AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023

"84*".ͷ஌͓ͬͯ͘΂͖࿩ͱ
஌Βͳͯ͘΋͍͍࿩

"84ࣄۀຊ෦νόϢΩ

View Slide

ࣗݾ঺հ
ઍ༿ ޾޺

(νόϢΩ)
•2020೥ೖࣾ

•޷͖ͳAWSαʔϏεɿIAM

•޷͖ͳΞΫγϣϯɿsts:AssumeRole
IUUQTEFWDMBTTNFUIPEKQBVUIPSDIJCBZVLJIJSP

View Slide

ࠓ೔ͷҙؾࠐΈ
w ͜ͷ࣌ؒ͸ʮνϣʔΫτʔΫʯͰ͢
w Θ͕ͨ͠Ұํతʹ஻ΔͷͰ͸ͳ͘ɺͥͻ૒ํ޲Ͱ΍ΓऔΓ͠·͠ΐ͏
w །Ұͷਖ਼ղ͕͋Δ΋ͷͰ͸͋Γ·ͤΜ
w ʮΈΜͳ͸Ͳ͏ͯ͠ΔΜͩΖ͏ʯΛڞ༗ͨ͠Γ
w ʮͲ͏͢Δͷ͕ΑΓྑ͍ͩΖ͏ʯΛҰॹʹߟ͑ͨΓ͠·͠ΐ͏

View Slide

ࠓ೔ͷ͓໿ଋ
w Έͳ͞Μʹݺͼ͔͚͍ͨ͜ͱ͕͋Δ৔߹ɺεϥ
Πυͷӈ্ʹ͜Μͳͷ͕ग़͖ͯ·͢
૒ํ޲λΠϜ
w ڍखɺεέονϒοΫ΁ͷॻ͖ࠐΈɺϚΠΫͰͷ
ൃݴͳͲɺ૒ํ޲Ͱ΍ΓऔΓ͍ͨ͠ͷͰ͝ڠྗ
͓ئ͍͠·͢

View Slide

ͬͦ͘͞΍ͬͯΈΑ͏
૒ํ޲λΠϜ
Έͳ͞Μͷ*".ϨϕϧΛڭ͍͑ͯͩ͘͞ɻ
*".Λ৮ͬͨ͜ͱ͕ͳ͍
*".ϢʔβʔɺάϧʔϓɺϩʔϧɺϙϦγʔΛ஌͍ͬͯΔ
*".ϦιʔεΛઃܭ͋Δ͍͸ߏஙͨ͜͠ͱ͕͋Δ
4$1΋͘͠͸1FSNJTTJPOTCPVOEBSZΛ࢖ͬͨ͜ͱ͕͋Δ
ηογϣϯϙϦγʔΛ࢖ͬͨ͜ͱ͕͋Δ
εέονϒοΫʹ਺ࣈΛॻ͍͍ͯͩ͘͞

View Slide

͞Βʹ΍ͬͯΈΑ͏
૒ํ޲λΠϜ
ྡͷ੮ͷਓͱ؆୯ͳࣗݾ঺հͱ
ʮࠓ೔ԿΛֶͼ͍͔ͨʯΛ࿩͠·͠ΐ͏
ʢͻͱΓ෼ͣͭʣ

View Slide

ࠓ೔ͷςʔϚ

View Slide

ࠓ೔ͷςʔϚ
*".ઃܭͷ࿩ʢߏ੒ɺݖݶͷ࣋ͨͤํʣ
*".ϕετϓϥΫςΟεͷ࿩
ධՁ࿦ཧͷ࿩
σʔλϓϨʔϯͱίϯτϩʔϧϓϨʔϯͷ࿩

View Slide

ࠓ೔ͷςʔϚ
ධՁ࿦ཧͷ࿩
্͔Βॱʹʮ஌͓ͬͯ͘΂͖ʯ౓͕ߴ͍
Լ͔Βॱʹʮ͠Ό΂Γ͍ͨʯ౓͕ߴ͍
஌͓ͬͯ͘΂͖
͠Ό΂Γ͍ͨ

View Slide

ࠓ೔ͷςʔϚ
ධՁ࿦ཧͷ࿩
૒ํ޲λΠϜ
Έͳ͞Μ͕ڵຯ͋Δ΋ͷΛ
ڍखͰڭ͍͑ͯͩ͘͞
஌Γ͍ͨ಺༰ΛεέονϒοΫʹ
ॻ͍͍ͯͩ͘͞

View Slide

*".ઃܭͷ࿩
ʢߏ੒ɺݖݶͷ࣋ͨͤํʣ

View Slide

ߏ੒ͱݖݶͷ࣋ͨͤํ
✦ ʮߏ੒ʯͷྫ
w *".ϢʔβʔͷΈʁεΠονϩʔϧʁ
w *".ϩʔϧΛ࢖͍ͬͯΔ৔߹ɺϢʔβʔͱʁ
w "84*".*EFOUJUZ$FOUFSʁ*".4".-ϑΣσϨʔγϣϯʁ
w ϚϧνΞΧ΢ϯτʁͦͷ৔߹Ͳͷ͘Β͍ͷن໛ʁ
✦ ʮݖݶͷ࣋ͨͤํʯͷྫ
w Ͳͷ͘Β͍໾ׂΛ෼͚ͯΔʁ
w ࠷খݖݶΛͲͷ͘Β͍௥ٻͯ͠Δʁ
w Ͳͷ͘Β͍ϙϦγʔΧελϚΠζͯ͠Δʁ
w ΨʔυϨʔϧ࢖༻ͯ͠Δʁ

View Slide

*".ઃܭʹؔͯ͠σΟεΧογϣϯλΠϜ
૒ํ޲λΠϜ
*".ઃܭʢߏ੒ɾݖݶͷ࣋ͨͤํʣʹؔͯ͠
ࠔΓ͝ͱɺฉ͍ͯΈ͍ͨ͜ͱ͕
͋Ε͹ͥͻޱ಄Ͱ͓ئ͍͠·͢

View Slide

ࢀߟʹͳΔࢥ૝
✦ຊ൪ɺεςʔδϯάɺ։ൃͰ"84
ΞΧ΢ϯτΛ෼͚Δ
✦ҎԼͷ໾ׂͰ෼͚Δ
w؅ཧऀ
wΞϓϦνʔϜ
wΠϯϑϥνʔϜ
wӡ༻νʔϜ
✦ͳΔ΂͘ਓ͕৮Βͳ্ͨ͘͠Ͱ޿
ΊʹݖݶΛ༩͑Δ
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTJBNSPMFCBTFQFSNJTTJPO

View Slide


View Slide

*".ʹ͸ϕετϓϥΫςΟε͕͋Γ·͢
IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFCFTUQSBDUJDFTIUNM

View Slide

ཁ໿͢Δͱ͜Μͳײ͡
ਓʹ͸*%ϑΣσϨʔγϣϯ࢖ͬͯͶ
ϫʔΫϩʔυʹ͸*".ϩʔϧ࢖ͬͯͶ
.'"༗ޮԽͯ͠Ͷ
ΞΫηεΩʔϩʔςͯ͠Ͷ
ϧʔτϢʔβʔ࢖Θͳ͍ͰͶ
࠷খݖݶΛ໨ࢦͯ͠Ͷ
ఆظతʹ*".Ϧιʔε୨Էͯ͠͠Ͷ
*".ϙϦγʔͰ৚݅Ωʔ࢖ͬͯͶ
*"."DDFTT"OBMZ[FS࢖ͬͯͶ
0SHBOJ[BUJPOT4$1࢖ͬͯͶ
1FSNJTTJPOTCPVOEBSZ࢖ͬͯͶ

View Slide

ಠஅͱภݟʹΑΔϥϕϧ͚ͮ
.'"༗ޮԽͯ͠Ͷ
ݫक
Ͱ͖ΔݶΓ
༨༟͕͋Ε͹
༨༟͕͋Ε͹
༨༟͕͋Ε͹
༨༟͕͋Ε͹
Ͱ͖ΔݶΓ
༨༟͕͋Ε͹
Ͱ͖ΔݶΓ
༨༟͕͋Ε͹
Ͱ͖ΔݶΓ

View Slide

ϕετϓϥΫςΟεʹؔ͢Δ͋Ε͜Εɹɹ

.'"༗ޮԽͯ͠Ͷ
ݫक
Ͱ͖ΔݶΓ
༨༟͕͋Ε͹
༨༟͕͋Ε͹
༨༟͕͋Ε͹
༨༟͕͋Ε͹
Ͱ͖ΔݶΓ
༨༟͕͋Ε͹
Ͱ͖ΔݶΓ
༨༟͕͋Ε͹
Ͱ͖ΔݶΓ
૒ํ޲λΠϜ
͍Ζ͍Ζ
ฉ͔͍ͤͯͩ͘͞

View Slide

ධՁ࿦ཧͷ࿩

View Slide

ධՁ࿦ཧͱ͸
"84SF*OWFOU)BSOFTTQPXFSPG*".QPMJDJFT
SFJOJOQFSNJTTJPOTX"DDFTT"OBMZ[FS 4&$
ΑΓ
✦ "84*".͸ҎԼΛಥ͖߹Θͤͯ
ධՁ͢Δ
w ϦΫΤετͷίϯςΩετ
w ධՁର৅ͷϙϦγʔ
✦ ධՁͷ݁Ռ͸ҎԼͷ͍ͣΕ͔
w ڐՄ
w ڋ൱

View Slide

ධՁ࿦ཧϑϩʔνϟʔτ͸ઈରΈΑ͏
˞୯ҰΞΧ΢ϯτʹ͓͚ΔϑϩʔνϟʔτͰ͋Δ͜ͱʹ஫ҙ
IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFSFGFSFODF@QPMJDJFT@FWBMVBUJPOMPHJDIUNMQPMJDZFWBMEFOZBMMPX

View Slide

͜Ε͚͓֮ͩ͑ͯ͜͏
✦ σϑΥϧτͰ͸ڋ൱ʢ҉໧తͳڋ൱ʣ
✦ ໌ࣔతͳڋ൱͕Ͳ͔͜ʹ͋Ε͹݁Ռ͸ڋ൱
✦ ʮ໌ࣔతͳڐՄʯΛ༩͑ΒΕΔͷ͸ҎԼͷΈ
w ΞΠσϯςΟςΟϕʔεϙϦγʔ
w ϦιʔεϕʔεϙϦγʔ
✦ ҎԼ͸ΨʔυϨʔϧͱͯ͠ػೳ
w 0SHBOJ[BUJPOT4$1
w 1FSNJTTJPOTCPVOEBSZ
w ηογϣϯϙϦγʔʢείʔϓμ΢ϯϙϦγʔʣ
w ʢ71$ΤϯυϙΠϯτϙϦγʔʣ

View Slide

͜Ε͚͓֮ͩ͑ͯ͜͏
✦ ୯ҰΞΧ΢ϯτͷ৔߹ɺҎԼͷ͍ͣΕ͔ͷΞΫηεڐՄͷ
෇༩ͷΈͰ݁Ռ͕ڐՄʹͳΔ৔߹͕͋Δ
w ΞΠσϯςΟςΟϕʔεϙϦγʔ
w ϦιʔεϕʔεϙϦγʔ
✦ ϦιʔεϕʔεϙϦγʔͰڐՄ͢ΔϓϦϯγύϧʹΑͬͯ
ධՁ࿦ཧ͕มΘΔ৔߹͕͋Δ
✦ ΫϩεΞΧ΢ϯτͷ৔߹ɺ૒ํͰڐՄ͕ඞཁ

View Slide

ϑϦʔͷ࣭໰λΠϜ
૒ํ޲λΠϜ
͜͜ͷ෦෼͕ฉ͖͍ͨΜ͕ͩʁΛ
ืू͍ͯ͠·͢

View Slide

໾ʹཱͪͦ͏ͳϦϯΫू
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTOFXQPMJDZFWBMVBUJPOMPHJD
fl
PXDIBSU IUUQTEFWDMBTTNFUIPEKQBSUJDMFTEFWJPJBNFWBMVBUJPOMPHJD IUUQTEFWDMBTTNFUIPEKQBSUJDMFTQSJODJQBMFMFNFOUJBNSPMFPSSPMFTFTTJPO

View Slide

σʔλϓϨʔϯͱ
ίϯτϩʔϧϓϨʔϯͷ࿩

View Slide

*".ʹ͸σʔλϓϨʔϯͱίϯτϩʔϧϓϨʔϯ͕͋Δ
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTJBNDPOUSPMQMBOFEBUBQMBOF

View Slide

ϑϦʔͷ࣭໰λΠϜ
૒ํ޲λΠϜ
ฉ͖͍ͨ͜ͱʜʜ͋Γ·͢ʁ

View Slide

໾ʹཱͪͦ͏ͳϦϯΫू
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTGBVMUJTPMBUJPOCPVOEBSJFT
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTJBNFWFOUVBMDPOTJTUFODZTFTTJPOQPMJDZ
IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTJBNCBDLHSPVOEEFWJP

View Slide

͓͠·͍

View Slide

ηογϣϯΞϯέʔτ%":
ຬ଍౓্ҐͷηογϣϯΛޙ೔ϒϩάͰެ։༧ఆʂ
ճ౴΁ͷ͝ڠྗΛΑΖ͓͘͠ئ͍͠·͢ɻ
ෳ਺ճ౴Մɺ
લճͷ಺༰Ҿ͖ܧ͗·͢
ऴྃ͠·ͨ͠

View Slide

View Slide

AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023

AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023

YukihiroChiba

More Decks by YukihiroChiba

Featured

Transcript