Slide 1

Slide 1 text

Aiming for least privilege with IAM Access Analyzer
Yukihiro Chiba (Chibayuki)

Slide 2

Slide 2 text

Out of the blue, but: have you ever thought this?

Slide 3

Slide 3 text

"Isn't this overlapping……?"

Slide 4

Slide 4 text

Me: "Yeah, it's overlapping……"

Slide 5

Slide 5 text

Thanks for having me. Feel free to treat this as a recap, or as a bathroom break.

Slide 6

Slide 6 text

About me: Yukihiro Chiba
• 2020: joined Classmethod
• 2021: APN AWS Top Engineer
• Favorite AWS action:
 ◦ sts:AssumeRole

Slide 7

Slide 7 text

Agenda
1. What least privilege is
2. Where least privilege is implemented
3. What IAM Access Analyzer is
4. Features for aiming at least privilege

Slide 8

Slide 8 text

What this talk covers and what it does not
• Covers
 ◦ Background knowledge on what least privilege is
 ◦ An overview of the features for aiming at least privilege
• Does not cover
 ◦ Concrete examples of using IAM Access Analyzer

Slide 9

Slide 9 text

1. What least privilege in IAM is (to begin with)

Slide 10

Slide 10 text

Where is it written down? The principle of least privilege in IAM

Slide 11

Slide 11 text

(1) IAM security best practices: https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

Slide 12

Slide 12 text

(1) IAM security best practices
• Understand the access-level groupings
 ◦ Write, Read, Permissions management, ...
• Validate your policies
• Generate policies based on access activity
• Use last accessed information
• Review account events in AWS CloudTrail

Slide 14

Slide 14 text

(2) Well-Architected Framework, Security pillar: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html

Slide 15

Slide 15 text

(2) Well-Architected Framework, Security pillar
• Identity-based policies
 ◦ Managed policies
  ▪ AWS managed policies
  ▪ Customer managed policies
 ◦ Inline policies
"In most cases, following the principle of least privilege, you will need to create your own customer managed policies."

Slide 16

Slide 16 text

(2) Well-Architected Framework, Security pillar
• Minimize conditions, resources and actions
• Grant access dynamically through groups or attributes (not to individual users)
• Control access with policies attached to resources or IAM entities
• Make use of permissions boundaries and ABAC
"Operating on this principle limits unintended access and lets you audit who can access which resources."

Slide 17

Slide 17 text

What happens when least privilege is not upheld? The principle of least privilege

Slide 18

Slide 18 text

When least privilege is not upheld
• Unintended changes are made through operator error

Slide 19

Slide 19 text

When least privilege is not upheld
• Unintended changes are made through operator error
• The damage from unauthorized access spreads further

Slide 20

Slide 20 text

When least privilege is not upheld
• Unintended changes are made through operator error
• The damage from unauthorized access spreads further
• The damage from insider misuse spreads further

Slide 21

Slide 21 text

When least privilege is not upheld
• Unintended changes are made through operator error
• The damage from unauthorized access spreads further
• The damage from insider misuse spreads further
The ideal is "start narrow and add as needed".

Slide 22

Slide 22 text

2. Where least privilege is implemented (next)

Slide 23

Slide 23 text

Policy types: where least privilege is implemented

Slide 24

Slide 24 text

A sudden question: can you name all six policy types in AWS?

Slide 25

Slide 25 text

The six policy types
• Identity-based policies
• Resource-based policies
• Permissions boundaries
• Organizations SCPs (service control policies)
• Access control lists (ACLs)
• Session policies

Slide 26

Slide 26 text

The six policy types
• Identity-based policies
• Resource-based policies
• Permissions boundaries
• Organizations SCPs (service control policies)
• Access control lists (ACLs)
• Session policies
VPC endpoint policies belong here too, but I keep thinking "aren't you a bit different?"

Slide 27

Slide 27 text

The six policy types
• Identity-based policies (the so-called "IAM policies")
• Resource-based policies (bucket policies, IAM role trust policies, etc.)
• Permissions boundaries
• Organizations SCPs (service control policies)
• Access control lists (ACLs) (bucket ACLs, etc.)
• Session policies (can be set when assuming an IAM role)

Slide 28

Slide 28 text

The six policy types
• Identity-based policies (JSON)
• Resource-based policies (JSON)
• Permissions boundaries (JSON)
• Organizations SCPs (service control policies) (JSON)
• Access control lists (ACLs)
• Session policies (JSON)

Slide 29

Slide 29 text

Elements of a JSON policy: where least privilege is implemented

Slide 30

Slide 30 text

Elements of a JSON policy: https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1

Slide 31

Slide 31 text

Elements of a JSON policy: Principal (https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1)
Principal (NotPrincipal): used in resource-based policies. Restricts the originator (subject) of the access. "Who"

Slide 32

Slide 32 text

Elements of a JSON policy: Action (https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1)
Action (NotAction): restricts the actions that can be performed. "What"

Slide 33

Slide 33 text

Elements of a JSON policy: Resource (https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1)
Resource (NotResource): restricts the resources that can be accessed. "On what"

Slide 34

Slide 34 text

Elements of a JSON policy: Condition (https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1)
Condition: allows (or denies) access only under specific conditions. "In what circumstances"

Slide 35

Slide 35 text

Where least privilege is implemented: narrowing Action in identity-based policies is not all there is to implementing least privilege.

Slide 36

Slide 36 text

3. What IAM Access Analyzer is (changing the subject)

Slide 37

Slide 37 text

What IAM Access Analyzer is, in the first place

Slide 38

Slide 38 text

What IAM Access Analyzer is
It used to be "the thing that looks at the Principal of resource-based policies", but before I knew it, it could do all sorts of things.

Slide 39

Slide 39 text

History of IAM Access Analyzer
• 2019/12: released
 ◦ Analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS

Slide 40

Slide 40 text

History of IAM Access Analyzer
• 2019/12: released
 ◦ Analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS
• 2021/01: more analysis targets added
 ◦ Secrets Manager secrets supported

Slide 41

Slide 41 text

History of IAM Access Analyzer
• 2019/12: released
 ◦ Analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS
• 2021/01: more analysis targets added
 ◦ Secrets Manager secrets supported
• 2021/03: "pre-validation" supported
 ◦ Resource-based policies can be analyzed before the change is applied
 ◦ In the management console, S3 bucket policies only

Slide 42

Slide 42 text

History of IAM Access Analyzer
• 2019/12: released
 ◦ Analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS
• 2021/01: more analysis targets added
 ◦ Secrets Manager secrets supported
• 2021/03: "pre-validation" supported
 ◦ Resource-based policies can be analyzed before the change is applied
 ◦ In the management console, S3 bucket policies only
Then, all of a sudden, the direction changes.

Slide 43

Slide 43 text

History of IAM Access Analyzer
• 2019/12: released
• 2021/01: more analysis targets added
• 2021/03: "pre-validation" supported
• 2021/03: "policy checks" supported
 ◦ Also called policy validation
 ◦ Mainly for identity-based policies
 ◦ From the AWS CLI, SCPs and resource-based policies are supported too

Slide 44

Slide 44 text

History of IAM Access Analyzer
• 2019/12: released
• 2021/01: more analysis targets added
• 2021/03: "pre-validation" supported
• 2021/03: "policy checks" supported
 ◦ Also called policy validation
 ◦ Mainly for identity-based policies
 ◦ From the AWS CLI, SCPs and resource-based policies are supported too
• 2021/04: "policy generation" supported
 ◦ Only identity-based policies are covered

Slide 45

Slide 45 text

Roughly, what differs (diagram): IAM Access Analyzer; Region / analyzer: analysis of resource-based policies; service-linked role; policy validation; policy generation; role used by the service

Slide 46

Slide 46 text

Roughly, what differs
• Analyzing resource-based policies requires creating an "analyzer", which is a regional resource
• Policy validation needs neither a resource nor a role
• Policy generation needs only a role

Slide 47

Slide 47 text

What's the difference from IAM Access Advisor? Easy to confuse

Slide 48

Slide 48 text

Analyzer vs. Advisor ("IAM Access...?" "Analyzer!" "Advisor!")

                  | IAM Access Analyzer                            | IAM Access Advisor
What it can do    | ・Analysis of resource-based policies          | ・Display of permissions and access history
                  | ・Validation of the various policy types       |   per IAM resource
                  | ・Generation of identity-based policies        |
Is it a service?  | ・It is an AWS service                         | ・Not an AWS service
                  | ・It has resources                             | ・A name for functionality made up of
                  | ・It has a service role                        |   several APIs
Cost              | Free, available right now                      | Free, available right now

Slide 49

Slide 49 text

Overview of Access Advisor
• Shows the "accessible services" based on identity-based policies
• Shows the "access history" based on CloudTrail

Slide 50

Slide 50 text

4. Features for aiming at least privilege (finally)

Slide 51

Slide 51 text

The three I'll cover are these

Slide 52

Slide 52 text

No. 1: Policy validation (features for aiming at least privilege)

Slide 53

Slide 53 text

What policy validation is
• A feature of IAM Access Analyzer
• Does a nice job of checking the following policies:
 ◦ Identity-based policies
 ◦ SCPs (service control policies) (not available in the management console)
 ◦ Resource-based policies (not available in the management console)

Slide 54

Slide 54 text

What policy validation is
• The perspectives of the policy check
 ◦ Security: content regarded as a security risk
 ◦ Error: syntax errors, invalid values, etc.
 ◦ Warning: not a security risk, but not best practice
 ◦ Suggestion: proposals that do not affect permissions (redundant statements, etc.)

Slide 55

Slide 55 text

Examples of policy validation
• Example check items in the security category
 ◦ Permission granted with NotPrincipal
 ◦ The Resource (role) allowed for PassRole is too broad
 ◦ The Action allowing PassRole is too broad

Slide 56

Slide 56 text

Policy validation
• When editing identity-based policies from the management console, just use it without a second thought
• When policies are managed in CI/CD, having a program validate them automatically is another option
• From the perspective of "aiming at least privilege", it is not that strong
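
As an added example (not part of the original deck), here is a local pre-check in Python that mimics the three security-category findings listed on slide 55 for a constructed sample policy; the real check is `aws accessanalyzer validate-policy`, which this script does not call, so treat it as an illustration of what those findings look for, not as a replacement.

```python
import json
from fnmatch import fnmatch

# Constructed sample policy: one statement per pattern that policy validation
# reports in its "security" category, plus one clean statement for contrast.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::111122223333:role/app-role"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/app-role"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def security_findings(policy_json):
    """Return (statement index, finding) pairs for the three checks on slide 55.
    This is a local approximation, not the Access Analyzer service itself."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # these checks are about over-broad grants, not denies
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "NotPrincipal" in stmt:
            findings.append((idx, "Allow combined with NotPrincipal"))
        # Any action pattern that covers iam:PassRole counts ("iam:*", "*", "iam:Pass*")
        pass_role = [a for a in actions if fnmatch("iam:passrole", a.lower())]
        if any(a.lower() != "iam:passrole" for a in pass_role):
            findings.append((idx, "PassRole granted through a wildcard Action"))
        if pass_role and any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append((idx, "PassRole Resource too broad"))
    return findings


if __name__ == "__main__":
    for index, finding in security_findings(SAMPLE_POLICY):
        print(f"statement[{index}]: {finding}")
```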

Slide 57

Slide 57 text

No. 2: Policy generation (features for aiming at least privilege)

Slide 58

Slide 58 text

What policy generation is
• A feature of IAM Access Analyzer
• Generates a template for an identity-based policy based on past activity

Slide 59

Slide 59 text

Policy generation! Hooray. So hot a topic that it even got blogged in a redundant configuration by accident.

Slide 60

Slide 60 text

There are some caveats. A few of them.

Slide 61

Slide 61 text

Caveat no. 1 (several)
• It assumes past activity exists, so it cannot be used for "start minimal" cases
• A trail must be enabled in the same account as the target user/role
• The period it can use as a basis is at most 90 days
• It cannot generate for multiple users/roles at the same time
• At most 5 generations per day

Slide 62

Slide 62 text

Caveat no. 2
• Only Action is examined closely
• Past activity is not reflected in Resource or Condition
It will not do anything like: "This user accessed only a specific S3 bucket over the past N days, so narrow Resource to just that S3 bucket."

Slide 63

Slide 63 text

Caveat no. 3
• Not every service is examined at Action level
Services examined at Action level:
 ◦ IAM
 ◦ AWS KMS
 ◦ AWS Lambda
 ◦ AWS RAM
 ◦ Amazon RDS
 ◦ AWS Resource Groups
 ◦ Amazon S3
 ◦ AWS Security Token Service
 ◦ AWS Systems Manager
 ◦ IAM Access Analyzer
 ◦ Amazon CloudWatch
 ◦ Amazon Cognito Identity
 ◦ Amazon Cognito user pools
 ◦ Amazon EC2
 ◦ Amazon ECS
 ◦ Elastic Load Balancing
Services other than the above are only enumerated at "service level".


Slide 64

Slide 64 text

Policy generation
• Effective for the case "aim at least privilege based on what was actually used during development"
• Understand that it can only be used to "narrow Action in identity-based policies"
• Understand that not every Action gets enumerated
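
Added example (not the deck's or AWS's code): a Python sketch of what policy generation does with CloudTrail activity, written to reproduce the three caveats above, namely the 90-day window, Action-only output with Resource left as "*", and action-level detail only for services on the slide-63 list. The events are constructed samples, and mapping an event's eventSource prefix onto the IAM service prefix is an assumed simplification that holds for these samples but not for every service.

```python
from datetime import datetime, timedelta, timezone

# Assumed IAM service prefixes for part of the slide-63 list; every other
# service is only enumerated at service level, i.e. "<service>:*".
ACTION_LEVEL_SERVICES = {"iam", "kms", "lambda", "rds", "s3", "sts", "ssm",
                         "cloudwatch", "ec2", "ecs", "elasticloadbalancing"}
MAX_LOOKBACK = timedelta(days=90)   # the longest period generation can use
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed CloudTrail-style events (only the fields this sketch needs).
SAMPLE_EVENTS = [
    {"eventTime": "2021-05-22T00:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject"},
    {"eventTime": "2021-02-20T00:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject"},            # 101 days old: outside the window
    {"eventTime": "2021-05-27T00:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetItem"},              # DynamoDB: service level only
    {"eventTime": "2021-05-31T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances"},
]


def generate_policy_skeleton(events, now=NOW):
    """Build an identity-based policy skeleton the way the deck describes it:
    Action comes from past activity, Resource stays "*", Condition is untouched."""
    actions = set()
    for event in events:
        seen = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        if now - seen > MAX_LOOKBACK:
            continue  # older than the maximum look-back period
        # Simplification: treat the eventSource host prefix as the IAM service prefix.
        service = event["eventSource"].split(".")[0]
        if service in ACTION_LEVEL_SERVICES:
            actions.add(f"{service}:{event['eventName']}")
        else:
            actions.add(f"{service}:*")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions),
                           "Resource": "*"}]}


if __name__ == "__main__":
    import json
    print(json.dumps(generate_policy_skeleton(SAMPLE_EVENTS), indent=2))
```

The PutObject event drops out because of the window, DynamoDB collapses to a service-level wildcard, and nothing narrows Resource, which is exactly the work left for you.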

Slide 65

Slide 65 text

No. 3: Using last accessed information (features for aiming at least privilege)

Slide 66

Slide 66 text

What using last accessed information is
• A feature of IAM Access Advisor
• Per IAM resource (user/group/role/policy), you can check:
 ◦ The accessible AWS services
 ◦ The last accessed history
• For the following AWS services, it can be checked at action level:
 ◦ Amazon S3
 ◦ Amazon EC2
 ◦ AWS IAM
 ◦ AWS Lambda

Slide 67

Slide 67 text

Using last accessed information
• In the management console, you can see it easily from here.

Slide 68

Slide 68 text

Using last accessed information
• Usable for narrowing Action in identity-based policies
• Similar in function to "policy generation", but since it can do less, it is that much more lightweight
• Doing it from the AWS CLI is quite fun
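
Added example (not from the deck): a small Python helper for the Action-narrowing use described above. It takes a constructed report in the shape of `aws iam get-service-last-accessed-details` output for a job started with `--granularity ACTION_LEVEL` (field names assumed from the IAM API, values made up) and lists which granted services and actions were never used; it expects explicit actions, not wildcards.

```python
# Constructed report shaped like `aws iam get-service-last-accessed-details`
# (field names assumed from the IAM API; timestamps and namespaces made up).
SAMPLE_REPORT = {"ServicesLastAccessed": [
    {"ServiceNamespace": "s3", "LastAuthenticated": "2021-05-20T10:00:00Z",
     "TrackedActionsLastAccessed": [
         {"ActionName": "s3:GetObject", "LastAccessedTime": "2021-05-20T10:00:00Z"},
         {"ActionName": "s3:PutObject"},               # tracked, never used
     ]},
    {"ServiceNamespace": "ec2", "LastAuthenticated": "2021-05-28T08:00:00Z",
     "TrackedActionsLastAccessed": [
         {"ActionName": "ec2:DescribeInstances",
          "LastAccessedTime": "2021-05-28T08:00:00Z"},
     ]},
    {"ServiceNamespace": "sqs"},                       # allowed, never authenticated
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": "2021-05-01T00:00:00Z"},
]}

# Explicit actions granted by the identity-based policy being tuned (constructed).
GRANTED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
                   "sqs:SendMessage", "dynamodb:GetItem", "dynamodb:PutItem"]


def unused_grants(granted_actions, report):
    """Split granted actions into: services never used at all, actions never used
    (only provable for services with action-level tracking), and actions the
    report can only judge at service level (DynamoDB here)."""
    by_namespace = {s["ServiceNamespace"]: s for s in report["ServicesLastAccessed"]}
    result = {"unused_services": [], "unused_actions": [], "service_level_only": []}
    for action in granted_actions:
        namespace = action.split(":", 1)[0]
        service = by_namespace.get(namespace, {})
        if "LastAuthenticated" not in service:      # never authenticated (or absent)
            if namespace not in result["unused_services"]:
                result["unused_services"].append(namespace)
            continue
        tracked = service.get("TrackedActionsLastAccessed")
        if tracked is None:
            result["service_level_only"].append(action)
        elif not any(t["ActionName"] == action and "LastAccessedTime" in t
                     for t in tracked):
            result["unused_actions"].append(action)
    return result


if __name__ == "__main__":
    for bucket, items in unused_grants(GRANTED_ACTIONS, SAMPLE_REPORT).items():
        print(f"{bucket}: {items}")
```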

Slide 69

Slide 69 text

Summary

Slide 70

Slide 70 text

Summary
• "Least privilege" is implemented using various elements of various policies
• IAM Access Analyzer (and Access Advisor) are handy for tuning part of that
• There is no "do just this and you're OK", so keep racking your brains continuously