20250903_1つのAWSアカウントに複数システムがある環境におけるアクセス制御をABACで実現.pdf

ͭͷ"84ΞΧ΢ϯτʹ ෳ਺γεςϜ͕͋Δ؀ڥʹ͓͚Δ ΞΫηε੍ޚΛ"#"$Ͱ࣮ݱ ZIBOB Ϋϥεϝιουגࣜձࣾ Ϋϥ΢υࣄۀຊ෦

ࠓ೔࿩͢͜ͱ ࣍ͷΑ͏ͳ "84ΞΧ΢ϯτʹରͯ͠ɺࣗ਎ͷϓϩδΣΫτʹؔ࿈͢ΔϦιʔ ε͚ͩૢ࡞Մೳʹ͢Δӡ༻ऀ޲͚ͷΞΫηε੍ޚͷํ๏Λ঺հ͠·͢ʢ˞ʣ l ୯Ұ "84ΞΧ΢ϯτʹෳ਺ͷϓϩδΣΫτʢγεςϜʣ͕ࠞࡏ͢Δ؀ڥ l ΞΧ΢ϯτ಺ʹ୯ҰϓϩδΣΫτͷ৔߹Ͱ΋ෳ਺ͷؔ܎ձ͕ࣾؔ༩͢Δ؀ڥ
˞͋Δఔ౓ *".ͷ஌͕ࣝ͋Δલఏͷ಺༰Ͱ͢

ࠓ೔࿩͢͜ͱ "#"$ʢ"UUSJCVUF#BTFE"DDFTT$POUSPMɿଐੑϕʔεͷΞΫηε੍ޚʣΛ ར༻͢Δํ๏ͷ঺հͰ͢ Ҿ༻ݩɿ"#"$ೝՄͰଐੑʹج͍ͮͯΞΫηεڐՄΛఆٛ͢Δ "84*EFOUJUZBOE"DDFTT.BOBHFNFOU

΋͘͡ l "84*".ʹ͓͚Δ "#"$ l "84*".*EFOUJUZ$FOUFSʹ͓͚Δ "#"$ l "#"$ͷ
5JQTςΫχοΫू

"84*".ʹ͓͚Δ "#"$

"84*".ͷ "#"$͸λάͰ੍ޚ *".ϢʔβʔͷλάͱϦιʔεͷλάͷҰகʹΑΓૢ࡞ͷڐՄ͕Մೳ

*".ϙϦγʔͷྫ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } 1SPKFDUλάͷ஋ͷҰகΑΓ &$Πϯελϯεͷىಈɾ ఀࢭΛڐՄ͢ΔϙϦγʔྫ

"84Ϛωδϝϯτίϯιʔϧ্ͷݟ͑ํ Ϛωδϝϯτίϯιʔϧ্Ͱ ࣗ਎ͷϓϩδΣΫτͰ͸ͳ͍ λά͕Ұக͠ͳ͍ &$ ΠϯελϯεΛఀࢭ͠Α͏ͱ ͨ͠ͱ͖ͷΤϥʔը໘

"#"$ͷϝϦοτ l ؅ཧ͢ΔϙϦγʔ͕গͳ͘ͳΔ l ར༻ͷ֦େʹ߹Θͤͯεέʔϧ͠΍͍͢

*".ϢʔβʔͷλάΛར༻͢Δ৔߹ͷ՝୊ *".Ϣʔβʔʹରͯ͠ɺಉ͡ ,FZ໊ͷλά͸ ͭͷΈͷઃఆͱͳΔͨΊɺ ෳ਺ϓϩδΣΫτʹؔ༩͍ͯ͠Δར༻ऀ͸ෳ਺ͷ *".Ϣʔβʔͷ࢖͍෼͚΍ *".Ϣʔβʔͷ࢖͍ճ͕͠ඞཁͱͳΔ

*".Ϣʔβʔͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏ ղܾઌͱͯ͠ɺϓϩδΣΫτຖʹ *".ϩʔϧΛ༻ҙͯ͠ *".Ϣʔβʔ͔Β εΠονϩʔϧͯ͠ར༻͢Δํ๏͕͋Δ

*".Ϣʔβʔͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏ *".ϩʔϧͷڐՄϙϦγʔ͸ ɺ*".ϢʔβʔͷλάΛར༻͢Δ৔߹ͱಉ༷ʹ ڞ௨ͷ *".ϙϦγʔͰ࣮ݱ { "Version": "2012-10-17",
"Statement": [ { "Effect": "Allow", "Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } ڐՄϙϦγʔ ৴པϙϦγʔ ڐՄϙϦγʔ ৴པϙϦγʔ

*".Ϣʔβʔͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏ *".ϩʔϧͷ৴པϙϦγʔʹ͓͍ͯɺεΠονϩʔϧͰ͖ΔϢʔβʔΛ੍ݶ { "Version": "2012-10-17", "Statement": [ {
"Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::111122223333:user/test-user", "arn:aws:iam::111122223333:user/test-user2" ] }, "Action": "sts:AssumeRole",} ] } ڐՄϙϦγʔ ৴པϙϦγʔ

"84ΞΧ΢ϯτͷߏ੒ *".Ϣʔβʔͱ *".ϩʔϧ͸ಉҰ "84ΞΧ΢ϯτ಺Ͱߏ੒Մೳ

"84ΞΧ΢ϯτͷߏ੒ *".Ϣʔβʔͱ *".ϩʔϧΛҟͳΔ "84ΞΧ΢ϯτͰߏ੒΋Մೳ

*".ϢʔβʔΛҰݩ؅ཧ͢ΔΞΧ΢ϯτΛ࡞Δ৔߹ *".ϢʔβʔΛू໿͢ΔϢʔβʔ؅ཧΞΧ΢ϯτʢผ໊ɿ+VNQΞΧ΢ϯτʣ Λ࡞੒͢Δϊ΢ϋ΢͸ࡢ೥ͷొஃࢿྉΛࢀর͍ͩ͘͞ IUUQTEFWDMBTTNFUIPEKQBSUJDMFT NVMUJBDDPVOUVTFSNBOBHFNFOU

"84*".*EFOUJUZ$FOUFSʹ͓͚Δ "#"$

"84*".*EFOUJUZ$FOUFS͸ϢʔβʔଐੑΛར༻ ϢʔβʔͷଐੑΩʔͱ஋Λ "#"$ʹར༻ʢར༻Ͱ͖Δଐੑʹ੍ݶ͋Γʣ

"84*".*EFOUJUZ$FOUFS͸ϢʔβʔଐੑΛར༻ *".*EFOUJUZ$FOUFSͷઃఆͰɺ೚ҙͷΩʔ໊ͷ஋ͱͯ͠ଐੑͷ஋Λؔ࿈෇͚

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["ec2:List*",
"ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } "84*".*EFOUJUZ$FOUFS͸ϢʔβʔଐੑΛར༻ ΞΫηεڐՄηοτʹؔ࿈෇͚ΔϙϦγʔͰ 1SPKFDUΩʔΛࢦఆ

ϢʔβʔͷଐੑΩʔΛར༻͢Δ৔߹ͷ՝୊ *".*EFOUJUZ$FOUFSϢʔβʔͷଐੑΩʔ͝ͱʹઃఆͰ͖Δ஋͸ ͭͷΈ ͦͷͨΊɺෳ਺ϓϩδΣΫτʹؔ༩͢Δར༻ऀ͸ϓϩδΣΫτຖʹ࡞੒͞Εͨ Ϣʔβʔͷ࢖͍෼͚΍Ϣʔβʔͷ࢖͍ճ͠౳͕ඞཁͱͳΔ

ղܾઌͱͯ͠ɺ"#"$Ͱ੍ޚ͍ͨ͠ΞΧ΢ϯτʹ͓͍ͯɺϓϩδΣΫτຖʹ *".ϩʔϧΛ༻ҙͯ͠εΠονϩʔϧͯ͠ར༻͢Δํ๏͕͋Δ *".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏

*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏ "84ΞΫηεϙʔλϧ͔ΒϚωδϝϯτίϯιʔϧ΁ͷը໘ભҠΠϝʔδ スイッチロール

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action":
"sts:AssumeRole", "Resource": "*" } ] } ΞΫηεڐՄηοτʹ͸εΠονϩʔϧͰ͖ΔݖݶΛΞλον ΞΫηεڐՄηοτʹ Ξλον͢ΔϙϦγʔ *".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏

લड़ͨ͠ *".ϢʔβʔϩʔϧͷλάΛ࢖͏৔߹ͱ ಉ༷ͷϙϦγʔ *".ϩʔϧͷڐՄϙϦγʔ͸ɺ*".ϢʔβʔϩʔϧΛ૊Έ߹Θͤͯ ར༻͢Δ৔߹ͱಉ͡ϙϦγʔͰ࣮ݱՄೳ ڐՄϙϦγʔ ৴པϙϦγʔ ڐՄϙϦγʔ ৴པϙϦγʔ
*".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏

*".ϩʔϧͷ৴པϙϦγʔͰ͸ɺ1SJODJQBMʹΞΫηεڐՄηοτʹରԠ͢Δ *".ϩʔϧΛࢦఆ͠ɺ$POEJUJPOͰεΠονϩʔϧͰ͖ΔϢʔβʔΛ੍ޚ { "Version": "2012-10-17", "Statement": [ { "Effect":
"Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/aws- reserved/sso.amazonaws.com/ap-northeast- 1/AWSReservedSSO_AssumeRoleOnlyAccess_22e9e155f6d2118f" }, "Action": "sts:AssumeRole", "Condition": { "StringLike": { "identitystore:UserId": [ ”aaaaaaaa-1111-aaaa-1111-aaaaaaaaaaaa", ”bbbbbbbb-2222-bbbb-2222-bbbbbbbbbbbb" ] } } } ڐՄϙϦγʔ ৴པϙϦγʔ *".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏

*".*EFOUJUZ$FOUFSϢʔβʔʹ͸ଐੑ৘ใͷઃఆ͸ෆཁ *".*EFOUJUZ$FOUFSͱ *".ϩʔϧΛ૊Έ߹ͤͨํ๏

"#"$ͷ 5JQTςΫχοΫू

"#"$ʹରԠ͍ͯ͠ΔαʔϏε͔ Ͳ͏͔ௐ΂Δํ๏

"84ϢʔβʔΨΠυͰ "#"$ରԠ༗ແΛௐࠪ ֤αʔϏε͕ "#"$ʹରԠ͍ͯ͠Δ͔Ͳ͏͔͸ϢʔβʔΨΠυʹهࡌ͕͋Δ Ҿ༻ݩɿ*".ͱ࿈ܞ͢Δ "84ͷαʔϏε "84*EFOUJUZBOE"DDFTT.BOBHFNFOU

ϢʔβʔΨΠυʹϙϦγʔྫͷهࡌ͕͋Δ৔߹΋ αʔϏεʹΑͬͯ͸ϢʔβʔΨΠυʹ "#"$ͷϙϦγʔྫͷܝࡌ΋͋Δ Ҿ༻ݩɿଐੑϕʔεͷΞΫηε੍ޚ "#"$ Λ࢖༻ͯ͠γʔΫϨοτ΁ͷΞΫηεΛ੍ޚ͢Δ "844FDSFUT.BOBHFS

ෳ਺ͷλάͷ৚݅Ͱ "#"$

ෳ਺ͷλάͷҰகʹΑΓ੍ޚ ෳ਺ͷλάΛ৚݅ͱ͢Δ͜ͱ΋ՄೳʢԼਤ͸ ͭͷλάΛ৚݅ͱ͍ͯ͠Δྫʣ

ෳ਺ͷλάͷҰகʹΑΓ੍ޚ ෳ਺ͷλάΛ৚݅ͱ͢Δ͜ͱ΋ՄೳʢԼਤ͸ ͭͷλάΛ৚݅ͱ͍ͯ͠Δྫʣ { "Version": "2012-10-17", "Statement": [ {
"Effect": "Allow", "Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}", "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}" } } } ] } ڐՄϙϦγʔ ৴པϙϦγʔ

$POEJUJPOͷධՁϩδοΫ ෳ਺ͷ৚݅Ͱ࣮ݱ͍ͨ͠৔߹͸ɺ$POEJUJPOͷධՁϩδοΫΛߟྀͯ͠ઃܭ͢Δ Ҿ༻ݩɿෳ਺ͷίϯςΩετΩʔ·ͨ͸஋ʹΑΔ৚݅ "84*EFOUJUZBOE"DDFTT.BOBHFNFOU

"#"$Ͱ੍ޚ͢Δ "DUJPOΛ ϫΠϧυΧʔυͰࢦఆ

"DUJPOΛϫΠϧυΧʔυͰࢦఆ΋Մೳ "DUJPOΛʮFD ʯͱهࡌͯ͠ର৅αʔϏεͷ͢΂ͯͷΞΫγϣϯΛؚΊΔ ϫΠϧυΧʔυࢦఆ΋Մೳ { "Version": "2012-10-17", "Statement": [
{ "Effect": "Allow", "Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { ”aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } ڐՄϙϦγʔ ৴པϙϦγʔ ڐՄϙϦγʔ ৴པϙϦγʔ

ϫΠϧυΧʔυࢦఆͷཹҙ఺ ϫΠϧυΧʔυࢦఆ͸༰қʹ࣮ݱͰ͖ΔҰํͰɺ༩͑ΔݖݶΛ೺Ѳͮ͠Β͘ͳΔ ఺ʹ͸ཹҙ͕ඞཁ l কདྷతʹ௥Ճ͞ΕΔ৽͍͠ΞΫγϣϯ΋ࣗಈతʹڐՄ͞ΕΔ l ༧ظ͠ͳ͍ΞΫγϣϯ΋ڐՄ͞ΕΔՄೳੑ͕͋Δ ◦ ྫ͑͹ɺʮFD
ʯʹ͸ 71$ʹؔ͢Δݖݶ΋ؚ·Ε͍ͯΔ l BXT3FTPVSDF5BHΛαϙʔτ͍ͯ͠ͳ͍ "DUJPOͷ "MMPX͸ڐՄ͞Εͳ͍ ◦ ྫ͑͹ɺʮFD$SFBUF7QDʯ͸ڐՄ͞Εͳ͍

4ͷ "#"$ ؔ࿈ϒϩάɿ*".ϩʔϧͷλάͷ஋ͱ 4όέοτ໊ͷ෦෼ҰகͰૢ࡞Ͱ͖Δ 4όέοτΛ੍ݶͯ͠Έͨ c%FWFMPQFST*0 ʲ"#"$ʳ4Ͱλάϕʔε੍ޚΛߦ͏ ੍ݶ͋Γ c%FWFMPQFST*0

4ͷ "#"$ରԠ͸෦෼త 4ͷ "#"$͸෦෼తͳରԠͰ͋Γɺ൚༻όέοτ͸ະαϙʔτɺΦϒδΣΫτ ͸αϙʔτର৅ͱͳΔ Ҿ༻ݩɿ*".ͱ࿈ܞ͢Δ "84ͷαʔϏε "84*EFOUJUZBOE"DDFTT.BOBHFNFOU

4ΦϒδΣΫτͷ "#"$ 4͸ΦϒδΣΫτຖͰλά෇͚͕Ͱ͖ɺΦϒδΣΫτͷλάΛར༻੍ͯ͠ޚՄೳ

4ΦϒδΣΫτͷ "#"$ 4͸ΦϒδΣΫτ୯ҐͰλά෇͚͕Ͱ͖ɺΦϒδΣΫτͷλάΛར༻ͯ͠ ΞΫηε੍ޚ͕Ͱ͖Δ ڐՄϙϦγʔ ৴པϙϦγʔ { "Version": "2012-10-17",
"Statement": [ { "Effect": "Allow", "Action": ["s3:List*", "s3:GetBucketLocation"], "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/Project": "${aws:PrincipalTag/Project}" } } } ] }

4ΦϒδΣΫτͷ "#"$ 4ΦϒδΣΫτͷ "#"$Ͱ͸ BXTͷ୅ΘΓʹ TΛར༻ Ҿ༻ݩɿ"NB[PO4Ͱͷ *".ͷػೳ
"NB[PO4JNQMF4UPSBHF4FSWJDF

4ΦϒδΣΫτͷλά෇͚ͷ՝୊ 4ΦϒδΣΫτͷλά෇͚ʹؔͯ͠ɺ࣍ͷ಺༰͕՝୊ͱͳΔ͜ͱ͕͋Δ l ΦϒδΣΫτʹλά෇͚͢Δखؒ l ΦϒδΣΫτͷλά෇͚͸༗ྉ Ҿ༻ݩɿྉۚ "NB[PO4ʛ"84

4όέοτ໊Λར༻੍ͨ͠ޚ ୅ସࡦͱͯ͠ʮ4όέοτ໊ʯʹ *".ϩʔϧͷ "#"$༻λάͷ஋ؚ͕·Εͯ ͍Δ͜ͱΛ৚݅ͱ੍ͨ͠ޚͷํ๏͕͋Δ

4όέοτ໊Λར༻੍ͨ͠ޚ *".ͷڐՄϙϦγʔʹ͓͍ͯɺ3FTPVSDF಺Ͱλάͷ஋Λಈతʹࢀর όέοτ໊ʹλάͷ஋ؚ͕·ΕΔҐஔ͸Ϧιʔε໋໊نଇʹґଘ ڐՄϙϦγʔ ৴པϙϦγʔ { "Version": "2012-10-17", "Statement":
[ { "Effect": "Allow", "Action": ["s3:List*", "s3:GetBucketLocation"], "Resource": "*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::*-${aws:PrincipalTag/Project}-*", "arn:aws:s3:::*-${aws:PrincipalTag/Project}-*/*" ] } ] }

4όέοτ໊Λར༻੍ͨ͠ޚ ൚༻όέοτͷϥΠϑαΠΫϧϧʔϧ΍ϓϩύςΟͷมߋ΋Մೳ

λά͕෇༩͞Ε͍ͯΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏ ؔ࿈ϒϩάɿ"NB[PO$MPVE8BUDIϩάάϧʔϓʹରͯ͠ "#"$༻λά͕͋Δ৔߹͸ "#"$ʹΑΓಡΈऔΓڐՄΛ੍ޚͯ͠ɺ"#"$༻ λά͕ͳ͍৔߹͸ಡΈऔΓΛڐՄ͢ΔϙϦγʔΛࢼͯ͠Έͨ c%FWFMPQFST*0

λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏ ͜Ε·Ͱ঺հ͖ͯͨ͠ɺλάͷҰகͰΞΫγϣϯΛڐՄ͢ΔϙϦγʔͰ͸ɺ λά͕ͳ͍Ϧιʔεʹର͢Δૢ࡞ͷڐՄ͸༩͑ΒΕͳ͍

λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏ ҰํͰɺ$MPVE8BUDI-PHTͳͲͷαʔϏεʹ͓͍ͯɺಛʹอޢ͍ͨ͠Ϧιʔε ͷΈ "#"$Ͱ੍ޚ͍ͨ͠৔߹΋͋Δ

λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏ ಡΈऔΓݖݶ λά͕ଘࡏ͔ͭλά஋͕Ұக͠ͳ͍৔߹ʹ໌ࣔతͳ %FOZͱ͢Δ ͜ͱͰ࣮ݱՄೳ { "Version": "2012-10-17",
"Statement": [ { "Effect": "Deny", "Action": ["logs:Get*", "logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery", "logs:StartLiveTail", "logs:StopLiveTail", "logs:TestMetricFilter"], "Resource": "arn:aws:logs:*:*:log-group:*", "Condition": { "Null": { "aws:ResourceTag/Project": "false" }, "StringNotEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } ڐՄϙϦγʔ ৴པϙϦγʔ ʮ$MPVE8BUDI-PHT3FBE0OMZ"DDFTTʯ౳ͷಡΈऔΓݖݶ

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": ["logs:Get*",
"logs:FilterLogEvents", "logs:StartQuery", "logs:StopQuery", "logs:StartLiveTail", "logs:StopLiveTail", "logs:TestMetricFilter"], "Resource": "arn:aws:logs:*:*:log-group:*", "Condition": { "Null": { "aws:ResourceTag/Project": "false" }, "StringNotEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏ $POEJUJPO͸Լهͷ "OE৚͕݅ຬͨ͞Εͨ৔߹ʹ໌ࣔతʹ %FOZ l ର৅Ϧιʔεʹ 1SPKFDUλά͕ଘࡏ͢Δʢ/VMM͸ USVFͰଘࡏ͠ͳ͍ʣ l 1SJODJQBM *".ϩʔϧ౳ ͱର৅Ϧιʔεͷ 1SPKFDUλάͷ஋͕Ұக͠ͳ͍

λά͕͋ΔϦιʔεͷΈ "#"$Ͱ੍ޚ͢Δํ๏ ݖݶͷΠϝʔδਤ ಡΈऔΓΛڐՄ $MPVE8BUDI-PHT3FBE0OMZ"DDFTT "#"$Ͱ ໌ࣔతʹڋ൱

"#"$ͱڞʹ༻͍Δ ಡΈऔΓݖݶͷύλʔϯ

ಡΈऔΓݖݶͷ෇༩ύλʔϯ "#"$Ͱ੍ޚ͢ΔαʔϏεʹؔ͢ΔಡΈऔΓݖݶΛҰॹʹ༩͑Δඞཁ͕͋Δ ಡΈऔΓݖݶ͸ɺ࠷খݖݶͱ͢Δํ๏΍ "84؅ཧϙϦγʔΛར༻͢Δํ๏ͳͲ ͕͋Δ /P ํ๏ ݖݶͷ޿͞ ؅ཧͷखؒ උߟ
ඞཁ࠷খݶͷΞΫγϣϯͷΈࢦఆ ࠷খ େ -JTU %FTDSJCF (FU୯ҐͰࢦఆ ݶఆత த /Pͱಉ༷ͱͳΔ͜ͱ΋͋Δ ֤αʔϏεʹରԠͨ͠ "84؅ཧϙϦγʔ ͷಡΈऔΓݖݶ ݶఆత খ "NB[PO&$3FBE0OMZ"DDFTT౳ "84؅ཧϙϦγʔʮ3FBE0OMZ"DDFTTʯ ޿Ҭ খ 4ΦϒδΣΫτΛμ΢ϯϩʔυͰ ͖Δݖݶ΋ؚ·ΕΔ

ඞཁ࠷খݶͷΞΫγϣϯͷΈࢦఆ ࠷খݖݶΛ࣮ݱͰ͖Δ͕ɺௐࠪʹख͕͔͔ؒΔ఺΍ɺϚωδϝϯτίϯιʔϧ্ Ͱݖݶ͕ແ͍Ӿཡʹର͢ΔΤϥʔϝοηʔδʹΑΓࢹೝੑ͕མͪΔ఺͕ݒ೦ { "Version": "2012-10-17", "Statement": [ { "Effect":
"Allow", "Action": "ec2:DescribeInstances", "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] }

-JTU %FTDSJCF (FU୯ҐͰࢦఆ -JTU %FTDSJCF (FUؔ࿈ΞΫγϣϯΛϫΠϧυΧʔυͰ·ͱΊͯڐՄ (FUܥΞΫγϣϯʹ͸σʔλμ΢ϯϩʔυؚ͕·ΕΔ͜ͱ΋͋Δ఺ʹ͸ཁ஫ҙ { "Version":
"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } ࠷খݖݶͱൺֱͯ͠ɺӾཡ࣌ʹΤϥʔϝοηʔδ͕ දࣔ͞ΕΔ͜ͱ͸গͳ͍

-JTU %FTDSJCF (FU୯ҐͰࢦఆ ಡΈऔΓݖݶʹؔ͢Δ -JTU %FTDSJCF (FUΞΫγϣϯͷ֬ೝ͸ɺ *".ϙϦγʔ࡞੒࣌ͷϙϦγʔΤσΟλʢϏδϡΞϧʣ͕ચ͍ग़͠ͷࢀߟʹͳΔ

֤αʔϏεʹରԠͨ͠ "84؅ཧϙϦγʔͷಡΈऔΓݖݶ "84؅ཧϙϦγʔͷ֤αʔϏεʹରԠͨ͠ಡΈऔΓݖݶΛར༻͢Δ͜ͱͰɺ ϙϦγʔͷϝϯςϯεΛ͢Δඞཁ͕ͳ͘ͳΔϝϦοτ͋Γ { "Version": "2012-10-17", "Statement": [
{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } "84؅ཧϙϦγʔʮ"NB[PO&$3FBE0OMZ"DDFTTʯ FDҎ֎ʹ΋ؔ࿈͢ΔαʔϏεͷ Ұ෦ΞΫγϣϯ΋ؚ·Ε͍ͯΔ l FMBTUJDMPBECBMBODJOH%FTDSJCF l DMPVEXBUDI-JTU.FUSJDT l DMPVEXBUDI(FU.FUSJD4UBUJTUJDT l DMPVEXBUDI%FTDSJCF l BVUPTDBMJOH%FTDSJCF

֤αʔϏεʹରԠͨ͠ "84؅ཧϙϦγʔͷಡΈऔΓݖݶ *".ϩʔϧʹΞλονͰ͖Δ *".ϙϦγʔͷ্ݶ͸ ͷͨΊɺ ෳ਺ͷαʔϏεΛ ͭͷ *".ϩʔϧͰ੍ޚ͢Δ৔߹ʹ͸ཹҙ͕ඞཁ Ҿ༻ݩɿ*".ͱ
"84454ΫΥʔλ "84 *EFOUJUZBOE"DDFTT.BOBHFNFOU

"84؅ཧϙϦγʔʮ3FBE0OMZ"DDFTTʯ "84શମͷಡΈऔΓݖݶ͕ ͭͷϙϦγʔͰ࣮ݱͰ͖Δ఺͕ັྗ ҰํͰɺσʔλͷμ΢ϯϩʔυݖݶ͕Ұ෦ؚ·ΕͯΔ఺ʹ͸ཹҙ͕ඞཁ { "Version": "2012-10-17", "Statement": [
{ "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } "84؅ཧϙϦγʔʮ3FBE0OMZ"DDFTTʯ 4ΦϒδΣΫτͷμ΢ϯϩʔυͳͲɺ σʔλΛऔಘͰ͖Δݖݶ͕Ұ෦ؚ·ΕΔ "#"$Λಋೖ͢Δ "84ΞΧ΢ϯτͰ͸ɺ ෳ਺γεςϜ͕ࠞࡏ͍ͯ͠Δ͜ͱ͕ଟ͍ ͨΊɺؔ࿈͠ͳ͍γεςϜͷσʔλ͕औ ಘͰ͖Δ఺͕໰୊ͳ͍͔ͷ֬ೝ͸ඞཁ

λάͷ෇༩ϛεͷ௿ݮɾੋਖ਼ ؔ࿈ϒϩάɿ"84ͷλάΤσΟλΛར༻ͯ͠ίετ഑෼λάͷઃఆϛεͷमਖ਼΍طଘͷλά஋ͷҰׅมߋΛࢼͯ͠Έͨ c%FWFMPQFST*0

λάΤσΟλʹΑΔλάͷੋਖ਼ λάΤσΟλػೳΛར༻ͯ͠ɺλά෇༩ϛεͷमਖ਼͕Մೳ ྫ͑͹ɺ1SPKFDUλάʹؔ͢ΔԼදͷΑ͏ͳεϖϧϛεͷੋਖ਼ʹ໾ཱͭ ޡͬͨλάͷΩʔ໊ ޡ͍ͬͯΔཧ༝ QSPKFDU 1͕খจࣈ 1SPKFU D͕ൈ͚͍ͯΔ
1SPKFUD Dͱ U͕ೖΕସΘ͍ͬͯΔ 1SPKFFDU F ͕ଟ͍ 1SPKFDUT ࠷ޙʹ T͕͍͍ͭͯΔ <1SPKFDU> ࠷ޙʹεϖʔε͕ೖ͍ͬͯΔ <1SPKFDU> ࠷ॳʹεϖʔε͕ೖ͍ͬͯΔ

λάΤσΟλʹΑΔλάͷੋਖ਼ λάͷΩʔ໊Λࢦఆ͢ΔՕॴͰεϖϧϛεͷλάΛ֬ೝͰ͖Δ

λάΤσΟλʹΑΔλάͷੋਖ਼Πϝʔδ ͦͷ··λάΤσΟλͰλάͷमਖ਼͕Մೳʢෳ਺ϦιʔεͷҰׅมߋ΋Մೳʣ ਖ਼͍͠λάΩʔ໊ͷλάΛ௥Ճ εϖϧϛεͷλάΩʔ໊ͷλάΛ࡟আ

λάΤσΟλʹΑΔλάͷੋਖ਼ͷࢀߟࢿྉ λάΤσΟλΛར༻ͨ͠λάͷΩʔ໊ͷमਖ਼ύλʔϯͷ͍͔ͭ͘͸ ϒϩάͰ΋ެ։த IUUQTEFWDMBTTNFUIPEKQBSUJDMFTNPEJGZ DPTUBMMPDBUJPOUBHTJOUBHFEJUPS

"840SHBOJ[BUJPOTͷλάϙϦγʔ "840SHBOJ[BUJPOT؀ڥʹݶΔ͕ɺλάϙϦγʔʹΑΓλάͷඪ४Խ͕Մೳ λάΩʔͷେจࣈɾখจࣈͷ౷Ұ΍λά஋ͱͯ͠ೖྗͰ͖Δ஋ͷࢦఆ͕Մೳ

"840SHBOJ[BUJPOTͷλάϙϦγʔ "840SHBOJ[BUJPOT؀ڥʹݶΔ͕ɺλάϙϦγʔʹΑΓλάͷඪ४Խ͕Մೳ λάΩʔͷେจࣈɾখจࣈͷ౷Ұ΍λά஋ͱͯ͠ೖྗͰ͖Δ஋ͷࢦఆ͕Մೳ 1SPKFDUΩʔʹؔͯ͠ɺ࣍ͷΑ͏ ͳೖྗ͕ઃఆͰ͖ͳ͘ͳΓɺ େจࣈখจࣈͷ౷Ұ͕Ͱ͖Δ l QSPKFDU l
130+&$5 l 130KFDU

"840SHBOJ[BUJPOTͷλάϙϦγʔ "840SHBOJ[BUJPOT؀ڥʹݶΔ͕ɺλάϙϦγʔʹΑΓλάͷඪ४Խ͕Մೳ λάΩʔͷେจࣈɾখจࣈͷ౷Ұ΍λά஋ͱͯ͠ೖྗͰ͖Δ஋ͷࢦఆ͕Մೳ 1SPKFDUΩʔʹରͯ͠ɺࢦఆͨ͠ λά஋ͷΈೖྗͰ͖ΔΑ͏ʹ͢Δ l XBGGMFT l NPDIJ

λάϙϦγʔʹΑΓ੍ݶ͞Εͨͱ͖ͷྫ ʮେจࣈنଇʯʹඇ४ڌʢ1͕খจࣈʣ ʮڐՄ͞ΕΔ஋ʯʹඇ४ڌ λάϙϦγʔʹΑΓλάͷߋ৽͕ڋ൱͞ΕͨࡍͷΤϥʔϝοηʔδ

+VNQΞΧ΢ϯτߏ੒ʹ͓͍ͯ εΠονϩʔϧͰ͖Δ *".ϩʔϧ΋ "#"$Ͱ੍ޚ ؔ࿈ϒϩάɿ+VNQΞΧ΢ϯτߏ੒ʹ͓͍ͯ *".ϢʔβʔͷλάΛར༻ͨ͠ "#"$ʹΑΓ &$ΠϯελϯεͷىಈɾఀࢭڐՄΛ༩͑Δ c %FWFMPQFST*0

εΠονϩʔϧͰ͖Δ৚݅΋ "#"$Ͱ੍ޚ *".ϢʔβʔͰ "#"$༻ͷλάΛ؅ཧ͢Δલఏͷ৔߹͸ɺ *".Ϣʔβʔ͔ΒεΠονϩʔϧͰ͖Δ *".ϩʔϧͷڐՄʹ "#"$΋׆༻Մೳ

εΠονϩʔϧͰ͖Δ৚݅΋ "#"$Ͱ੍ޚ *".ϢʔβʔͷڐՄϙϦγʔʹ͓͚Δ TUT"TTVNF3PMFͷ $POEJUJPOʹɺ *".ϢʔβʔͷλάͱεΠονϩʔϧઌͷ *".ϩʔϧͷλάͷҰகΛؚΊΔ { "Version":
"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*", "Condition": { "StringEquals": { "iam:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } ڐՄϙϦγʔ

"#"$ͷ೉͍͠ͱ͜Ζ ʢηΩϡϦςΟάϧʔϓͷ "#"$ʣ

ηΩϡϦςΟάϧʔϓͷ "#"$ ηΩϡϦςΟάϧʔϓͷઃఆมߋ΋ "#"$Ͱ࣮ݱՄೳʢͰ͋Δ͕ʜʣ { "Version": "2012-10-17", "Statement": [
{ "Effect": "Allow", "Action": ["ec2:List*", "ec2:Describe*", "ec2:Get*"], "Resource": "*" }, { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project": "${aws:PrincipalTag/Project}" } } } ] } ڐՄϙϦγʔ

ηΩϡϦςΟάϧʔϓͷ "#"$ Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ ϧʔϧͷ௥Ճɾ࡟আ͸Ͱ͖Δ͕ɺมߋ͸Ͱ͖ͳ͍ʢλάΛ෇͚Δ·Ͱ͸ʣ ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT> Πϯό΢ϯυϧʔϧ r 5$1ڐՄ

ηΩϡϦςΟάϧʔϓͷ "#"$ Ϛωδϝϯτίϯιʔϧ্Ͱૢ࡞͢Δલఏʹ͓͍ͯɺ ϧʔϧͷ௥Ճɾ࡟আ͸Ͱ͖Δ͕ɺมߋ͸Ͱ͖ͳ͍ʢλάΛ෇͚Δ·Ͱ͸ʣ ηΩϡϦςΟάϧʔϓ <1SPKFDUXBGGMFT> ηΩϡϦςΟάϧʔϓʹର͢Δ Πϯό΢ϯυϧʔϧͷ௥Ճ͸Մೳ Πϯό΢ϯυϧʔϧ
r 5$1ڐՄ Πϯό΢ϯυϧʔϧ r 5$1ڐՄ

Πϯό΢ϯυϧʔϧʹର͢Δ ߋ৽͸ෆՄೳ Πϯό΢ϯυϧʔϧ r 5$1ڐՄ ˠ

Πϯό΢ϯυϧʔϧʹର͢Δ ߋ৽͸ෆՄೳʢλά͕ͳ͍ͨΊʣ Πϯό΢ϯυϧʔϧ r 5$1ڐՄ <λάͳ͠>

<1SPKFDUXBGGMFT> λά͕͋Γɺ৚͕݅߹͍ͬͯΕ͹ ߋ৽Մೳ Πϯό΢ϯυϧʔϧ r 5$1ڐՄ <λάͳ͠>

<1SPKFDUXBGGMFT> Πϯό΢ϯυϧʔϧ r 5$1ڐՄ <λάͳ͠> ηΩϡϦςΟάϧʔϓʹର͢Δ Πϯό΢ϯυϧʔϧͷ࡟আ͸Մೳ

ηΩϡϦςΟάϧʔϓͷ "#"$ "84Ϛωδϝϯτίϯιʔϧͷ࡞ۀͰ͸ϧʔϧ௥Ճͱಉ࣌ʹλάΛ෇༩Ͱ͖ͳ͍ ߦ୯ҐͰϧʔϧͷ௥Ճ͸Ͱ͖Δ͕ɺλά͸෇༩͞Εͳ͍ λά͕ແ͚Ε͹มߋ͸Ͱ͖ͳ͍

ηΩϡϦςΟάϧʔϓͷ "#"$ ϧʔϧΛ௥Ճͨ͠ޙʹλάΛ෇༩͢Δ͜ͱࣗମ͸ՄೳͰ͋Δ͕ɺ ͜ͷૢ࡞͸ߋ৽࡞ۀͳͷͰલड़ͨ͠ "#"$ͷϙϦγʔͰ͸λάΛ෇༩Ͱ͖ͳ͍

*".ϩʔϧͷҰׅ࡞੒

*".ϩʔϧͷҰׅ࡞੒ "#"$Ͱ͸λά஋ͷҟͳΔ *".ϩʔϧΛෳ਺࡞੒͢Δඞཁ͕͋Δ *".ϙϦγʔ͸ڞ༗ԽͰ͖ΔͨΊɺεΫϦϓτͳͲʹΑΓ *".ϩʔϧͷ࡞੒΋ ޮ཰ԽͰ͖Δ

*".ϩʔϧͷҰׅ࡞੒ ϓϩδΣΫτຖʹҟͳΔจࣈྻΛΠϯϓοτʹͯ͠ɺ*".ϩʔϧͷҰׅ࡞੒ खಈͰઃఆ͢Δ৔߹ͱൺ΂ͯɺλάͷઃఆϛεΛ๷͛ΔϝϦοτ΋͋Γ BBB CCC DDD ⋮ CJOTI ⋮
DSFBUFJBNSPMFTTI QSPKFDUTUYU JOQVU Ұׅ࡞੒

*".ϩʔϧͷҰׅ࡞੒࣌ͷߟྀ఺ ҰํͰɺ৴པϙϦγʔ͸ *".ϩʔϧຖʹҟͳΔ৔߹΋͋ΔͨΊɺҰׅ࡞੒࣌͸ $$P&΍ςετ༻ͷϢʔβʔΛԾͰࢦఆ͓ͯ͘͠౳ͷߟྀ͕ඞཁͱͳΔ ஫ҙ఺ͱͯ͠ *".Ϣʔβʔ͸࣮ݱ͠ͳ͚Ε͹ *".ϩʔϧͷ࡞੒ʹࣦഊ͢Δ

͍͞͝ʹ

͍͞͝ʹ ୯ҰΞΧ΢ϯτ಺ʹෳ਺ͷϓϩδΣΫτ͕ࠞࡏ͢Δ؀ڥʹ͓͚Δ ΞΫηε੍ޚΛ "#"$Ͱ࣮ݱ͢Δํ๏Λ঺հ͠·ͨ͠ "#"$͸ศརͳҰํɺ࢖͍͜ͳ͢ʹ͸ *".ʹؔ͢ΔҰఆͷ஌͕ࣝඞཁͰ͢ 3#"$ͱ૊Έ߹Θͤͨར༻΍ "84ΞΧ΢ϯτΛϓϩδΣΫτຖʹ෼͚ͯΞ Ϋηε੍ޚ͢Δํ๏΋͝ݕ౼͍ͩ͘͞
Pʢ·ͩ·ͩॻ͖͍ͨ͜ͱ͸͋ΔͷͰผͷػձʹΞ΢τϓοτ͠·͢ʣ

͍͞͝ʹ ͍͞͝ʹ߹ΘͤͯಡΈ͍ͨࢿྉΛڞ༗͠·͢ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTTIVUUZP EFWJPLBXBIBSBBCBD

20250903_1つのAWSアカウントに複数システムがある環境におけるアクセス制御をABA...

20250903_1つのAWSアカウントに複数システムがある環境におけるアクセス制御をABACで実現.pdf

More Decks by yhana

Other Decks in Technology

Featured

Transcript