キッチハイク社内勉強会 / 2021-03-03

IAMͷ͖΄Μ
2021/3/3
ΩονϋΠΫ ࣾ಺ษڧձ

View Slide

ຊ೔ͷςʔϚ

View Slide

ܰࢹ͞Ε͕ͪͳ
IAMͷجຊʹ͍ͭͯ
ֶΜͰΈΑ͏

View Slide

ΞδΣϯμ
● ͸͡Ίʹ: IAMΛ஌ΔͱͲΜͳ͍͍͜ͱ͕͋Δͷ
● IAM͸ͲΜͳ΋ͷ͔
○ IAMͷʮೝূʯ
○ IAMͷʮೝՄʯ
● IAMΛ҆શʹ͢ΔͨΊʹ
● ·ͱΊ

View Slide

͸͡Ίʹ

View Slide

AWS IAM
(Identity and Access Management)

View Slide

● AWSϦιʔε΁ͷΞΫηεΛ҆શʹ؅ཧ͢ΔͨΊͷαʔϏε
● ϦιʔεΞΫηε΁ͷೝূͱೝՄΛ͍࢘ͬͯΔ

View Slide

● AWSͷதͰ΋IAM͸༏ઌ౓Λ௿͘͞Ε͕ͪͳαʔϏε(ࣗ෼ͷ؍ଌ
ൣғௐ΂)
● ͳ͔ͥɾɾɾԿ΋ઃఆ͠ͳͯ͘΋࣮ӡ༻ʹ͸ࠔΒͳ͍

View Slide

● AWSͷதͰ΋IAM͸༏ઌ౓Λ௿͘͞Ε͕ͪͳαʔϏε(খ઒ͷ؍ଌ
ൣғௐ΂)
● ͳ͔ͥɾɾɾԿ΋ઃఆ͠ͳͯ͘΋࣮ӡ༻ʹ͸ࠔΒͳ͍
IAMʁΑ͘Θ͔Μͳ͍͚Ͳૣ͘αʔϏεϦϦʔε͠Α͏Αʂ

View Slide

ͦͷઌʹ͋Δͷ͸ɾɾɾ

View Slide

AWSͷෆਖ਼ར༻ʹΑΔ
ߴֹ੥ٻ

View Slide

ۚમతଛ֐͚ͩ͡Όͳ͍

View Slide

اۀͷ৔߹͸େ͖ͳηΩϡϦςΟΠϯγσϯτͱͳΔ
SSRF߈ܸʹΑΔCapital Oneͷݸਓ৘ใྲྀग़ʹ͍ͭͯ·ͱΊͯΈͨ
https://piyolog.hatenadiary.jp/entry/2019/08/06/062154

View Slide

IAMΛ஌Δ͜ͱ͸
͜ͷΑ͏ͳࣄଶΛ๷͙ୈҰาͱ
ͳΔͷͰ͢

View Slide

Ͱ΋AWS৮Βͳ͍͠ɾɾɾ
஌Δඞཁ͋Δͷʁ

View Slide

͋Γ·͢ʂ

View Slide

IAMΛ஌Δ͜ͱ͸
ϢʔβʔͷೝূɾೝՄ؅ཧ
ͷΑΓΑ͍ϞσϧΛ
ֶͿ͜ͱʹͭͳ͕Γ·͢

View Slide

ͱ͍͏Θ͚Ͱ
ݟ͍͖ͯ·͠ΐ͏

View Slide

IAMͱ͸ͲΜͳ΋ͷ͔

View Slide

IAM͸AWSϦιʔε΁ͷೝূͱೝՄͷ؅ཧ͕໾ׂ

View Slide

ೝূͱೝՄ
ೝূ(Authentication)
ύεϫʔυͳͲ(ޙड़)ͷखஈͰɺA͞Μ͔Ͳ͏͔
ͷಉҰੑ֬ೝΛ͢Δ
ೝՄ(Authorization)
A͞Μʹର͢ΔAWS্ͷϦιʔεݖݶΛ෇༩͢Δ

View Slide

ೝূͱೝՄ
ೝূ(Authentication)
ຊਓ͔͠஌Βͳ͍৘ใɺ࣋ͨͳ͍৘ใΛར༻͠
ͯɺຊਓͱͷಉҰੑΛ֬ೝ͢Δ͜ͱ
ೝՄ(Authorization)
Ϧιʔεʹର͢Δར༻ݖݶΛ༩͑Δ͜ͱ

View Slide

IAMͷೝূ

View Slide

IAMͷʮೝূʯ
● AWSͷαʔϏεར༻ʹର͢Δೝূ
● IAMϢʔβʔʹର͢ΔύεϫʔυϙϦγʔͷઃఆ
○ ύεϫʔυ͸XจࣈҎ্ɺه߸ͷ༗ແɺ༗ޮظݶͷઃఆ
● MFA(ଟཁૉೝূ)
○ ෳ਺ͷຊਓ͔͠஌Βͳ͍ / ࣋ͨͳ͍৘ใʹΑͬͯೝূڧ౓Λڧ͘
͢Δ
○ ύεϫʔυ + ຊਓͷ࣋ͭσόΠεͰੜ੒ͨ͠ίʔυ

View Slide

ʮೝূʯ͸Θ͔Γ΍͍͢
● ଞαʔϏεͱڞ௨ͨ֓͠೦ͰೃછΈ͕͋Δ
● AWS͔ͩΒͱ͍ͬͯಛผͳཁૉ͸ͦΜͳʹ
ͳ͍
● Ұൠతͳೝূ؅ཧͷϕετϓϥΫςΟε͕
ͦͷ··௨༻͢Δͱߟ͑ͯྑ͍
○ ύεϫʔυ͸௕͍΋ͷΛઃఆ
○ ଟཁૉೝূΛ༗ޮʹ͢ΔɾɾɾͳͲ

View Slide

IAMͷೝՄ

View Slide

IAMͷʮೝՄʯ
● AWSͷϦιʔεʹର͢Δݖݶͷ෇༩
○ ඇৗʹॊೈͰ͋ΔΏ͑ʹෳࡶͰ͋Δ
○ IAMϢʔβʔɺIAMϙϦγʔɺIAMάϧʔϓɺIAMϩʔϧɺΦʔΨ
φΠθʔγϣϯϢχοτ(OU)ͷ֓೦(ޙड़)
○ AWSͷαʔϏε x ͦΕͧΕͷαʔϏεͷݖݶ͕๲େʹ͋Δ
● ͜ͷʮೝՄʯͷઃఆϛε͕ॾʑͷΠϯγσϯτͷඃ֐Λඇৗʹਙେͳ
΋ͷʹ͍ͯ͠Δ

View Slide

ʮೝՄʯࣗମ͸೉͘͠ͳ͍
● ݖݶΛ෇༩͢ΔϞσϧ͸伴ͷΑ͏ͳ΋ͷ
○ Ή΍Έ΍ͨΒʹԿͰ΋։͚ΒΕΔ伴Λ౉ͨ͠
Γɺ෼͔Γ΍͍͢ͱ͜Ζʹஔ͍͓͚ͯ͹ɺϚζ
Πͷ͸͙͢Θ͔Δ͸ͣ
● Ͱ΋AWSͰ͸ͦ͏͍͏͜ͱ͕·͔Γ௨ͬͯ͠·
͏ɾɾɾͳͥʁ

View Slide

AWSͷʮೝՄʯ͸ͱ͖ͬͭʹ͍͘
● ෇༩͢Δݖݶ͕๲େͰ͋Δ
○ ๲େͳαʔϏεͷ਺ x ͦͷݖݶͷ૊Έ߹
Θͤ
● ΍Γ͍ͨ͜ͱʹൺͯ͠ɺ΍ΕΔ͜ͱ͕ඇৗʹଟ
͍
● ݖݶઃఆ͸೥ʑ࢖͍΍͘͢ͳ͍ͬͯΔ͕ɺͦ
ΕͰ΋೉͍͠
○ ӈͷΑ͏ͳJSONΛ௚઀मਖ਼͢Δػձ͸ଟ
͍
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetOpsItem",
"ssm:UpdateOpsItem",
"ssm:DescribeOpsItems",
"ssm:CreateOpsItem",
"ssm:CreateResourceDataSync",
"ssm:DeleteResourceDataSync",
"ssm:ListResourceDataSync",
"ssm:UpdateResourceDataSync"
],
"Resource": "*"
}
]
}

View Slide

ϧʔτϢʔβʔ࢖͍͕ͪ
● AWSͷαΠϯΞοϓ࣌ʹ࡞੒͞ΕΔΞΧ΢ϯτ
○ AWS΁ͷϦιʔεͷ͢΂ͯͷΞΫηεݖݶΛ࣋ͭ࠷ڧͷϢʔβʔ
○ IAMϢʔβʔͱ͸ҧ͏
● AWS͋Δ͋Δ: IAMϢʔβʔΛ࡞ΒͣɺϧʔτϢʔβʔΛͦͷ··࢖ͬͯ
͠·͏
○ AWSΛ࢖͏ਓ͸αʔϏεΛ࡞Γ͍ͨ
○ IAMͷઃఆΛௐ΂ͯ಄௧͕ͯ͘͠Δ→ϧʔτϢʔβʔ࢖͏
○ ԿͰ΋Ͱ͖Δݖݶ͔ͩΒαʔϏεΛ࡞Δͷʹ͸ࠔΒͳ͍

View Slide

ϧʔτϢʔβʔৗ༻ͷ຤࿏
● ͦͷ͏ͪɺϧʔτϢʔβʔ͕౰ͨΓલԽ͢Δ
○ IAMϢʔβʔͰద੾ͳݖݶ෇༩Λޙճ͠ʹ͢Δ
○ ϧʔτϢʔβʔͷΞΫηεΩʔ / γʔΫϨοτΩʔΛ࢖͏ͳͲɺ௒ة
ݥͳΦϖϨʔγϣϯ͕ৗଶԽ͢Δ
● ΞΫηεΩʔ / γʔΫϨοτΩʔ͸ͦΕͦͷ΋ͷ͕ೝূ৘ใ
○ ID / ύεϫʔυͷ૊Έ߹Θͤͱ΄΅ಉٛ
○ ޡͬͯϦϙδτϦʹPushͯ͠શੈքʹެ։ → ΞΧ΢ϯτ͕ୣΘΕΔ
○ ϧʔτϢʔβʔ͸ԿͰ΋ग़དྷΔͷͰඃ֐͕ਙେͳ΋ͷͱͳΔ

View Slide

͜͜·Ͱͷ·ͱΊ
● IAM(Identity and Access Management)͸AWSϦιʔε΁ͷೝূͱೝՄ
ͷ؅ཧ͕໾ׂ
● ʮೝূʯ͸ຊਓͱͷಉҰੑ֬ೝ
● ʮೝՄʯ͸Ϧιʔεʹର͢ΔݖݶΛ༩͑Δ͜ͱ
● AWSͷ৔߹ɺʮೝՄʯَ͕໳Ͱ͋Δ
○ ઃఆͷϋʔυϧ͕΍΍ߴ͘ޙճ͠ʹ͞Ε͕ͪ
○ ҰํͰAWS͸Ϣʔβʔͷ૝૾Ҏ্ʹͳΜͰ΋Ͱ͖Δ
○ ݁Ռɺྲྀग़࣌ʹμϝʔδ͕େ͖͍

View Slide

Ͱ΋
۩ମతʹ͸ԿΛ͢Ε͹͍͍ͷʁ

View Slide

IAMΛ
҆શʹ͢ΔͨΊʹ

View Slide

IAMηΩϡϦςΟϕετϓϥΫςΟεʹै͓͏
● AWS͕ެࣜʹग़͍ͯ͠ΔIAMͷ
ϕετϓϥΫςΟεू
● AWSϦιʔεͷηΩϡϦςΟ֬
อͷͨΊʹ16ͷਪ঑ࣄ߲Λڍ͛
͍ͯΔ
IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFCFTUQSBDUJDFTIUNM

View Slide

·ͣ͸খ͘͞ʮೝূʯ͔Β࢝ΊͯΈΔ
● 16ݸ΋ʂʁͱͳΔ͕ɺશͯΛ͍͖ͳΓ࢝ΊΔඞཁ͸ͳ
͍
○ ࠷ॳ͔Β͸ඞཁͳ͍΋ͷ΋͋Δ
● ͜͏͍͏ͱ͖͸՝୊Λ෼ׂɻ·ͣ͸ʮೝূʯ͔Β΍ͬͯ
ΈΑ͏
● ʮೝূʯ͸ͻͱΓͻͱΓͷಉҰੑ֬ೝɻͦͷ؍఺͔Β
ਐΊͯΈΔ
○ MFAͷ༗ޮԽ
○ IAMϢʔβʔΛڞ༻Ͱ͸ͳ͘ɺϢʔβʔ͝ͱʹൃ
ߦ͢Δ
○ ύεϫʔυϙϦγʔͷڧԽ
○ ΞΫηεΩʔͷແޮԽɾඇڞ༗
● ͜Ε͚ͩͰ΋େ෼ϚγʹͳΔ
ϕετϓϥΫςΟε಺Ͱͷʮೝূʯؔ࿈߲໨
ɾAWSΞΧ΢ϯτͷϧʔτϢʔβʔΞΫηεΩʔΛϩοΫ͢Δ
ɾݸʑͷIAMϢʔβʔΛ࡞੒͢Δ
ɾϢʔβʔͷͨΊʹڧ౓ͷߴ͍ύεϫʔυϙϦγʔΛઃఆ͢Δ
ɾMFAͷ༗ޮԽ
ɾΞΫηεΩʔΛڞ༗͠ͳ͍
ɾೝূ৘ใΛఆظతʹϩʔςʔγϣϯ͢Δ
ɾෆཁͳೝূ৘ใͷ࡟আ
ɾ௥ՃηΩϡϦςΟʹର͢ΔϙϦγʔ৚݅Λ࢖༻͢Δ

View Slide

͍ͭͮͯʮೝՄʯʹऔΓ૊ΜͰΈΑ͏
● ϩʔϧ΍άϧʔϓɺϙϦγʔͳͲͷݴ༿͕ग़ͯ
͖ͨɻͳʹ͜Εʁ
● ·ͣ͸͜ΕΒʹ͸໨ΛͭΉΖ͏ɻ
● ඞཁͳ͚ͩͷʮೝՄʯͷ෇༩ʹऔΓ૊Ή
● ۩ମతʹ͸ҎԼͷ߲໨
○ ࠷খݶͷಛݖΛೝΊΔ
○ AWS؅ཧϙϦγʔΛ࢖༻ͨ͠ΞΫηεڐ
Մͷ࢖༻։࢝
ϕετϓϥΫςΟε಺ͰͷʮೝՄʯؔ࿈߲໨
ɾIAMϢʔβʔͷΞΫηεڐՄΛׂΓ౰ͯΔͨΊʹάϧʔϓΛ࢖͍·͢
ɾ࠷খݶͷಛݖΛೝΊΔ
ɾΞΫηεϨϕϧΛ࢖༻ͯ͠ɺIAM ΞΫηεڐՄΛ֬ೝ͢Δ
ɾAWS؅ཧϙϦγʔΛ࢖༻ͨ͠ΞΫηεڐՄͷ࢖༻։࢝
ɾΠϯϥΠϯϙϦγʔͰ͸ͳ͘ΧελϚʔ؅ཧϙϦγʔΛ࢖༻͢Δ
ɾAmazon EC2ΠϯελϯεͰ࣮ߦ͢ΔΞϓϦέʔγϣϯʹର͠ɺϩʔ
ϧΛ࢖༻͢Δ
ɾϩʔϧΛ࢖༻ͯ͠ΞΫηεڐՄΛҕ೚͢Δ

View Slide

AWSͷϨʔϧʹ৐Δ
● ݖݶʁͲΕΛ͚͍͍ͭͯͷ͔෼͔Βͳ͍Αʂ
● ͦΜͳਓͷͨΊʹAWS͕ϏϧτΠϯͷ؅ཧϙ
Ϧγʔ(ݖݶͷηοτ)Λ༻ҙͯ͘͠Ε͍ͯΔ
○ αʔϏε͝ͱʹΞΫηεݖݶ͕ύοέʔ
δԽ͞Ε͍ͯΔ
○ ݖݶΛ࠷ॳ͔Βॻ͔ͳͯ͘ࡁΈɺϋʔυ
ϧ͕Լ͕Δ
○ ͜ͷϙϦγʔʹ௥Ճ͢ΔܗͰɺݸผͷη
ΩϡϦςΟϙϦγʔΛՃ͑Δͷ͕ఆੴ
ϧΛ࢖༻͢Δ

View Slide

ϢʔβʔɺϩʔϧɺάϧʔϓɺϙϦγʔΛཧղ͠Α͏
● ଓ͍ͯϢʔβʔɺϩʔϧɺάϧʔϓɺϙϦγʔͷ֓೦Λཧղ
͢Δ
○ IAMϢʔβʔ
○ IAMάϧʔϓ
○ IAMϙϦγʔ
○ IAMϩʔϧ
˔ ͜ΕΒΛཧղ͢Δ͜ͱ͸ϝϯςφϒϧͳIAMͷӡ༻ʹͭͳ͕
Δ
○ ٯʹ͍͑͹ɺ͜ΕΒΛཧղ͍ͯ͠ͳͯ͘΋࠷௿ݶͷೝ
Մ෇༩͸Ͱ͖Δ
■ Ϣʔβʔʹ௚઀ϙϦγʔΛ෇༩
○ ࠷ॳ͔Β͖ͬͪΓ΍Ζ͏ͱͯ͠࠳ં͢ΔΑΓ΋ɺ·ͣ
͸ϝϯςφϒϧͰͳͯ͘΋ೝՄΛ੔උ͢Δ΄͏͕Α͍
Α͏ʹࢥ͏
ϧΛ࢖༻͢Δ

View Slide

ϢʔβʔɺϩʔϧɺάϧʔϓɺϙϦγʔͷ໾ׂ
● IAMϢʔβʔ
○ AWS Λར༻͢Δ֤ར༻ऀ޲͚ʹ࡞੒͞ΕΔΞΧ΢ϯ
τ
● IAMάϧʔϓ
○ ಉҰͷ໾ׂΛ࣋ͭIAM ϢʔβʔΛάϧʔϓԽ͢Δػ
ೳɻIAM Ϣʔβʔಉ༷ʹΞΫηεݖݶΛ෇༩͢Δ͜ͱ
͕Ͱ͖Δɻ
● IAMϙϦγʔ
○ AWS Ϧιʔε΁ͷΞΫηεݖݶΛͻͱ·ͱΊʹͨ͠
΋ͷɻ
● IAMϩʔϧ
○ AWS αʔϏε΍ΞϓϦέʔγϣϯ(ඇϢʔβʔ)ʹର
ͯ͠AWS ͷૢ࡞ݖݶΛ༩͑Δ࢓૊ΈɻผΞΧ΢ϯτ
ͷϢʔβʔʹ෇༩͢Δ͜ͱ΋Ͱ͖Δɻ

View Slide

IAM͔ΒೝՄ؅ཧͷϕετϓϥΫςΟεΛֶ΅͏
● IAMͷϞσϧ͸ඇৗʹΑ͘Ͱ͖͍ͯΔ
● IAMϢʔβʔͰ͸ͳ͘ɺάϧʔϓʹϙϦγʔ(ݖݶͷηοτ)Λ
΋ͨͤΔ͜ͱͰɺϢʔβʔͷҟಈ͕͋ͬͯ΋ɺϢʔβʔ͔Β
άϧʔϓΛऔΓ֎͚ͩ͢Ͱ࡞ۀ͕ࡁΉɻ
● ϙϦγʔ(ݖݶͷ·ͱ·Γ)ͱ෇༩͢Δର৅(Ϣʔβʔɺάϧʔ
ϓɺϩʔϧ)͕ૄ݁߹ͳ͜ͱͰɺॊೈʹݖݶΛ؅ཧ͢Δ͜ͱ͕
Ͱ͖Δɻ
○ άϧʔϓ͕ϙϦγʔΛෳ਺࣋ͭ͜ͱ΋Ͱ͖Δ
○ άϧʔϓͷݖݶมߋΛϙϦγʔͷ෇͚֎͚ͩ͠ͰͰ͖Δ
○ ΧελϚʔ؅ཧϙϦγʔʹϓϥεͯ͠ɺΑΓৄࡉͳ੍ݶ
Λ෇༩ͨ͠ϙϦγʔΛ௥Ճ͢Δͱ͍ͬͨ͜ͱ΋Ͱ͖Δ

View Slide

IAMͷೝূೝՄ؅ཧͷߟ͑ํ͸৭Μͳͱ͜ΖͰ࢖͑Δ
● AWSͱ͍͏௒ڊେͰෳࡶͳγεςϜͷݖݶϞσϧ΍ͦͷϕ
ετϓϥΫςΟεΛֶͿ͜ͱ͸ɺଞͷγεςϜ΍αʔϏε
ʹ΋׆͔͢͜ͱ͕Ͱ͖Δ
○ GCP΍AzureͳͲڝ߹αʔϏεͰ΋େ࿮ͷߟ͑ํ͸ม
ΘΒͳ͍
○ ۀ຿γεςϜશൠʹ΋͜ͷϞσϧ͸ద༻Ͱ͖Δ
● ܾͯ͠AWSͰ͔͠࢖͑ͳ͍஌ࣝͰ͸ͳ͍

View Slide

·ͱΊ

View Slide

·ͱΊ
● IAMΛ஌Ζ͏
● IAMΛ஌Δ͜ͱͰɺΫϥ΢υഁ࢈΍ηΩϡϦςΟΠϯγσϯτͷՄೳ
ੑΛେ෯ʹ௿ݮͤ͞Δ͜ͱ͕Ͱ͖Δ
● ͱ͖ͬͭʹ͍͘ͷ΋ࣄ࣮ɻ͚ͩͲɺʮೝূʯ΍ʮೝՄʯʹண໨͢Ε͹ɺ
ϋʔυϧ௿͘ɺ͙͢ʹऔΓ૊Ή͜ͱ͕Ͱ͖Δ
● IAMΛֶͿ͜ͱ͸ɺAWSʹดͨ͡஌ࣝΛֶͿ͜ͱͰ͸ͳ͍ɻΑΓ޿͍
ೝূͱೝՄͷϞσϧΛֶͿ͜ͱͰ͋Δɻ

View Slide

キッチハイク社内勉強会 / 2021-03-03

キッチハイク社内勉強会 / 2021-03-03

taogawa

More Decks by taogawa

Other Decks in Programming

Featured

Transcript