AWS Management Services

Slide 1

Slide 1 text

AWS Management Services JAWSUG Yokohama #73 @ijin Sep 3, 2024

Slide 2

Slide 2 text

AWS Management services 1. Control Tower 2. IAM Identity Center 3. Organizations

Slide 3

Slide 3 text

• ϚϧνΞΧ΢ϯτઓུ • ؀ڥͷ෼཭؅ཧ • νʔϜɾϢʔβʔͷ෼཭؅ཧ • ηΩϡϦςΟͱ౷੍ͷ؅ཧ • ίετ؅ཧ AWS Organizations

Slide 4

Slide 4 text

AWS Organizations ߏ੒ྫɿ Organization UnitʢOUʣͰά ϧʔϐϯάΛ͠ɺOU୯ҐͰͷݖݶ ΍SCPઃఆ͕Մೳ

Slide 5

Slide 5 text

AWS Organizations ஫ҙ఺ “Unable to create the environment. You must verify your account before accessing CloudShell. To verify your account, contact AWS Support .” ৽ن࡞੒ΞΧ΢ϯτ͸͍Ζ͍Ζ੍ݶ͞ΕΔ৔߹͕͋Δɻverify͕ඞཁ ͩͬͨΓquota͕ஶ͘͠௿͔ͬͨΓɻ → Service Quotas request templatesͰΞΧ΢ϯτ࡞੒࣌ʹQuotaͷ ্ݶ؇࿨ΛϦΫΤετ͢ΔςϯϓϨʔτΛ࢖ͬͨΓ΋Ͱ͖Δ

Slide 6

Slide 6 text

• چAWS Single Sign-On • IAMϢʔβʔΛഇࢭ͠ɺSSOϢʔβʔͰSSOϩάΠϯ • Identity Source΋બ୒Մೳ • Identity Center • Active Directory • ֎෦Identity Provider (IdP) - GoogleϩάΠϯ౳ AWS IAM Identity Center

Slide 7

Slide 7 text

AWS IAM Identity Center Users x Groups x Permission Sets x Accounts ΞϓϦͷׂΓ౰ͯϩʔϧ (Permission Set) ʮʓʓΞϓϦBASEʯάϧʔϓʹଐ͍ͯ͠Δ৔߹ɺʓʓΞϓϦ༻ͷ֤؀ڥ ʢ։ൃ/εςʔδϯά/ڭҭ/ຊ൪ʣͷAWSΞΧ΢ϯτʹ ReadOnlyAccess ͕ Մೳ ʮʓʓΞϓϦ։ൃʯάϧʔϓʹଐ͍ͯ͠Δ৔߹ɺ։ൃ/εςʔδϯά؀ڥͷ AWSΞΧ΢ϯτʹରͯ͠ AdministratorAccess ͕Մೳ ʮʓʓΞϓϦADMINʯάϧʔϓʹଐ͍ͯ͠Δ৔߹ɺڭҭ/ຊ൪؀ڥͷAWSΞ Χ΢ϯτʹରͯ͠ AdministratorAccess ͕Մೳ ʮSandboxʯͷׂΓ౰ͯϩʔϧ͸ɺʮSandboxʯAWSΞΧ΢ϯτʹରͯ͠ AdministratorAccess ͕Մೳ

Slide 8

Slide 8 text

AWS IAM Identity Center Permission Set΍Groupsͷઃఆ Iac (Terraform)

Slide 9

Slide 9 text

AWS IAM Identity Center Iac (Terraform) Permission Set΍Groupsͷ࣮૷

Slide 10

Slide 10 text

AWS IAM Identity Center IaC (Terraform) • ୭Ͱ΋༰қʹϢʔβʔ௥Ճɾมߋɾ࡟আͰ͖ΔΑ͏ʹCSV؅ཧ

Slide 11

Slide 11 text

AWS IAM Identity Center ஫ҙ఺ • Ϧʔϯδϣϯ࡞੒ʹ஫ҙʢus-east-1Ͱ࡞ͬͪΌͬͨʣ • Access Portal URL (https://s9.awsapps.com/start )ઃఆ͸1ճͷΈʂ • TerraformͰsso user࡞੒ޙʹࣗಈϝʔϧૹ৴͸͞Εͳ͍ɻAPIͷ੍ݶΒ͍͠ɻ • https://github.com/hashicorp/terraform-provider-aws/issues/28102 • ॳճϩάΠϯ࣌ʹύεϫʔυઃఆϦϯΫ͸ϝʔϧૹ৴͞ΕΔ • ύεϫʔυڧ౓౳ͷཁ݅͸ݻఆ • https://docs.aws.amazon.com/singlesignon/latest/userguide/password- requirements.html

Slide 12

Slide 12 text

AWS Control Tower • ૊৫ͷ౷߹؅ཧ • ΞΧ΢ϯτൃߦ • SCP؅ཧʢControls͸چGuardrailsʣ • preventativeʢ༧๷ʣ • detectiveʢݕग़ʣ • proactiveʢϓϩΞΫςΟϒʣ • ࣮ଶ͸Con fi g rules, Security Hub΍Cloudformation Hooks/Guard

Slide 13

Slide 13 text

AWS Control Tower • SCP͸શ513छྨʂʢ2024/9/3ݱࡏʣ • Ͳ͏ద༻͢Δ͔ʁ • Strongly recommendʢڧ͘ਪ঑͞ΕΔʣcontrol͸جຊઃఆ͢Δ • AWS Foundational Best practices౳ͷΨΠυϥΠϯΛݩʹ͢Δ • ཁ݅ʹԠͯ͡ݸผOUΛઃఆ͍ͯ͘͠

Slide 14

Slide 14 text

AWS Control Tower ΨΠυϥΠϯ͔Β४ڌ͢ΔControlΛ൑ผʢۤߦɻɻʣ

Slide 15

Slide 15 text

AWS Control Tower • universal controls • શͯͷOUʹద༻͍ͨ͠control • main_ou_controls • Sandbox OU͸ಛघͳҝʢޙड़ʣɺ  ෼͚ͯΔ • Individual ou controls • ݸผʹద༻͍ͨ͠OU Iac (Terraform) Controlͷઃఆ

Slide 16

Slide 16 text

AWS Control Tower • Map͔Β͍͍ײ͡ʹՃ޻ͨ͠controlͱou ͷηοτΛ࡞੒ • ou x controlͰͦΕͧΕద༻ • ਌OUʹద༻ͯ͠΋ࢠOUʹ͸͸ޮ͔ͳ͍ • ݁ߏͳ૊Έ߹ΘͤʹͳΔͷͰ࣌ؒ͸͔͔Δ • Terraform΍CI/CDͷద੾ͳλΠϜΞ΢ τઃఆ͕ඞཁ Iac (Terraform) Controlͷ࣮૷

Slide 17

Slide 17 text

AWS Control Tower Accont Factory for Terraform • accountൃߦࣗମ͸AWSެࣜͷιϦϡʔγϣϯͰࣗಈԽ • ΍΍ෳࡶͳҹ৅ • 4ͭͷϦϙδτϦ͕ඞཁ

Slide 18

Slide 18 text

AWS Control Tower ஫ҙ఺ “Error: updating ControlTower Landing Zone (4BN0Z52M0WTJOIGE): operation error ControlTower: UpdateLandingZone, https response error StatusCode: 400, RequestID: af1803fb-35c6-40c6-9e2c-777db5d8956c, ValidationException: The LandingZoneManifest that you provided is not compliant with the LandingZoneManifest schema. For information about formatting, see https://docs.aws.amazon.com/controltower/latest/ userguide/lz-api-launch.html.”  Control TowerͷLanding zoneΛTerraformͰ؅ཧ͠Α͏ͱͨ͠ΒΤϥʔ͕ɻݱঢ়͸landing zoneʹݶͬͯ͸؅ཧର৅֎ʹ͢ΔͷΛਪ঑͢Δɻcontrol౳͸ok ɾͦ΋ͦ΋ৄࡉAPIυΩϡϝϯτͷෆ଍ ɾTerraform issue ɾhttps://github.com/hashicorp/terraform-provider-aws/issues/35763

Slide 19

Slide 19 text

AWS Control Tower ஫ҙ఺ Control Tower༗ޮԽʹ࡞੒͞ΕΔSecurity OUʢLog Archive΍ Audit account༻ʣ͸ಛผʹઃܭ͞Ε͓ͯΓɺಛఆͷ੍໿΍ඞਢͷ control͕ద༻͞Ε͍ͯΔͨΊɺ௥Ճͷબ୒తcontrolΛద༻͠Α͏ ͱ͢Δͱڝ߹ͯ͠ΤϥʔʹͳΔՄೳੑ͋Γ →ɹSecurity OU͸ผ࿮ͱͯ͠ѻ͏

Slide 20

Slide 20 text

AWS Control Tower ஫ҙ఺ ControlͷARN͸چGuardrailͷํ͕෼͔Γ΍͔ͬͨ͢ arn:aws:controltower:us-east-1::control/AWS- GR_CLOUDTRAIL_CHANGE_PROHIBITED ࠓ͸ϥϯμϜจࣈྻ͕ࣝผࢠɻ͔͠΋Ϧʔδϣϯ୯ҐͰҧ͏ʂ😱 CT.CLOUDFORMATION.PR.1 → ɾarn:aws:controltower:us-east-1::control/WTDSMKDKDNLE ɾarn:aws:controltower:ap-northeast-1::control/TUJJPJIYTMNX https://docs.aws.amazon.com/controltower/latest/controlreference/control-region- tables.html

Slide 21

Slide 21 text

AWS management services ࠓ΋ઈࢍऔΓࠐΈதʂ • Security Hub • Guardrails • Macie • Etc..