Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Eva...
Search
YukihiroChiba
October 06, 2021
Technology
0
13k
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic
YukihiroChiba
October 06, 2021
Tweet
Share
More Decks by YukihiroChiba
See All by YukihiroChiba
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
940
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
500
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
850
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
2.4k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
3.3k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
690
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
4k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.9k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
5.4k
Other Decks in Technology
See All in Technology
手を動かしてレベルアップしよう!
maruto
0
210
AWS Well-Architected Frameworkで学ぶAmazon ECSのセキュリティ対策
umekou
2
140
2/18 Making Security Scale: メルカリが考えるセキュリティ戦略 - Coincheck x LayerX x Mercari
jsonf
0
210
クラウド関連のインシデントケースを収集して見えてきたもの
lhazy
6
860
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
180
分解して理解する Aspire
nenonaninu
2
1.1k
コンピュータビジョンの社会実装について考えていたらゲームを作っていた話
takmin
1
600
JAWS FESTA 2024「バスロケ」GPS×サーバーレスの開発と運用の舞台裏/jawsfesta2024-bus-gps-serverless
ma2shita
3
130
サイト信頼性エンジニアリングとAmazon Web Services / SRE and AWS
ymotongpoo
7
1.5k
Snowflake ML モデルを dbt データパイプラインに組み込む
estie
0
100
Windows の新しい管理者保護モード
murachiakira
0
200
IAMポリシーのAllow/Denyについて、改めて理解する
smt7174
2
210
Featured
See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Bootstrapping a Software Product
garrettdimon
PRO
306
110k
The Invisible Side of Design
smashingmag
299
50k
The Pragmatic Product Professional
lauravandoore
32
6.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Code Reviewing Like a Champion
maltzj
521
39k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Transcript
"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿ ΜΘΓԡ͑͞Α͏*".ͷධՁཧ
։ນҰ൪ ಥવͰ͕͢Ͱ͢
࣍ͷ͏ͪ ʮIAM ʹ͓͚ΔϙϦγʔʯ ͲΕͰ͠ΐ͏ʁ ʢෳճՄʣ
ݸҎ্ͷਖ਼ղͷબࢶ͕͋Γ·͢ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
ਖ਼ղ……
શ෦Ͱ͢ʂʂʂ
ΈΜͳ͍ҙຯͰͷʮ*".ͷϙϦγʔʯ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
*".ͷϙϦγʔͷΈ߹Θͤ ը૾ͯ͢AWSυΩϡϝϯτΑΓ
*".ϜζΧγΠ 🤔 🤔 🤔 എܠը૾ͯ͢AWSυΩϡϝϯτΑΓ
શ෦Λཧղ͢Δͷ͍͠ͷͰ ΜΘΓԡ͑͞·͠ΐ͏
࠷ऴతʹ͜Μͳײ͡Ͱԡ͑͞·͢
ΞδΣϯμ 1.IAM JSON ϙϦγʔ 2.ಉҰΞΧϯτͰͷධՁཧ 3.ΫϩεΞΧϯτͰͷධՁཧ 4.ΨʔυϨʔϧ 5.ҟʂVPCΤϯυϙΠϯτϙϦγʔ
ࣗݾհ ઍ༿ ɾAWS ࣄۀຊ෦ ɹίϯαϧςΟϯά෦ ɹϚωʔδϟʔ ɾ20201݄JOIN ɾ2021
APN AWS Top Engineer ɾ͖ͳΞΫγϣϯ: sts:AssumeRole
*".+40/ϙϦγʔ
*".ʹ͓͚ΔϙϦγʔλΠϓ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͝ͱͷॏཁʢࢲݟʣ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ΄ͱΜͲ+40/ JSON JSON JSON JSON JSON JSONͰͳ͍
ݟ͍ͯ͜͏ IAM JSON ϙϦγʔͷߏཁૉ
*".+40/ϙϦγʔߏཁૉ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆՄ ⭐…ࢦఆඞਢͷ߲
Θ͔Γ͍͢Πϝʔδ ʮAWSʹ͓͚ΔABACͷخ͠͞ɺਏ͞ΛޠΓ·ͨ͠ #AKIBAAWSʯΑΓ ɹhttps://dev.classmethod.jp/articles/akibaaws-06-iam-abac/
1SJODJQBMཁૉɿʮ୭͕ʯΛఆٛ *".άϧʔϓ ࢦఆͰ͖ͳ͍ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆ
"DUJPOཁૉɿʮԿΛʯΛఆٛ ec2 : StartInstances s3 : PutObject kms :
Decrypt ΞΫγϣϯϓϨϑΟοΫε αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID
ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯͯ͢(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ
۩ମྫɿ"84ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": "*", "Resource": "*" } ] } ͯ͢ͷϦιʔεͷ ͯ͢ͷΞΫγϣϯʹ ʢ݅ͳ͠Ͱʣ AllowΛ༩͑Δ
۩ମྫɿΧελϚʔཧϙϦγʔ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny",
"Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎ͷ ͯ͢ͷΞΫγϣϯΛ Deny͢Δ ର͕͜ͷΠϯελϯεͰ͋ͬͯɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯڋ൱͞ΕΔ
"MMPX͘͠%FOZ εςʔτϝϯτ͝ͱʹ Allow ͘͠ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ
҉తͳڋ൱ %FOZ"MMPX༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ݅ͰʣԿΛ͢Δ͔
ಉҰΞΧϯτͰͷධՁཧ
*".ʹ͓͚ΔϙϦγʔλΠϓʢ࠶ܝʣ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ࠓճͷൃදͰׂѪ͠·͢ ࠓճͷର֎
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষ͜ͷ̎ͭΛऔΓ্͛·͢ ຊষͷର
ΞΠσϯςΟςΟϕʔεϙϦγʔ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ҰͭͷIAM ΤϯςΟςΟʹຒΊ͜Έɻ ಠཱͨ͠ϦιʔεͰͳ͍ɻ ग़དྷ߹͍ͷϙϦγʔɻ ʮ৬ػೳͷAWSཧϙϦγʔʯͱ͍͏ࡉԽՄೳɻ AdministratorAccessɺReadOnly AccessͳͲɻ ΧελϚʔ͕ಠࣗʹ࡞͢ΔϙϦγʔɻ
όʔδϣϯཧɺෳΤϯςΟςΟͷΞλον͕Մೳɻ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ϦιʔεϕʔεϙϦγʔ … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ •
Lambdaؔ • SNSτϐοΫ …ଞଟ • ͯ͢ͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹຒΊ͜Έʣ
ΞΠσϯςΟςΟϕʔεͱϦιʔεϕʔε IAMϢʔβʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ S3όέοτ EC2Πϯελϯε IAMϢʔβʔ Ϧιʔεϕʔε ϙϦγʔඇରԠ
s3:PutObject ec2:StartInstances
͍Β͢ͱͰߟ͑Α͏ IAMϢʔβʔ AWSϦιʔε
σϑΥϧτͰ͜Ε 1.҉తͳڋ൱
྆ऀͷϙϦγʔͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Θͨ͜͠ͷϦΫΤετΛ ࣮ߦͰ͖Δ ͜ͷਓ͔ΒͷϦΫΤετ ڐՄͯ͋͛͠Δ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
σϑΥϧτͰͲͪΒͷఆٛͳ͍ IAMϢʔβʔ AWSϦιʔε ʜʜ ʜʜ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ͲͪΒͰڐՄ͕ͳ͍ͷͰ݁Ռతʹڋ൱ IAMϢʔβʔ AWSϦιʔε ͓ؼΓ͍ͩ͘͞˝ εΠʔ
୯ͳΔʮڐՄʯͱ 2.໌ࣔతͳڐՄ
ͲͪΒ͔ͰڐՄ͕༩͑ΒΕ͍ͯΔ IAMϢʔβʔ AWSϦιʔε Θͨ͠ ͜Ε͕Ͱ͖Δ ͜ͷਓʹ ͜ΕΛڐ͢ खͿΒ
ڐՄ͞ΕΔ IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ
ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ
ͪΐͬͱิ ΞΧϯτ୯ҐͷڐՄͱ ΤϯςΟςΟ୯ҐͷڐՄ
ΞΧϯτΛ֗ͱͯ͠ߟ͑ͯΈΔ ֗ʢΞΧϯτʣA ֗B ֗C rootϢʔβʔ IAMϢʔβʔ 1,2,3 AWSϦιʔε
ϦιʔεϕʔεϙϦγʔͰͷڐՄͷํ ֗ʢΞΧϯτʣA ֗B ֗C IAMϢʔβʔ
खͿΒͰ௨ΕΔͷΤϯςΟςΟ୯ҐͰڐՄ͞Εͨͷ ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ खͿΒ खͿΒ IAMϢʔβʔ1 IAMϢʔβʔ2 IAMϢʔβʔ3
Ұ൪ڧ͍ 3.໌ࣔతͳڋ൱
Ͳ͔͜Ͱ%FOZ͕༩͑ΒΕ͍ͯΕڋ൱ IAMϢʔβʔ AWSϦιʔε
໌ࣔతͳڋ൱ԿΑΓڧ͍ IAMϢʔβʔ AWSϦιʔε εΠʔ ௨͍͍ͯ͠ͱ ݴΘΕ͍͚ͯͨͲ ڋ൱͞Ε͍ͯΔΑ͏Ͱ͢Ͷ ௨͍͚ͯ͠ͳ͍ͱ ݴΘΕ͍ͯ·͢
εΠʔ
ΫϩεΞΧϯτͰͷධՁཧ
ΞΧϯτΛލ͍ͩΞΫηε IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
جຊతͳߟ͑ํมΘΒͳ͍ • ҉తͳڋ൱ɺ໌ࣔతͳڐՄɺ໌ࣔతͳڋ൱ͷߟ͑ํมΘΒͳ͍ • ΞΠσϯςΟςΟͱϦιʔεͷ྆ํͰAllow͕༩͑ΒΕ͍ͯͳ͍ͱ ҉తͳڋ൱ͱͳΔ • ϦιʔεଆͰͷڐՄɺΞΧϯτ୯ҐɾΤϯςΟςΟ୯ҐͷͲͪ ΒͰྑ͍
྆ํͰͷڐՄ͕ඞཁ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
ϦιʔεଆͰͷڐՄ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ ֗"͔ΒͷΞΫηεΛڐՄ ͲͪΒͰOK
ยํ͚ͩͷڐՄͩͱ҉తͳڋ൱ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ͋ͳͨট٬Ϧετʹ ࡌ͍ͬͯΔ͚Ͳ ڐՄূΛ࣋ͬͯͳ͍Ͱ͢Ͷ
Α͘͏ྫ ΫϩεΞΧϯτͰͷεΠονϩʔϧ
ผΞΧϯτͷૢ࡞ʹεΠονϩʔϧΛ͏͜ͱ͕ଟ͍ IAMϢʔβʔ IAMϩʔϧ
*".ϩʔϧΛҾ͖ड͚Δͱ IAMϢʔβʔ IAMϩʔϧ IAMϩʔϧΛ Ҿ͖ड͚ͨηογϣϯ ʢ੍࣌ؒݶ͋Γʣ IAMϩʔϧͱ ಉͷݖݶ IAMϙϦγʔ
sts:AssumeRole
*".ϩʔϧΛҾ͖ड͚ΔʹڐՄ͕ඞཁ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ʢ৴པϙϦγʔʣ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτ
ΞΫηε ಉ͡ΞΧϯτͰͷ ΞΫηε
ΨʔυϨʔϧ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষͷର ຊষͷର
ΨʔυϨʔϧʁ • ͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ͍ڐՄΛ༩͑ͯ͠·ͬͯΨʔυϨʔϧʹΑΓ͙ •
ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖ΔͷͰͳ͍ • ࠓճऔΓ্͛ΔͷҎԼ • Organizations SCPʢΞΧϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ͷ҉తͳڋ൱ʹ ͳΔ
0SHBOJ[BUJPOTͱ ϚωδϝϯτΞΧϯτ ΞΧϯτA ΞΧϯτB ΞΧϯτC SCP ෳͷAWSΞΧϯτΛ ֊Խͯ͠ཧͰ͖Δػೳɻ ݸʑͷAWSΞΧϯτʹ
SCPΛׂΓͯΒΕΔɻ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ IAMϢʔβʔ AWSϦιʔε rootϢʔβʔ Organizations SCP ΞΧϯτͷrootϢʔβʔΛؚΉશͯͷΤϯςΟςΟͷΞΫγϣϯSCPʹΑΔධՁΛड͚Δɻ ϩʔϧΛҾ͖ड͚ͨ ηογϣϯ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ SCPͰڐՄ͕༩͑ΒΕ͍ͯͳ͍ϦΫΤετଞͷύʔϛογϣϯʹؔͳ͘҉తͳڋ൱ͱͳΔ Organizations SCP ͜͜ͰڐՄ͞Ε͍ͯΔ ͜ͱ͕ͯ͢ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
1FSNJTTJPOTCPVOEBSZͱ ʮΞΫηεڐՄͷڥքʯͱɻ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͱηοτͰߟ͑Δɻ IAMϢʔβʔ͘͠IAMϩʔϧ ʹׂΓͯՄೳͰɺIAMάϧʔϓ ʹׂΓͯෆՄɻ
1FSNJTTJPOTCPVOEBSZͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ηοτͰ༻͢Δ
ΞΠσϯςΟςΟϕʔεϙϦγʔͷ ධՁͷλΠϛϯάͰΨʔυϨʔϧͱͯ͠ػೳ
ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ
Permissions boundaryͰAllow͕ͳ͍߹ɺ҉తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͰڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨট͞Ε͍ͯΔͷͰ
ڐՄূݟͤͯΒΘͳͯ͘ େৎͰ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋ΕڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
ΫϩεΞΧϯτͷ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτͷ߹ɺΞΠσϯςΟςΟϕʔεϙϦγʔධՁ͞ΕΔͨΊΨʔυϨʔϧ͕ൃಈ
ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ଞͷϙϦγʔͰ ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
͜͜·Ͱݟ͖ͯͨ༰ͷཧ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and- access-management-iam-part1 20190129 AWS Black Belt Online Seminar
AWS Identity and Access Management (AWS IAM) Part1 ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ΞΧϯτΛލ͍ͩ߹ͷҧ͍
ҟʂ 71$ΤϯυϙΠϯτϙϦγʔ
ྨ্ϦιʔεϕʔεϙϦγʔ͕ͩಛघ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
71$ΤϯυϙΠϯτϙϦγʔ VPC EC2ͳͲ VPCΤϯυϙΠϯτ VPCͷϦιʔε͕αʔϏεΤϯυϙΠϯτʹ௨৴Λߦ͏ͨΊʹ༻Ͱ͖ΔVPCΤϯυϙΠϯτɻ αʔϏεͷछผʹΑͬͯΤϯυϙΠϯτʹϙϦγʔΛઃఆͰ͖Δɻ
ΨʔυϨʔϧͱͯ͠ػೳ IAMϢʔβʔ AWSϦιʔε VPCΤϯυϙΠϯτ ͜͜Λܦ༝ͨ͠௨৴Ͱ ڐՄ͢Δͷ͜Ε͚ͩ ڐՄ͕ͳ͍ͷ ҉తͳڋ൱
71$ΤϯυϙΠϯτϙϦγʔͷ༻ྫ VPC VPCΤϯυϙΠϯτ VPC෦ͷϦιʔε͔Β֎෦ͷS3όέοτͷΞΫηε͕ෆՄͱͳΔΑ͏ VPCΤϯυϙΠϯτϙϦγʔΛ༻͢Δɻ
·ͱΊ
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε 1FSNJTTJPOT CPVOEBSZ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ
0SHBOJ[BUJPOT 4$1 71$ΤϯυϙΠϯτ ϙϦγʔ ϦιʔεϕʔεϙϦγʔ
·ͱΊ • IAMͷධՁཧͷ݁ՌҎԼͷ͍ͣΕ͔ͱͳΔ • ҉తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Εඞͣ͜ΕʹͳΔʣ
• ҉తͳڋ൱ͱͳΔྫҎԼ • ΞΠσϯςΟςΟͰϦιʔεͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧϯτͷ߹ʹํͰڐՄ͞Ε͍ͯͳ͍
None