やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic

"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿޾޺ ΍ΜΘΓԡ͑͞Α͏*".ͷධՁ࿦ཧ

։ນҰ൪ ಥવͰ͕͢໰୊Ͱ͢

࣍ͷ͏ͪ ʮIAM ʹ͓͚ΔϙϦγʔʯ͸ ͲΕͰ͠ΐ͏ʁ ʢෳ਺ճ౴Մʣ

ݸҎ্ͷਖ਼ղͷબ୒ࢶ͕͋Γ·͢ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔ؅ཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬຿ػೳͷAWS؅ཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ

ਖ਼ղ͸……

શ෦Ͱ͢ʂʂʂ

ΈΜͳ޿͍ҙຯͰͷʮ*".ͷϙϦγʔʯ ΠϯϥΠϯϙϦγʔ AdministratorAccess ReadOnlyAccess ηογϣϯϙϦγʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ S3όέοτϙϦγʔ KMSΩʔϙϦγʔ S3ΞΫηείϯτϩʔϧϦετ
ΞΫηεڐՄͷڥք Organizations SCP ΧελϚʔ؅ཧϙϦγʔ EC2FullAccess ϦιʔεϕʔεϙϦγʔ VPCΤϯυϙΠϯτϙϦγʔ LambdaΞΫηεϙϦγʔ ৬຿ػೳͷAWS؅ཧϙϦγʔ SNSτϐοΫϙϦγʔ ৴པϙϦγʔ

*".ͷϙϦγʔͷ૊Έ߹Θͤ ը૾͸͢΂ͯAWSυΩϡϝϯτΑΓ

*".ϜζΧγΠ 🤔 🤔 🤔 എܠը૾͸͢΂ͯAWSυΩϡϝϯτΑΓ

શ෦Λཧղ͢Δͷ͸೉͍͠ͷͰ ΍ΜΘΓԡ͑͞·͠ΐ͏

࠷ऴతʹ͜Μͳײ͡Ͱԡ͑͞·͢

ΞδΣϯμ 1.IAM JSON ϙϦγʔ 2.ಉҰΞΧ΢ϯτͰͷධՁ࿦ཧ 3.ΫϩεΞΧ΢ϯτͰͷධՁ࿦ཧ 4.ΨʔυϨʔϧ 5.ҟ୺ʂVPCΤϯυϙΠϯτϙϦγʔ

ࣗݾ঺հ ઍ༿ ޾޺ ɾAWS ࣄۀຊ෦ ɹίϯαϧςΟϯά෦ ɹϚωʔδϟʔ ɾ2020೥1݄JOIN ɾ2021
APN AWS Top Engineer ɾ޷͖ͳΞΫγϣϯ: sts:AssumeRole

*".+40/ϙϦγʔ

*".ʹ͓͚ΔϙϦγʔλΠϓ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͝ͱͷॏཁ౓ʢࢲݟʣ

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ϙϦγʔλΠϓ͸΄ͱΜͲ+40/ JSON JSON JSON JSON JSON JSONͰͳ͍

ݟ͍ͯ͜͏ IAM JSON ϙϦγʔͷߏ੒ཁૉ

*".+40/ϙϦγʔߏ੒ཁૉ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆՄ ⭐…ࢦఆඞਢͷ߲໨

Θ͔Γ΍͍͢Πϝʔδ ʮAWSʹ͓͚ΔABACͷخ͠͞ɺਏ͞ΛޠΓ·ͨ͠ #AKIBAAWSʯΑΓ ɹhttps://dev.classmethod.jp/articles/akibaaws-06-iam-abac/

1SJODJQBMཁૉɿʮ୭͕ʯΛఆٛ *".άϧʔϓ͸ ࢦఆͰ͖ͳ͍ ϦιʔεϕʔεϙϦγʔ ͰͷΈࢦఆ

"DUJPOཁૉɿʮԿΛʯΛఆٛ ec2 : StartInstances s3 : PutObject kms :
Decrypt ΞΫγϣϯϓϨϑΟοΫε͸ αʔϏε໊લۭؒ ϚωδϝϯτίϯιʔϧɺAWS CLIɺAWS SDKͳͲͷ ΦϖϨʔγϣϯͷछผʹґΒͣධՁ͞ΕΔɻ ΞΫγϣϯʹΑΓ ରԠ͢ΔϦιʔελΠϓ͕ҟͳΔɻ

3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID • arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID
ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ

3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ ϫΠϧυΧʔυͷ࢖༻Մ • arn:aws:ec2:${Region}:${Account}:instance/*

3FTPVDFཁૉɿʮԿʹʯΛఆٛ • arn:aws:s3:::όέοτ໊ • arn:aws:s3:::όέοτ໊/ΦϒδΣΫτ໊ • arn:aws:s3:::όέοτ໊/* • arn:aws:ec2:${Region}:${Account}:instance/ΠϯελϯεID
• arn:aws:ec2:${Region}:${Account}:volume/ϘϦϡʔϜID ARN Λࢦఆ͢ΔɻΞΫγϣϯʹΑΓରԠ͢ΔϦιʔελΠϓ͸ҟͳΔɻ ҟͳΔϦιʔελΠϓ • * ϫΠϧυΧʔυͷ࢖༻Մ • arn:aws:ec2:${Region}:${Account}:instance/* ΞΫγϣϯʹΑͬͯ͸͢΂ͯ(*)ͷࢦఆ͕ඞਢ ʢϦετܥͷΞΫγϣϯʹଟ͍ʣ

۩ମྫɿ"84؅ཧϙϦγʔʮ"ENJOJTUSBUPS"DDFTTʯ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": "*", "Resource": "*" } ] } ͢΂ͯͷϦιʔε΁ͷ ͢΂ͯͷΞΫγϣϯʹ ʢ৚݅ͳ͠Ͱʣ AllowΛ༩͑Δ

۩ମྫɿΧελϚʔ؅ཧϙϦγʔ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny",
"Action": "*", "NotResource": “arn:aws:ec2:ap-northeast-1: 012345678910:instance/i-xxxxx” } ] } ಛఆͷϦιʔεҎ֎΁ͷ ͢΂ͯͷΞΫγϣϯΛ Deny͢Δ ର৅͕͜ͷΠϯελϯεͰ͋ͬͯ΋ɺ EFTDSJCFܥͳͲɺϦιʔελΠϓJOTUBODFʹ ରԠ͍ͯ͠ͳ͍ΞΫγϣϯ͸ڋ൱͞ΕΔ

"MMPX΋͘͠͸%FOZ εςʔτϝϯτ͝ͱʹ Allow ΋͘͠͸ Deny ͕ఆٛ͞ΕΔɻ ϦΫΤετͷ಺༰ʹ͍ͭͯҎԼͷ͍ͣΕ͔ͷঢ়ଶͱͳΔɻ ঢ়ଶ ֓ཁ
҉໧తͳڋ൱ %FOZ΋"MMPX΋༩͑ΒΕ͍ͯͳ͍ɻ σϑΥϧτɻ ໌ࣔతͳڋ൱ %FOZ͕༩͑ΒΕ͍ͯΔঢ়ଶɻ ໌ࣔతͳڐՄΑΓ༏ઌ͞ΕΔɻ ໌ࣔతͳڐՄ "MMPX͕༩͑ΒΕ͍ͯΔঢ়ଶɻ %FOZͱॏෳ͢Δ৔߹ɺଧͪফ͞ΕΔɻ ୭͕Կʹରͯ͠ʢͲΜͳ৚݅ͰʣԿΛ͢Δ͔

ಉҰΞΧ΢ϯτͰͷධՁ࿦ཧ

*".ʹ͓͚ΔϙϦγʔλΠϓʢ࠶ܝʣ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ࠓճͷൃදͰ͸ׂѪ͠·͢ ࠓճͷର৅֎

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষ͸͜ͷ̎ͭΛऔΓ্͛·͢ ຊষͷର৅

ΞΠσϯςΟςΟϕʔεϙϦγʔ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ

ΞΠσϯςΟςΟϕʔεϙϦγʔ ҰͭͷIAM ΤϯςΟςΟʹ௚઀ຒΊ͜Έɻ ಠཱͨ͠ϦιʔεͰ͸ͳ͍ɻ ग़དྷ߹͍ͷϙϦγʔɻ ʮ৬຿ػೳͷAWS؅ཧϙϦγʔʯͱ͍͏ࡉ෼Խ΋Մೳɻ AdministratorAccessɺReadOnly AccessͳͲɻ ΧελϚʔ͕ಠࣗʹ࡞੒͢ΔϙϦγʔɻ
όʔδϣϯ؅ཧɺෳ਺ΤϯςΟςΟ΁ͷΞλον͕Մೳɻ *".Ϣʔβʔ *".άϧʔϓ *".ϩʔϧ Ξλον ͍ΘΏΔʮIAMϙϦγʔʯɻΞΠσϯςΟςΟʹΞλονɻ

ϦιʔεϕʔεϙϦγʔ … • ϦιʔεଆʹΞλον͢ΔϙϦγʔ • S3όέοτ • KMSΩʔ •
Lambdaؔ਺ • SNSτϐοΫ …ଞଟ਺ • ͢΂ͯͷϦιʔε͕ରԠ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍ • Principalཁૉͷఆ͕ٛՄೳ • ΠϯϥΠϯϙϦγʔʢϦιʔεʹ௚઀ຒΊ͜Έʣ

ΞΠσϯςΟςΟϕʔεͱϦιʔεϕʔε IAMϢʔβʔ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ S3όέοτ EC2Πϯελϯε IAMϢʔβʔ Ϧιʔεϕʔε ϙϦγʔඇରԠ
s3:PutObject ec2:StartInstances

͍Β͢ͱͰߟ͑Α͏ IAMϢʔβʔ AWSϦιʔε

σϑΥϧτͰ͜Ε 1.҉໧తͳڋ൱

྆ऀͷϙϦγʔͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Θͨ͠͸͜ͷϦΫΤετΛ ࣮ߦͰ͖Δ ͜ͷਓ͔ΒͷϦΫΤετ͸ ڐՄͯ͋͛͠Δ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

σϑΥϧτͰ͸ͲͪΒͷఆٛ΋ͳ͍ IAMϢʔβʔ AWSϦιʔε ʜʜ ʜʜ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

ͲͪΒͰ΋ڐՄ͕ͳ͍ͷͰ݁Ռతʹڋ൱ IAMϢʔβʔ AWSϦιʔε ͓ؼΓ͍ͩ͘͞˝ εΠʔ

୯ͳΔʮڐՄʯͱ΋ 2.໌ࣔతͳڐՄ

ͲͪΒ͔ͰڐՄ͕༩͑ΒΕ͍ͯΔ IAMϢʔβʔ AWSϦιʔε Θͨ͠͸ ͜Ε͕Ͱ͖Δ ͜ͷਓʹ͸ ͜ΕΛڐ͢ खͿΒ

ڐՄ͞ΕΔ IAMϢʔβʔ AWSϦιʔε εΠʔ ͋ͳͨ͸௨͍͍ͬͯͱ ݴΘΕ͍ͯ·͢ ͋ͳͨ͸௨ΔݖརΛ ͍࣋ͬͯΔΑ͏Ͱ͢Ͷ εΠʔ
ϦιʔεϕʔεϙϦγʔΛ ΞλονͰ͖ͳ͍Ϧιʔεͷ৔߹ɺ ΞΠσϯςΟςΟଆͰݖݶͷ֬อ͕ඞཁ

ͪΐͬͱิ଍ ΞΧ΢ϯτ୯ҐͷڐՄͱ ΤϯςΟςΟ୯ҐͷڐՄ

ΞΧ΢ϯτΛ֗ͱͯ͠ߟ͑ͯΈΔ ֗ʢΞΧ΢ϯτʣA ֗B ֗C rootϢʔβʔ IAMϢʔβʔ 1,2,3 AWSϦιʔε

ϦιʔεϕʔεϙϦγʔͰͷڐՄͷ࢓ํ ֗ʢΞΧ΢ϯτʣA ֗B ֗C IAMϢʔβʔ

खͿΒͰ௨ΕΔͷ͸ΤϯςΟςΟ୯ҐͰڐՄ͞Εͨ΋ͷ ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ खͿΒ खͿΒ IAMϢʔβʔ1 IAMϢʔβʔ2 IAMϢʔβʔ3

Ұ൪ڧ͍ 3.໌ࣔతͳڋ൱

Ͳ͔͜Ͱ%FOZ͕༩͑ΒΕ͍ͯΕ͹ڋ൱ IAMϢʔβʔ AWSϦιʔε

໌ࣔతͳڋ൱͸ԿΑΓ΋ڧ͍ IAMϢʔβʔ AWSϦιʔε εΠʔ ௨͍͍ͯ͠ͱ ݴΘΕ͍͚ͯͨͲ ڋ൱͞Ε͍ͯΔΑ͏Ͱ͢Ͷ ௨ͯ͠͸͍͚ͳ͍ͱ ݴΘΕ͍ͯ·͢
εΠʔ

ΫϩεΞΧ΢ϯτͰͷධՁ࿦ཧ

ΞΧ΢ϯτΛލ͍ͩΞΫηε IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB

جຊతͳߟ͑ํ͸มΘΒͳ͍ • ҉໧తͳڋ൱ɺ໌ࣔతͳڐՄɺ໌ࣔతͳڋ൱ͷߟ͑ํ͸มΘΒͳ͍ • ΞΠσϯςΟςΟͱϦιʔεͷ྆ํͰAllow͕༩͑ΒΕ͍ͯͳ͍ͱ ҉໧తͳڋ൱ͱͳΔ • ϦιʔεଆͰͷڐՄ͸ɺΞΧ΢ϯτ୯ҐɾΤϯςΟςΟ୯ҐͷͲͪ ΒͰ΋ྑ͍

྆ํͰͷڐՄ͕ඞཁ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB

ϦιʔεଆͰͷڐՄ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB ֗"ͷ*".Ϣʔβʔ͔ΒͷΞΫηεΛڐՄ ֗"͔ΒͷΞΫηεΛڐՄ ͲͪΒͰ΋OK

ยํ͚ͩͷڐՄͩͱ҉໧తͳڋ൱ IAMϢʔβʔ AWSϦιʔε ֗ʢΞΧ΢ϯτʣA ֗ʢΞΧ΢ϯτʣB ͋ͳͨ͸ট଴٬Ϧετʹ ࡌ͍ͬͯΔ͚Ͳ ڐՄূΛ࣋ͬͯͳ͍Ͱ͢Ͷ

Α͘࢖͏ྫ ΫϩεΞΧ΢ϯτͰͷεΠονϩʔϧ

ผΞΧ΢ϯτͷૢ࡞ʹεΠονϩʔϧΛ࢖͏͜ͱ͕ଟ͍ IAMϢʔβʔ IAMϩʔϧ

*".ϩʔϧΛҾ͖ड͚Δͱ͸ IAMϢʔβʔ IAMϩʔϧ IAMϩʔϧΛ Ҿ͖ड͚ͨηογϣϯ ʢ੍࣌ؒݶ͋Γʣ IAMϩʔϧͱ ಉ౳ͷݖݶ IAMϙϦγʔ
sts:AssumeRole

*".ϩʔϧΛҾ͖ड͚Δʹ͸ڐՄ͕ඞཁ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ʢ৴པϙϦγʔʣ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧ΢ϯτ
ΞΫηε ಉ͡ΞΧ΢ϯτͰͷ ΞΫηε

ΨʔυϨʔϧ

ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ຊষͷର৅ ຊষͷର৅

ΨʔυϨʔϧʁ • ΍͍͍ͬͯ͜ͱͷ্ݶΛઃ͚ΔΑ͏ʹػೳ͢Δ΋ͷ • ΞΠσϯςΟςΟϕʔεϙϦγʔͱϦιʔεϕʔεϙϦγʔͷ֎ଆ Ͱఆٛ͢Δ • ͏͔ͬΓ޿͍ڐՄΛ༩͑ͯ͠·ͬͯ΋ΨʔυϨʔϧʹΑΓ๷͙ •
ΨʔυϨʔϧࣗମͰԿ͔ΛڐՄͰ͖Δ΋ͷͰ͸ͳ͍ • ࠓճऔΓ্͛Δͷ͸ҎԼ • Organizations SCPʢΞΧ΢ϯτશମʹద༻ʣ • Permissions boundaryʢݸผͷΤϯςΟςΟʹద༻ʣ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍΋ͷ͸҉໧తͳڋ൱ʹ ͳΔ

0SHBOJ[BUJPOTͱ͸ ϚωδϝϯτΞΧ΢ϯτ ΞΧ΢ϯτA ΞΧ΢ϯτB ΞΧ΢ϯτC SCP ෳ਺ͷAWSΞΧ΢ϯτΛ ֊૚Խͯ͠؅ཧͰ͖Δػೳɻ ݸʑͷAWSΞΧ΢ϯτʹ
SCPΛׂΓ౰ͯΒΕΔɻ

0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ IAMϢʔβʔ AWSϦιʔε rootϢʔβʔ Organizations SCP ΞΧ΢ϯτ಺ͷrootϢʔβʔΛؚΉશͯͷΤϯςΟςΟͷΞΫγϣϯ͸SCPʹΑΔධՁΛड͚Δɻ ϩʔϧΛҾ͖ड͚ͨ ηογϣϯ

0SHBOJ[BUJPOT4$1͕ద༻͞ΕΔͱ SCPͰڐՄ͕༩͑ΒΕ͍ͯͳ͍ϦΫΤετ͸ଞͷύʔϛογϣϯʹؔ܎ͳ͘҉໧తͳڋ൱ͱͳΔ Organizations SCP ͜͜ͰڐՄ͞Ε͍ͯΔ ͜ͱ͕͢΂ͯ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱

1FSNJTTJPOTCPVOEBSZͱ͸ ʮΞΫηεڐՄͷڥքʯͱ΋ɻ ΞΠσϯςΟςΟϕʔεϙϦγʔ ͱηοτͰߟ͑Δɻ IAMϢʔβʔ΋͘͠͸IAMϩʔϧ ʹׂΓ౰ͯՄೳͰɺIAMάϧʔϓ ʹ͸ׂΓ౰ͯෆՄɻ

1FSNJTTJPOTCPVOEBSZͷΠϝʔδ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ηοτͰ࢖༻͢Δ
ΞΠσϯςΟςΟϕʔεϙϦγʔͷ ධՁͷλΠϛϯάͰΨʔυϨʔϧͱͯ͠ػೳ

ϦιʔεϕʔεϙϦγʔͰͷ"MMPX͕ͳ͍৔߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ
Permissions boundaryͰAllow͕ͳ͍৔߹ɺ҉໧తͳڋ൱ͱͳΔ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱ ΞΠσϯςΟςΟϕʔεϙϦγʔ Ͱ͸ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ

ϦιʔεϕʔεϙϦγʔͰ"MMPX͕͋Δ৔߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ͋ͳͨ͸ট଴͞Ε͍ͯΔͷͰ
ڐՄূ͸ݟͤͯ΋ΒΘͳͯ͘΋ େৎ෉Ͱ͢ɻ ϦιʔεϕʔεϙϦγʔͰͷධՁ͕ઌʹߦΘΕΔͨΊͦ͜ͰAllow͕͋Ε͹ڐՄ͞ΕΔ ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ ΋ͪΖΜ%FOZ͕͋Ε͹ ໌ࣔతͳڋ൱

ΫϩεΞΧ΢ϯτͷ৔߹ IAMϢʔβʔ AWSϦιʔε Permissions boundary ΞΠσϯςΟςΟ ϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ ΫϩεΞΧ΢ϯτͷ৔߹ɺΞΠσϯςΟςΟϕʔεϙϦγʔ΋ධՁ͞ΕΔͨΊΨʔυϨʔϧ͕ൃಈ
ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ 1FSNJTTJPOTCPVOEBSZͰ ڐՄ͞Ε͍ͯͳ͍Α͏Ͱ͢ɻ ଞͷϙϦγʔͰ͸ ڐՄ͕͋ΔΑ͏Ͱ͕͢ɺ

͜͜·Ͱݟ͖ͯͨ಺༰ͷ੔ཧ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and- access-management-iam-part1 20190129 AWS Black Belt Online Seminar
AWS Identity and Access Management (AWS IAM) Part1 ʮ͜ͷϢʔβʔ͕ ΍͍͍ͬͯͷ͸͜͜·Ͱʯ ΞΧ΢ϯτΛލ͍ͩ৔߹ͷҧ͍

ҟ୺ʂ 71$ΤϯυϙΠϯτϙϦγʔ

෼ྨ্͸ϦιʔεϕʔεϙϦγʔ͕ͩಛघ ΞΠσϯςΟςΟϕʔεϙϦγʔ ϦιʔεϕʔεϙϦγʔ

71$ΤϯυϙΠϯτϙϦγʔ VPC EC2ͳͲ VPCΤϯυϙΠϯτ VPC಺ͷϦιʔε͕αʔϏεΤϯυϙΠϯτʹ௨৴Λߦ͏ͨΊʹ࢖༻Ͱ͖ΔVPCΤϯυϙΠϯτɻ αʔϏεͷछผʹΑͬͯ͸ΤϯυϙΠϯτʹϙϦγʔΛઃఆͰ͖Δɻ

ΨʔυϨʔϧͱͯ͠ػೳ IAMϢʔβʔ AWSϦιʔε VPCΤϯυϙΠϯτ ͜͜Λܦ༝ͨ͠௨৴Ͱ ڐՄ͢Δͷ͸͜Ε͚ͩ ڐՄ͕ͳ͍΋ͷ͸ ҉໧తͳڋ൱

71$ΤϯυϙΠϯτϙϦγʔͷ࢖༻ྫ VPC VPCΤϯυϙΠϯτ VPC಺෦ͷϦιʔε͔Β֎෦ͷS3όέοτ΁ͷΞΫηε͕ෆՄͱͳΔΑ͏ VPCΤϯυϙΠϯτϙϦγʔΛ࢖༻͢Δɻ

·ͱΊ

঺հͨ͠΋ͷͷશ෦੝Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧ΢ϯτΞΫηε

঺հͨ͠΋ͷͷશ෦੝Γ VPCΤϯυϙΠϯτ VPC ΫϩεΞΧ΢ϯτΞΫηε 1FSNJTTJPOT CPVOEBSZ ΞΠσϯςΟςΟ ϕʔεϙϦγʔ
0SHBOJ[BUJPOT 4$1 71$ΤϯυϙΠϯτ ϙϦγʔ ϦιʔεϕʔεϙϦγʔ

·ͱΊ • IAMͷධՁ࿦ཧͷ݁Ռ͸ҎԼͷ͍ͣΕ͔ͱͳΔ • ҉໧తͳڋ൱ʢσϑΥϧτʣ • ໌ࣔతͳڐՄʢΨʔυϨʔϧͰ͸༩͑ΒΕͳ͍ʣ • ໌ࣔతͳڋ൱ʢͲ͔͜ͰDeny͕͋Ε͹ඞͣ͜ΕʹͳΔʣ
• ҉໧తͳڋ൱ͱͳΔྫ͸ҎԼ • ΞΠσϯςΟςΟͰ΋ϦιʔεͰ΋Allow͕༩͑ΒΕ͍ͯͳ͍ • ΨʔυϨʔϧͰAllow͕༩͑ΒΕ͍ͯͳ͍ • ΫϩεΞΧ΢ϯτͷ৔߹ʹ૒ํͰڐՄ͞Ε͍ͯͳ͍

やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Eva...

やんわり押さえよう IAM の評価論理 / 2021 DevIo Decade IAM Evaluation Logic

More Decks by YukihiroChiba

Other Decks in Technology

Featured

Transcript