
ͪΌΜͱແޮԽPSআ͠·͠ΐ͏ʂ
Slide 16
Slide 16 text
ະ༻ͷ*".ϩʔϧΛݟ͚ͭΔ
࠷ऴ༻͔࣌Β
Ұఆظؒܦա͍ͯ͠Δ*".ϩʔϧΛະ༻ͱΈͳ͢
Slide 17
Slide 17 text
୨Էࣗ͠ಈԽ
खಈ୨Է͠৭ʑͱ൵͠Έ͕ଟ͍ͷͰ
"84$POpH3VMFTΛͬͯࣗಈԽ͠Α͏ʂ
Slide 18
Slide 18 text
"84$POpH3VMFT͓͞Β͍
w"84$POpH3VMFT
‣"84αʔϏε͕ɺఆٛͨ͠ઃఆঢ়ଶͱͳ͍ͬͯΔ͔ΛධՁ
‣"84͕ఏڙ͢ΔϚωʔδυϧʔϧͱϢʔβଆͰࣗ༝ʹධՁ༰Λ
ఆٛͰ͖ΔΧελϜϧʔϧ͕͋Δ
‣ධՁճʹର͢Δ՝ۚͱͳ͓ͬͯΓ͓͍҆ ݄d
Slide 19
Slide 19 text
"84$POpH3VMFTΛ༻͍ͨࣗಈ୨Է͠
ఆظతʹ$POpH3VMFΛىಈ
-BNCEBΛݺͼग़͢
*".ϩʔϧͷྻڍͱ࠷ऴ༻࣌Λऔಘ͢Δ"1*Λݺͼग़͢
*"."1*ͷ݁ՌΛ-BNCEBʹฦ͢
४ڌඇ४ڌͷ݁ՌΛ$POpHʹઃఆ
࠷ऴ༻͔࣌Βʓʓؒܦա͍ͯ͠Δ͔ΛνΣοΫ͢ΔΧελϜϧʔϧ
https://aws.amazon.com/jp/blogs/security/continuously-monitor-unused-iam-roles-aws-config/
Slide 20
Slide 20 text
"84$POpH3VMFT݁Ռ
Slide 21
Slide 21 text
ࣗಈम෮Մೳʂ
44."VUPNBUJPOͱ࿈ܞͨ͠ඇ४ڌϦιʔεͷࣗಈम෮
wϩʔϧࣗମͷআ
wϩʔϧอ࣋͢Δ͕ɺશڋ൱͢ΔϙϦγʔΛΞλον
Slide 22
Slide 22 text
·ͱΊ
w *".ϩʔϧͷ࠷ऴར༻͕͔࣌ΔΑ͏ʹͳΓ·ͨ͠
w ະ༻*".ϩʔϧΛࣗಈ୨Էͯ͠͠ɺηΩϡϦςΟΛ୲อ
͠·͠ΐ͏
Slide 23
Slide 23 text
͝੩ௌ
͋Γ͕ͱ͏͍͟͝·ͨ͠