AWS Control Towe r ಋೖͨ͠Αͬͯ࿩ ABEJA Tech LT #1 at 2021/11/19
 Shogo Muranushi

2012 Who is ໊લ ɿ ଜओ ૖ޛʢΉΒ͵͠ ͠ΐ͏͝ʣ ձࣾ ɿ ABEJA, Inc. ʢલ৬ ɿ cloudpackʣ ϩʔϧ ɿ SREʢInfrastructure EngineerʣɺΫϥ΢υΞʔΩςΫτ ॴଐɿج൫ϓϩμΫτGɺٕज़ઓུGɺ৘γεηΩϡϦςΟɺΧελϚʔ αΫηεGɺetc … झຯ ɿ গ೥໺ٿख఻͍ɺגࣜ౤ࢿɺΩϟϯϓ ޷͖ͳٕज़ɿKubernetesɺTerraform 2

ࠓ೔͸AWSͷϚϧνΞΧ΢ϯτ؀ڥͰ ηΩϡϦςΟΛߴΊΔ࿩Λ͠·͢ ʢओʹAWS Control Towerʣ

AWSͷηΩϡϦςΟશൠ͸ ͪ͜Β͕ྑ͍ͱࢥ͍·͢

՝୊

1. ՝୊ • 20ݸ΄ͲAWSΞΧ΢ϯτ͕ଘࡏ͢Δ • ੥ٻ୅ߦܦ༝ͰAWSΛܖ໿͍ͯ͠ΔͨΊɺAWS Organizations ౳͸ར༻Ͱ͖ ͍ͯͳ͔ͬͨ • ͦͷͨΊɺAWSΞΧ΢ϯτΛԣஅͯ͠ηΩϡϦςΟ؅ཧΛ͢Δ͜ͱ͕؆୯ Ͱ͸ͳ͔ͬͨɻCloudTrail౳͸ࣗಈOnʹ͸ͯͨ͠΋ͷͷ • ؅ཧܥαʔϏεɿCon fi g, CloudTrail, Security Hub, Guard Duty, etc … • ֤AWSΞΧ΢ϯτͷηΩϡϦςΟϨϕϧ͸֤ࣄۀ෦ʹͯอͬͯ΋Βͬͯͨ • ຊ౰ʹʁೖୀ͕ࣾଟ͍தͰҰఆϨϕϧอͯͯΔʁͣͬͱϞϠϞϠ͍ͯ͠ ͨ

2. ΍ͬͨ͜ͱ • ੥ٻ୅ߦͷձࣾͱަবʹަবΛॏͶͯɺAWS Organizations, AWS SSO, AWS Control Tower Λར༻Մೳʹͨ͠ʢݫີʹ͸BillingܥҎ֎͸΄΅શͯར༻Մೳʣ • ্ͷ੍໿͸Ϧηϥʔͱͯ͠ͷ੍໿͕͋Δ໛༷ • ͦͯ͠ɺAWS Control Tower Λத৺ʹϚϧνΞΧ΢ϯτ؀ڥΛ੔උͨ͠

3. AWS Control Towerͱ͸ • ͓٬༷͕ෳ਺ͷ AWS ΞΧ΢ϯτ΍νʔϜΛ༗͍ͯ͠Δ৔߹ɺΫϥ΢υͷηοτΞοϓͱ؅ཧ͸ෳࡶͰ࣌ ؒͷ͔͔Δ࡞ۀʹͳΓ͕ͪͰɺ؊৺ͷֵ৽ʹ࣌ؒΛ͔͚ΒΕͳ͘ͳͬͯ͠·͍·͢ɻAWS Control Tower ͸ɺϥϯσΟϯάκʔϯͱݺ͹ΕΔ҆શͳϚϧνΞΧ΢ϯτ AWS ؀ڥΛηοτΞοϓ͓Αͼ؅ཧ͢Δͨ Ίͷ࠷΋؆୯ͳํ๏Λఏڙ͠·͢ɻAWS Control Tower ͸ɺAWS Organizations Λ࢖༻ͯ͠ϥϯσΟϯά κʔϯΛ࡞੒͠ɺܧଓతͳΞΧ΢ϯτ؅ཧͱΨόφϯεɺ͓ΑͼΫϥ΢υʹҠߦ͢Δ਺ઍͷ͓٬༷ͱ࿈ܞ ͖ͯͨ͠ AWS ͷܦݧʹج͍࣮ͮͨ૷ͷϕετϓϥΫςΟεΛఏڙ͠·͢ɻAWS Control Tower Ͱ͸ɺϏ ϧυ୲౰ऀ͸৽͍͠ AWS ΞΧ΢ϯτΛ਺ΫϦοΫ͚ͩͰϓϩϏδϣχϯάͰ͖ɺ͔͠΋ΞΧ΢ϯτ͸و ࣾશମͷϙϦγʔʹ४ڌ͍ͯ͠Δͱ͍͏҆৺ײ͕ಘΒΕ·͢ɻAWS ͷ͓٬༷͸ɺAWS Control Tower Λ ࣮૷͠ɺΨόφϯεΛ৽ن·ͨ͸طଘͷΞΧ΢ϯτʹ֦ுͯ͠ɺίϯϓϥΠΞϯεεςʔλεΛ͢͹΍͘ ֬ೝͰ͖·͢ɻ৽͍͠ AWS ؀ڥΛߏஙதɺAWS ͰͷδϟʔχʔΛ࢝Ίͨ͹͔Γɺ·ͨ͸৽͍͠Ϋϥ΢υ ͷऔΓ૊ΈΛ։࢝͠Α͏ͱ͍ͯ͠Δ৔߹ɺControl Tower ͸ɺطʹ૊Έࠐ·Ε͍ͯΔΨόφϯε͓Αͼϕ ετϓϥΫςΟεΛඋ͓͑ͯΓɺਝ଎ʹ։࢝͢Δͷʹ໾ཱͪ·͢ɻ

3. AWS Control Towerͱ͸ • ؆୯ʹݴ͏ͱɺطଘͷػೳΛ༻͍ͯ҆શͳ؀ڥΛηοτΞοϓ͠ɺͦΕʹ४ͯ͡ AWSΞΧ΢ϯτΛ৽ن࡞੒ɺల։ͯ͘͠ΕΔαʔϏε • ओͳطଘͷػೳͱ͸ • AWS Organization s • ෳ਺ͷAWSΞΧ΢ϯτΛ؅ཧ • SCP ʢαʔϏείϯτϩʔϧϙϦγʔʣ • AWS API ʹର͢ΔΞΫηε੍ݶɻಛఆͷϦʔδϣϯΛ੍ݶͳͲ • AWS Con fig • ݱঢ়ͷঢ়ଶΛνΣοΫ͠ҧ൓͍ͯͨ͠Β௨஌౳ʹར༻ • Ξλον͞Εͯͳ͍EBS, ϑϧ։์͞Ε͍ͯΔηΩϡϦςΟάϧʔϓͳͲ

4. AWS Control Tower ؀ڥ΁Ҡߦ • Ҡߦॱং • ৽؀ڥͰ AWS Control Tower Λ࣮૷ • લ؀ڥͰ AWS Organizations ʹࢀՃ͢ΔʢࢀՃͯ͠ͳ͚Ε͹ʣ • ৽؀ڥ͔Βট଴ → چ؀ڥͰάϧʔϓ͔Β֎͢ → ট଴Λड͚ೖΕΔ

4. AWS Control Tower ؀ڥ΁Ҡߦ • ஫ҙ఺ • CloudTrail͸৽͘͠উखʹઃఆ͞ΕΔ͔ΒɺલͷCloudTrail͸ফͨ͠ํ͕͍͍ɻ2ఆٛ໨͔Β ՝ۚ͞ΕͪΌ͏͔΋ • Con fi g͸εΫϦϓτΛྲྀͯ͠Offʹ͢Δඞཁ༗Γɻ͜ΕΛ͠ͳ͍ͱJoinޙ͸Con fi gͷ࡟আݖݶ ౳͕SCPͰୣΘΕ͍ͯΔͷͰมߋͰ͖ͳ͍ɻҰ౓AWS Control Tower؅ཧ֎ʹͯ͠ɺCon fi g ֎ͯ͠ɻΈ͍ͨͳ͜ͱΛ͢Δඞཁ͋Γ • ಛʹઃఆ࿔Βͳ͚Ε͹ΫϦςΟΧϧͳSCP͸ͳ͍͔Β໰୊ͳ͍͚ͲɺSCPͰ੍໿ΛڧΊΔͱ Ҡߦ࣌ʹ໰୊ʹͳΔ͜ͱ΋ • ॳظ࣌͸Con fi g΍CloudTrailΛมߋͰ͖ͳ͍Α͏ͳSCP͕ೖͬͯΔ • Ϧʔδϣϯ੍ݶΛՃ͑ͯҠߦ͢Δͱɺ֘౰Ϧʔδϣϯ࢖ͬͯΔAWSΞΧ΢ϯτͰ໰୊͕ ى͖ͨΓͱ͔

4. Ҡߦޙ • AWS SSOͷಋೖ • લ͔Β100೔௒͑ΔͱউखʹIAMϢʔβΛফͯͨ͠ͷͰɺͲ͔͜ͷγεςϜʹݸਓͷ IAMΫϨσϯγϟϧ͕૊Έࠐ·ΕͯͨΓͱ͔͸ແ͍લఏ • Google WorkspaceΛར༻͍ͯ͠ΔͷͰIdPʹͨ͠ • ྑ͔ͬͨ఺ • ೝূͱMFAͷར༻͕GoogleʹدͤΕͨͷͰඇৗʹศརʹͳͬͨ • ݸਓຖͷΫϨσϯγϟϧΛൃߦͰ͖ͳ͘ͳͬͨͷͰηΩϡΞɻݸਓ͕ϩʔΧϧ Ͱར༻͍ͨ͠৔߹͸Ұ࣌ΫϨσϯγϟϧΛར༻͢Δ͚ͩ • IAMϢʔβͰ࢒ͬͯΔͷ͸جຊCI/CDܥ͕΄ͱΜͲʹͳͬͨɻओʹCircleC I • AWS Client VPNʢࣾ֎ʹݻఆIPͰग़͍ͯ͘ͷʹར༻ʣ΋AWS SSO

4. Ҡߦޙ • AWS Control Tower ͷ Managed Con fi g ʹ४ڌͤͭͭ͞1ΞΧ΢ϯτͣͭҠߦ • ηΩϡϦςΟάϧʔϓͷϑϧ։์Λ࡟আ • Ξλον͞Ε͍ͯͳ͍EBSΛ࡟আ • S3ͷϑϧ։์Λด͡Δ • Security Hub, IAM Access Analyzer, Guard DutyͳͲΛ༗ޮʹͭͭ͠ɺվળ

5. ͳͤͨ͘͜ͱʢେ͖͘վળͰ͖ͨ͜ͱʣ·ͱΊ • ݸਓͷIAMϢʔβͱΫϨσϯγϟϧ • ࿙Εͯେ໰୊ʹͳΔϦεΫେ෯ݮগ • ෳ਺ΞΧ΢ϯτ؀ڥԼͰͷയવͱͨ͠ηΩϡϦςΟͷෆ҆ • AWS Organizations ͱ Security Hub ͳͲͷηΩϡϦςΟαʔϏε͕࿈ಈͯ͘͠Ε ΔͷͰɺશ؀ڥΛݟΔඞཁ͕ͳ͘ͳΓɺ1ՕॴݟΔ͚ͩͰ֬ೝͰ͖ΔΑ͏ʹͳͬͨ • BillingपΓ • ෳ਺ͷ՝ۚঢ়گΛ1ͭͷίετΤΫεϓϩʔϥʔͰ؅ཧ • ϦβʔϒυΠϯελϯεɺSavings PlansΛෳ਺ΞΧ΢ϯτͰڞ༗͠ίετ࡟ݮ

6. ·ͩಓ൒͹ • ηΩϡϦςΟνΣοΫΛΦʔϧάϦʔϯʹ͸ग़དྷ͍ͯͳ͍ • աڈ͔Β͋Δ࢓༷ͳͲ • ΧελϜͨ͠ηΩϡϦςΟج४ΛಋೖͰ͖͍ͯͳ͍ • ҧ൓࣌౳ʹ௨஌Ͱ͖͍ͯͳ͍ • ͜ΕΒΛఆظνΣοΫͯ͠ҡ͍͖͍࣋ͯͨ͠

No content