Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Eva...
Search
YukihiroChiba
October 06, 2021
Technology
0
12k
やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic
YukihiroChiba
October 06, 2021
Tweet
Share
More Decks by YukihiroChiba
See All by YukihiroChiba
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
830
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
320
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
720
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
2.2k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
3.2k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
640
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
3.9k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.7k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
5.1k
Other Decks in Technology
See All in Technology
Mini Tokyo 3D × PLATEAU - 公共交通デジタルツインにリアルな風景を
nagix
1
230
「視座」の上げ方が成人発達理論にわかりやすくまとまってた / think_ perspective_hidden_dimensions
shuzon
2
16k
Valuable Lessons Learned on Kaggle’s ARC AGI LLM challenge
ianozsvald
0
100
3次元点群データ「VIRTUAL SHIZUOKA』のオープンデータ化による恩恵と協働の未来/FOSS4G Japan 2024
kazz24s
0
130
いざ、BSC討伐の旅
nikinusu
1
580
RAGのためのビジネス文書解析技術
eida
3
660
マルチモーダルデータ基盤の課題と観点
neonankiti
1
110
Redmine 6.0 新機能評価ガイド
vividtone
0
260
株式会社島津製作所_研究開発(集団協業と知的生産)の現場を支える、OSS知識基盤システムの導入
akahane92
1
180
利きプロセススケジューラ
sat
PRO
4
2.6k
形式手法の 10 メートル手前 #kernelvm / Kernel VM Study Hokuriku Part 7
ytaka23
5
750
QAEチームが辿った3年 ボクらが改善業務にスクラムを選んだワケ / 20241108_cloudsign_ques23
bengo4com
0
590
Featured
See All Featured
Music & Morning Musume
bryan
46
6.2k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Rails Girls Zürich Keynote
gr2m
93
13k
Unsuck your backbone
ammeep
668
57k
For a Future-Friendly Web
brad_frost
175
9.4k
The Invisible Side of Design
smashingmag
297
50k
Writing Fast Ruby
sferik
627
61k
Why Our Code Smells
bkeepers
PRO
334
57k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
560
It's Worth the Effort
3n
183
27k
Practical Orchestrator
shlominoach
186
10k
Transcript
"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿ ΜΘΓԡ͑͞Α͏*".ͷධՁཧ
։ນҰ൪ ಥવͰ͕͢Ͱ͢
࣍ͷ͏ͪ ʮIAM ʹ͓͚ΔϙϦγʔʯ ͲΕͰ͠ΐ͏ʁ ʢෳճՄʣ
ݸҎ্ͷਖ਼ղͷબࢶ͕͋Γ·͢ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
ਖ਼ղ……
શ෦Ͱ͢ʂʂʂ
ΈΜͳ͍ҙຯͰͷʮ*".ͷϙϦγʔʯ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬ػೳͷAWSཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ
*".ͷϙϦγʔͷΈ߹Θͤ ը૾ͯ͢AWSυΩϡϝϯτΑΓ
*".ϜζΧγΠ 🤔 🤔 🤔 എܠը૾ͯ͢AWSυΩϡϝϯτΑΓ
શ෦Λཧղ͢Δͷ͍͠ͷͰ ΜΘΓԡ͑͞·͠ΐ͏
࠷ऴతʹ͜Μͳײ͡Ͱԡ͑͞·͢
ΞδΣϯμ 1.IAM JSON ϙϦγʔ 2.ಉҰΞΧϯτͰͷධՁཧ 3.ΫϩεΞΧϯτͰͷධՁཧ 4.ΨʔυϨʔϧ 5.ҟʂVPCΤϯυϙΠϯτϙϦγʔ
ࣗݾհ ઍ༿ ɾAWS ࣄۀຊ෦ ɹίϯαϧςΟϯά෦ ɹϚωʔδϟʔ ɾ20201݄JOIN ɾ2021
APN AWS Top Engineer ɾ͖ͳΞΫγϣϯ: sts:AssumeRole
*".+40/ϙϦγʔ
*".ʹ͓͚ΔϙϦγʔλΠϓ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͝ͱͷॏཁʢࢲݟʣ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ΄ͱΜͲ+40/ JSON JSON JSON JSON JSON JSONͰͳ͍
ݟ͍ͯ͜͏ IAM JSON ϙϦγʔͷߏཁૉ
*".+40/ϙϦγʔߏཁૉ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆՄ ⭐…ࢦఆඞਢͷ߲
Θ͔Γ͍͢Πϝʔδ ʮAWSʹ͓͚ΔABACͷخ͠͞ɺਏ͞ΛޠΓ·ͨ͠ #AKIBAAWSʯΑΓ ɹhttps://dev.classmethod.jp/articles/akibaaws-06-iam-abac/
1SJODJQBMཁૉɿʮ୭͕ʯΛఆٛ *".άϧʔϓ ࢦఆͰ͖ͳ͍ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆ
"DUJPOཁૉɿʮԿΛʯΛఆٛ ec2 : StartInstances s3 : PutObject kms :
Decrypt ΞΫγϣϯϓϨϑΟοΫε αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID
ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*
3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯͯ͢(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ
۩ମྫɿ"84ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": "*", "Resource": "*" } ] } ͯ͢ͷϦιʔεͷ ͯ͢ͷΞΫγϣϯʹ ʢ݅ͳ͠Ͱʣ AllowΛ༩͑Δ
۩ମྫɿΧελϚʔཧϙϦγʔ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny",
"Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎ͷ ͯ͢ͷΞΫγϣϯΛ Deny͢Δ ର͕͜ͷΠϯελϯεͰ͋ͬͯɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯڋ൱͞ΕΔ
"MMPX͘͠%FOZ εςʔτϝϯτ͝ͱʹ Allow ͘͠ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ
҉తͳڋ൱ %FOZ"MMPX༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ݅ͰʣԿΛ͢Δ͔
ಉҰΞΧϯτͰͷධՁཧ
*".ʹ͓͚ΔϙϦγʔλΠϓʢ࠶ܝʣ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ࠓճͷൃදͰׂѪ͠·͢ ࠓճͷର֎
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষ͜ͷ̎ͭΛऔΓ্͛·͢ ຊষͷର
ΞΠσϯςΟςΟϕʔεϙϦγʔ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ҰͭͷIAM ΤϯςΟςΟʹຒΊ͜Έɻ ಠཱͨ͠ϦιʔεͰͳ͍ɻ ग़དྷ߹͍ͷϙϦγʔɻ ʮ৬ػೳͷAWSཧϙϦγʔʯͱ͍͏ࡉԽՄೳɻ AdministratorAccessɺReadOnly AccessͳͲɻ ΧελϚʔ͕ಠࣗʹ࡞͢ΔϙϦγʔɻ
όʔδϣϯཧɺෳΤϯςΟςΟͷΞλον͕Մೳɻ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ
ϦιʔεϕʔεϙϦγʔ … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ •
Lambdaؔ • SNSτϐοΫ …ଞଟ • ͯ͢ͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹຒΊ͜Έʣ
ΞΠσϯςΟςΟϕʔεͱϦιʔεϕʔε IAMϢʔβʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ S3όέοτ EC2Πϯελϯε IAMϢʔβʔ Ϧιʔεϕʔε ϙϦγʔඇରԠ
s3:PutObject ec2:StartInstances
͍Β͢ͱͰߟ͑Α͏ IAMϢʔβʔ AWSϦιʔε
σϑΥϧτͰ͜Ε 1.҉తͳڋ൱
྆ऀͷϙϦγʔͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Θͨ͜͠ͷϦΫΤετΛ ࣮ߦͰ͖Δ ͜ͷਓ͔ΒͷϦΫΤετ ڐՄͯ͋͛͠Δ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
σϑΥϧτͰͲͪΒͷఆٛͳ͍ IAMϢʔβʔ AWSϦιʔε ʜʜ ʜʜ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
ͲͪΒͰڐՄ͕ͳ͍ͷͰ݁Ռతʹڋ൱ IAMϢʔβʔ AWSϦιʔε ͓ؼΓ͍ͩ͘͞˝ εΠʔ
୯ͳΔʮڐՄʯͱ 2.໌ࣔతͳڐՄ
ͲͪΒ͔ͰڐՄ͕༩͑ΒΕ͍ͯΔ IAMϢʔβʔ AWSϦιʔε Θͨ͠ ͜Ε͕Ͱ͖Δ ͜ͷਓʹ ͜ΕΛڐ͢ खͿΒ
ڐՄ͞ΕΔ IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ
ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ
ͪΐͬͱิ ΞΧϯτ୯ҐͷڐՄͱ ΤϯςΟςΟ୯ҐͷڐՄ
ΞΧϯτΛ֗ͱͯ͠ߟ͑ͯΈΔ ֗ʢΞΧϯτʣA ֗B ֗C rootϢʔβʔ IAMϢʔβʔ 1,2,3 AWSϦιʔε
ϦιʔεϕʔεϙϦγʔͰͷڐՄͷํ ֗ʢΞΧϯτʣA ֗B ֗C IAMϢʔβʔ
खͿΒͰ௨ΕΔͷΤϯςΟςΟ୯ҐͰڐՄ͞Εͨͷ ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ खͿΒ खͿΒ IAMϢʔβʔ1 IAMϢʔβʔ2 IAMϢʔβʔ3
Ұ൪ڧ͍ 3.໌ࣔతͳڋ൱
Ͳ͔͜Ͱ%FOZ͕༩͑ΒΕ͍ͯΕڋ൱ IAMϢʔβʔ AWSϦιʔε
໌ࣔతͳڋ൱ԿΑΓڧ͍ IAMϢʔβʔ AWSϦιʔε εΠʔ ௨͍͍ͯ͠ͱ ݴΘΕ͍͚ͯͨͲ ڋ൱͞Ε͍ͯΔΑ͏Ͱ͢Ͷ ௨͍͚ͯ͠ͳ͍ͱ ݴΘΕ͍ͯ·͢
εΠʔ
ΫϩεΞΧϯτͰͷධՁཧ
ΞΧϯτΛލ͍ͩΞΫηε IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
جຊతͳߟ͑ํมΘΒͳ͍ • ҉తͳڋ൱ɺ໌ࣔతͳڐՄɺ໌ࣔతͳڋ൱ͷߟ͑ํมΘΒͳ͍ • ΞΠσϯςΟςΟͱϦιʔεͷ྆ํͰAllow͕༩͑ΒΕ͍ͯͳ͍ͱ ҉తͳڋ൱ͱͳΔ • ϦιʔεଆͰͷڐՄɺΞΧϯτ୯ҐɾΤϯςΟςΟ୯ҐͷͲͪ ΒͰྑ͍
྆ํͰͷڐՄ͕ඞཁ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB
ϦιʔεଆͰͷڐՄ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ ֗"͔ΒͷΞΫηεΛڐՄ ͲͪΒͰOK
ยํ͚ͩͷڐՄͩͱ҉తͳڋ൱ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧϯτʣA ֗ʢΞΧϯτʣB ͋ͳͨট٬Ϧετʹ ࡌ͍ͬͯΔ͚Ͳ ڐՄূΛ࣋ͬͯͳ͍Ͱ͢Ͷ
Α͘͏ྫ ΫϩεΞΧϯτͰͷεΠονϩʔϧ
ผΞΧϯτͷૢ࡞ʹεΠονϩʔϧΛ͏͜ͱ͕ଟ͍ IAMϢʔβʔ IAMϩʔϧ
*".ϩʔϧΛҾ͖ड͚Δͱ IAMϢʔβʔ IAMϩʔϧ IAMϩʔϧΛ Ҿ͖ड͚ͨηογϣϯ ʢ੍࣌ؒݶ͋Γʣ IAMϩʔϧͱ ಉͷݖݶ IAMϙϦγʔ
sts:AssumeRole
*".ϩʔϧΛҾ͖ड͚ΔʹڐՄ͕ඞཁ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ʢ৴པϙϦγʔʣ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτ
ΞΫηε ಉ͡ΞΧϯτͰͷ ΞΫηε
ΨʔυϨʔϧ
ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষͷର ຊষͷର
ΨʔυϨʔϧʁ • ͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ͍ڐՄΛ༩͑ͯ͠·ͬͯΨʔυϨʔϧʹΑΓ͙ •
ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖ΔͷͰͳ͍ • ࠓճऔΓ্͛ΔͷҎԼ • Organizations SCPʢΞΧϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ͷ҉తͳڋ൱ʹ ͳΔ
0SHBOJ[BUJPOTͱ ϚωδϝϯτΞΧϯτ ΞΧϯτA ΞΧϯτB ΞΧϯτC SCP ෳͷAWSΞΧϯτΛ ֊Խͯ͠ཧͰ͖Δػೳɻ ݸʑͷAWSΞΧϯτʹ
SCPΛׂΓͯΒΕΔɻ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ IAMϢʔβʔ AWSϦιʔε rootϢʔβʔ Organizations SCP ΞΧϯτͷrootϢʔβʔΛؚΉશͯͷΤϯςΟςΟͷΞΫγϣϯSCPʹΑΔධՁΛड͚Δɻ ϩʔϧΛҾ͖ड͚ͨ ηογϣϯ
0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ SCPͰڐՄ͕༩͑ΒΕ͍ͯͳ͍ϦΫΤετଞͷύʔϛογϣϯʹؔͳ͘҉తͳڋ൱ͱͳΔ Organizations SCP ͜͜ͰڐՄ͞Ε͍ͯΔ ͜ͱ͕ͯ͢ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
1FSNJTTJPOTCPVOEBSZͱ ʮΞΫηεڐՄͷڥքʯͱɻ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͱηοτͰߟ͑Δɻ IAMϢʔβʔ͘͠IAMϩʔϧ ʹׂΓͯՄೳͰɺIAMάϧʔϓ ʹׂΓͯෆՄɻ
1FSNJTTJPOTCPVOEBSZͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ηοτͰ༻͢Δ
ΞΠσϯςΟςΟϕʔεϙϦγʔͷ ධՁͷλΠϛϯάͰΨʔυϨʔϧͱͯ͠ػೳ
ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ
Permissions boundaryͰAllow͕ͳ͍߹ɺ҉తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͰڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨট͞Ε͍ͯΔͷͰ
ڐՄূݟͤͯΒΘͳͯ͘ େৎͰ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋ΕڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ͪΖΜ%FOZ͕͋Ε ໌ࣔతͳڋ൱
ΫϩεΞΧϯτͷ߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧϯτͷ߹ɺΞΠσϯςΟςΟϕʔεϙϦγʔධՁ͞ΕΔͨΊΨʔυϨʔϧ͕ൃಈ
ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ଞͷϙϦγʔͰ ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ
͜͜·Ͱݟ͖ͯͨ༰ͷཧ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and- access-management-iam-part1 20190129 AWS Black Belt Online Seminar
AWS Identity and Access Management (AWS IAM) Part1 ʮ͜ͷϢʔβʔ͕ ͍͍ͬͯͷ͜͜·Ͱʯ ΞΧϯτΛލ͍ͩ߹ͷҧ͍
ҟʂ 71$ΤϯυϙΠϯτϙϦγʔ
ྨ্ϦιʔεϕʔεϙϦγʔ͕ͩಛघ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ
71$ΤϯυϙΠϯτϙϦγʔ VPC EC2ͳͲ VPCΤϯυϙΠϯτ VPCͷϦιʔε͕αʔϏεΤϯυϙΠϯτʹ௨৴Λߦ͏ͨΊʹ༻Ͱ͖ΔVPCΤϯυϙΠϯτɻ αʔϏεͷछผʹΑͬͯΤϯυϙΠϯτʹϙϦγʔΛઃఆͰ͖Δɻ
ΨʔυϨʔϧͱͯ͠ػೳ IAMϢʔβʔ AWSϦιʔε VPCΤϯυϙΠϯτ ͜͜Λܦ༝ͨ͠௨৴Ͱ ڐՄ͢Δͷ͜Ε͚ͩ ڐՄ͕ͳ͍ͷ ҉తͳڋ൱
71$ΤϯυϙΠϯτϙϦγʔͷ༻ྫ VPC VPCΤϯυϙΠϯτ VPC෦ͷϦιʔε͔Β֎෦ͷS3όέοτͷΞΫηε͕ෆՄͱͳΔΑ͏ VPCΤϯυϙΠϯτϙϦγʔΛ༻͢Δɻ
·ͱΊ
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε
հͨ͠ͷͷશ෦Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧϯτΞΫηε 1FSNJTTJPOT CPVOEBSZ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ
0SHBOJ[BUJPOT 4$1 71$ΤϯυϙΠϯτ ϙϦγʔ ϦιʔεϕʔεϙϦγʔ
·ͱΊ • IAMͷධՁཧͷ݁ՌҎԼͷ͍ͣΕ͔ͱͳΔ • ҉తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Εඞͣ͜ΕʹͳΔʣ
• ҉తͳڋ൱ͱͳΔྫҎԼ • ΞΠσϯςΟςΟͰϦιʔεͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧϯτͷ߹ʹํͰڐՄ͞Ε͍ͯͳ͍
None