Slide 1

Slide 1 text

*".Ͳ͏͠·͠ΐ͏ CZLFOTDBM

Slide 2

Slide 2 text

*".ͳʹ΋Θ͔ΒΜ

Slide 3

Slide 3 text

ࠓ೔ͷ໨త

Slide 4

Slide 4 text

LFOTDBM͕*".पΓΛ࿩͢

Slide 5

Slide 5 text

LFOTDBM͕࿩͢ *".पΓͷ૬ஊΛ͍ͨ͠ ڭ͑ͯ΄͍͠

Slide 6

Slide 6 text

BQQTMJEPFWFOU R[PW

Slide 7

Slide 7 text

4MJEP%FNP BQQTMJEPFWFOUR[PW

Slide 8

Slide 8 text

 *EFOUJUZ"OE"DDFTT.BOBHFNFOU  "84440  *EFOUJUZ"OE"DDFTT.BOBHFNFOU  *".1PMJDZ  JEFOUJUZCBTFE1PMJDZ  SFTPVSDFCBTFEQPMJDZ  QFSNJTTJPOCPVOEBSJFT   4$1T"$-T  TFTTJPOQPMJDJFT ࠓ೔ͷϑΥʔΧε*".

Slide 9

Slide 9 text

 ౰ͨΓલʹ΍Δ͜ͱ  3PPU޶΁ͷ.'"ઃఆ  ύεϫʔυϙϦγʔͷઃఆ  *E1ͱͷ440  *".Ϣʔβʔ ਓؒ ͸ͦ΋ͦ΋࢖Θͳ͍  ϚϧνΞΧ΢ϯτɾ0SHBOJ[BUJPOߏ੒ લఏ

Slide 10

Slide 10 text

લఏߏ੒

Slide 11

Slide 11 text

*".1PMJDJFT WT 3FTPVSDF1PMJDJFT

Slide 12

Slide 12 text

1PMJDZ%FDJTJPOϑϩʔ https://aws.amazon.com/jp/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Slide 13

Slide 13 text

*".1PMJDJFT3FTPVSDF1PMJDJFT { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:root"}, "Action": [ "s3:*", "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": [ "s3:*", "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } Կʹରͯ͠ԿΛͰ͖Δ͔ ୭͕ԿΛͰ͖Δ͔

Slide 14

Slide 14 text

*". 1PMJDJFT 3FTPVSDF 1PMJDJFT

Slide 15

Slide 15 text

"Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleA“} } "Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleB“} } “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketA” “arn:aws:s3:::bucketA/*”], "Principal": { “AWS": “arn:aws:iam::xxxxx:role/roleA“} }

Slide 16

Slide 16 text

"Principal": { “AWS": [ “arn:aws:iam::xxxxx:role/roleA“, “arn:aws:iam::xxxxx:role/roleB“] } “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketA” “arn:aws:s3:::bucketA/*”] “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketB” “arn:aws:s3:::bucketB/*”] “Effect": “Allow”, “Action": [“s3:*”], “Resource": [“arn:aws:s3:::bucketC” “arn:aws:s3:::bucketC/*”]

Slide 17

Slide 17 text

*".1PMJDJFTͱ3FTPVSDF1PMJDJFTͷ࢖͍෼͚  ݁ہ"/%৚݅ͳͷͰ྆ํఆٛ͠ͳ͚Ε͹ ͳΒͳ͍  Ͱ͸ɺجຊํ਑͸ʁ  LFOTDBMͷݸਓతݟղ*".1PMJDZଆͷ ੍ޚʹΑͤΔ

Slide 18

Slide 18 text

࠷ॳ͸͜͏ࢥͬͯͨ { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:arn/roleA“} "Action": [“s3:List”, “s3:Get”], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": ["s3:*"], "Resource": [ "*"] }] } *".ͱ͍͏ʮೖΓޱʯΛ ֤छϦιʔεʹґଘͤͨ͘͞ͳ͍ ϦιʔεଆͰറΔ

Slide 19

Slide 19 text

ࠓ͸͜͏ { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": “arn:aws:iam::xxxxx:root"}, "Action": ["s3:*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } { "Version": "2012-10-17", "Id": "Policy1581347975270", "Statement": [{ "Sid": "Stmt1581347973356", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*"], "Resource": [ "arn:aws:s3:::secure-brigade-test", "arn:aws:s3:::secure-brigade-test/*"] }] } ࡉ੍͔͍ޚ͸*".1PMJDZͰ Ϧιʔεଆ͸؇͘ɻ "84޶Λ·ΔͬͱڐՄ  *EFOUJUZ΁ͷೝՄͱ͍͏ҙຯͰɺ*".ଆʹઃఆΛ͚ͭΔͷ ͕ɺࢥ૝తʹͨͩͦ͠͏  5BH౳Λ͔ͭͬͨৄࡉͳ੍ޚ͸*".ଆ͔Β͔͠Ͱ͖ͳ͍  Ϧιʔεຖͷ੍ޚ͸ӡ༻తʹେม

Slide 20

Slide 20 text

*".ͳʹ΋Θ͔ΒΜ

Slide 21

Slide 21 text

1FSNJTTJPO#PVOEBSZ

Slide 22

Slide 22 text

1FSNJTTJPO#PVOEBSZͷ࢖͍ಓ  ׂͱ࢖͍ॴ͕Θ͔Βͳ͍

Slide 23

Slide 23 text

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html { "Sid": "Stmt1581347973356", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::xxx:role/roleA"]}, "Action": [“s3:*"], "Resource": [ "arn:aws:s3:::bucketA", "arn:aws:s3:::bucketA/*"] } { "Effect": “Allow", "Action": [“s3:List*”, “s3:Get*”], "Resource": [“*”] } { "Effect": “Allow", "Action": [“*”], "Resource": [“*”] } #VDLFU"΁ͷ શ"DUJPO͕ڐՄ

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

1FSNJTTJPO#PVOEBSZͷ࢖͍ಓ  ԿΛ%FMFHBUF͍ͨ͠ͷ͔Θ͔ͬͯΔͳΒɺ࠷ॳ͔Β*EFOUJUZ #BTFEʹ͢Ε͹͍͍ͷͰ͸ʁ  *EFOUJUZͰ΋3FTPVSDFͰ΋΍Βͤͨ͘ͳ͍1FSNJTTJPOΛఆٛ ʹ࢖͏ͷͰ͋Ε͹ɺͦΕ͸*EFOUJUZ಺ʹఆٛͩͬͨ͜ͱ͔͠ͳ͍  ํ਑جຊతʹ࢖Θͣɺ*EFOUJUZ#BTFE1PMJDZΛ࠷ॳ͔Βར༻ ͢Δʁ

Slide 26

Slide 26 text

*".ͳʹ΋Θ͔ΒΜ

Slide 27

Slide 27 text

5BH#BTFE"DDFTT

Slide 28

Slide 28 text

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": eadBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "frontend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "frontend", "s3:RequestObjectTag/Confidentiality": "public" } } } 0XOFSGSPOUFOE $POpQVCMJD 0XOFSGSPOUFOE $POpTFOTJUJWF 0XOFS GSPOUFOE

Slide 29

Slide 29 text

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": eadBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "frontend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "frontend", "s3:RequestObjectTag/Confidentiality": "public" } } } 0XOFSGSPOUFOE $POpQVCMJD 0XOFS GSPOUFOE 0XOFSGSPOUFOE $POpTFOTJUJWF

Slide 30

Slide 30 text

{ "Sid": "VisualEditor1", "Effect": "Allow", "Action": adBucket","s3:ListAllMyBuckets","s3:ListBucket*","s3:GetBucket*"], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Owner": "backend", "s3:ExistingObjectTag/Confidentiality": "public" } } }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": ["s3:PutObject","s3:PutObjectTagging"], "Resource": "*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Owner": "backend", "s3:RequestObjectTag/Confidentiality": [ “confidential”,“public”,”sensitive”] }, “ForAllValues:StringEquals": { “s3:RequestObjectTagKeys”:[ “Owner”, “Confidentiality”, ”Description”] }, } } 0XOFSCBDLFOE $POpTFOTJUJWF 0XOFSCBDLFOE $POpTFOTJUJWF %FTDOBOEFNP

Slide 31

Slide 31 text

࣮ࡍͷӡ༻  "#"$΍͍͖͍ͬͯͨؾ࣋ͪ͸͋Δ  "#"$ͦͷ΋ͷΑΓλάӡ༻͕ॏཁखؒͦ͏  λάͷϧʔϧ  λάʹ͚ͭΔ஋  λάܯ࡯ര஀ͷػӡ  0SHBOJ[BUJPOͷ5BH1PMJDJFTͱηοτͰ΍Βͳ͍ͱ͍͚ͳͦ͞͏  &$4λεΫͷ3PMFʹ4FSWJDFλά͚ͭͯɺ3%4ΞΫηεΛλά੍ޚ͢Δͱເ͕޿͕Δ  4FTTJPOλά͸ͪΐͬͱௐ΂͖Εͳ͔ͬͨɺ͢·ͳ͍

Slide 32

Slide 32 text

d*".ͳʹ΋Θ͔ΒΜd ͜͜͸Θ͔ͬͨ

Slide 33

Slide 33 text

"84440WT"84*".

Slide 34

Slide 34 text

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠ 1FSNJTTJPO ܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

Slide 35

Slide 35 text

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠ 1FSNJTTJPO ܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠ 1FSNJTTJP Oܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ ͱΕΔ

Slide 39

Slide 39 text

"84440಺Ͱ1FSNJTTJPOΛҰݴ ؅ཧͰ͖Δ͕

Slide 40

Slide 40 text

1PMJDZ%PDVNFOU XJUI *B$࢖͑͹ɺ"84440Ͱͳ͘ͱ΋ Ұݩ؅ཧՄೳ

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

$VTUPN1PMJDZ͸ 1FSNJTTJPO SPMF ͱ

Slide 43

Slide 43 text

ೖΓޱ ϙʔλϧ͕༻ҙ *E1ଆͷઃఆํ๏ʹґଘ ೝূํࣜ 4".- 4".- ϓϩϏδϣ χϯά ͋Γ ͳ͠ 1FSNJTTJPO ܗࣜ 1FSNJTTJPO4FUT ׂΓ౰ͯͨ"84ΞΧ΢ϯτʹ3PMFΛࣗಈతʹੜ ੒ *".3PMF 3FHJPO BQOPSUIFBTUͳ͠ ͋Γ $-* DMJͰ"DDFTT,FZ 5PLFO 4FTTJPOΛҰൃͰͱΕͳ ͍ͱΕΔ मਖ਼ ͱΕΔ

Slide 44

Slide 44 text

$ aws sso login --profile AdministratorAccess-master $ aws sso get-role-credentials --role-name "AdministratorAccess" --account-id "xxxx" --access- token $(cat ~/.aws/sso/cache/SOMETHING.json | jq -r ".accessToken") --region ap-southeast-1 { "roleCredentials": { "accessKeyId": “ACCESS_KEY_ID”, "secretAccessKey": “SECRET_ACCESS_KEY”, "sessionToken": “SESSION_TOKEN”, "expiration": 1581669130000 } } ################ 2020/02/15 मਖ਼ɻaws version 2Ͱ͸ࣗಈͰ΍ͬͯ͘ΕΔ $ aws sso login --profile AdministratorAccess-master $ aws s3 ls s3://secure-brigade-test-main --profile AdministratorAccess-master

Slide 45

Slide 45 text

 BXTDMJͷॆ࣮  DVTUPNQFSNJTTJPOQPMJDZͷςϯϓϨԽ  DVTUPNQFSNJTTJPOQPMJDZͷෳ਺ར༻  "1*؅ཧ͕Ͱ͖ΔΑ͏ʹͳͬͨ"84440  ݱ࣌఺ͷϕετ͸ɺ"84ͷதͷਓͷߟ͑Λฉ͔ͳ͍ͱͳΜͱ΋  ֎෦ϑΣσϨʔγϣϯΛ*".3PMFʹ͍ͨ͠ͷ͔ɺ"84440ʹ͍ͨ͠ͷ͔  ࢥ૝Λฉ͖͍ͨ  ݸਓͰ͸ͱΓ͋͑ͣ྆ํηοτΞοϓͯ͠Δ কདྷతͳϕετʢཁ๬ʣ

Slide 46

Slide 46 text

*".ͳʹ΋Θ͔ΒΜ

Slide 47

Slide 47 text

ͱ͍͏Θ͚Ͱ

Slide 48

Slide 48 text

*".

Slide 49

Slide 49 text

ͳʹ΋

Slide 50

Slide 50 text

Θ͔ΒΜ

Slide 51

Slide 51 text

*".ͳʹ΋Θ͔ΒΜ ऴ ੍࡞ɾஶ࡞ ᴸᴸᴸᴸᴸ ɹɹɹ

Slide 52

Slide 52 text

͓·͚

Slide 53

Slide 53 text

3PPU޶ͷ)8σόΠεෳ਺ొ࿥·ͩʁʁʁ

Slide 54

Slide 54 text

ऴ ੍࡞ɾஶ࡞ ᴸᴸᴸᴸᴸ ɹɹɹɹɹɹɹɹɹɹ