AWSを始めるにあたってのAWS IAM基礎 / jawsug-niigata-8

by kasacchiful

Slide 1

Slide 1 text

AWSΛ࢝ΊΔʹ͋ͨͬͯͷ AWS IAMجૅ 2020-05-09 JAWS-UG৽ׁ#8 @kasacchiful

Slide 2

Slide 2 text

ࣗݾ঺հ • ּݪ ޺ (@kasacchiful) • ৽ׁࢢ಺ࡏॅͷιϑτ΢ΣΞΤϯδχΞ • ޷͖ͳݴޠ: Ruby • ݱࡏΑ͘৮͍ͬͯΔAWSαʔϏε: WorkSpaces / Amplify

Slide 3

Slide 3 text

಺༰ • IAMͱ͸Կ͔Λͬ͘͟Γઆ໌ • IAMϢʔβʔ / άϧʔϓ / ϙϦγʔ / ϩʔϧ • ·ͣ͜Ε͚ͩ͸΍͓͖͍ͬͯͨ͜ͱ5ͭ

Slide 4

Slide 4 text

JAWS-UG৽ׁͷϋϯζΦϯͰ͸… • IAMϢʔβ࡞੒ͯ͠AdministratorAccessϙϦγʔΛIAM άϧʔϓʹΞλον͍ͯ͠ΔͷͰɺIAM͔ͳΓ৮͍ͬͯΔ IUUQTHJUIVCDPNLBTBDDIJGVMKBXTVHOJJHBUBCMPCNBTUFS@SFHJTUSBUJPONE

Slide 5

Slide 5 text

IAM is Կʁ

Slide 6

Slide 6 text

AWS Identity and Access Management (IAM) • AWSͷૢ࡞ΛΑΓηΩϡΞʹ͢ΔͨΊͷ࢓૊ Έ • ೝূɾೝՄ • AWSΛૢ࡞͢ΔͨΊͷϢʔβʔʗάϧʔϓʗϩʔϧͷ࡞੒ • Ϣʔβʔຖͷೝূ৘ใͷઃఆ • Ϣʔβʔʗάϧʔϓʗϩʔϧʹର࣮ͯ͠ߦͰ͖Δૢ࡞Λઃఆ

Slide 7

Slide 7 text

IAMΛ࢖͏ʹ͸ • AWSϚωδϝϯτίϯιʔϧ͔Βૢ࡞͢Δ͜ ͱ͕ଟ͍ • CLI΍SDK͔Β΋ΞΫηεՄೳ

Slide 8

Slide 8 text

IAMϢʔβʔʗάϧʔϓʗϙ Ϧγʔ

Slide 9

Slide 9 text

IAMϢʔβʔʗάϧʔϓʗϙϦγʔ • IAMϢʔβʔ: Ϣʔβʔͷ1୯Ґ • IAMάϧʔϓ: IAMϢʔβʔΛ·ͱΊͨ΋ͷ • IAMϙϦγʔ: ݖݶઃఆ

Slide 10

Slide 10 text

ରԠؔ܎ *".Ϣʔβ " *".Ϣʔβ # *".Ϣʔβ $

Slide 11

Slide 11 text

ରԠؔ܎ *".Ϣʔβ " *".Ϣʔβ # *".Ϣʔβ $ *".άϧʔϓ ؅ཧऀ *".άϧʔϓ ։ൃऀ

Slide 12

Slide 12 text

ରԠؔ܎ *".Ϣʔβ " *".Ϣʔβ # *".Ϣʔβ $ *".άϧʔϓ ؅ཧऀ *".άϧʔϓ ։ൃऀ ϙϦ γʔ ϙϦ γʔ

Slide 13

Slide 13 text

ରԠؔ܎ *".Ϣʔβ " *".Ϣʔβ # *".Ϣʔβ $ *".άϧʔϓ ؅ཧऀ *".άϧʔϓ ։ൃऀ ϙϦ γʔ ϙϦ γʔ ϙϦ γʔ

Slide 14

Slide 14 text

ରԠؔ܎ *".Ϣʔβ " *".Ϣʔβ # *".Ϣʔβ $ *".άϧʔϓ ؅ཧऀ *".άϧʔϓ ։ൃऀ ϙϦ γʔ ϙϦ γʔ ϙϦ γʔ "84ΞΧ΢ϯτ

Slide 15

Slide 15 text

AWSΞΧ΢ϯτ (ϧʔτϢʔβʔ) ͸جຊ࢖༻͠ͳ͍ • AWSΞΧ΢ϯτ͸ͳΜͰ΋Ͱ͖Δ͕Ώ͑ʹɺ ࿙Ӯͨ͠৔߹ɺऔΓฦ͠ͷ͔ͭͳ͍ࣄଶʹ • جຊతʹ໨తʹԠͯ͡IAMϢʔβʔ΍ϩʔϧ Λ࡞੒ͯ͠ΞΫηε͢Δ͜ͱͰɺ֤ʑͷΞΫ ηε؅ཧɾঝೝɾ؂ࠪ (CloudTrail) ͢Δ͜ͱ ͕Մೳʹ

Slide 16

Slide 16 text

IAMϢʔβ࡞੒࣌ͷ AWSΞΫηεͷछྨͷબ୒ "84$-*΍"844%,౳ɺ ϓϩάϥϜ͔Β"84ʹΞΫηε͢Δࡍʹඞཁ "84Ϛωδϝϯτίϯιʔϧʹ ΞΫηε͢Δࡍʹඞཁ

Slide 17

Slide 17 text

git-secretsͰΞΫηεΩʔ࿙Ӯ Λ๷͙ IUUQTHJUIVCDPNBXTMBCTHJUTFDSFUT

Slide 18

Slide 18 text

IAMϙϦγʔ • ͲͷAWSαʔϏεʢϦιʔεʣʹରͯ͠ • ͲͷΑ͏ͳΞΫγϣϯΛ • ڐՄ or ڋ൱ ͢Δ ΛJSONܗࣜͰهड़ͨ͠΋ͷ

Slide 19

Slide 19 text

IAMϙϦγʔ • ͲͷAWSαʔϏεʢϦιʔεʣʹରͯ͠ • ͲͷΑ͏ͳΞΫγϣϯΛ • ڐՄ or ڋ൱ ͢Δ ΛJSONܗࣜͰهड़ͨ͠΋ͷ 3FTPVSDF "DUJPO &⒎FDU

Slide 20

Slide 20 text

IAMϙϦγʔαϯϓϧ { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:*", "Resource": "*", "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"} } } } IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFSFGFSFODF@QPMJDJFT@FYBNQMFT@BXTEBUFTIUNM ಛఆͷ೔෇಺ͰΞΫηεΛڐՄ͢Δ

Slide 21

Slide 21 text

ϙϦγʔͷධՁ݁Ռ • Կ΋໌ࣔ͞Ε͍ͯͳ͚Ε͹ɺσϑΥϧτͰ ʮڋ൱ʯ • ʮڐՄʯ͕͋Ε͹ɺʮڐՄʯ • ໌ࣔతʹʮڋ൱ʯ͕͋Ε͹ɺͨͱ͑ʮڐՄʯ ͕͋Ζ͏ͱ΋ɺʮڋ൱ʯ

Slide 22

Slide 22 text

ϙϦγʔͷධՁ݁Ռ ڐՄͷεςʔτϝϯτهड़͕ ͋Δ ͳ͍ ڋ൱ͷεςʔ τϝϯτهड़ ͕ ͋Δ ڋ൱ ڋ൱ ͳ͍ ڐՄ ڋ൱ ʢσϑΥϧτʣ

Slide 23

Slide 23 text

IAMϙϦγʔͷछྨ • AWS؅ཧϙϦγʔ • Α͘࢖͏ݖݶઃఆΛAWS͕༻ҙ͍ͯ͠ΔϙϦγʔ • ΧελϚʔ؅ཧϙϦγʔ • զʑࣗ਎͕࡞੒ͨ͠ϙϦγʔ • IAMϢʔβɺάϧʔϓɺϩʔϧʹΞλονͰ͖Δ • ΠϯϥΠϯϙϦγʔ • IAMϢʔβɺάϧʔϓɺϩʔϧʹ௚઀ॻ͖ࠐΜͩϙϦγʔ • ଞͷIAMϢʔβͳͲʹΞλονͰ͖ͳ͍͕ɺ1ର1ͷద༻ʹศར

Slide 24

Slide 24 text

Slide 25

Slide 25 text

IAM Policy Generator *".1PMJDZΛ બ୒ IUUQTBXTQPMJDZHFOTBNB[POBXTDPNQPMJDZHFOIUNM

Slide 26

Slide 26 text

IAMϩʔϧ

Slide 27

Slide 27 text

IAMϩʔϧ • ୈ3ऀʹʮݖݶΛҕৡʯ͢ΔͨΊʹ࢖༻ • AWSϦιʔε΍IAMϢʔβʹϩʔϧΛ௨ͯ͠ݖݶΛ෇༩Ͱ ͖Δ • Α͘࢖ΘΕΔྫ: • EC2ʹS3ΞΫηεՄೳͳIAMϩʔϧΛΞλον • LambdaʹS3ΞΫηεՄೳͳIAMϩʔϧΛΞλον

Slide 28

Slide 28 text

JAWS-UG৽ׁͷϋϯζΦϯͰ͸… • EC2΍LambdaͷϋϯζΦϯͰIAMϩʔϧΛ࢖༻ͯ͠ݖݶ Λ෇༩͍ͯ͠Δ IUUQTHJUIVCDPNLBTBDDIJGVMKBXTVHOJJHBUBCMPCNBTUFS@FD@BWBJMBCJMJUZNE IUUQKBXTVHOJJHBUBIBOETPOTXFCTJUFBQOPSUIFBTUBNB[POBXTDPN@MBNCEB@T@IBOETPOIUNM

Slide 29

Slide 29 text

Կ͕͏Ε͍͠ͷ͔ • ΞΫηεΩʔΛऔಘ͠ͳͯ͘ࡁΉͷͰɺηΩϡΞʹΞΫη εͰ͖ΔΑ͏ʹͳΔɻ IUUQTHJUIVCDPNLBTBDDIJGVMKBXTVHOJJHBUBCMPCNBTUFS@FD@BWBJMBCJMJUZNE IUUQKBXTVHOJJHBUBIBOETPOTXFCTJUFBQOPSUIFBTUBNB[POBXTDPN@MBNCEB@T@IBOETPOIUNM

Slide 30

Slide 30 text

ΫϩεΞΧ΢ϯτΞΫηε • ผͷAWSΞΧ΢ϯτʹ͋ΔϦιʔε΁ΞΫη εΛҕ೚͢Δํ๏ͰɺIAMϩʔϧΛ࢖༻͢Δ IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFUVUPSJBM@DSPTTBDDPVOUXJUISPMFTIUNM

Slide 31

Slide 31 text

·ͣ͜Ε͚ͩ͸΍͓͖ͬͯͨ ͍͜ͱ5ͭ

Slide 32

Slide 32 text

·ͣ͜Ε͚ͩ͸΍͓͖͍ͬͯͨ ͜ͱ5ͭ • IAMͷμογϡϘʔυʹܝࡌ͞Ε͍ͯΔ5ͭͷ߲໨Λશͯ׬ྃʹ͠ ͓͖͍ͯͨ • ͓·͚: IAMͷμογϡϘʔυʹܝࡌ͞Ε͍ͯΔIAMϢʔβʔͷα ΠϯΠϯϦϯΫΛΧελϚΠζ͓͖͍ͯͨ͠

Slide 33

Slide 33 text

ϧʔτΞΧ΢ϯτͷMFA༗ޮԽ • AWSΞΧ΢ϯτʢϧʔτΞΧ΢ϯτʣʹMFA ʢଟཁૉೝূʣΛઃఆ͓ͯ͜͠͏ • Google AuthenticatorɺAuthy౳ͷԾ૝MFA ΛઃఆͰ͖ΔΞϓϦΛ࢖༻͢ΔͱศརͰ͢ɻ

Slide 34

Slide 34 text

ݸʑͷIAMϢʔβʔͷ࡞੒ & άϧʔϓΛ࢖༻ͨ͠ΞΫηεڐՄͷׂΓ౰ͯ • IAMϢʔβ࡞੒ͯ͠ɺIAMάϧʔϓ࢖ͬͯIAM ϙϦγʔΛׂΓ౰ͯ·͠ΐ͏

Slide 35

Slide 35 text

IAMύεϫʔυϙϦγʔͷద༻ • ύεϫʔυϙϦγʔΛઃఆ͠Α͏

Slide 36

Slide 36 text

ΞΫηεΩʔͷϩʔςʔγϣϯ • ϓϩάϥϜͰ࢖༻͢ΔΞΫηεΩʔ͸গͳͯ͘΋೥1ճ͸มߋ͠· ͠ΐ͏ • ະ࢖༻ͷΞΫηεΩʔ͸࡟আ͠·͠ΐ͏

Slide 37

Slide 37 text

͓·͚: IAMϢʔβʔͷαΠϯ ΠϯϦϯΫͷΧελϚΠζ • σϑΥϧτ͸ʮAWSΞΧ΢ϯτIDʯ͕ઃఆ͞Ε͍ͯΔ • ΧελϚΠζ͓ͯ͘͠ͱɺϚωδϝϯτίϯιʔϧͷαΠϯΠϯ ʹͯɺAWSΞΧ΢ϯταΠϯΠϯը໘ͱIAMϢʔβʔαΠϯΠϯ ը໘Λ੾Γସ͑΍͘͢ͳΔ͸ͣ ΧελϚΠζͨ͠จࣈྻ ʢΞΧ΢ϯτΤΠϦΞεʣ

Slide 38

Slide 38 text

·ͱΊ

Slide 39

Slide 39 text

·ͱΊ • IAM͸ɺೝূɾೝՄΛ࢘ΔେࣄͳαʔϏε • AWSΞΧ΢ϯτͰ͸ͳ͘ɺIAMϢʔβͰૢ࡞͠Α͏ • ·ͣ͸ηΩϡϦςΟεςʔλε5߲໨͸શͯ׬͓ྃͯ͜͠͏ • IAMαΠϯΠϯϦϯΫͷΧελϚΠζ͓ͯ͘͠ͱศར • IAMϙϦγʔͰඞཁ࠷খݶͷݖݶΛઃఆͰ͖Ε͹ɺॳ৺ऀ͔Βதڃऀ΁ Ұา౿Έग़ͤΔ • αʔϏεؒ࿈ܞʹ͸IAMϩʔϧΛઃఆ͠Α͏

Slide 40

Slide 40 text

͓ΘΓ