AWS IAMどうしましょ

by Kengo Suzuki

Slide 1

Slide 1 text

*".Ͳ͏͠·͠ΐ͏ CZLFOTDBM

Slide 2

Slide 2 text

*".ͳʹ΋Θ͔ΒΜ

Slide 3

Slide 3 text

ࠓ೔ͷ໨త

Slide 4

Slide 4 text

LFOTDBM͕*".पΓΛ࿩͢

Slide 5

Slide 5 text

LFOTDBM͕࿩͢ *".पΓͷ૬ஊΛ͍ͨ͠ ڭ͑ͯ΄͍͠

Slide 6

Slide 6 text

BQQTMJEPFWFOU R[PW

Slide 7

Slide 7 text

4MJEP%FNP BQQTMJEPFWFOUR[PW

Slide 8

Slide 8 text

*EFOUJUZ"OE"DDFTT.BOBHFNFOU "84440 *EFOUJUZ"OE"DDFTT.BOBHFNFOU *".1PMJDZ JEFOUJUZCBTFE1PMJDZ SFTPVSDFCBTFEQPMJDZ QFSNJTTJPOCPVOEBSJFT 4$1T"$-T TFTTJPOQPMJDJFT ࠓ೔ͷϑΥʔΧε*".

Slide 9

Slide 9 text

౰ͨΓલʹ΍Δ͜ͱ 3PPU޶΁ͷ.'"ઃఆ ύεϫʔυϙϦγʔͷઃఆ *E1ͱͷ440 *".Ϣʔβʔ ਓؒ ͸ͦ΋ͦ΋࢖Θͳ͍ ϚϧνΞΧ΢ϯτɾ0SHBOJ[BUJPOߏ੒ લఏ

Slide 10

Slide 10 text

લఏߏ੒

Slide 11

Slide 11 text

*".1PMJDJFT WT 3FTPVSDF1PMJDJFT

Slide 12

Slide 12 text

1PMJDZ%FDJTJPOϑϩʔ https://aws.amazon.com/jp/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Slide 13

Slide 13 text

*".1PMJDJFT3FTPVSDF1PMJDJFT { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:root"}, "Action": [ "s3:*", "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": [ "s3:*", "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } Կʹରͯ͠ԿΛͰ͖Δ͔ ୭͕ԿΛͰ͖Δ͔

Slide 14

Slide 14 text

*". 1PMJDJFT 3FTPVSDF 1PMJDJFT

Slide 15

Slide 15 text

"Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleA“} } "Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleB“} } “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketA” “arn:aws:s3:::bucketA/*”], "Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleA“} }

Slide 16

Slide 16 text

"Principal": { “AWS": [ “arn:aws:iam::xxxxx:role/roleA“, “arn:aws:iam::xxxxx:role/roleB“] } “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketA” “arn:aws:s3:::bucketA/*”] “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketB” “arn:aws:s3:::bucketB/*”] “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketC” “arn:aws:s3:::bucketC/*”]

Slide 17

Slide 17 text

*".1PMJDJFTͱ3FTPVSDF1PMJDJFTͷ࢖͍෼͚ ݁ہ"/%৚݅ͳͷͰ྆ํఆٛ͠ͳ͚Ε͹ ͳΒͳ͍ Ͱ͸ɺجຊํ਑͸ʁ LFOTDBMͷݸਓతݟղ*".1PMJDZଆͷ ੍ޚʹΑͤΔ

Slide 18

Slide 18 text

࠷ॳ͸͜͏ࢥͬͯͨ { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:arn/roleA“} "Action": [“s3:List”, “s3:Get”], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": ["s3:*"], "Resource": [ "*"] }] } *".ͱ͍͏ʮೖΓޱʯΛ ֤छϦιʔεʹґଘͤͨ͘͞ͳ͍ ϦιʔεଆͰറΔ

Slide 19

Slide 19 text

ࠓ͸͜͏ { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:root"}, "Action": ["s3:*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } ࡉ੍͔͍ޚ͸*".1PMJDZͰ Ϧιʔεଆ͸؇͘ɻ "84޶Λ·ΔͬͱڐՄ *EFOUJUZ΁ͷೝՄͱ͍͏ҙຯͰɺ*".ଆʹઃఆΛ͚ͭΔͷ ͕ɺࢥ૝తʹͨͩͦ͠͏ 5BH౳Λ͔ͭͬͨৄࡉͳ੍ޚ͸*".ଆ͔Β͔͠Ͱ͖ͳ͍ Ϧιʔεຖͷ੍ޚ͸ӡ༻తʹେม

Slide 20

Slide 20 text

*".ͳʹ΋Θ͔ΒΜ

Slide 21

Slide 21 text

1FSNJTTJPO#PVOEBSZ

Slide 22

Slide 22 text

1FSNJTTJPO#PVOEBSZͷ࢖͍ಓ ׂͱ࢖͍ॴ͕Θ͔Βͳ͍

Slide 23

Slide 23 text

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html { "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::xxx:role/roleA"]}, "Action": [“s3:*"], "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"] } { "Effect": “Allow", "Action": [“s3:List*”, “s3:Get*”], "Resource": [“*”] } { "Effect": “Allow", "Action": [“*”], "Resource": [“*”] } #VDLFU"΁ͷ શ"DUJPO͕ڐՄ

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

1FSNJTTJPO#PVOEBSZͷ࢖͍ಓ ԿΛ%FMFHBUF͍ͨ͠ͷ͔Θ͔ͬͯΔͳΒɺ࠷ॳ͔Β*EFOUJUZ #BTFEʹ͢Ε͹͍͍ͷͰ͸ʁ *EFOUJUZͰ΋3FTPVSDFͰ΋΍Βͤͨ͘ͳ͍1FSNJTTJPOΛఆٛ ʹ࢖͏ͷͰ͋Ε͹ɺͦΕ͸*EFOUJUZ಺ʹఆٛͩͬͨ͜ͱ͔͠ͳ͍ ํ਑جຊతʹ࢖Θͣɺ*EFOUJUZ#BTFE1PMJDZΛ࠷ॳ͔Βར༻ ͢Δʁ

Slide 26

Slide 26 text

*".ͳʹ΋Θ͔ΒΜ

Slide 27

Slide 27 text

5BH#BTFE"DDFTT

Slide 28

Slide 28 text

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": eadBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "frontend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "frontend", "s3:RequestObjectTag/Confidentiality": "public" } } } 0XOFSGSPOUFOE $POpQVCMJD 0XOFSGSPOUFOE $POpTFOTJUJWF 0XOFS GSPOUFOE

Slide 29

Slide 29 text

Slide 30

Slide 30 text

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": adBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "backend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "backend", "s3:RequestObjectTag/Confidentiality": [ “confidential”,“public”,”sensitive”] }, “ForAllValues:StringEquals": { “s3:RequestObjectTagKeys”:[ “Owner”, “Confidentiality”, ”Description”] }, } } 0XOFSCBDLFOE $POpTFOTJUJWF 0XOFSCBDLFOE $POpTFOTJUJWF %FTDOBOEFNP

Slide 31

Slide 31 text

࣮ࡍͷӡ༻ "#"$΍͍͖͍ͬͯͨؾ࣋ͪ͸͋Δ "#"$ͦͷ΋ͷΑΓλάӡ༻͕ॏཁखؒͦ͏ λάͷϧʔϧ λάʹ͚ͭΔ஋ λάܯ࡯ര஀ͷػӡ 0SHBOJ[BUJPOͷ5BH1PMJDJFTͱηοτͰ΍Βͳ͍ͱ͍͚ͳͦ͞͏ &$4λεΫͷ3PMFʹ4FSWJDFλά͚ͭͯɺ3%4ΞΫηεΛλά੍ޚ͢Δͱເ͕޿͕Δ 4FTTJPOλά͸ͪΐͬͱௐ΂͖Εͳ͔ͬͨɺ͢·ͳ͍

Slide 32

Slide 32 text

d*".ͳʹ΋Θ͔ΒΜd ͜͜͸Θ͔ͬͨ

Slide 33

Slide 33 text

"84440WT"84*".

Slide 34

Slide 34 text

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠ 1FSNJTTJPO ܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

Slide 35

Slide 35 text

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠ 1FSNJTTJP Oܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

Slide 39

Slide 39 text

"84440಺Ͱ1FSNJTTJPOΛҰݴ ؅ཧͰ͖Δ͕

Slide 40

Slide 40 text

1PMJDZ%PDVNFOU XJUI *B$࢖͑͹ɺ"84440Ͱͳ͘ͱ΋ Ұݩ؅ཧՄೳ

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

$VTUPN1PMJDZ͸ 1FSNJTTJPO SPMF ͱ

Slide 43

Slide 43 text

Slide 44

Slide 44 text

$ aws sso login --profile AdministratorAccess-master $ aws sso get-role-credentials --role-name "AdministratorAccess" --account-id "xxxx" --accesstoken $(cat ~/.aws/sso/cache/SOMETHING.json | jq -r ".accessToken") --region ap-southeast-1 { "roleCredentials": { "accessKeyId": “ACCESS_KEY_ID”, "secretAccessKey": “SECRET_ACCESS_KEY”, "sessionToken": “SESSION_TOKEN”, "expiration": 1581669130000 } } ################ 2020/02/15 मਖ਼ɻaws version 2Ͱ͸ࣗಈͰ΍ͬͯ͘ΕΔ $ aws sso login --profile AdministratorAccess-master $ aws s3 ls s3://secure-brigade-test-main --profile AdministratorAccess-master

Slide 45

Slide 45 text

BXTDMJͷॆ࣮ DVTUPNQFSNJTTJPOQPMJDZͷςϯϓϨԽ DVTUPNQFSNJTTJPOQPMJDZͷෳ਺ར༻ "1*؅ཧ͕Ͱ͖ΔΑ͏ʹͳͬͨ"84440 ݱ࣌఺ͷϕετ͸ɺ"84ͷதͷਓͷߟ͑Λฉ͔ͳ͍ͱͳΜͱ΋ ֎෦ϑΣσϨʔγϣϯΛ*".3PMFʹ͍ͨ͠ͷ͔ɺ"84440ʹ͍ͨ͠ͷ͔ ࢥ૝Λฉ͖͍ͨ ݸਓͰ͸ͱΓ͋͑ͣ྆ํηοτΞοϓͯ͠Δ কདྷతͳϕετʢཁ๬ʣ