Slide 1

Slide 1 text

Copyright © mediba Inc. All Rights Reserved
The history of IAM user management at mediba
Infrastructure / Network Engineer Study Group Vol.1

Slide 2

Slide 2 text

Self-introduction
Name: Kazuki Numazawa (沼沢 一樹)
Affiliation: mediba Inc., Infrastructure Department
What I do: mainly design, build and operate system infrastructure on AWS
AWS experience: 7 years
2016 AWS Ultra Quiz champion

Slide 3

Slide 3 text

Company introduction
mediba Inc.
Business: besides operating au-related services centred on KDDI Corporation's au Smart Pass, mediba runs services in a wide range of fields, including culture, games and child-rearing, in Japan and abroad, providing services that let users reach the information they need, when they need it, via the Internet.
* au Smart Pass is a trademark or registered trademark of KDDI Corporation.
Excerpt from https://www.mediba.jp/company/info.html

Slide 4

Slide 4 text

Company introduction
Put simply:
• we run au-related services
• we also run various services outside au
Through these, delivering "HAPPY" to people is our mission.

Slide 5

Slide 5 text

Company introduction
Some of the au-related services we handle:
• au Web portal ( https://auone.jp/ )
• the news section of the au Web portal ( https://article.auone.jp/ )
• au Weather ( https://tenki.auone.jp/ )
• Collect points ( https://enjoy.point.auone.jp/ )
• some of the content within au Smart Pass
• member benefits, unlimited app downloads, sign-up/withdrawal, etc.

Slide 6

Slide 6 text

Main topic

Slide 7

Slide 7 text

[Early days] (around 2013 to 2015)

Slide 8

Slide 8 text

IAM user management [early days]
• mediba has used AWS since around 2013
• AWS accounts were issued through a certain blog's company and used that way
• so at least the anti-pattern of all anti-patterns, "using the root user", was avoided

Slide 9

Slide 9 text

Incidentally, I did do that at my previous job, YO! (said quietly)

Slide 10

Slide 10 text

IAM user management [early days]
• In the beginning there were still only
  • a handful of accounts
  • a handful of users
• IAM users at the time:
  • a personal IAM user was created in each AWS account

Slide 11

Slide 11 text

IAM user management [early days]

Slide 12

Slide 12 text

[Turning point] (2015)

Slide 13

Slide 13 text

IAM user management [turning point]
The year is 2015
Before we knew it, the number of accounts had become huge
→ and naturally the number of IAM users had ballooned too

Slide 14

Slide 14 text

Why?

Slide 15

Slide 15 text

IAM user management [turning point]
• Every time a product using AWS was added, three more accounts were created
• By around 2015 there were something like 40 accounts, give or take
• Creating and managing IAM users per account was honestly getting painful
• I imagine it was tiring for users too, logging in and out over and over

Slide 16

Slide 16 text

IAM user management [turning point]
• Around this time, the security side also started to worry us
• Up to this point, login was by ID/password only

Slide 17

Slide 17 text

[Transition period] (2015)

Slide 18

Slide 18 text

IAM user management [transition period]
• Managing IAM users is cumbersome
• The security of IAM users is a concern

Slide 19

Slide 19 text

To solve both of these at once,

Slide 20

Slide 20 text

we adopted the "bastion AWS account" approach

Slide 21

Slide 21 text

IAM user management [transition period]

Slide 22

Slide 22 text

IAM user management [transition period]
• The idea is the same as a bastion (jump) server
• Provide an AWS account that serves solely as the entry point to each environment of each product
• Since there is now a single entry point, enable CloudTrail there to record and monitor logins
• Require MFA on the IAM users in the bastion account to improve security
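The slide's "enable CloudTrail on the single entry point and monitor logins" step is what makes the bastion account worth having. The following is an added example, not code from the talk or from mediba: it runs a few detection rules over constructed CloudTrail records. The field names (eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin, userIdentity, sourceIPAddress, requestParameters.roleArn) follow the real CloudTrail schema; every value, the office CIDR and the failure threshold are made up for the example.

```python
"""Detection rules over a bastion account's CloudTrail records (added example)."""
import ipaddress
import json
from collections import Counter

OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range
FAILURE_THRESHOLD = 3                                    # assumed alerting threshold


def _event(name, source, identity, ip, **extra):
    """Build one constructed CloudTrail-style record."""
    rec = {"eventName": name, "eventSource": source, "userIdentity": identity,
           "sourceIPAddress": ip}
    rec.update(extra)
    return rec


# Constructed sample trail: one clean login, one login without MFA, three failed
# logins, a root login, and two role switches (console switches appear as
# SwitchRole from signin.amazonaws.com, API calls as AssumeRole from sts).
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("ConsoleLogin", "signin.amazonaws.com", {"type": "IAMUser", "userName": "alice"},
           "203.0.113.10", additionalEventData={"MFAUsed": "Yes"},
           responseElements={"ConsoleLogin": "Success"}),
    _event("ConsoleLogin", "signin.amazonaws.com", {"type": "IAMUser", "userName": "bob"},
           "198.51.100.7", additionalEventData={"MFAUsed": "No"},
           responseElements={"ConsoleLogin": "Success"}),
    *[_event("ConsoleLogin", "signin.amazonaws.com", {"type": "IAMUser", "userName": "bob"},
             "198.51.100.7", additionalEventData={"MFAUsed": "No"},
             responseElements={"ConsoleLogin": "Failure"}) for _ in range(3)],
    _event("ConsoleLogin", "signin.amazonaws.com", {"type": "Root"},
           "203.0.113.10", additionalEventData={"MFAUsed": "Yes"},
           responseElements={"ConsoleLogin": "Success"}),
    _event("SwitchRole", "signin.amazonaws.com", {"type": "IAMUser", "userName": "alice"},
           "203.0.113.10",
           requestParameters={"roleArn": "arn:aws:iam::222222222222:role/Administrator"}),
    _event("AssumeRole", "sts.amazonaws.com", {"type": "IAMUser", "userName": "carol"},
           "198.51.100.7",
           requestParameters={"roleArn": "arn:aws:iam::222222222222:role/Developer"}),
]})


def from_office(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETS)


def analyze(trail_json: str) -> list:
    """Return findings in record order, followed by per-user failed-login bursts."""
    findings = []
    failures = Counter()
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type")
        ip = rec.get("sourceIPAddress", "")
        if rec["eventName"] == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if ident.get("type") == "Root":
                # The deck's whole point is that root is never needed day to day.
                findings.append({"rule": "root-console-login", "user": who, "ip": ip})
            if outcome == "Success" and mfa != "Yes":
                # Possible on the bastion even though the role trust policy will
                # later block the switch; still worth chasing up with the user.
                findings.append({"rule": "login-without-mfa", "user": who, "ip": ip})
            if outcome == "Failure":
                failures[who] += 1
        elif rec["eventName"] in ("AssumeRole", "SwitchRole") and ident.get("type") == "IAMUser":
            role = rec.get("requestParameters", {}).get("roleArn", "")
            if not from_office(ip):
                findings.append({"rule": "switch-from-outside-office", "user": who,
                                 "ip": ip, "role": role})
    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append({"rule": "repeated-login-failures", "user": user, "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRAIL):
        print(finding)
```

Run against a real trail, the same loop would read the gzipped JSON objects CloudTrail writes to S3; the rules are the ones the deck's design implies (root use, non-MFA logins, switches from outside the office, password guessing against bastion users).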

Slide 23

Slide 23 text

[Maturity period] (2016 to present)

Slide 24

Slide 24 text

From here on, I'll show the configuration we actually use.

Slide 25

Slide 25 text

The AWS accounts of each environment of each product (the real environments)

Slide 26

Slide 26 text

Real-environment side
• Right after a new AWS account is issued, the first step is to create an IAM role for cross-account access
• This IAM role is configured to allow use from the bastion account
• with "MFA required" set as a condition

Slide 27

Slide 27 text

Real-environment side
• Roughly the following kinds of IAM roles are prepared:
  • For administrators
    • Administrator
  • For full-time employees
    • everything allowed except some IAM permissions
  • For (non-employee) developers
    • only the permissions for the services used by the product they work on
  • ReadOnly
    • read-only access (ROM only)

Slide 28

Slide 28 text

Real-environment side
Incidentally, when this scheme was introduced during the transition period, the roles described above were created in every AWS account that existed at the time.
After that, once personal IAM users had been created in the bastion AWS account and role switching had been confirmed to work, all personal IAM users on the real-environment side were deleted.

Slide 29

Slide 29 text

Real-environment side
• From then on, creating IAM users is prohibited in principle
• Use of IAM roles is promoted and encouraged
• However, once in a while there is a pattern that can only be handled with an access key / secret access key
• In that case, after consultation, an IAM user is created as an exception

Slide 30

Slide 30 text

The bastion AWS account side

Slide 31

Slide 31 text

Bastion side
• Personal IAM users are created only here
• MFA is set up on every IAM user
• Apart from administrator IAM users, only the following permissions are granted:
  • permission to switch roles (sts:AssumeRole)
  • permission to configure one's own MFA
  • permission to set one's own password

Slide 32

Slide 32 text

Bastion side
• Even without MFA configured, a user can still log in to the bastion
• But the "MFA required" condition mentioned earlier is attached to the cross-account roles
• That condition blocks role switching for users who have not set up MFA
• This prevents continued use without MFA ever being configured

Slide 33

Slide 33 text

Bastion side
• IAM users of non-employees also get an operation restriction by source IP
• AWS cannot restrict access to the console itself, so logging in to the bastion is possible from anywhere
• However, non-employees are not expected to work from outside the office
• hence the source-IP operation restriction
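Slides 26 and 31 to 33 describe three policy documents without showing them: the cross-account role's trust policy with its "MFA required" condition, the bastion user's minimal permission set (switch, own MFA, own password), and the source-IP restriction for non-employees. The following is an added example, not the deck's or mediba's own policy text; account ids, role names and the office CIDR are constructed placeholders, and the condition evaluator at the bottom is a deliberately simplified model of IAM's Bool / IpAddress / NotIpAddress operators, just enough to show why a user without MFA can still sign in to the bastion but cannot switch roles.

```python
"""Bastion-account IAM policies plus a simplified condition check (added example)."""
import ipaddress

BASTION_ACCOUNT = "111111111111"  # constructed
PRODUCT_ACCOUNT = "222222222222"  # constructed
OFFICE_CIDR = "203.0.113.0/24"    # constructed office range


def cross_account_trust_policy(bastion_account: str) -> dict:
    """Trust policy for every role in a real-environment account: callers must come
    from the bastion account and must have authenticated with MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{bastion_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def bastion_user_policy(accounts: list, roles: list, office_cidr: str = None) -> dict:
    """Identity policy for a non-admin bastion user: switch roles, manage own MFA and
    own password, nothing else. office_cidr adds the non-employee source-IP deny."""
    me = "arn:aws:iam::*:user/${aws:username}"
    my_mfa = "arn:aws:iam::*:mfa/${aws:username}"
    stmts = [
        {"Sid": "SwitchRole", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": [f"arn:aws:iam::{a}:role/{r}" for a in accounts for r in roles]},
        {"Sid": "SetUpOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                    "iam:ResyncMFADevice", "iam:ListMFADevices"],
         "Resource": [my_mfa, me]},
        # Removing MFA requires an MFA-authenticated session, otherwise a stolen
        # password alone would be enough to strip the second factor.
        {"Sid": "RemoveOwnMFAOnlyWithMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
         "Resource": [my_mfa, me],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "ChangeOwnPassword", "Effect": "Allow",
         "Action": "iam:ChangePassword", "Resource": me},
        {"Sid": "ReadPasswordPolicy", "Effect": "Allow",
         "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"},
    ]
    if office_cidr:
        # Console sign-in cannot be IP-restricted; this denies every call made
        # afterwards (including the switch) that does not come from the office.
        stmts.append({"Sid": "DenyOutsideOffice", "Effect": "Deny", "Action": "*",
                      "Resource": "*",
                      "Condition": {"NotIpAddress": {"aws:SourceIp": office_cidr}}})
    return {"Version": "2012-10-17", "Statement": stmts}


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Simplified IAM condition evaluation: every operator/key pair must hold."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool":
                # A missing key never satisfies Bool: that is what keeps sessions
                # without MFA (and long-term keys) from passing the MFA check.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                nets = expected if isinstance(expected, list) else [expected]
                inside = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in nets)
                if inside != (op == "IpAddress"):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def _action_matches(stmt_action, action: str) -> bool:
    acts = stmt_action if isinstance(stmt_action, list) else [stmt_action]
    return any(a == "*" or a == action for a in acts)


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Explicit Deny wins, then any matching Allow; resources are ignored here."""
    stmts = [s for s in policy["Statement"] if _action_matches(s["Action"], action)
             and condition_matches(s.get("Condition", {}), ctx)]
    if any(s["Effect"] == "Deny" for s in stmts):
        return False
    return any(s["Effect"] == "Allow" for s in stmts)


def demo() -> dict:
    """Outcomes for the situations the deck describes."""
    trust = cross_account_trust_policy(BASTION_ACCOUNT)
    contractor = bastion_user_policy([PRODUCT_ACCOUNT], ["Developer"], OFFICE_CIDR)
    mfa = {"aws:MultiFactorAuthPresent": True}
    return {
        "switch_without_mfa": is_allowed(trust, "sts:AssumeRole", {}),
        "switch_with_mfa": is_allowed(trust, "sts:AssumeRole", mfa),
        "contractor_switch_from_office": is_allowed(
            contractor, "sts:AssumeRole", {**mfa, "aws:SourceIp": "203.0.113.25"}),
        "contractor_switch_from_home": is_allowed(
            contractor, "sts:AssumeRole", {**mfa, "aws:SourceIp": "198.51.100.7"}),
        "set_up_mfa_without_mfa": is_allowed(
            contractor, "iam:EnableMFADevice", {"aws:SourceIp": "203.0.113.25"}),
        "remove_mfa_without_mfa": is_allowed(
            contractor, "iam:DeactivateMFADevice", {"aws:SourceIp": "203.0.113.25"}),
    }
```

The trust policy is what enforces the deck's "MFA must be set up before anything useful can happen": the bastion user can log in and enrol a device without MFA, but `aws:MultiFactorAuthPresent` is absent from a non-MFA session, so the switch is refused. The deny statement is the non-employee source-IP restriction; real policies should also carry the resource ARNs shown, which the toy evaluator ignores.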

Slide 34

Slide 34 text

About MFA

Slide 35

Slide 35 text

About MFA
• Full-time employees
  • are issued a smartphone by the company as a work device
  • install an MFA app on that work device (at mediba, Authy is recommended) and use it

Slide 36

Slide 36 text

About MFA
• Non-employees
  • use a card-type physical MFA device
  • as with employees, we wanted MFA tied to a company-managed device, so the company provides the cards
  • an administrator sets up MFA and lends out the card

Slide 37

Slide 37 text

[Present]

Slide 38

Slide 38 text

IAM user management [present]
Currently operating as described so far
Around 80 AWS accounts
No major problems in particular

Slide 39

Slide 39 text

[Future]

Slide 40

Slide 40 text

IAM user management [future]
• We want to stop using card-type MFA devices
  • simply put, managing physical cards is a hassle
  • mediba does nearshore development
    • we cannot lend devices to partner companies at regional sites
  • since usage is already restricted by IP address to specific locations, the argument "why not just allow personal devices?" has come up

Slide 41

Slide 41 text

IAM user management [future]
(Same points as slide 40, plus the conclusion:)
Given these points, we are moving towards discontinuing them.

Slide 42

Slide 42 text

IAM user management [future]
• Manage OS accounts with IAM users alone, too
  • use Session Manager from Systems Manager
  • some products already do all their development through Session Manager only
  • going forward, newly built products will adopt Session Manager by default

Slide 43

Slide 43 text

IAM user management [future]
• Advantages of Session Manager
  • no need to open SSH ports
  • no bastion server needed
  • usable even for instances in a private subnet
  • operation logs can be written to S3 and CloudWatch Logs
  • access to EC2 instances can be restricted with IAM policies
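The last two advantages on this slide (session logs to S3 / CloudWatch Logs, instance access restricted by IAM policy) are configuration, so here is an added example of both, not code from the talk or from mediba. The account id, region, bucket, log group and the `Project` tag values are constructed placeholders; the policy uses the documented `ssm:resourceTag/<key>` and `ssm:SessionDocumentAccessCheck` condition keys, and the preferences document uses the input names of the `SSM-SessionManagerRunShell` document. `may_start_session` is a simplified model of the tag condition, not IAM's evaluator.

```python
"""Session Manager: per-instance IAM restriction and session logging (added example)."""
import json

ACCOUNT = "222222222222"   # constructed product account
REGION = "ap-northeast-1"  # assumed region


def start_session_policy(account: str, region: str, projects: list) -> dict:
    """Let a user open sessions only on instances tagged Project=<one of projects>,
    force the account's session preferences document, and let them end or resume
    only their own sessions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartOnOwnProjectInstances", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
         "Condition": {"StringEquals": {"ssm:resourceTag/Project": projects}}},
        {"Sid": "UseAccountSessionPreferences", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ssm:{region}:{account}:document/SSM-SessionManagerRunShell",
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Sid": "ManageOnlyOwnSessions", "Effect": "Allow",
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
        {"Sid": "ReadOnlyLookups", "Effect": "Allow",
         "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
         "Resource": "*"},
    ]}


def session_preferences(bucket: str, log_group: str) -> dict:
    """Content of the SSM-SessionManagerRunShell document: encrypted session logs to
    S3 and CloudWatch Logs, streamed while the session runs, 20-minute idle timeout."""
    return {"schemaVersion": "1.0",
            "description": "Session Manager preferences (constructed example)",
            "sessionType": "Standard_Stream",
            "inputs": {"s3BucketName": bucket, "s3KeyPrefix": "session-logs/",
                       "s3EncryptionEnabled": True,
                       "cloudWatchLogGroupName": log_group,
                       "cloudWatchEncryptionEnabled": True,
                       "cloudWatchStreamingEnabled": True,
                       "idleSessionTimeout": "20"}}


def may_start_session(policy: dict, instance_tags: dict) -> bool:
    """Simplified check of the ssm:resourceTag/<key> StringEquals condition on the
    instance statements of the policy: every listed tag must match."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or s["Action"] != "ssm:StartSession":
            continue
        if ":instance/" not in s["Resource"]:
            continue
        ok = True
        for key, allowed in s.get("Condition", {}).get("StringEquals", {}).items():
            if not key.startswith("ssm:resourceTag/"):
                continue
            tag = key.split("/", 1)[1]
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if instance_tags.get(tag) not in allowed:
                ok = False
        if ok:
            return True
    return False


if __name__ == "__main__":
    policy = start_session_policy(ACCOUNT, REGION, ["portal-web"])
    print(json.dumps(policy, indent=2))
    print(json.dumps(session_preferences("example-session-logs", "/ssm/sessions"), indent=2))
```

The tag condition is what gives "access to EC2 instances can be restricted with IAM policies" its teeth: a developer role carries the policy with its own product's tag value, so the instances of other products are simply not startable. The preferences document is where the S3 and CloudWatch Logs destinations live; the same document later gained `runAsEnabled` / `runAsDefaultUser` inputs for mapping a session to a named OS user, which addresses the fixed `ssm-user` account mentioned on the next slide.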

Slide 44

Slide 44 text

IAM user management [future]
• Disadvantages of Session Manager
  • the SSM Agent must be installed
  • the OS account is fixed to one called ssm-user
    • which has passwordless sudo
  • it is not possible to restrict which commands each IAM user may run
  • ↑ let's solve that case with EC2 Instance Connect!

Slide 45

Slide 45 text

IAM user management [future]
(Same points as slide 44, plus the conclusion:)
At present none of these disadvantages is a hurdle for us, so we will adopt it wherever possible.