Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM ...

YukihiroChiba
July 27, 2023
0
3.3k

AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023

YukihiroChiba

July 27, 2023
Tweet

More Decks by YukihiroChiba

See All by YukihiroChiba
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
940
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
500
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
850
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
2.4k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
690
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
4k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.9k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
5.4k
どこで動いてるの?AWS IAM のコントロールプレーンとデータプレーンに思いを馳せる/iam-background
yukihirochiba
1
5.4k

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
The Cult of Friendly URLs
andyhume
78
6.2k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
Designing for Performance
lara
604
68k
Agile that works and the tools we love
rasmusluckow
328
21k
Bash Introduction
62gerente
611
210k
Documentation Writing (for coders)
carmenintech
67
4.6k
Speed Design
sergeychernyshev
27
810
For a Future-Friendly Web
brad_frost
176
9.6k
Designing on Purpose - Digital PM Summit 2013
jponch
117
7.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
570
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k

Transcript

  1. "84*".ͷ஌͓ͬͯ͘΂͖࿩ͱ ஌Βͳͯ͘΋͍͍࿩  "84ࣄۀຊ෦νόϢΩ

  2. ࣗݾ঺հ  ઍ༿ ޾޺ (νόϢΩ) •2020೥ೖࣾ •޷͖ͳAWSαʔϏεɿIAM •޷͖ͳΞΫγϣϯɿsts:AssumeRole IUUQTEFWDMBTTNFUIPEKQBVUIPSDIJCBZVLJIJSP

  3. ࠓ೔ͷҙؾࠐΈ  w ͜ͷ࣌ؒ͸ʮνϣʔΫτʔΫʯͰ͢ w Θ͕ͨ͠Ұํతʹ஻ΔͷͰ͸ͳ͘ɺͥͻ૒ํ޲Ͱ΍ΓऔΓ͠·͠ΐ͏ w །Ұͷਖ਼ղ͕͋Δ΋ͷͰ͸͋Γ·ͤΜ w ʮΈΜͳ͸Ͳ͏ͯ͠ΔΜͩΖ͏ʯΛڞ༗ͨ͠Γ

    w ʮͲ͏͢Δͷ͕ΑΓྑ͍ͩΖ͏ʯΛҰॹʹߟ͑ͨΓ͠·͠ΐ͏

  4. ࠓ೔ͷ͓໿ଋ  w Έͳ͞Μʹݺͼ͔͚͍ͨ͜ͱ͕͋Δ৔߹ɺεϥ Πυͷӈ্ʹ͜Μͳͷ͕ग़͖ͯ·͢ ૒ํ޲λΠϜ w ڍखɺεέονϒοΫ΁ͷॻ͖ࠐΈɺϚΠΫͰͷ ൃݴͳͲɺ૒ํ޲Ͱ΍ΓऔΓ͍ͨ͠ͷͰ͝ڠྗ ͓ئ͍͠·͢

  5. ͬͦ͘͞΍ͬͯΈΑ͏  ૒ํ޲λΠϜ Έͳ͞Μͷ*".ϨϕϧΛڭ͍͑ͯͩ͘͞ɻ  *".Λ৮ͬͨ͜ͱ͕ͳ͍  *".ϢʔβʔɺάϧʔϓɺϩʔϧɺϙϦγʔΛ஌͍ͬͯΔ  *".ϦιʔεΛઃܭ͋Δ͍͸ߏஙͨ͜͠ͱ͕͋Δ

     4$1΋͘͠͸1FSNJTTJPOTCPVOEBSZΛ࢖ͬͨ͜ͱ͕͋Δ  ηογϣϯϙϦγʔΛ࢖ͬͨ͜ͱ͕͋Δ εέονϒοΫʹ਺ࣈΛॻ͍͍ͯͩ͘͞

  6. ͞Βʹ΍ͬͯΈΑ͏  ૒ํ޲λΠϜ ྡͷ੮ͷਓͱ؆୯ͳࣗݾ঺հͱ ʮࠓ೔ԿΛֶͼ͍͔ͨʯΛ࿩͠·͠ΐ͏ ʢͻͱΓ෼ͣͭʣ

  7. ࠓ೔ͷςʔϚ 

  8. ࠓ೔ͷςʔϚ   *".ઃܭͷ࿩ʢߏ੒ɺݖݶͷ࣋ͨͤํʣ  *".ϕετϓϥΫςΟεͷ࿩  ධՁ࿦ཧͷ࿩  σʔλϓϨʔϯͱίϯτϩʔϧϓϨʔϯͷ࿩

  9. ࠓ೔ͷςʔϚ   *".ઃܭͷ࿩ʢߏ੒ɺݖݶͷ࣋ͨͤํʣ  *".ϕετϓϥΫςΟεͷ࿩  ධՁ࿦ཧͷ࿩  σʔλϓϨʔϯͱίϯτϩʔϧϓϨʔϯͷ࿩

    ্͔Βॱʹʮ஌͓ͬͯ͘΂͖ʯ౓͕ߴ͍ Լ͔Βॱʹʮ͠Ό΂Γ͍ͨʯ౓͕ߴ͍ ஌͓ͬͯ͘΂͖ ͠Ό΂Γ͍ͨ

  10. ࠓ೔ͷςʔϚ   *".ઃܭͷ࿩ʢߏ੒ɺݖݶͷ࣋ͨͤํʣ  *".ϕετϓϥΫςΟεͷ࿩  ධՁ࿦ཧͷ࿩  σʔλϓϨʔϯͱίϯτϩʔϧϓϨʔϯͷ࿩

    ૒ํ޲λΠϜ Έͳ͞Μ͕ڵຯ͋Δ΋ͷΛ ڍखͰڭ͍͑ͯͩ͘͞ ஌Γ͍ͨ಺༰ΛεέονϒοΫʹ ॻ͍͍ͯͩ͘͞

  11.  *".ઃܭͷ࿩ ʢߏ੒ɺݖݶͷ࣋ͨͤํʣ

  12. ߏ੒ͱݖݶͷ࣋ͨͤํ  ✦ ʮߏ੒ʯͷྫ w *".ϢʔβʔͷΈʁεΠονϩʔϧʁ w *".ϩʔϧΛ࢖͍ͬͯΔ৔߹ɺϢʔβʔͱʁ w "84*".*EFOUJUZ$FOUFSʁ*".4".-ϑΣσϨʔγϣϯʁ

    w ϚϧνΞΧ΢ϯτʁͦͷ৔߹Ͳͷ͘Β͍ͷن໛ʁ ✦ ʮݖݶͷ࣋ͨͤํʯͷྫ w Ͳͷ͘Β͍໾ׂΛ෼͚ͯΔʁ w ࠷খݖݶΛͲͷ͘Β͍௥ٻͯ͠Δʁ w Ͳͷ͘Β͍ϙϦγʔΧελϚΠζͯ͠Δʁ w ΨʔυϨʔϧ࢖༻ͯ͠Δʁ

  13. *".ઃܭʹؔͯ͠σΟεΧογϣϯλΠϜ  ૒ํ޲λΠϜ *".ઃܭʢߏ੒ɾݖݶͷ࣋ͨͤํʣʹؔͯ͠ ࠔΓ͝ͱɺฉ͍ͯΈ͍ͨ͜ͱ͕ ͋Ε͹ͥͻޱ಄Ͱ͓ئ͍͠·͢

  14. ࢀߟʹͳΔࢥ૝  ✦ຊ൪ɺεςʔδϯάɺ։ൃͰ"84 ΞΧ΢ϯτΛ෼͚Δ ✦ҎԼͷ໾ׂͰ෼͚Δ w؅ཧऀ wΞϓϦνʔϜ wΠϯϑϥνʔϜ wӡ༻νʔϜ ✦ͳΔ΂͘ਓ͕৮Βͳ্ͨ͘͠Ͱ޿

    ΊʹݖݶΛ༩͑Δ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTJBNSPMFCBTFQFSNJTTJPO

  15.  *".ϕετϓϥΫςΟεͷ࿩

  16. *".ʹ͸ϕετϓϥΫςΟε͕͋Γ·͢  IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFCFTUQSBDUJDFTIUNM

  17. ཁ໿͢Δͱ͜Μͳײ͡   ਓʹ͸*%ϑΣσϨʔγϣϯ࢖ͬͯͶ  ϫʔΫϩʔυʹ͸*".ϩʔϧ࢖ͬͯͶ  .'"༗ޮԽͯ͠Ͷ  ΞΫηεΩʔϩʔςͯ͠Ͷ

     ϧʔτϢʔβʔ࢖Θͳ͍ͰͶ  ࠷খݖݶΛ໨ࢦͯ͠Ͷ  ఆظతʹ*".Ϧιʔε୨Էͯ͠͠Ͷ  *".ϙϦγʔͰ৚݅Ωʔ࢖ͬͯͶ  *"."DDFTT"OBMZ[FS࢖ͬͯͶ 0SHBOJ[BUJPOT4$1࢖ͬͯͶ 1FSNJTTJPOTCPVOEBSZ࢖ͬͯͶ

  18. ಠஅͱภݟʹΑΔϥϕϧ͚ͮ   ਓʹ͸*%ϑΣσϨʔγϣϯ࢖ͬͯͶ  ϫʔΫϩʔυʹ͸*".ϩʔϧ࢖ͬͯͶ  .'"༗ޮԽͯ͠Ͷ  ΞΫηεΩʔϩʔςͯ͠Ͷ

     ϧʔτϢʔβʔ࢖Θͳ͍ͰͶ  ࠷খݖݶΛ໨ࢦͯ͠Ͷ  ఆظతʹ*".Ϧιʔε୨Էͯ͠͠Ͷ  *".ϙϦγʔͰ৚݅Ωʔ࢖ͬͯͶ  *"."DDFTT"OBMZ[FS࢖ͬͯͶ 0SHBOJ[BUJPOT4$1࢖ͬͯͶ 1FSNJTTJPOTCPVOEBSZ࢖ͬͯͶ ݫक Ͱ͖ΔݶΓ ༨༟͕͋Ε͹ ༨༟͕͋Ε͹ ༨༟͕͋Ε͹ ༨༟͕͋Ε͹ Ͱ͖ΔݶΓ ༨༟͕͋Ε͹ Ͱ͖ΔݶΓ ༨༟͕͋Ε͹ Ͱ͖ΔݶΓ

  19. ϕετϓϥΫςΟεʹؔ͢Δ͋Ε͜Εɹɹ   ਓʹ͸*%ϑΣσϨʔγϣϯ࢖ͬͯͶ  ϫʔΫϩʔυʹ͸*".ϩʔϧ࢖ͬͯͶ  .'"༗ޮԽͯ͠Ͷ  ΞΫηεΩʔϩʔςͯ͠Ͷ

     ϧʔτϢʔβʔ࢖Θͳ͍ͰͶ  ࠷খݖݶΛ໨ࢦͯ͠Ͷ  ఆظతʹ*".Ϧιʔε୨Էͯ͠͠Ͷ  *".ϙϦγʔͰ৚݅Ωʔ࢖ͬͯͶ  *"."DDFTT"OBMZ[FS࢖ͬͯͶ 0SHBOJ[BUJPOT4$1࢖ͬͯͶ 1FSNJTTJPOTCPVOEBSZ࢖ͬͯͶ ݫक Ͱ͖ΔݶΓ ༨༟͕͋Ε͹ ༨༟͕͋Ε͹ ༨༟͕͋Ε͹ ༨༟͕͋Ε͹ Ͱ͖ΔݶΓ ༨༟͕͋Ε͹ Ͱ͖ΔݶΓ ༨༟͕͋Ε͹ Ͱ͖ΔݶΓ ૒ํ޲λΠϜ ͍Ζ͍Ζ ฉ͔͍ͤͯͩ͘͞

  20.  ධՁ࿦ཧͷ࿩

  21. ධՁ࿦ཧͱ͸  "84SF*OWFOU)BSOFTTQPXFSPG*".QPMJDJFT SFJOJOQFSNJTTJPOTX"DDFTT"OBMZ[FS 4&$ ΑΓ ✦ "84*".͸ҎԼΛಥ͖߹Θͤͯ ධՁ͢Δ w

    ϦΫΤετͷίϯςΩετ w ධՁର৅ͷϙϦγʔ ✦ ධՁͷ݁Ռ͸ҎԼͷ͍ͣΕ͔ w ڐՄ w ڋ൱

  22. ධՁ࿦ཧϑϩʔνϟʔτ͸ઈରΈΑ͏  ˞୯ҰΞΧ΢ϯτʹ͓͚ΔϑϩʔνϟʔτͰ͋Δ͜ͱʹ஫ҙ IUUQTEPDTBXTBNB[PODPNKB@KQ*".MBUFTU6TFS(VJEFSFGFSFODF@QPMJDJFT@FWBMVBUJPOMPHJDIUNMQPMJDZFWBMEFOZBMMPX

  23. ͜Ε͚͓֮ͩ͑ͯ͜͏  ✦ σϑΥϧτͰ͸ڋ൱ʢ҉໧తͳڋ൱ʣ ✦ ໌ࣔతͳڋ൱͕Ͳ͔͜ʹ͋Ε͹݁Ռ͸ڋ൱ ✦ ʮ໌ࣔతͳڐՄʯΛ༩͑ΒΕΔͷ͸ҎԼͷΈ w ΞΠσϯςΟςΟϕʔεϙϦγʔ

    w ϦιʔεϕʔεϙϦγʔ ✦ ҎԼ͸ΨʔυϨʔϧͱͯ͠ػೳ w 0SHBOJ[BUJPOT4$1 w 1FSNJTTJPOTCPVOEBSZ w ηογϣϯϙϦγʔʢείʔϓμ΢ϯϙϦγʔʣ w ʢ71$ΤϯυϙΠϯτϙϦγʔʣ

  24. ͜Ε͚͓֮ͩ͑ͯ͜͏  ✦ ୯ҰΞΧ΢ϯτͷ৔߹ɺҎԼͷ͍ͣΕ͔ͷΞΫηεڐՄͷ ෇༩ͷΈͰ݁Ռ͕ڐՄʹͳΔ৔߹͕͋Δ w ΞΠσϯςΟςΟϕʔεϙϦγʔ w ϦιʔεϕʔεϙϦγʔ ✦

    ϦιʔεϕʔεϙϦγʔͰڐՄ͢ΔϓϦϯγύϧʹΑͬͯ ධՁ࿦ཧ͕มΘΔ৔߹͕͋Δ ✦ ΫϩεΞΧ΢ϯτͷ৔߹ɺ૒ํͰڐՄ͕ඞཁ

  25. ϑϦʔͷ࣭໰λΠϜ  ૒ํ޲λΠϜ ͜͜ͷ෦෼͕ฉ͖͍ͨΜ͕ͩʁΛ ืू͍ͯ͠·͢

  26. ໾ʹཱͪͦ͏ͳϦϯΫू  IUUQTEFWDMBTTNFUIPEKQBSUJDMFTOFXQPMJDZFWBMVBUJPOMPHJD fl PXDIBSU IUUQTEFWDMBTTNFUIPEKQBSUJDMFTEFWJPJBNFWBMVBUJPOMPHJD IUUQTEFWDMBTTNFUIPEKQBSUJDMFTQSJODJQBMFMFNFOUJBNSPMFPSSPMFTFTTJPO

  27.  σʔλϓϨʔϯͱ ίϯτϩʔϧϓϨʔϯͷ࿩

  28. *".ʹ͸σʔλϓϨʔϯͱίϯτϩʔϧϓϨʔϯ͕͋Δ  IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTJBNDPOUSPMQMBOFEBUBQMBOF

  29. ϑϦʔͷ࣭໰λΠϜ  ૒ํ޲λΠϜ ฉ͖͍ͨ͜ͱʜʜ͋Γ·͢ʁ

  30. ໾ʹཱͪͦ͏ͳϦϯΫू  IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTGBVMUJTPMBUJPOCPVOEBSJFT IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTJBNFWFOUVBMDPOTJTUFODZTFTTJPOQPMJDZ IUUQTEFWDMBTTNFUIPEKQBSUJDMFTBXTJBNCBDLHSPVOEEFWJP

  31. ͓͠·͍ 

  32. ηογϣϯΞϯέʔτ%":  ຬ଍౓্ҐͷηογϣϯΛޙ೔ϒϩάͰެ։༧ఆʂ ճ౴΁ͷ͝ڠྗΛΑΖ͓͘͠ئ͍͠·͢ɻ ෳ਺ճ౴Մɺ લճͷ಺༰Ҿ͖ܧ͗·͢ ऴྃ͠·ͨ͠

  33. None