Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Eva...
Search
YukihiroChiba
October 06, 2021
Technology
14k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic
YukihiroChiba
October 06, 2021
More Decks by YukihiroChiba
See All by YukihiroChiba
DevelopersIO 2025 RIとSP基礎講座
yukihirochiba
1
2.4k
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
1.3k
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
1.2k
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
1.2k
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
3.2k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
3.7k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
860
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
7.4k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
2.4k
Other Decks in Technology
See All in Technology
AI 不只幫你寫 Code: 當專案從 300 暴增到 1500, 我們如何撐住 DevOps
appleboy
0
260
ぼっちではじめた登壇が「51名」「241件」の発信に化けた
subroh0508
1
320
IaC コードを資産へ:AWS CDK 社内ライブラリと横断展開 / aws-summit-japan-2026
gotok365
10
1.6k
OTel × Datadog で 「AI活用」を計測し、改善に繋げる
shihochan
2
1k
AI時代のコスト管理を考えよう〜明日から使える実践AWSノウハウ~
yoshimi0227
0
910
【Snowflake Summit 2026 Recap!!】Snowflake Summit Deep Dive: Security & Governance
civitaspo
1
320
現場のトークンマネジメント
dak2
1
190
飲食店もAIで。レジ締めやハンディシステムをつくってる話 / Using AI for restaurant management
vtryo
0
190
時期が悪い!それでもRaspberry Piを買って遊んで活用するには / 20260627-osc26do-rpi-jikigawarui
akkiesoft
1
870
元・セキュリティ学習経験0大学生による業務紹介 / An Introduction to the Job by a Former College Student with Zero Security Training Experience
nttcom
0
550
AIAU_UMEMOGU_ninomiya_slide
ninomiya_ii
0
270
FPC(フレキシブル)基板にZephyr実装してみた。
iotengineer22
0
180
Featured
See All Featured
The Art of Programming - Codeland 2020
erikaheidi
57
14k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.3k
Site-Speed That Sticks
csswizardry
13
1.2k
New Earth Scene 8
popppiees
3
2.4k
YesSQL, Process and Tooling at Scale
rocio
174
15k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
290
Music & Morning Musume
bryan
47
7.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
1.1k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
750
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Claude Code どこまでも/ Claude Code Everywhere
nwiizo
65
56k
Transcript
"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿ ΜΘΓԡ͑͞Α͏*".ͷධՁཧ
։ນҰ൪ ಥવͰ͕͢Ͱ͢
࣍ͷ͏ͪ ʮIAM ʹ͓͚ΔϙϦγʔʯ ͲΕͰ͠ΐ͏ʁ ʢෳճՄʣ
ݸҎ্ͷਖ਼ղͷબࢶ͕͋Γ·͢ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
ਖ਼ղ……
શ෦Ͱ͢ʂʂʂ
ΈΜͳ͍ҙຯͰͷʮ*".ͷϙϦγʔʯ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
*".ͷϙϦγʔͷΈ߹Θͤ ը૾ͯ͢AWSυΩϡϝϯτΑΓ
*".ϜζΧγΠ 🤔 🤔 🤔 എܠը૾ͯ͢AWSυΩϡϝϯτΑΓ
શ෦Λཧղ͢Δͷ͍͠ͷͰ ΜΘΓԡ͑͞·͠ΐ͏
࠷ऴతʹ͜Μͳײ͡Ͱԡ͑͞·͢
ΞδΣϯμ 1.IAM JSON ϙϦγʔ 2.ಉҰΞΧϯτͰͷධՁཧ 3.ΫϩεΞΧϯτͰͷධՁཧ 4.ΨʔυϨʔϧ 5.ҟʂVPCΤϯυϙΠϯτϙϦγʔ
ࣗݾհ ઍ༿ ɾAWS ࣄۀຊ෦ ɹίϯαϧςΟϯά෦ ɹϚωʔδϟʔ ɾ20201݄JOIN ɾ2021
APN AWS Top Engineer ɾ͖ͳΞΫγϣϯ: sts:AssumeRole
*".+40/ϙϦγʔ
*".ʹ͓͚ΔϙϦγʔλΠϓ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͝ͱͷॏཁʢࢲݟʣ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ΄ͱΜͲ+40/ JSON JSON JSON JSON JSON JSONͰͳ͍
ݟ͍ͯ͜͏ IAM JSON ϙϦγʔͷߏཁૉ
*".+40/ϙϦγʔߏཁૉ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆՄ ⭐…ࢦఆඞਢͷ߲
Θ͔Γ͍͢Πϝʔδ ʮAWSʹ͓͚ΔABACͷخ͠͞ɺਏ͞ΛޠΓ·ͨ͠ #AKIBAAWSʯΑΓ ɹhttps://dev.classmethod.jp/articles/akibaaws-06-iam-abac/
1SJODJQBMཁૉɿʮ୭͕ʯΛఆٛ *".άϧʔϓ ࢦఆͰ͖ͳ͍ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆ
"DUJPOཁૉɿʮԿΛʯΛఆٛ ec2 : StartInstances s3 : PutObject kms :
Decrypt ΞΫγϣϯϓϨϑΟοΫε αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID
ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯͯ͢(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ
۩ମྫɿ"84ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": "*", "Resource": "*" } ] } ͯ͢ͷϦιʔεͷ ͯ͢ͷΞΫγϣϯʹ ʢ݅ͳ͠Ͱʣ AllowΛ༩͑Δ
۩ମྫɿΧελϚʔཧϙϦγʔ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny",
"Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎ͷ ͯ͢ͷΞΫγϣϯΛ Deny͢Δ ର͕͜ͷΠϯελϯεͰ͋ͬͯɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯڋ൱͞ΕΔ
"MMPX͘͠%FOZ εςʔτϝϯτ͝ͱʹ Allow ͘͠ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ
҉తͳڋ൱ %FOZ"MMPX༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ݅ͰʣԿΛ͢Δ͔
ಉҰΞΧϯτͰͷධՁཧ
*".ʹ͓͚ΔϙϦγʔλΠϓʢ࠶ܝʣ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ࠓճͷൃදͰׂѪ͠·͢ ࠓճͷର֎
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষ͜ͷ̎ͭΛऔΓ্͛·͢ ຊষͷର
ΞΠσϯςΟςΟϕʔεϙϦγʔ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ҰͭͷIAM ΤϯςΟςΟʹຒΊ͜Έɻ ಠཱͨ͠ϦιʔεͰͳ͍ɻ ग़དྷ߹͍ͷϙϦγʔɻ ʮ৬ػೳͷAWSཧϙϦγʔʯͱ͍͏ࡉԽՄೳɻ AdministratorAccessɺReadOnly AccessͳͲɻ ΧελϚʔ͕ಠࣗʹ࡞͢ΔϙϦγʔɻ
όʔδϣϯཧɺෳΤϯςΟςΟͷΞλον͕Մೳɻ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ϦιʔεϕʔεϙϦγʔ … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ •
Lambdaؔ • SNSτϐοΫ …ଞଟ • ͯ͢ͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹຒΊ͜Έʣ
ΞΠσϯςΟςΟϕʔεͱϦιʔεϕʔε IAMϢʔβʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ S3όέοτ EC2Πϯελϯε IAMϢʔβʔ Ϧιʔεϕʔε ϙϦγʔඇରԠ
s3:PutObject ec2:StartInstances
͍Β͢ͱͰߟ͑Α͏ IAMϢʔβʔ AWSϦιʔε
σϑΥϧτͰ͜Ε 1.҉తͳڋ൱
྆ऀͷϙϦγʔͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Θͨ͜͠ͷϦΫΤετΛ ࣮ߦͰ͖Δ ͜ͷਓ͔ΒͷϦΫΤετ ڐՄͯ͋͛͠Δ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
σϑΥϧτͰͲͪΒͷఆٛͳ͍ IAMϢʔβʔ AWSϦιʔε ʜʜ ʜʜ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ͲͪΒͰڐՄ͕ͳ͍ͷͰ݁Ռతʹڋ൱ IAMϢʔβʔ AWSϦιʔε ͓ؼΓ͍ͩ͘͞˝ εΠʔ
୯ͳΔʮڐՄʯͱ 2.໌ࣔతͳڐՄ
ͲͪΒ͔ͰڐՄ͕༩͑ΒΕ͍ͯΔ IAMϢʔβʔ AWSϦιʔε Θͨ͠ ͜Ε͕Ͱ͖Δ ͜ͷਓʹ ͜ΕΛڐ͢ खͿΒ
ڐՄ͞ΕΔ IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ
ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ
ͪΐͬͱิ ΞΧϯτ୯ҐͷڐՄͱ ΤϯςΟςΟ୯ҐͷڐՄ
ΞΧϯτΛ֗ͱͯ͠ߟ͑ͯΈΔ ֗ʢΞΧϯτʣA ֗B ֗C rootϢʔβʔ IAMϢʔβʔ 1,2,3 AWSϦιʔε
ϦιʔεϕʔεϙϦγʔͰͷڐՄͷํ ֗ʢΞΧϯτʣA ֗B ֗C IAMϢʔβʔ
खͿΒͰ௨ΕΔͷΤϯςΟςΟ୯ҐͰڐՄ͞Εͨͷ ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ खͿΒ खͿΒ IAMϢʔβʔ1 IAMϢʔβʔ2 IAMϢʔβʔ3
Ұ൪ڧ͍ 3.໌ࣔతͳڋ൱
Ͳ͔͜Ͱ%FOZ͕༩͑ΒΕ͍ͯΕڋ൱ IAMϢʔβʔ AWSϦιʔε
໌ࣔతͳڋ൱ԿΑΓڧ͍ IAMϢʔβʔ AWSϦιʔε εΠʔ ௨͍͍ͯ͠ͱ ݴΘΕ͍͚ͯͨͲ ڋ൱͞Ε͍ͯΔΑ͏Ͱ͢Ͷ ௨͍͚ͯ͠ͳ͍ͱ ݴΘΕ͍ͯ·͢
εΠʔ
ΫϩεΞΧϯτͰͷධՁཧ
ΞΧϯτΛލ͍ͩΞΫηε IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
جຊతͳߟ͑ํมΘΒͳ͍ • ҉తͳڋ൱ɺ໌ࣔతͳڐՄɺ໌ࣔతͳڋ൱ͷߟ͑ํมΘΒͳ͍ • ΞΠσϯςΟςΟͱϦιʔεͷ྆ํͰAllow͕༩͑ΒΕ͍ͯͳ͍ͱ ҉తͳڋ൱ͱͳΔ • ϦιʔεଆͰͷڐՄɺΞΧϯτ୯ҐɾΤϯςΟςΟ୯ҐͷͲͪ ΒͰྑ͍
྆ํͰͷڐՄ͕ඞཁ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
ϦιʔεଆͰͷڐՄ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ ֗"͔ΒͷΞΫηεΛڐՄ ͲͪΒͰOK
ยํ͚ͩͷڐՄͩͱ҉తͳڋ൱ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ͋ͳͨট٬Ϧετʹ ࡌ͍ͬͯΔ͚Ͳ ڐՄূΛ࣋ͬͯͳ͍Ͱ͢Ͷ
Α͘͏ྫ ΫϩεΞΧϯτͰͷεΠονϩʔϧ
ผΞΧϯτͷૢ࡞ʹεΠονϩʔϧΛ͏͜ͱ͕ଟ͍ IAMϢʔβʔ IAMϩʔϧ
*".ϩʔϧΛҾ͖ड͚Δͱ IAMϢʔβʔ IAMϩʔϧ IAMϩʔϧΛ Ҿ͖ड͚ͨηογϣϯ ʢ੍࣌ؒݶ͋Γʣ IAMϩʔϧͱ ಉͷݖݶ IAMϙϦγʔ
sts:AssumeRole
*".ϩʔϧΛҾ͖ड͚ΔʹڐՄ͕ඞཁ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ʢ৴པϙϦγʔʣ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτ
ΞΫηε ಉ͡ΞΧϯτͰͷ ΞΫηε
ΨʔυϨʔϧ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষͷର ຊষͷର
ΨʔυϨʔϧʁ • ͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ͍ڐՄΛ༩͑ͯ͠·ͬͯΨʔυϨʔϧʹΑΓ͙ •
ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖ΔͷͰͳ͍ • ࠓճऔΓ্͛ΔͷҎԼ • Organizations SCPʢΞΧϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ͷ҉తͳڋ൱ʹ ͳΔ
0SHBOJ[BUJPOTͱ ϚωδϝϯτΞΧϯτ ΞΧϯτA ΞΧϯτB ΞΧϯτC SCP ෳͷAWSΞΧϯτΛ ֊Խͯ͠ཧͰ͖Δػೳɻ ݸʑͷAWSΞΧϯτʹ
SCPΛׂΓͯΒΕΔɻ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ IAMϢʔβʔ AWSϦιʔε rootϢʔβʔ Organizations SCP ΞΧϯτͷrootϢʔβʔΛؚΉશͯͷΤϯςΟςΟͷΞΫγϣϯSCPʹΑΔධՁΛड͚Δɻ ϩʔϧΛҾ͖ड͚ͨ ηογϣϯ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ SCPͰڐՄ͕༩͑ΒΕ͍ͯͳ͍ϦΫΤετଞͷύʔϛογϣϯʹؔͳ͘҉తͳڋ൱ͱͳΔ Organizations SCP ͜͜ͰڐՄ͞Ε͍ͯΔ ͜ͱ͕ͯ͢ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
1FSNJTTJPOTCPVOEBSZͱ ʮΞΫηεڐՄͷڥքʯͱɻ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͱηοτͰߟ͑Δɻ IAMϢʔβʔ͘͠IAMϩʔϧ ʹׂΓͯՄೳͰɺIAMάϧʔϓ ʹׂΓͯෆՄɻ
1FSNJTTJPOTCPVOEBSZͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ηοτͰ༻͢Δ
ΞΠσϯςΟςΟϕʔεϙϦγʔͷ ධՁͷλΠϛϯάͰΨʔυϨʔϧͱͯ͠ػೳ
ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ
Permissions boundaryͰAllow͕ͳ͍߹ɺ҉తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͰڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨট͞Ε͍ͯΔͷͰ
ڐՄূݟͤͯΒΘͳͯ͘ େৎͰ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋ΕڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
ΫϩεΞΧϯτͷ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτͷ߹ɺΞΠσϯςΟςΟϕʔεϙϦγʔධՁ͞ΕΔͨΊΨʔυϨʔϧ͕ൃಈ
ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ଞͷϙϦγʔͰ ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
͜͜·Ͱݟ͖ͯͨ༰ͷཧ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and- access-management-iam-part1 20190129 AWS Black Belt Online Seminar
AWS Identity and Access Management (AWS IAM) Part1 ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ΞΧϯτΛލ͍ͩ߹ͷҧ͍
ҟʂ 71$ΤϯυϙΠϯτϙϦγʔ
ྨ্ϦιʔεϕʔεϙϦγʔ͕ͩಛघ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
71$ΤϯυϙΠϯτϙϦγʔ VPC EC2ͳͲ VPCΤϯυϙΠϯτ VPCͷϦιʔε͕αʔϏεΤϯυϙΠϯτʹ௨৴Λߦ͏ͨΊʹ༻Ͱ͖ΔVPCΤϯυϙΠϯτɻ αʔϏεͷछผʹΑͬͯΤϯυϙΠϯτʹϙϦγʔΛઃఆͰ͖Δɻ
ΨʔυϨʔϧͱͯ͠ػೳ IAMϢʔβʔ AWSϦιʔε VPCΤϯυϙΠϯτ ͜͜Λܦ༝ͨ͠௨৴Ͱ ڐՄ͢Δͷ͜Ε͚ͩ ڐՄ͕ͳ͍ͷ ҉తͳڋ൱
71$ΤϯυϙΠϯτϙϦγʔͷ༻ྫ VPC VPCΤϯυϙΠϯτ VPC෦ͷϦιʔε͔Β֎෦ͷS3όέοτͷΞΫηε͕ෆՄͱͳΔΑ͏ VPCΤϯυϙΠϯτϙϦγʔΛ༻͢Δɻ
·ͱΊ
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε 1FSNJTTJPOT CPVOEBSZ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ
0SHBOJ[BUJPOT 4$1 71$ΤϯυϙΠϯτ ϙϦγʔ ϦιʔεϕʔεϙϦγʔ
·ͱΊ • IAMͷධՁཧͷ݁ՌҎԼͷ͍ͣΕ͔ͱͳΔ • ҉తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Εඞͣ͜ΕʹͳΔʣ
• ҉తͳڋ൱ͱͳΔྫҎԼ • ΞΠσϯςΟςΟͰϦιʔεͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧϯτͷ߹ʹํͰڐՄ͞Ε͍ͯͳ͍
None