
A Gentle Grip on IAM Evaluation Logic (やんわり押さえよう IAM の評価論理) / 2021 DevIo Decade IAM Evaluation Logic

YukihiroChiba
October 06, 2021


Transcript

  1. AWS Business Division, Consulting Department, Yukihiro Chiba. A gentle grip on IAM evaluation logic.

  2. Right off the bat: a quiz.

  3. Which of the following are "policies in IAM"? (Multiple answers allowed.)

  4. At least one of the following is a correct answer: inline policy, AdministratorAccess, ReadOnlyAccess, session policy, identity-based policy, S3 bucket policy, KMS key policy, S3 access control list, permissions boundary, Organizations SCP, customer managed policy, EC2FullAccess, resource-based policy, VPC endpoint policy, Lambda access policy, AWS managed policy for job functions, SNS topic policy, trust policy.

  5. The answer is...

  6. All of them!!!

  7. In the broad sense, every item on that list is an "IAM policy".

  8. How IAM policies combine. (All images are from the AWS documentation.)

  9. IAM is hard. 🤔 🤔 🤔 (Background images are from the AWS documentation.)

  10. Understanding all of it is hard, so let's get a gentle grip on it.

  11. By the end, this is roughly the picture we will have. (Diagram.)

  12. Agenda: 1. IAM JSON policies 2. Evaluation logic within a single account 3. Evaluation logic across accounts 4. Guardrails 5. The odd one out: the VPC endpoint policy

  13. About me: Yukihiro Chiba. AWS Business Division, Consulting Department, Manager. Joined in January 2020. 2021 APN AWS Top Engineer. Favourite action: sts:AssumeRole.
  14. 1. IAM JSON policies

  15. Policy types in IAM (diagram): identity-based policies and resource-based policies are highlighted.

  16. Importance of each policy type (my personal view): identity-based policies and resource-based policies come first.

  17. Almost every policy type is JSON: identity-based policies and resource-based policies are JSON, and so are most of the others; one type is not JSON.

  18. Let's look at the elements of an IAM JSON policy.

  19. Elements of an IAM JSON policy (table): the Principal element can only be specified in resource-based policies; ⭐ marks required elements.

  20. An easy-to-understand picture, from "AWSにおけるABACの嬉しさ、辛さを語りました #AKIBAAWS": https://dev.classmethod.jp/articles/akibaaws-06-iam-abac/

  21. Principal element: defines "who". IAM groups cannot be specified. It is specified only in resource-based policies.

  22. Action element: defines "what". Examples: ec2:StartInstances, s3:PutObject, kms:Decrypt. The action prefix is the service namespace. Actions are evaluated the same way regardless of how the operation is issued (Management Console, AWS CLI, AWS SDK, and so on). Which resource types apply depends on the action.

  23. Resource element: defines "on what". Specify ARNs, for example:
    • arn:aws:s3:::bucket-name
    • arn:aws:s3:::bucket-name/object-name
    • arn:aws:ec2:${Region}:${Account}:instance/instance-id
    • arn:aws:ec2:${Region}:${Account}:volume/volume-id
    Which resource types apply depends on the action (different actions, different resource types).

  24. Resource element (continued): wildcards can be used, for example arn:aws:s3:::bucket-name/* or arn:aws:ec2:${Region}:${Account}:instance/*.

  25. Resource element (continued): a bare "*" is also valid, and for some actions "*" is mandatory (this is common among List-type actions).

  26. Concrete example: the AWS managed policy "AdministratorAccess":
    {
      "Version": "2012-10-17",
      "Statement": [
        { "Effect": "Allow", "Action": "*", "Resource": "*" }
      ]
    }
    It grants Allow for every action on every resource, with no conditions.

  27. Concrete example: a customer managed policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        { "Effect": "Deny", "Action": "*", "NotResource": "arn:aws:ec2:ap-northeast-1:012345678910:instance/i-xxxxx" }
      ]
    }
    It denies every action on every resource other than the one listed. Note that even when the target is this instance, actions that do not support the instance resource type (Describe-type actions and others) are still denied: for those actions the request is evaluated against "*", which is not the listed instance, so the Deny applies.

  28. Allow or Deny. Each statement defines either Allow or Deny. For the content of a request, the result is one of the following states:
    State          | Summary
    Implicit deny  | Neither Deny nor Allow has been given. This is the default.
    Explicit deny  | A Deny has been given. It takes precedence over an explicit allow.
    Explicit allow | An Allow has been given. Where it overlaps with a Deny, the Allow is cancelled.
    (In every case the question is: who does what, on what, and under what conditions.)
  29. 2. Evaluation logic within a single account

  30. Policy types in IAM (recap): identity-based policies and resource-based policies.

  31. The other policy types are omitted from this talk; they are out of scope.

  32. This chapter covers these two: identity-based policies and resource-based policies.

  33. Identity-based policies: the so-called "IAM policies". They are attached to identities: IAM users, IAM groups and IAM roles.

  34. Identity-based policies come in three kinds:
    • Inline policy: embedded directly in a single IAM entity; not an independent resource.
    • AWS managed policy: ready-made policies such as AdministratorAccess and ReadOnlyAccess; the "AWS managed policies for job functions" are a finer subdivision.
    • Customer managed policy: policies the customer creates; supports versioning and attachment to multiple entities.
    All three are attached to identities (IAM users, IAM groups, IAM roles).

  35. Resource-based policies:
    • Policies attached on the resource side: S3 buckets, KMS keys, Lambda functions, SNS topics, and many others.
    • Not every resource supports them.
    • The Principal element can be defined.
    • They are inline policies (embedded directly in the resource).

  36. Identity-based versus resource-based (diagram): an IAM user with an identity-based policy calls s3:PutObject on an S3 bucket, which can carry a resource-based policy, and ec2:StartInstances on an EC2 instance, which cannot (no resource-based policy support).

  37. Let's think about it with illustrations: an IAM user and an AWS resource.

  38. The default is this: 1. Implicit deny.

  39. What the two policies look like. Identity-based policy, on the IAM user: "I am allowed to make this request." Resource-based policy, on the AWS resource: "I will allow requests from this person."

  40. By default neither is defined: the IAM user has no identity-based policy and the AWS resource has no resource-based policy.

  41. Neither side grants permission, so the result is a denial. ("Please go home.")

  42. Also simply called "allow": 2. Explicit allow.

  43. Permission is granted on one side or the other: the user says "I can do this", or the resource says "I allow this person to do this" (the user arrives empty-handed).

  44. The request is allowed: "You've been told you may pass" / "You appear to hold the right to pass". For resources that cannot have a resource-based policy attached, the permission has to be secured on the identity side.

  45. A small supplement: account-level permission versus entity-level permission.

  46. Think of an account as a town: town (account) A, town B, town C. Each town has a root user, IAM users 1, 2 and 3, and AWS resources.

  47. How a resource-based policy grants permission: it can name a whole town (account A, B or C) or an individual IAM user.

  48. Only those granted at the entity level can pass empty-handed. A resource-based policy that allows access from town A's IAM users lets IAM user 1, IAM user 2 and IAM user 3 through empty-handed only where it names them individually.

  49. The strongest: 3. Explicit deny.

  50. If a Deny is given anywhere, the request is denied.

  51. An explicit deny is stronger than anything: "I was told you could pass, but you appear to be denied" / "I've been told not to let you through."
  52. 3. Evaluation logic across accounts

  53. Access across accounts: an IAM user in town (account) A accessing an AWS resource in town (account) B.

  54. The basic idea does not change:
    • Implicit deny, explicit allow and explicit deny work exactly as before.
    • Unless Allow is given on both the identity side and the resource side, the result is an implicit deny.
    • The allow on the resource side may be at either the account level or the entity level.

  55. Allow is required on both sides: the IAM user in town (account) A and the AWS resource in town (account) B.

  56. The allow on the resource side can read "allow access from town A's IAM user" or "allow access from town A"; either is fine.

  57. With an allow on only one side, the result is an implicit deny: "You are on the guest list, but you don't have a permit."

  58. A frequently used example: switching roles across accounts.

  59. Switching roles is the usual way to operate in another account: an IAM user switches to an IAM role.

  60. What assuming an IAM role means: through sts:AssumeRole, the IAM user obtains a session that has assumed the role (time-limited) and carries permissions equivalent to the IAM role's IAM policy.

  61. Assuming an IAM role requires permission: on the caller's side, an identity-based policy; on the role's side, its resource-based policy (the trust policy). The diagram shows both cross-account access and access within the same account.
  62. 4. Guardrails

  63. This chapter's scope: identity-based policies and resource-based policies, plus the guardrails around them.

  64. Guardrails?
    • They function as an upper limit on what may be done.
    • They are defined outside the identity-based and resource-based policies.
    • Even if an over-broad permission is granted by mistake, the guardrail blocks it.
    • A guardrail cannot by itself allow anything.
    • Covered here: Organizations SCPs (applied to whole accounts) and permissions boundaries (applied to individual entities).
    • Anything not given an Allow by the guardrail becomes an implicit deny.

  65. What Organizations is: a feature for managing multiple AWS accounts in a hierarchy (management account; accounts A, B and C). SCPs can be assigned to individual AWS accounts.

  66. When an Organizations SCP is applied, the actions of every entity in the account, including the root user and sessions that have assumed a role, are evaluated against the SCP.

  67. When an Organizations SCP is applied, a request not allowed by the SCP is an implicit deny regardless of any other permissions. What the SCP allows is all there is; a Deny in the SCP is, of course, an explicit deny.

  68. What a permissions boundary is: also called "アクセス許可の境界" in Japanese. Think of it as a set together with the identity-based policy. It can be assigned to an IAM user or an IAM role, but not to an IAM group.

  69. What a permissions boundary looks like: used as a set with the identity-based policy, it acts as a guardrail at the point where the identity-based policy is evaluated.

  70. When the resource-based policy has no Allow: the boundary says "this is as far as this user may go". If the permissions boundary has no Allow, the result is an implicit deny ("the identity-based policy seems to allow it, but the permissions boundary does not"); a Deny there is, of course, an explicit deny.

  71. When the resource-based policy has an Allow: "you are invited, so there is no need to show your permit". The resource-based policy is evaluated first, so an Allow there is enough; the boundary ("this is as far as this user may go") does not come into play. A Deny anywhere is still an explicit deny.

  72. The cross-account case: the identity-based policy is evaluated as well, so the guardrail kicks in ("the other policies seem to allow it, but the permissions boundary does not").

  73. Putting together what we have seen so far, using the figure from the 20190129 AWS Black Belt Online Seminar "AWS Identity and Access Management (AWS IAM) Part1" (https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1): the boundary ("this is as far as this user may go") and the difference when accounts are crossed.
  74. 5. The odd one out: the VPC endpoint policy

  75. It is classified as a resource-based policy, but it is special.

  76. VPC endpoint policy: a VPC endpoint is what resources inside a VPC (EC2 instances and so on) use to communicate with a service endpoint. Depending on the service, a policy can be set on the endpoint.

  77. It functions as a guardrail: "for traffic through this endpoint, only this is allowed". Anything without an Allow is an implicit deny.

  78. Example use of a VPC endpoint policy: use the endpoint policy so that resources inside the VPC cannot reach external S3 buckets.
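The evaluation rules from slides 27 and 28 (implicit deny, explicit allow, explicit deny, and the NotResource example), 44 and 48 (empty-handed access in the same account), 54 to 57 (both sides needed across accounts), 67 (SCP), 70 to 72 (permissions boundary with and without a resource-side Allow) and 77 to 78 (VPC endpoint policy), as one worked example. This is an added teaching model written for this page, not code from the deck or from AWS: the account IDs, ARNs, bucket names, sample policies and the `evaluate`, `request`, `policy` and `scenarios` helpers are all constructed, and Condition elements, NotAction, session policies and the resource account's own SCPs are deliberately not modelled.

```python
# Toy model of the IAM evaluation logic in this deck: an added teaching example, not AWS code.
# Condition elements, NotAction/NotPrincipal, session policies and the resource account's SCPs are left out.
from fnmatch import fnmatchcase
IMPLICIT_DENY, EXPLICIT_ALLOW, EXPLICIT_DENY = "implicit deny", "explicit allow", "explicit deny"

def _matches(patterns, value):
    """IAM-style '*'/'?' wildcard match (case-folded here for brevity); patterns is a str or a list."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in ([patterns] if isinstance(patterns, str) else patterns))

def _applies(stmt, action, resource):
    """Action plus Resource/NotResource gate a statement. Actions without resource-level permissions
    (Describe*, List*) are requested against '*', which only a literal '*' pattern matches."""
    if not _matches(stmt["Action"], action):
        return False
    if "NotResource" in stmt:
        return not _matches(stmt["NotResource"], resource)
    return _matches(stmt["Resource"], resource)

def _principal_grant(stmt, principal_arn, account_id):
    """'entity' if the statement names the caller's ARN, 'account' if it names the whole account, else None."""
    principal = stmt.get("Principal")
    aws = "*" if principal == "*" else (principal or {}).get("AWS", [])
    entries = [aws] if isinstance(aws, str) else aws
    if principal_arn in entries:
        return "entity"
    return "account" if any(e in ("*", account_id, f"arn:aws:iam::{account_id}:root") for e in entries) else None

def _effects(policies, action, resource):
    return {s["Effect"] for p in policies for s in p["Statement"] if _applies(s, action, resource)}

def _resource_effects(policy, action, resource, principal_arn, account_id):
    """Effects of a resource-based policy for this caller, plus whether an Allow named the entity itself."""
    effects, entity_allow = set(), False
    for s in (policy or {}).get("Statement", []):
        grant = _principal_grant(s, principal_arn, account_id)
        if grant and _applies(s, action, resource):
            effects.add(s["Effect"])
            entity_allow |= s["Effect"] == "Allow" and grant == "entity"
    return effects, entity_allow

def evaluate(req, identity=(), resource_policy=None, scp=None, boundary=None, endpoint_policy=None):
    """Decide one request dict (action, resource, principal, caller_account, resource_account, via_vpc_endpoint)."""
    action, res = req["action"], req["resource"]
    identity_eff = _effects(identity, action, res)
    resource_eff, entity_allow = _resource_effects(resource_policy, action, res, req["principal"], req["caller_account"])
    scp_eff = _effects([scp], action, res) if scp else None
    boundary_eff = _effects([boundary], action, res) if boundary else None
    endpoint_eff = _effects([endpoint_policy], action, res) if endpoint_policy and req["via_vpc_endpoint"] else None
    if "Deny" in identity_eff | resource_eff | (scp_eff or set()) | (boundary_eff or set()) | (endpoint_eff or set()):
        return EXPLICIT_DENY      # 1. an explicit Deny in any evaluated policy beats every Allow
    if any(eff is not None and "Allow" not in eff for eff in (scp_eff, endpoint_eff)):
        return IMPLICIT_DENY      # 2. guardrails grant nothing: no Allow in the SCP / endpoint policy is implicit deny
    same_account = req["caller_account"] == req["resource_account"]
    if same_account and entity_allow:
        return EXPLICIT_ALLOW     # 3. resource policy names this entity: pass 'empty-handed', boundary not consulted
    if "Allow" not in identity_eff or (boundary_eff is not None and "Allow" not in boundary_eff):
        return IMPLICIT_DENY      # 4. otherwise the identity-based policy must Allow, inside the boundary if one is set
    if not same_account and "Allow" not in resource_eff:
        return IMPLICIT_DENY      # 5. across accounts the resource side must Allow too (entity or account level)
    return EXPLICIT_ALLOW

# Constructed sample identifiers: fictitious accounts, ARNs and bucket names.
A, B = "111111111111", "222222222222"
ALICE, INSTANCE = f"arn:aws:iam::{A}:user/alice", f"arn:aws:ec2:ap-northeast-1:{A}:instance/i-0123456789abcdef0"
BUCKET_A, BUCKET_B = "arn:aws:s3:::bucket-in-a", "arn:aws:s3:::bucket-in-b"

def policy(**statement):
    return {"Version": "2012-10-17", "Statement": [statement]}

ADMIN = policy(Effect="Allow", Action="*", Resource="*")                        # AdministratorAccess
DENY_ALL_BUT_INSTANCE = policy(Effect="Deny", Action="*", NotResource=INSTANCE)   # the deck's customer managed policy
EC2_ONLY = policy(Effect="Allow", Action="ec2:*", Resource="*")                   # reused below as SCP and as boundary
B_BUCKET_POLICY = policy(Effect="Allow", Principal={"AWS": f"arn:aws:iam::{A}:root"}, Action="s3:PutObject", Resource=f"{BUCKET_B}/*")
A_BUCKET_POLICY = policy(Effect="Allow", Principal={"AWS": ALICE}, Action="s3:GetObject", Resource=f"{BUCKET_A}/*")
ENDPOINT_POLICY = policy(Effect="Allow", Principal="*", Action="s3:*", Resource=[BUCKET_A, f"{BUCKET_A}/*"])

def request(action, resource, resource_account=A, via_vpc_endpoint=False):
    return {"action": action, "resource": resource, "principal": ALICE, "caller_account": A,
            "resource_account": resource_account, "via_vpc_endpoint": via_vpc_endpoint}

def scenarios():
    """The deck's cases as {name: outcome}."""
    start, describe = request("ec2:StartInstances", INSTANCE), request("ec2:DescribeInstances", "*")
    get_a, put_b = request("s3:GetObject", f"{BUCKET_A}/r.csv"), request("s3:PutObject", f"{BUCKET_B}/r.csv", B)
    return {
        "default_implicit_deny": evaluate(start),
        "notresource_spares_the_instance": evaluate(start, [ADMIN, DENY_ALL_BUT_INSTANCE]),
        "notresource_denies_describe": evaluate(describe, [ADMIN, DENY_ALL_BUT_INSTANCE]),
        "cross_account_both_sides": evaluate(put_b, [ADMIN], B_BUCKET_POLICY),
        "cross_account_guest_list_only": evaluate(put_b, [], B_BUCKET_POLICY),
        "same_account_empty_handed": evaluate(get_a, [], A_BUCKET_POLICY),
        "boundary_without_allow": evaluate(get_a, [ADMIN], boundary=EC2_ONLY),
        "boundary_bypassed_same_account": evaluate(get_a, [], A_BUCKET_POLICY, boundary=EC2_ONLY),
        "boundary_applies_cross_account": evaluate(put_b, [ADMIN], B_BUCKET_POLICY, boundary=EC2_ONLY),
        "scp_without_allow": evaluate(get_a, [ADMIN], scp=EC2_ONLY),
        "endpoint_blocks_other_bucket": evaluate(dict(put_b, via_vpc_endpoint=True), [ADMIN], B_BUCKET_POLICY,
                                                 endpoint_policy=ENDPOINT_POLICY),
    }
```

`scenarios()` returns the outcome of each case by name. The only case that passes without an identity-based Allow is the same-account one whose bucket policy names the user's own ARN, and that is also the only case in which the permissions boundary is skipped; the same bucket policy with the boundary in the cross-account case falls back to an implicit deny. Swapping `EC2_ONLY` for a policy that carries an explicit Deny turns the SCP and boundary cases from implicit into explicit denies, because the Deny check runs before anything else.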

  79. Summary

  80. Everything we covered, all in one picture: VPC, VPC endpoint, cross-account access.

  81. Everything we covered, all in one picture: VPC, VPC endpoint, cross-account access, permissions boundary, identity-based policy, Organizations SCP, VPC endpoint policy, resource-based policy.

  82. Summary:
    • The result of IAM evaluation logic is always one of the following:
      • implicit deny (the default)
      • explicit allow (a guardrail never grants this)
      • explicit deny (a Deny anywhere always produces this)
    • Examples that end in an implicit deny:
      • no Allow on either the identity or the resource
      • no Allow from a guardrail
      • in the cross-account case, not allowed on both sides