Upgrade to Pro — share decks privately, control downloads, hide ads and more …

やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Eva...

やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic

YukihiroChiba

October 06, 2021
Tweet

More Decks by YukihiroChiba

Other Decks in Technology

Transcript

  1. ݸҎ্ͷਖ਼ղͷબ୒ࢶ͕͋Γ·͢  ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ

    ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔ؅ཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬຿ػೳͷAWS؅ཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
  2. ΈΜͳ޿͍ҙຯͰͷʮ*".ͷϙϦγʔʯ  ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ

    ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔ؅ཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬຿ػೳͷAWS؅ཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
  3. "DUJPOཁૉɿʮԿΛʯΛఆٛ  ec2 : StartInstances s3 : PutObject kms :

    Decrypt ΞΫγϣϯϓϨϑΟοΫε͸ αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ
  4. 3FTPVDFཁૉɿʮԿʹʯΛఆٛ  • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID

    • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ࢖༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*
  5. 3FTPVDFཁૉɿʮԿʹʯΛఆٛ  • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID

    • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ࢖༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯ͸͢΂ͯ(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ
  6. ۩ମྫɿ"84؅ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ  { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",

    "Action": "*", "Resource": "*" } ] } ͢΂ͯͷϦιʔε΁ͷ ͢΂ͯͷΞΫγϣϯʹ ʢ৚݅ͳ͠Ͱʣ AllowΛ༩͑Δ
  7. ۩ମྫɿΧελϚʔ؅ཧϙϦγʔ  { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny",

    "Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎΁ͷ ͢΂ͯͷΞΫγϣϯΛ Deny͢Δ ର৅͕͜ͷΠϯελϯεͰ͋ͬͯ΋ɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯ͸ڋ൱͞ΕΔ
  8. "MMPX΋͘͠͸%FOZ  εςʔτϝϯτ͝ͱʹ Allow ΋͘͠͸ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ಺༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ

    ҉໧తͳڋ൱ %FOZ΋"MMPX΋༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ৔߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ৚݅ͰʣԿΛ͢Δ͔
  9. ϦιʔεϕʔεϙϦγʔ  … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ •

    Lambdaؔ਺ • SNSτϐοΫ …ଞଟ਺ • ͢΂ͯͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹ௚઀ຒΊ͜Έʣ
  10. ڐՄ͞ΕΔ  IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ͸௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ͸௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ

    ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ৔߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ
  11. ΨʔυϨʔϧʁ  • ΍͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δ΋ͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ޿͍ڐՄΛ༩͑ͯ͠·ͬͯ΋ΨʔυϨʔϧʹΑΓ๷͙ •

    ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖Δ΋ͷͰ͸ͳ͍ • ࠓճऔΓ্͛Δͷ͸ҎԼ • Organizations SCPʢΞΧ΢ϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍΋ͷ͸҉໧తͳڋ൱ʹ ͳΔ
  12. ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍৔߹  IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ

    Permissions boundaryͰAllow͕ͳ͍৔߹ɺ҉໧తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ Ͱ͸ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
  13. ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ৔߹  IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨ͸ট଴͞Ε͍ͯΔͷͰ

    ڐՄূ͸ݟͤͯ΋ΒΘͳͯ͘΋ େৎ෉Ͱ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋Ε͹ڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱
  14. ·ͱΊ  • IAMͷධՁ࿦ཧͷ݁Ռ͸ҎԼͷ͍ͣΕ͔ͱͳΔ • ҉໧తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ͸༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Ε͹ඞͣ͜ΕʹͳΔʣ

    • ҉໧తͳڋ൱ͱͳΔྫ͸ҎԼ • ΞΠσϯςΟςΟͰ΋ϦιʔεͰ΋Allow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧ΢ϯτͷ৔߹ʹ૒ํͰڐՄ͞Ε͍ͯͳ͍