Ops JAWS Meetup#17 re:Invent2019 Recap IAMͷ஍ຯͳUpdateΛ͝঺հ

ࠓ೥΋໨ΛҾͨ͘͘͞Μͷൃද͕͋Γ·ͨ͠ w&,4͕͍ͭʹ'BSHFUFରԠʂ IUUQTBXTBNB[PODPNKQCMPHTOFXTBNB[POFLTPOBXTGBSHBUFOPXHFOFSBMMZBWBJMBCMF w%FFQγϦʔζͱͯ͠%FFQ$PNQPTFS͕஥ؒೖΓʂ IUUQTBXTBNB[PODPNKQEFFQDPNQPTFS w"*ܥαʔϏεͷ6QEBUF͕໨നԡ͠ʂ

ओཁαʔϏεͷ঺հ͸ଞͷํʹ͓೚ͤͯ͠ɺ ࢲ͔Β͸஍ຯͳ6QEBUFΛҰ͚ͭͩ͝঺հ͠·͢

͝঺հ͢Δ6QEBUF *".ϩʔϧೝূ৘ใͷ࠷ऴ࢖༻೔͕࣌ औಘͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂʂ https://aws.amazon.com/jp/about-aws/whats-new/2019/11/identify-unused-iam-roles-easily-and-remove-them-confidently-by-using-the-last-used-timestamp/

Ϛωδϝϯτίϯιʔϧ

BXTJBNHFUSPMFSPMFOBNFUFTUSPMF \ 3PMF\ ɾ ɾ ɾ 3PMF-BTU6TFE\ -BTU6TFE%BUF5YYYYYY; 3FHJPOBQOPSUIFBTU $-*

஍ຯ͗͢ΔΞοϓσʔτ wϖʔδʹٴͿ#MBDL#FMUࢿྉʹ ͸هࡌແ͠ w"84+ُా͞ΜͷϒϩάͰ͸ߦ͚ͩ ঺հ

࠷ऴ࢖༻೔͕࣌औಘͰ͖ΔͱͲ͏͍͏৔໘Ͱ ϋοϐʔʹͳΕΔ͔આ໌͍͖ͯ͠·͢

ͪΐͬͱ࣭໰ Έͳ͞Μ*".࢖ͬͯ·͔͢ʁ

"84࢖ͬͯΔ㲈*".࢖ͬͯΔ "84Λ࢖༻͢Δ্Ͱɺ*".͸΄΅ඞਢ

*".͓͞Β͍ *". "84*EFOUJUZBOE.BOBHFNFOU "84ར༻ʹؔ͢ΔೝূೝՄΛ࢘ΔαʔϏε w*".Ϣʔβ ‣ "84αʔϏε΁ͷΞΫηεΛߦ͏ݸਓɺγεςϜ͕ར༻͢Δ w*".άϧʔϓ ‣ ಉҰ໾ׂΛ࣋ͭ*".ϢʔβΛάϧʔϓԽ͢Δ w*".ϩʔϧɹɹˡࠓ೔ͷϝΠϯ ‣ "84αʔϏεʹରͯ͠"84αʔϏε΁ͷૢ࡞ݖݶΛ༩͑Δ w*".ϙϦγʔ ‣ "84αʔϏε΁ͷΞΫηεݖݶΛ·ͱΊͨ΋ͷ

*".ϩʔϧ͸૿৩͕ͪ͠ wϦιʔεϨϕϧͰ෇༩͢ΔݖݶΛ෼͚Α͏ͱ͢ΔͱϦιʔε਺෼*".ϩʔ ϧ͕ඞཁʹͳΔ wϚωδϝϯτίϯιʔϧ͔ΒͷϦιʔε࡞੒࣌ʹϙϦγʔΛΑ͠ͳʹ෇༩ ͨ͠*".ϩʔϧΛ࡞੒ͯ͘͠ΕΔ͜ͱ͕͋Δ

ະ࢖༻ͷ*".ϩʔϧ࢒Γ΍͍͢໰୊ wϦιʔε࡟আ࣌͸Ұॹʹ࡟আͯ͘͠Εͳ͍ w*".ϩʔϧࣗମʹ͸՝͕ۚൃੜ͠ͳ͍ͷͰɺ
 ҙࣝతʹ࡟আ͠Α͏ͱͳΓʹ͍͘ w୨Է͠͠Α͏ʹ΋ɺؔ܎֤ॴ͕ଟ͗͢Δͱɺ
 ͍͍ͪͪώΞϦϯάͯ͠ΒΕͳ͍

ະ࢖༻ͷ*".ϩʔϧ͕͋Δͱμϝʁ w؅ཧෛՙ͕૿͑Δ wҙਤ͠ͳ͍"84αʔϏεʹؔ࿈͚ͮΒΕΔϦεΫ͕૿͑Δ

ະ࢖༻ͷ*".ϩʔϧ͸ ͪΌΜͱແޮԽPS࡟আ͠·͠ΐ͏ʂ

ະ࢖༻ͷ*".ϩʔϧΛݟ͚ͭΔ ࠷ऴ࢖༻೔͔࣌Β Ұఆظؒܦա͍ͯ͠Δ*".ϩʔϧΛະ࢖༻ͱΈͳ͢

୨Էࣗ͠ಈԽ खಈ୨Է͠͸৭ʑͱ൵͠Έ͕ଟ͍ͷͰ "84$POpH3VMFTΛ࢖ͬͯࣗಈԽ͠Α͏ʂ

"84$POpH3VMFT͓͞Β͍ w"84$POpH3VMFT ‣"84αʔϏε͕ɺఆٛͨ͠ઃఆঢ়ଶͱͳ͍ͬͯΔ͔ΛධՁ ‣"84͕ఏڙ͢ΔϚωʔδυϧʔϧͱϢʔβଆͰࣗ༝ʹධՁ಺༰Λ ఆٛͰ͖ΔΧελϜϧʔϧ͕͋Δ ‣ධՁճ਺ʹର͢Δ՝ۚͱͳ͓ͬͯΓ͓͍҆ ೥݄d

"84$POpH3VMFTΛ༻͍ͨࣗಈ୨Է͠ ఆظతʹ$POpH3VMFΛىಈ -BNCEBΛݺͼग़͢ *".ϩʔϧͷྻڍͱ࠷ऴ࢖༻೔࣌Λऔಘ͢Δ"1*Λݺͼग़͢ *"."1*ͷ݁ՌΛ-BNCEBʹฦ͢ ४ڌඇ४ڌͷ݁ՌΛ$POpHʹઃఆ ࠷ऴ࢖༻೔͔࣌Βʓʓ೔ؒܦա͍ͯ͠Δ͔ΛνΣοΫ͢ΔΧελϜϧʔϧ https://aws.amazon.com/jp/blogs/security/continuously-monitor-unused-iam-roles-aws-config/

"84$POpH3VMFT݁Ռ

ࣗಈम෮΋Մೳʂ 44."VUPNBUJPOͱ࿈ܞͨ͠ඇ४ڌϦιʔεͷࣗಈम෮ wϩʔϧࣗମͷ࡟আ wϩʔϧ͸อ࣋͢Δ͕ɺશڋ൱͢ΔϙϦγʔΛΞλον

·ͱΊ w *".ϩʔϧͷ࠷ऴར༻೔͕࣌෼͔ΔΑ͏ʹͳΓ·ͨ͠ w ະ࢖༻*".ϩʔϧΛࣗಈ୨Էͯ͠͠ɺηΩϡϦςΟΛ୲อ ͠·͠ΐ͏

͝੩ௌ ͋Γ͕ͱ͏͍͟͝·ͨ͠