Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Eva...
Search
YukihiroChiba
October 06, 2021
Technology
0
12k
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic
YukihiroChiba
October 06, 2021
Tweet
Share
More Decks by YukihiroChiba
See All by YukihiroChiba
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
840
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
330
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
730
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
2.2k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
3.2k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
650
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
3.9k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.7k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
5.1k
Other Decks in Technology
See All in Technology
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
130
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
600
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
190
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
590
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
Featured
See All Featured
The Art of Programming - Codeland 2020
erikaheidi
52
13k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
GraphQLとの向き合い方2022年版
quramy
43
13k
Designing for humans not robots
tammielis
250
25k
A better future with KSS
kneath
238
17k
Statistics for Hackers
jakevdp
796
220k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Thoughts on Productivity
jonyablonski
67
4.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Building Your Own Lightsaber
phodgson
103
6.1k
Automating Front-end Workflow
addyosmani
1366
200k
Transcript
"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿ ΜΘΓԡ͑͞Α͏*".ͷධՁཧ
։ນҰ൪ ಥવͰ͕͢Ͱ͢
࣍ͷ͏ͪ ʮIAM ʹ͓͚ΔϙϦγʔʯ ͲΕͰ͠ΐ͏ʁ ʢෳճՄʣ
ݸҎ্ͷਖ਼ղͷબࢶ͕͋Γ·͢ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
ਖ਼ղ……
શ෦Ͱ͢ʂʂʂ
ΈΜͳ͍ҙຯͰͷʮ*".ͷϙϦγʔʯ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
*".ͷϙϦγʔͷΈ߹Θͤ ը૾ͯ͢AWSυΩϡϝϯτΑΓ
*".ϜζΧγΠ 🤔 🤔 🤔 എܠը૾ͯ͢AWSυΩϡϝϯτΑΓ
શ෦Λཧղ͢Δͷ͍͠ͷͰ ΜΘΓԡ͑͞·͠ΐ͏
࠷ऴతʹ͜Μͳײ͡Ͱԡ͑͞·͢
ΞδΣϯμ 1.IAM JSON ϙϦγʔ 2.ಉҰΞΧϯτͰͷධՁཧ 3.ΫϩεΞΧϯτͰͷධՁཧ 4.ΨʔυϨʔϧ 5.ҟʂVPCΤϯυϙΠϯτϙϦγʔ
ࣗݾհ ઍ༿ ɾAWS ࣄۀຊ෦ ɹίϯαϧςΟϯά෦ ɹϚωʔδϟʔ ɾ20201݄JOIN ɾ2021
APN AWS Top Engineer ɾ͖ͳΞΫγϣϯ: sts:AssumeRole
*".+40/ϙϦγʔ
*".ʹ͓͚ΔϙϦγʔλΠϓ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͝ͱͷॏཁʢࢲݟʣ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ΄ͱΜͲ+40/ JSON JSON JSON JSON JSON JSONͰͳ͍
ݟ͍ͯ͜͏ IAM JSON ϙϦγʔͷߏཁૉ
*".+40/ϙϦγʔߏཁૉ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆՄ ⭐…ࢦఆඞਢͷ߲
Θ͔Γ͍͢Πϝʔδ ʮAWSʹ͓͚ΔABACͷخ͠͞ɺਏ͞ΛޠΓ·ͨ͠ #AKIBAAWSʯΑΓ ɹhttps://dev.classmethod.jp/articles/akibaaws-06-iam-abac/
1SJODJQBMཁૉɿʮ୭͕ʯΛఆٛ *".άϧʔϓ ࢦఆͰ͖ͳ͍ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆ
"DUJPOཁૉɿʮԿΛʯΛఆٛ ec2 : StartInstances s3 : PutObject kms :
Decrypt ΞΫγϣϯϓϨϑΟοΫε αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID
ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯͯ͢(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ
۩ମྫɿ"84ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": "*", "Resource": "*" } ] } ͯ͢ͷϦιʔεͷ ͯ͢ͷΞΫγϣϯʹ ʢ݅ͳ͠Ͱʣ AllowΛ༩͑Δ
۩ମྫɿΧελϚʔཧϙϦγʔ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny",
"Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎ͷ ͯ͢ͷΞΫγϣϯΛ Deny͢Δ ର͕͜ͷΠϯελϯεͰ͋ͬͯɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯڋ൱͞ΕΔ
"MMPX͘͠%FOZ εςʔτϝϯτ͝ͱʹ Allow ͘͠ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ
҉తͳڋ൱ %FOZ"MMPX༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ݅ͰʣԿΛ͢Δ͔
ಉҰΞΧϯτͰͷධՁཧ
*".ʹ͓͚ΔϙϦγʔλΠϓʢ࠶ܝʣ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ࠓճͷൃදͰׂѪ͠·͢ ࠓճͷର֎
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষ͜ͷ̎ͭΛऔΓ্͛·͢ ຊষͷର
ΞΠσϯςΟςΟϕʔεϙϦγʔ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ҰͭͷIAM ΤϯςΟςΟʹຒΊ͜Έɻ ಠཱͨ͠ϦιʔεͰͳ͍ɻ ग़དྷ߹͍ͷϙϦγʔɻ ʮ৬ػೳͷAWSཧϙϦγʔʯͱ͍͏ࡉԽՄೳɻ AdministratorAccessɺReadOnly AccessͳͲɻ ΧελϚʔ͕ಠࣗʹ࡞͢ΔϙϦγʔɻ
όʔδϣϯཧɺෳΤϯςΟςΟͷΞλον͕Մೳɻ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ϦιʔεϕʔεϙϦγʔ … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ •
Lambdaؔ • SNSτϐοΫ …ଞଟ • ͯ͢ͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹຒΊ͜Έʣ
ΞΠσϯςΟςΟϕʔεͱϦιʔεϕʔε IAMϢʔβʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ S3όέοτ EC2Πϯελϯε IAMϢʔβʔ Ϧιʔεϕʔε ϙϦγʔඇରԠ
s3:PutObject ec2:StartInstances
͍Β͢ͱͰߟ͑Α͏ IAMϢʔβʔ AWSϦιʔε
σϑΥϧτͰ͜Ε 1.҉తͳڋ൱
྆ऀͷϙϦγʔͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Θͨ͜͠ͷϦΫΤετΛ ࣮ߦͰ͖Δ ͜ͷਓ͔ΒͷϦΫΤετ ڐՄͯ͋͛͠Δ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
σϑΥϧτͰͲͪΒͷఆٛͳ͍ IAMϢʔβʔ AWSϦιʔε ʜʜ ʜʜ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ͲͪΒͰڐՄ͕ͳ͍ͷͰ݁Ռతʹڋ൱ IAMϢʔβʔ AWSϦιʔε ͓ؼΓ͍ͩ͘͞˝ εΠʔ
୯ͳΔʮڐՄʯͱ 2.໌ࣔతͳڐՄ
ͲͪΒ͔ͰڐՄ͕༩͑ΒΕ͍ͯΔ IAMϢʔβʔ AWSϦιʔε Θͨ͠ ͜Ε͕Ͱ͖Δ ͜ͷਓʹ ͜ΕΛڐ͢ खͿΒ
ڐՄ͞ΕΔ IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ
ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ
ͪΐͬͱิ ΞΧϯτ୯ҐͷڐՄͱ ΤϯςΟςΟ୯ҐͷڐՄ
ΞΧϯτΛ֗ͱͯ͠ߟ͑ͯΈΔ ֗ʢΞΧϯτʣA ֗B ֗C rootϢʔβʔ IAMϢʔβʔ 1,2,3 AWSϦιʔε
ϦιʔεϕʔεϙϦγʔͰͷڐՄͷํ ֗ʢΞΧϯτʣA ֗B ֗C IAMϢʔβʔ
खͿΒͰ௨ΕΔͷΤϯςΟςΟ୯ҐͰڐՄ͞Εͨͷ ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ खͿΒ खͿΒ IAMϢʔβʔ1 IAMϢʔβʔ2 IAMϢʔβʔ3
Ұ൪ڧ͍ 3.໌ࣔతͳڋ൱
Ͳ͔͜Ͱ%FOZ͕༩͑ΒΕ͍ͯΕڋ൱ IAMϢʔβʔ AWSϦιʔε
໌ࣔతͳڋ൱ԿΑΓڧ͍ IAMϢʔβʔ AWSϦιʔε εΠʔ ௨͍͍ͯ͠ͱ ݴΘΕ͍͚ͯͨͲ ڋ൱͞Ε͍ͯΔΑ͏Ͱ͢Ͷ ௨͍͚ͯ͠ͳ͍ͱ ݴΘΕ͍ͯ·͢
εΠʔ
ΫϩεΞΧϯτͰͷධՁཧ
ΞΧϯτΛލ͍ͩΞΫηε IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
جຊతͳߟ͑ํมΘΒͳ͍ • ҉తͳڋ൱ɺ໌ࣔతͳڐՄɺ໌ࣔతͳڋ൱ͷߟ͑ํมΘΒͳ͍ • ΞΠσϯςΟςΟͱϦιʔεͷ྆ํͰAllow͕༩͑ΒΕ͍ͯͳ͍ͱ ҉తͳڋ൱ͱͳΔ • ϦιʔεଆͰͷڐՄɺΞΧϯτ୯ҐɾΤϯςΟςΟ୯ҐͷͲͪ ΒͰྑ͍
྆ํͰͷڐՄ͕ඞཁ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
ϦιʔεଆͰͷڐՄ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ ֗"͔ΒͷΞΫηεΛڐՄ ͲͪΒͰOK
ยํ͚ͩͷڐՄͩͱ҉తͳڋ൱ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ͋ͳͨট٬Ϧετʹ ࡌ͍ͬͯΔ͚Ͳ ڐՄূΛ࣋ͬͯͳ͍Ͱ͢Ͷ
Α͘͏ྫ ΫϩεΞΧϯτͰͷεΠονϩʔϧ
ผΞΧϯτͷૢ࡞ʹεΠονϩʔϧΛ͏͜ͱ͕ଟ͍ IAMϢʔβʔ IAMϩʔϧ
*".ϩʔϧΛҾ͖ड͚Δͱ IAMϢʔβʔ IAMϩʔϧ IAMϩʔϧΛ Ҿ͖ड͚ͨηογϣϯ ʢ੍࣌ؒݶ͋Γʣ IAMϩʔϧͱ ಉͷݖݶ IAMϙϦγʔ
sts:AssumeRole
*".ϩʔϧΛҾ͖ड͚ΔʹڐՄ͕ඞཁ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ʢ৴པϙϦγʔʣ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτ
ΞΫηε ಉ͡ΞΧϯτͰͷ ΞΫηε
ΨʔυϨʔϧ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষͷର ຊষͷର
ΨʔυϨʔϧʁ • ͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ͍ڐՄΛ༩͑ͯ͠·ͬͯΨʔυϨʔϧʹΑΓ͙ •
ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖ΔͷͰͳ͍ • ࠓճऔΓ্͛ΔͷҎԼ • Organizations SCPʢΞΧϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ͷ҉తͳڋ൱ʹ ͳΔ
0SHBOJ[BUJPOTͱ ϚωδϝϯτΞΧϯτ ΞΧϯτA ΞΧϯτB ΞΧϯτC SCP ෳͷAWSΞΧϯτΛ ֊Խͯ͠ཧͰ͖Δػೳɻ ݸʑͷAWSΞΧϯτʹ
SCPΛׂΓͯΒΕΔɻ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ IAMϢʔβʔ AWSϦιʔε rootϢʔβʔ Organizations SCP ΞΧϯτͷrootϢʔβʔΛؚΉશͯͷΤϯςΟςΟͷΞΫγϣϯSCPʹΑΔධՁΛड͚Δɻ ϩʔϧΛҾ͖ड͚ͨ ηογϣϯ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ SCPͰڐՄ͕༩͑ΒΕ͍ͯͳ͍ϦΫΤετଞͷύʔϛογϣϯʹؔͳ͘҉తͳڋ൱ͱͳΔ Organizations SCP ͜͜ͰڐՄ͞Ε͍ͯΔ ͜ͱ͕ͯ͢ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
1FSNJTTJPOTCPVOEBSZͱ ʮΞΫηεڐՄͷڥքʯͱɻ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͱηοτͰߟ͑Δɻ IAMϢʔβʔ͘͠IAMϩʔϧ ʹׂΓͯՄೳͰɺIAMάϧʔϓ ʹׂΓͯෆՄɻ
1FSNJTTJPOTCPVOEBSZͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ηοτͰ༻͢Δ
ΞΠσϯςΟςΟϕʔεϙϦγʔͷ ධՁͷλΠϛϯάͰΨʔυϨʔϧͱͯ͠ػೳ
ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ
Permissions boundaryͰAllow͕ͳ͍߹ɺ҉తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͰڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨট͞Ε͍ͯΔͷͰ
ڐՄূݟͤͯΒΘͳͯ͘ େৎͰ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋ΕڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
ΫϩεΞΧϯτͷ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτͷ߹ɺΞΠσϯςΟςΟϕʔεϙϦγʔධՁ͞ΕΔͨΊΨʔυϨʔϧ͕ൃಈ
ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ଞͷϙϦγʔͰ ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
͜͜·Ͱݟ͖ͯͨ༰ͷཧ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and- access-management-iam-part1 20190129 AWS Black Belt Online Seminar
AWS Identity and Access Management (AWS IAM) Part1 ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ΞΧϯτΛލ͍ͩ߹ͷҧ͍
ҟʂ 71$ΤϯυϙΠϯτϙϦγʔ
ྨ্ϦιʔεϕʔεϙϦγʔ͕ͩಛघ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
71$ΤϯυϙΠϯτϙϦγʔ VPC EC2ͳͲ VPCΤϯυϙΠϯτ VPCͷϦιʔε͕αʔϏεΤϯυϙΠϯτʹ௨৴Λߦ͏ͨΊʹ༻Ͱ͖ΔVPCΤϯυϙΠϯτɻ αʔϏεͷछผʹΑͬͯΤϯυϙΠϯτʹϙϦγʔΛઃఆͰ͖Δɻ
ΨʔυϨʔϧͱͯ͠ػೳ IAMϢʔβʔ AWSϦιʔε VPCΤϯυϙΠϯτ ͜͜Λܦ༝ͨ͠௨৴Ͱ ڐՄ͢Δͷ͜Ε͚ͩ ڐՄ͕ͳ͍ͷ ҉తͳڋ൱
71$ΤϯυϙΠϯτϙϦγʔͷ༻ྫ VPC VPCΤϯυϙΠϯτ VPC෦ͷϦιʔε͔Β֎෦ͷS3όέοτͷΞΫηε͕ෆՄͱͳΔΑ͏ VPCΤϯυϙΠϯτϙϦγʔΛ༻͢Δɻ
·ͱΊ
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε 1FSNJTTJPOT CPVOEBSZ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ
0SHBOJ[BUJPOT 4$1 71$ΤϯυϙΠϯτ ϙϦγʔ ϦιʔεϕʔεϙϦγʔ
·ͱΊ • IAMͷධՁཧͷ݁ՌҎԼͷ͍ͣΕ͔ͱͳΔ • ҉తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Εඞͣ͜ΕʹͳΔʣ
• ҉తͳڋ൱ͱͳΔྫҎԼ • ΞΠσϯςΟςΟͰϦιʔεͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧϯτͷ߹ʹํͰڐՄ͞Ε͍ͯͳ͍
None