Slide 1

2021.04.22 @michimani210 - Generating IAM policies from CloudTrail activity with IAM Access Analyzer and the AWS CLI [JAWS-UG #20] #jawsug_asa

Slide 2

Speaker: Yoshihiro Ito (@michimani210), https://michimani.net. Interests: AWS, the AWS CLI, AWS Certificate Manager.

Slide 3

Agenda:
1. IAM Access Analyzer (policy generation)
2. AWS CLI
3. IAM Access Analyzer and CloudTrail (wrap-up)

Slide 4

1. IAM Access Analyzer: the new feature takes the CloudTrail access activity of an IAM principal (a role or user) over a window of up to the last 90 days and generates an IAM policy, returned as a JSON policy document, that grants only the actions actually observed. This is the basis for tightening a principal toward least privilege.
IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity https://aws.amazon.com/about-aws/whats-new/2021/04/iam-access-analyzer-easier-implement-least-privilege-permissions-generating-iam-policies-access-activity

Slide 5

2. AWS CLI: policy generation is exposed under aws accessanalyzer as four subcommands:
・cancel-policy-generation
・get-generated-policy
・list-policy-generations
・start-policy-generation
Available since AWS CLI v1 1.19.47 and v2 2.1.36. The latest releases as of 2021/04/22 07:40 JST were 1.19.55 and 2.1.39, so update the CLI before trying this.

Slide 6

2. AWS CLI - start-policy-generation: the command needs the ARN of the CloudTrail trail to read activity from and the ARN of the IAM principal (role or user) whose policy is to be generated.

Slide 7

2. AWS CLI - start-policy-generation, step 1: look up the ARN of the target IAM principal (the role in this example) with the AWS CLI, for example aws iam get-role, and note it for the next step.

Slides 8 to 12

2. AWS CLI - start-policy-generation, step 2: write the input JSON for the command. It carries the IAM principal ARN, the CloudTrail trail ARN, and the time range to analyze, which can span at most 90 days and is bounded by endTime.

Slide 13

2. AWS CLI - start-policy-generation: run the command with the input JSON; it starts an asynchronous generation job.

Slides 14 to 16

2. AWS CLI - get-generated-policy: retrieve the result of the generation job.

Slides 17 and 18

2. AWS CLI - get-generated-policy (JSON output): the generated policy is returned inside the JSON response, so pull it out with jq and review it before using it.

Slides 19 to 21

2. AWS CLI - get-generated-policy (JSON output), worked example with jq: for a role that had been granted ReadOnly access, the generated policy reflects the s3:PutObject calls that actually appeared in CloudTrail. Once the extracted policy has been reviewed, apply it with aws iam create-policy and aws iam attach-role-policy.
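The steps above (build the input JSON for start-policy-generation, then pull the policy out of the get-generated-policy response and review it before create-policy) as an added Python example; this is not code from the slides or from the author. All ARNs and the job ID are hypothetical, the response is a constructed sample that mirrors the shape of the get-generated-policy output, and the accessRole field in the request (the role Access Analyzer assumes to read the trail) is an assumption since the slides do not show it. The review step flags two things a practitioner checks before attaching the policy: resource placeholders such as ${BucketName} that the generator leaves for you to fill in, and statements on Resource "*".

```python
"""Build the --cli-input-json payload for `aws accessanalyzer start-policy-generation`
and review the policy embedded in a `get-generated-policy` response."""
import json
from datetime import datetime, timedelta, timezone

# Hypothetical identifiers, for illustration only.
PRINCIPAL_ARN = "arn:aws:iam::123456789012:role/example-role"
TRAIL_ARN = "arn:aws:cloudtrail:ap-northeast-1:123456789012:trail/example-trail"
ACCESS_ROLE_ARN = "arn:aws:iam::123456789012:role/AccessAnalyzerTrailReadRole"  # assumption
LOOKBACK_DAYS = 90  # the widest window the generator examines


def iso8601(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_start_request(principal_arn, trail_arn, access_role_arn, end_time,
                        lookback_days=LOOKBACK_DAYS, regions=None):
    """Return the dict to write out as the --cli-input-json file (startTime is
    derived from endTime so the window never exceeds lookback_days)."""
    start_time = end_time - timedelta(days=lookback_days)
    trail = {"cloudTrailArn": trail_arn, "allRegions": True}
    if regions:  # restrict to specific regions instead of the whole trail
        trail = {"cloudTrailArn": trail_arn, "regions": list(regions), "allRegions": False}
    return {
        "policyGenerationDetails": {"principalArn": principal_arn},
        "cloudTrailDetails": {
            "trails": [trail],
            "accessRole": access_role_arn,
            "startTime": iso8601(start_time),
            "endTime": iso8601(end_time),
        },
    }


# Constructed sample: what get-generated-policy returns once the job finishes.
# The policy itself arrives as a JSON *string* inside the JSON response, which is
# why the slides reach for jq; here json.loads does the same unwrapping.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3ReadWrite", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::${BucketName}/${ObjectName}"},
        {"Sid": "Describe", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "sts:GetCallerIdentity"],
         "Resource": "*"},
    ],
}
SAMPLE_RESPONSE = {
    "jobDetails": {"jobId": "job-0000-example", "status": "SUCCEEDED"},
    "generatedPolicyResult": {
        "properties": {"isComplete": True, "principalArn": PRINCIPAL_ARN},
        "generatedPolicies": [{"policy": json.dumps(SAMPLE_POLICY)}],
    },
}


def extract_policies(response):
    """Unwrap the generated policy documents; refuse to use an unfinished job."""
    job = response["jobDetails"]
    if job["status"] != "SUCCEEDED":
        raise RuntimeError(f"policy generation job {job['jobId']} is {job['status']}")
    result = response["generatedPolicyResult"]
    docs = [json.loads(p["policy"]) for p in result["generatedPolicies"]]
    # isComplete False means not all activity in the window could be analyzed.
    return docs, bool(result["properties"].get("isComplete", False))


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def actions_in(policy):
    """Sorted, de-duplicated list of actions the generated policy grants."""
    actions = set()
    for st in policy["Statement"]:
        actions.update(_as_list(st.get("Action")))
    return sorted(actions)


def review_findings(policy):
    """Items to resolve before `aws iam create-policy`."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        for res in _as_list(st.get("Resource")):
            if "${" in res:
                findings.append(f"{sid}: placeholder resource {res} must be filled in")
            elif res == "*":
                findings.append(f"{sid}: Resource '*'; confirm these actions are resource-agnostic")
    return findings


if __name__ == "__main__":
    end = datetime(2021, 4, 22, 7, 40, tzinfo=timezone.utc)
    print(json.dumps(build_start_request(PRINCIPAL_ARN, TRAIL_ARN, ACCESS_ROLE_ARN, end), indent=2))
    docs, complete = extract_policies(SAMPLE_RESPONSE)
    print("complete:", complete, "actions:", actions_in(docs[0]))
    for line in review_findings(docs[0]):
        print("REVIEW:", line)
```

Write the dict from build_start_request to a file and pass it with --cli-input-json file://input.json; the review output is what you resolve by hand before running aws iam create-policy and aws iam attach-role-policy.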

Slide 22

3. Wrap-up: with IAM Access Analyzer and CloudTrail you can generate an IAM policy from a principal's actual activity using only the AWS CLI. Full write-up: Getting started with generating IAM policies from CloudTrail activity with IAM Access Analyzer and the AWS CLI, https://michimani.net/post/aws-get-started-generating-iam-policies-based-on-actual-activity/

Slide 23

#jawsug_asa