
Let's Gently Get a Handle on IAM Evaluation Logic / 2021 DevIo Decade IAM Evaluation Logic

YukihiroChiba
October 06, 2021


Transcript


  1. AWS Business Headquarters, Consulting Department, Yukihiro Chiba
    Let's gently get a handle on IAM evaluation logic

  2. Right out of the gate
    This is sudden, but here is a quiz.

  3. Which of the following are "policies in IAM"? (Multiple answers allowed)

  4. There are __ or more correct answers among the choices
    Inline policy
    AdministratorAccess
    ReadOnlyAccess
    Session policy
    Identity-based policy
    S3 bucket policy
    KMS key policy
    S3 access control list
    Permissions boundary
    Organizations SCP
    Customer managed policy EC2FullAccess
    Resource-based policy
    VPC endpoint policy
    Lambda access policy
    AWS managed policies for job functions
    SNS topic policy
    Trust policy


  5. The correct answer is......

  6. All of them!!!

  7. They are all "IAM policies" in the broad sense
    Inline policy
    AdministratorAccess
    ReadOnlyAccess
    Session policy
    Identity-based policy
    S3 bucket policy
    KMS key policy
    S3 access control list
    Permissions boundary
    Organizations SCP
    Customer managed policy EC2FullAccess
    Resource-based policy
    VPC endpoint policy
    Lambda access policy
    AWS managed policies for job functions
    SNS topic policy
    Trust policy

  8. Combinations of IAM policies
    All images are from the AWS documentation

  9. IAM is hard
    🤔 🤔 🤔
    All background images are from the AWS documentation

  10. Understanding all of it is difficult, so let's get a gentle grip on it

  11. By the end, this is the picture we will have

  12. Agenda
    1. IAM JSON policies
    2. Evaluation logic within a single account
    3. Evaluation logic across accounts
    4. Guardrails
    5. The heretic: VPC endpoint policies

  13. About me
    Yukihiro Chiba
    • AWS Business Headquarters, Consulting Department, Manager
    • Joined in January 2020
    • 2021 APN AWS Top Engineer
    • Favorite action: sts:AssumeRole

  14. IAM JSON policies

  15. Policy types in IAM
    Identity-based policies
    Resource-based policies

  16. Identity-based policies
    Resource-based policies
    Importance of each policy type (personal opinion)

  17. Identity-based policies
    Resource-based policies
    Almost every policy type is JSON
    (figure labels: JSON, JSON, JSON, JSON, JSON, not JSON)

  18. Let's take a look
    The elements of an IAM JSON policy

  19. IAM JSON policy elements
    Can be specified only in resource-based policies
    ⭐ ... required elements

  20. An easy-to-grasp picture
    From "Talking about the joys and pains of ABAC on AWS #AKIBAAWS":
    https://dev.classmethod.jp/articles/akibaaws-06-iam-abac/

  21. Principal element: defines "who"
    IAM groups cannot be specified
    Specified only in resource-based policies

  22. Action element: defines "what"
    ec2:StartInstances
    s3:PutObject
    kms:Decrypt
    The action prefix is the service namespace.
    Evaluated regardless of whether the operation comes from the Management Console, the AWS CLI, an AWS SDK, or elsewhere.
    The applicable resource types differ by action.

  23. Resource element: defines "on what"
    • arn:aws:s3:::bucket-name
    • arn:aws:s3:::bucket-name/object-name
    • arn:aws:ec2:${Region}:${Account}:instance/instance-id
    • arn:aws:ec2:${Region}:${Account}:volume/volume-id
    Specify an ARN. The applicable resource types differ by action.
    (figure label: different resource types)

  24. Resource element: defines "on what"
    • arn:aws:s3:::bucket-name
    • arn:aws:s3:::bucket-name/object-name
    • arn:aws:s3:::bucket-name/*
    • arn:aws:ec2:${Region}:${Account}:instance/instance-id
    • arn:aws:ec2:${Region}:${Account}:volume/volume-id
    • arn:aws:ec2:${Region}:${Account}:instance/*
    Specify an ARN. The applicable resource types differ by action.
    (figure labels: different resource types; wildcards can be used)

  25. Resource element: defines "on what"
    • arn:aws:s3:::bucket-name
    • arn:aws:s3:::bucket-name/object-name
    • arn:aws:s3:::bucket-name/*
    • arn:aws:ec2:${Region}:${Account}:instance/instance-id
    • arn:aws:ec2:${Region}:${Account}:volume/volume-id
    • arn:aws:ec2:${Region}:${Account}:instance/*
    • *
    Specify an ARN. The applicable resource types differ by action.
    (figure labels: different resource types; wildcards can be used)
    Some actions require specifying everything (*)
    (common among List-type actions)

  26. Concrete example: the AWS managed policy "AdministratorAccess"
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }
    Grants Allow to all actions on all resources (with no conditions)

  27. Concrete example: a customer managed policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "*",
          "NotResource": "arn:aws:ec2:ap-northeast-1:012345678910:instance/i-xxxxx"
        }
      ]
    }
    Denies all actions on everything except the specified resource
    Even when the target is this instance, actions that do not apply to the instance resource type, such as the Describe family, are denied

  28. Allow or Deny
    Each statement defines either Allow or Deny.
    For the content of a request, the evaluation ends in one of the following states.
    State: summary
    Implicit deny: neither Deny nor Allow has been granted. The default.
    Explicit deny: a Deny has been granted. Takes precedence over an explicit allow.
    Explicit allow: an Allow has been granted. Cancelled where it overlaps with a Deny.
    Who does what, on what (and under which conditions)


  29. Evaluation logic within a single account

  30. Policy types in IAM (repeated)
    Identity-based policies
    Resource-based policies

  31. Identity-based policies
    Resource-based policies
    Omitted from this talk
    (figure label: out of scope this time)

  32. Identity-based policies
    Resource-based policies
    This chapter covers these two
    (figure label: scope of this chapter)

  33. Identity-based policies
    (figure labels: IAM user, IAM group, IAM role; attach)
    The so-called "IAM policy". Attached to an identity.

  34. Identity-based policies
    Inline policy: embedded directly in a single IAM entity. Not an independent resource.
    AWS managed policy: a ready-made policy. Can be further subdivided into "AWS managed policies for job functions". AdministratorAccess, ReadOnlyAccess, and so on.
    Customer managed policy: a policy the customer creates on their own. Supports versioning and attachment to multiple entities.
    (figure labels: IAM user, IAM group, IAM role; attach)
    The so-called "IAM policy". Attached to an identity.

  35. Resource-based policies
    • Policies attached on the resource side
    • S3 buckets
    • KMS keys
    • Lambda functions
    • SNS topics ... and many others
    • Not every resource supports them
    • The Principal element can be defined
    • Inline policies (embedded directly in the resource)

  36. Identity-based and resource-based
    (figure labels: IAM user with an identity-based policy; resource-based policy; S3 bucket, s3:PutObject; EC2 instance, ec2:StartInstances: resource-based policies not supported)

  37. Let's think in illustrations
    (figure labels: IAM user, AWS resource)

  38. This is the default
    1. Implicit deny

  39. What the two policies look like
    (figure labels: IAM user, AWS resource)
    Identity-based policy: "I am able to run this request"
    Resource-based policy: "I will allow requests from this person"

  40. By default, neither one is defined
    (figure labels: IAM user, AWS resource)
    Identity-based policy: "......"
    Resource-based policy: "......"

  41. Neither side grants permission, so the result is a denial
    (figure labels: IAM user, AWS resource)
    "Please go home"
    (slides away)

  42. Also known simply as "allow"
    2. Explicit allow

  43. Permission is granted on one side or the other
    (figure labels: IAM user, AWS resource)
    "I can do this"
    "I allow this person to do this"
    (figure label: empty-handed)

  44. It is allowed
    (figure labels: IAM user, AWS resource)
    (slides through) "You have been told you may pass"
    "It seems you have the right to pass" (slides through)
    For resources to which a resource-based policy cannot be attached, the permission has to be secured on the identity side

  45. A small supplement
    Account-level permission and entity-level permission

  46. Think of an account as a town
    (figure labels: town (account) A, town B, town C; root user; IAM users 1, 2, 3; AWS resource)

  47. How permission is granted in a resource-based policy
    (figure labels: town (account) A, town B, town C; IAM user)

  48. Only those allowed at the entity level can pass empty-handed
    "Allow access from the IAM user of town A"
    (figure labels: empty-handed, empty-handed; IAM user 1, IAM user 2, IAM user 3)

  49. The strongest
    3. Explicit deny

  50. If a Deny is granted anywhere, the request is denied
    (figure labels: IAM user, AWS resource)

  51. An explicit deny is stronger than anything
    (figure labels: IAM user, AWS resource)
    (slides through) "You were told you could pass, but it seems you are refused"
    "I have been told not to let you through" (slides through)


  52. Evaluation logic across accounts

  53. Access across accounts
    (figure labels: IAM user, AWS resource; town (account) A, town (account) B)

  54. The basic way of thinking does not change
    • The ideas of implicit deny, explicit allow and explicit deny are unchanged
    • Unless Allow is granted on both the identity and the resource, the result is an implicit deny
    • The allow on the resource side can be either account-level or entity-level

  55. Permission on both sides is required
    (figure labels: IAM user, AWS resource; town (account) A, town (account) B)

  56. Permission on the resource side
    (figure labels: IAM user, AWS resource; town (account) A, town (account) B)
    "Allow access from the IAM user of town A"
    "Allow access from town A"
    Either is OK

  57. Permission on only one side means an implicit deny
    (figure labels: IAM user, AWS resource; town (account) A, town (account) B)
    "You are on the guest list, but you don't have a permit"

  58. A commonly used example
    Cross-account switch role

  59. Switch role is often used to operate on another account
    (figure labels: IAM user, IAM role)

  60. What it means to assume an IAM role
    (figure labels: IAM user, IAM role)
    A session that has assumed the IAM role (time-limited)
    Same permissions as the IAM role
    IAM policy
    sts:AssumeRole

  61. Assuming an IAM role requires permission
    Cross-account access: identity-based policy + resource-based policy (trust policy)
    Access within the same account: identity-based policy + resource-based policy


  62. Guardrails

  63. Identity-based policies
    Resource-based policies
    (figure labels: scope of this chapter, scope of this chapter)

  64. Guardrails?
    • Something that works as an upper bound on what is allowed
    • Defined outside of the identity-based policies and resource-based policies
    • Even if you accidentally grant an overly broad permission, the guardrail prevents it
    • A guardrail itself cannot allow anything
    • The ones covered this time:
    • Organizations SCP (applied to a whole account)
    • Permissions boundary (applied to an individual entity)
    • Anything not allowed by the guardrail becomes an implicit deny

  65. What is Organizations
    (figure labels: management account; account A, account B, account C; SCP)
    A feature for managing multiple AWS accounts hierarchically.
    An SCP can be assigned to each individual AWS account.

  66. When an Organizations SCP is applied
    (figure labels: IAM user, AWS resource, root user, Organizations SCP, session that has assumed a role)
    The actions of every entity in the account, including the root user, are evaluated against the SCP.

  67. When an Organizations SCP is applied
    A request that the SCP does not allow is an implicit deny, regardless of any other permissions
    Organizations SCP: "What is allowed here is all there is"
    Of course, if there is a Deny, it is an explicit deny

  68. What is a Permissions boundary
    Also called an "access permissions boundary" (アクセス許可の境界).
    Think of it as a set together with the identity-based policy.
    Can be assigned to an IAM user or an IAM role, but not to an IAM group.

  69. What a Permissions boundary looks like
    (figure labels: IAM user, AWS resource; Permissions boundary, identity-based policy, resource-based policy)
    Used as a set with the identity-based policy
    Works as a guardrail at the moment the identity-based policy is evaluated

  70. When there is no Allow in the resource-based policy
    (figure labels: IAM user, AWS resource; Permissions boundary, identity-based policy)
    "This user may go this far and no further"
    If there is no Allow in the Permissions boundary, the result is an implicit deny
    "The identity-based policy seems to allow it, but the Permissions boundary does not seem to allow you."
    Of course, if there is a Deny, it is an explicit deny

  71. When the resource-based policy has an Allow
    (figure labels: IAM user, AWS resource; Permissions boundary, identity-based policy, resource-based policy)
    "You are invited, so I don't need to see your permit."
    The resource-based policy is evaluated first, so if it has an Allow, the request is allowed
    "This user may go this far and no further"
    Of course, if there is a Deny, it is an explicit deny

  72. The cross-account case
    (figure labels: IAM user, AWS resource; Permissions boundary, identity-based policy, resource-based policy)
    In the cross-account case the identity-based policy is also evaluated, so the guardrail kicks in
    "This user may go this far and no further"
    "The other policies seem to allow it, but the Permissions boundary does not seem to allow you."

  73. Recap of what we have seen so far
    https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1
    20190129 AWS Black Belt Online Seminar AWS Identity and Access Management (AWS IAM) Part1
    "This user may go this far and no further"
    The difference when crossing accounts
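The decision order that slides 28, 54, 64 to 72 and this recap describe, as an added example that is not part of the deck: a small Python model of the evaluation (implicit deny by default, a Deny anywhere wins, SCP and Permissions boundary as guardrails that can only take away, a resource-based Allow sufficient on its own within one account but needing the caller's own Allow across accounts). The policies, the bucket name and the function names are constructed for this example; the instance ARN is the deck's own placeholder, and only the caller's account SCP is modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample value (not a real account); the ARN is the placeholder used in the deck.
INSTANCE = "arn:aws:ec2:ap-northeast-1:012345678910:instance/i-xxxxx"

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def evaluate_policy(policy, action, resource):
    """One policy -> 'Deny', 'Allow' or None (no statement matched). Wildcards: * and ?."""
    if policy is None:
        return None
    verdict = None
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        if "NotResource" in stmt:  # matches every resource EXCEPT the ones listed
            if any(fnmatchcase(resource, r) for r in _as_list(stmt["NotResource"])):
                continue
        elif not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is never cancelled by an Allow
        verdict = "Allow"
    return verdict

def decide(action, resource, identity=None, resource_policy=None,
           scp=None, boundary=None, cross_account=False):
    """Apply the deck's decision order and return one of its three outcomes."""
    v = {name: evaluate_policy(p, action, resource) for name, p in
         (("identity", identity), ("resource", resource_policy), ("scp", scp), ("boundary", boundary))}
    if "Deny" in v.values():
        return "explicit deny"  # a Deny anywhere wins over everything else
    if scp is not None and v["scp"] != "Allow":
        return "implicit deny"  # SCP guardrail: only what it allows can be allowed at all
    identity_ok = v["identity"] == "Allow" and (boundary is None or v["boundary"] == "Allow")
    if v["resource"] == "Allow":
        # same account: the resource-based Allow is evaluated first and is enough on its own;
        # cross-account: the caller's side (identity policy and its boundary) must allow too
        return "explicit allow" if (not cross_account or identity_ok) else "implicit deny"
    if cross_account:
        return "implicit deny"  # on the guest list but without a permit, or the other way round
    return "explicit allow" if identity_ok else "implicit deny"

def policy(effect, action, **target):  # tiny builder for the constructed policies below
    return {"Version": "2012-10-17", "Statement": [{"Effect": effect, "Action": action, **target}]}
ADMIN = policy("Allow", "*", Resource="*")  # the AdministratorAccess shape from the deck
LOCK_TO_ONE = policy("Deny", "*", NotResource=INSTANCE)  # the customer managed Deny from the deck
BUCKET_ALLOW = policy("Allow", "s3:PutObject", Resource="arn:aws:s3:::example-bucket/*")
S3_GET_ONLY = policy("Allow", "s3:GetObject", Resource="*")  # used below as an SCP or a boundary
```

Attaching ADMIN and LOCK_TO_ONE together reproduces slide 27: ec2:StartInstances on the instance is allowed, while a Describe call whose resource is "*" hits the Deny.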


  74. The heretic!
    VPC endpoint policies

  75. Classified as a resource-based policy, but special
    Identity-based policies
    Resource-based policies

  76. VPC endpoint policies
    (figure labels: VPC; EC2 and the like; VPC endpoint)
    A VPC endpoint is what resources inside a VPC can use to communicate with a service endpoint.
    Depending on the type of service, a policy can be set on the endpoint.

  77. Works as a guardrail
    (figure labels: IAM user, AWS resource, VPC endpoint)
    "For traffic passing through here, this is all that is allowed"
    Anything without an allow is an implicit deny

  78. Example use of a VPC endpoint policy
    (figure labels: VPC, VPC endpoint)
    Use a VPC endpoint policy so that resources inside the VPC cannot access external S3 buckets.


  79. Summary

  80. Everything introduced, all together
    (figure labels: VPC endpoint, VPC, cross-account access)

  81. Everything introduced, all together
    (figure labels: VPC endpoint, VPC, cross-account access, Permissions boundary, identity-based policy, Organizations SCP, VPC endpoint policy, resource-based policy)

  82. Summary
    • The result of IAM evaluation logic is one of the following
    • Implicit deny (the default)
    • Explicit allow (a guardrail cannot grant one)
    • Explicit deny (if there is a Deny anywhere, this is always the result)
    • Examples that result in an implicit deny:
    • No Allow granted on either the identity or the resource
    • No Allow granted by a guardrail
    • In the cross-account case, not allowed on both sides