AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular

ʜʜྲྀߦΒ͍ͤͨɺ "844FSWJDF/BNFTQBDFΛɻ ઍ༿޾޺ʢνόϢΩʣ

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ࣦޮ ͠·ͨ͠

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ ࣦޮ ͠·ͨ͠

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ ɾ2021 APN AWS Top
Engineer ࣦޮ ͠·ͨ͠

ࣗݾ঺հ ઍ༿ ޾޺ (νόϢΩ) ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ ɾ2021 APN AWS Top
Engineer ɾ޷͖ͳAWSαʔϏεɿIAM

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ ޷͖ͳΞΫγϣϯɿsts:AssumeRole

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ ޷͖ͳΞΫγϣϯɿsts:AssumeRole ޷͖ͳAWS Service Namespaceɿtiros

޷͖ͳʜʜ ޷͖ͳAWSαʔϏεɿIAM ޷͖ͳAWSϦιʔεɿIAMϩʔϧ ޷͖ͳΞΫγϣϯɿsts:AssumeRole ޷͖ͳAWS Service Namespaceɿtiros φχίϨʁʁ

޷͖ͳ AWS Service Namespace Λ ܾΊ·͠ΐ͏ ϝΠϯςʔϚ

"HFOEB 1.AWSαʔϏε͋Δ͋Δ 2.AWS Service Namespace 1.ͱ͸ 2.ௐ΂ํ 3.ΫΠζ 1.ਖ਼Ҿ͖
2.ٯҾ͖

AWS αʔϏε͋Δ͋Δ ݴ͍͍ͨ

"84αʔϏε͋Δ͋Δ ͦͷ1. ͦͷ2. ͦͷ3.

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ͦͷ3.

ଟ͍ɻ ͳΜͰ΋223ݸ͋Δͱ͔…… ɹͳ͍ͱ͔…… ֮͑ΒΕͳ͍Α……

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ͦͷ3.

"84αʔϏε͋Δ͋Δ ͦͷ1. ଟ͍ɻ ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ
ͦͷ3.

઀಄ࣙ"84͔"NB[PO͔໎͍͕ͪ Ұઆʹ͸ɻ ʮAWSʯ͕ͭ͘ͷ͸…… ɹɹଞͷAWSαʔϏεͱ૊Έ߹ΘͤΔલఏ ɹɹɹɹAWS LambdaɺAWS BackupɺAWS IAM... ʮAmazonʯ͕ͭ͘ͷ͸……
ɹɹ୯ಠͰ࢖͑Δ΋ͷ Amazon EC2ɺAmazon Route53ɺAmazon S3…

઀಄ࣙ"84͔"NB[PO͔໎͍͕ͪ ͪΐͬͱ೿ੜͯ͠ ਖ਼໊ࣜশ໎͍͕ͪ໰୊ •Amazon Elastic Compute Cloudʁ •Amazon EC2ʁ
•Amazon Simple Storage Serviceʁ •Amazon S3ʁ ͳͲͳͲ…… ΋͔ͯ͠͠ʮAmazon Elastic Compute Cloud (EC2)ʯʁ

ͦͷ3.

ͦͷ3. ԿΛ΋ͬͯ”αʔϏε”͔೰Ή

ԿΛ΋ͬͯzαʔϏεz͔೰Ή Ϛωδϝϯτίϯιʔϧج४ʁ Ϋϥ΢υ੡඼Ұཡج४ʁ AWSυΩϡϝϯτج४ʁ

ԿΛ΋ͬͯzαʔϏεz͔೰Ή Ϛωίϯ ੡඼ϖʔδ υΩϡϝϯτ &-# ʮ&$ʯͷ Ұ෦ ͋Δ τοϓϖʔδ
ʹ͋Δ 5SBOTJU(BUFXBZ ʮ71$ʯͷ Ұ෦ ͋Δ ʮ71$ʯʹ ͋Δ .BSLFUQMBDF αʔϏεը໘ ͕͋Δ ͳ͍ τοϓϖʔδ ʹ͋Δ ྫ͑͹……

ͦͷ3. ԿΛ΋ͬͯ”αʔϏε”͔೰Ή ͏ʔΉ…… 🤔

ͦ͜Ͱ AWS Service Namespace Ͱ͢Α ೰ΊΔ͋ͳͨ΁

"844FSWJDF/BNFTQBDF͸ ɾج४͕໌֬🤗 ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ ɾ ɾ

"844FSWJDF/BNFTQBDF͸ ɾج४͕໌֬🤗 ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ ɾAWS ΋ Amazon ΋͔ͭͳ͍🤗 ɹɹେମུশΛ͓͚֮͑ͯ͹OK ɾ

"844FSWJDF/BNFTQBDF͸ ɾج४͕໌֬🤗 ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ ɾAWS ΋ Amazon ΋͔ͭͳ͍🤗 ɹɹେମུশΛ͓͚֮͑ͯ͹OK ɾ਺͸AWSαʔϏεΑΓଟ͍🥺
ɹɹ2022/1/27࣌఺Ͱ301ݸ͋Γ·͢

AWS Service Namespace ͱ͸Կ͔ ࠓ೔ͷຊ୊

"844FSWJDF/BNFTQBDFͱ͸ arn:aws:s3:::my_corporate_bucket arn:aws:iam::123456789012:user/Test • AWS ੡඼Λࣝผ͢ΔͨΊͷαʔϏε໊લۭؒ • ARN ʹొ৔͠·͢

"844FSWJDF/BNFTQBDFͱ͸ • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢ • Action • Condition
• αʔϏεϓϨϑΟοΫεͱ΋

• αʔϏεϓϨϑΟοΫεͱ΋ ec2:CreateVpc s3:GetObject Actionͷྫɻ ɹରԠ͢ΔAPI͕ແ͘ݖݶ෇༩ͷͨΊʹͷΈ͋Δ΋ͷ΋

• αʔϏεϓϨϑΟοΫεͱ΋ ec2:CreateVpc s3:GetObject iam:AWSServiceName rds:DatabaseName Actionͷྫɻ ɹରԠ͢ΔAPI͕ແ͘ݖݶ෇༩ͷͨΊʹͷΈ͋Δ΋ͷ΋ Conditionͷྫɻ ɹάϩʔόϧ৚݅Ωʔʹରͯ͠ ɹ αʔϏεݻ༗ͷ৚݅Ωʔͱݺ͹ΕΔ

"844FSWJDF/BNFTQBDFͱ͸ • AWS CLI ͷίϚϯυ໊ʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ • ྫ֎΋͋Γ·͢ʢaws con fi
gserviceͱ͔ʣ aws sts get-caller-identity aws ecr put-image

"844FSWJDF/BNFTQBDFͱ"84αʔϏε • 1ର1ʹͳ͍ͬͯΔ͜ͱ͕ଟ͍ • ҰͭͷAWSαʔϏε͕ෳ਺ͷAWS Service NamespaceΛ࣋ͭ͜ͱ΋͋Δ • ҟͳΔAWSαʔϏε͕ಉ͡AWS
Service Namespace Λ࣋ͭ͜ͱ΋͋Δ

Ͳ͏΍ͬͯ֬ೝ͢Ε͹Α͍͔ "844FSWJDF/BNFTQBDF

ίϚϯυΛୟ͜͏ i=`aws iam generate-service-last-accessed-details --arn arn:aws:iam::aws:policy/AdministratorAccess --output text` \
&& sleep 1 \ && aws iam get-service-last-accessed-details --job-id $i --max-items 1000 \ | jq -c '.ServicesLastAccessed[] | [.ServiceName,.ServiceNamespace]' ࠓ೥ͷ AWS αʔϏε໊લۭؒɺࠓ೥ͷ͏ͪʹɻ 2021 https://dev.classmethod.jp/articles/aws-servicenamespace-2021/ ҎԼʹࡌͬͯ·͢ɻ

ͳʹɺͦͷίϚϯυʜʜ AdministratorAccessΛΞΫηεΞυόΠβʔͰ ݟΔͷͱಉ͜͡ͱΛ AWS CLI Ͱ΍ͬͯ·͢ɻ ΞΫηεՄೳͳ ʮαʔϏεʯͱ ࠷ऴΞΫηε࣌ؒΛ
දࣔ͢ΔΑ

ͪΌΜͱϦϑΝϨϯεͰݟ͍ͨ • αʔϏεೝূϦϑΝϨϯεΛΈΑ͏ • Service Authorization Reference ͳͷͰʮೝՄʯͱ༁ͯ͠΄͘͠΋ ͋Δͱ͔ͳ͍ͱ͔
• αʔϏεϓϨϑΟοΫε͝ͱʹϖʔδ͕࡞ΒΕ͍ͯ·͢ ϙϦγʔઃܭ͢Δ࣌ʹ ֎ͤͳ͍Ͱ͢ΑͶ https://docs.aws.amazon.com/ja_jp/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

ͪΌΜͱϦϑΝϨϯεͰݟ͍ͨ • ʮAWS IAMͱ࿈ܞ͢ΔαʔϏεʯϖʔδ΋େࣄ • AWS IAM ͷυΩϡϝϯτͷҰ෦Ͱ͢ •
͜͜ͰͷʮαʔϏεʯ͸αʔϏεϓϨϑΟοΫε͕ج४Ͱ͢ ϒοΫϚʔΫͯ͠ͳ͍…ʁ ͳΜͰ……ʁ https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

IAM ͱ஥ྑ͘ͳΔͳΒ AWSαʔϏε͡Όͳ͘ AWS Service Namespace Λҙࣝ͠Α͏ "844FSWJDF/BNFTQBDF

AWS Service Namespace ΫΠζʂʂʂʂʂ νϟϨϯδ͠Α͏

΍Δ͜ͱ • ਖ਼Ҿ͖ • AWSαʔϏε͔Β໊લۭؒΛߟ͑Δ • ٯҾ͖ • ໊લۭ͔ؒΒAWSαʔϏεΛߟ͑Δ
͜͜Ͱͷʮਖ਼Ҿ͖ʯͱ͔ʮٯҾ͖ʯ͸Θͨ͠ ͕উखʹͦ͏ݺΜͰΔ͚ͩͰ͢ɻ ΑͦͰݴ͏ͱ ஏΛ͔͖·͢Α

ਖ਼Ҿ͖ฤ "844FSWJDF/BNFTQBDFΫΠζ

ୈҰ໰ "NB[PO&$ ೉қ౓ɿ ʁ AWSαʔϏε AWS Service Namespace

ୈҰ໰ "NB[PO&$ FD ೉қ౓ɿ AWSαʔϏε AWS Service Namespace ؆୯Ͱ͢Ͷɻ

ୈೋ໰ "NB[PO4 ೉қ౓ɿ ʁ AWSαʔϏε AWS Service Namespace

ୈೋ໰ "NB[PO4 T ೉қ౓ɿ AWSαʔϏε AWS Service Namespace ๏ଇΘ͔͖ͬͯ·ͨ͠Ͷɻ

ୈࡾ໰ "NB[PO71$ ೉қ౓ɿ ʁ AWSαʔϏε AWS Service Namespace

ୈࡾ໰ "NB[PO71$ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace FD ʮvpcʯͰ͸͋Γ·ͤΜΑɻ

໊લۭؒFDଟ͍Αʜʜ • Amazon EC2 actions • Amazon EBS actions
• Amazon VPC actions • Amazon IPAM actions • AWS Transit Gateway actions • AWS PrivateLink actions • AWS Client VPN actions • AWS Site-to-Site VPN actions • AWS Outposts actions • AWS Wavelength actions • VM Import/Export actions • AWS Nitro Enclaves https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query.html

ٯҾ͖ฤ "844FSWJDF/BNFTQBDFΫΠζ

ୈҰ໰ "NB[PO3%4 ೉қ౓ɿ AWSαʔϏε AWS Service Namespace SET Amazon
RDS Ҏ֎ͰԿ͕͋ΔͰ͠ΐ͏ʁ ʁ

ୈҰ໰ "NB[PO3%4 ೉қ౓ɿ AWSαʔϏε AWS Service Namespace SET "NB[PO
%PDVNFOU%# ͦ͏ͳΜͩ……ɻ

ୈೋ໰ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace NFEJBJNQPSU ϝσΟΞܥͷαʔϏε͔ͳʁʁʁʁ ʁ

ୈೋ໰ "NB[PO3%4 ೉қ౓ɿ AWSαʔϏε AWS Service Namespace Amazon RDS
Custom for Oracle ͷ ɹΠϯετʔϧϝσΟΞʹର͢ΔݖݶΛ෇༩͢ΔͨΊͷ໊લۭؒɻɻ NFEJBJNQPSU

ୈࡾ໰ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace UJSPT ฉ͍ͨ͜ͱ΋ͳ͍Α…… ʁ

ୈࡾ໰ ೉қ౓ɿ AWSαʔϏε AWS Service Namespace UJSPT ਖ਼֬ʹݴ͑͹ Amazon
VPC Reachability Analyzer ͕ ɹ΋ͬͱ΋ؔΘΓ͕ڧ͍ "NB[PO71$ ڧ͍ͯݴ͑͹

UJSPTJTԿ https://aws.amazon.com/jp/security/provable-security/ • ਪ࿦πʔϧʁ෼ੳج൫ʁΈ͍ͨͳ΋ͷ • Inspector ΍ΞΫηεΞφϥΠβʔͰ΋࢖༻͞ΕΔ • ઐ༻ͷAPIΛୟ͚ΔΘ͚Ͱͳ͘ڐՄΛ༩͑ΔͨΊʹඞཁ
• ྫ͑͹ Inspector v2 ͷαʔϏεϦϯΫϩʔϧͷIAMϙϦγʔΛோΊͯΈΑ͏

͋ͳͨ͸Կ໰ਖ਼ղͰ͖·͔ͨ͠ʁ "844FSWJDF/BNFTQBDFΫΠζ

·ͱΊ Α͏΍͘ऴΘΓͰ͢

"844FSWJDF/BNFTQBDF͸͍͍ͧ IAMʹৄ͘͠ͳΔͳΒආ͚ͯ௨Εͳ͍ 300ݸҎ্΋όϦΤʔγϣϯ͕͋Δ ਪ͠Λݟ͚ͭͯ௥͍͔͚Α͏

ऴΘΓʹɿΘͨ͠ͷࣥ೦ΛோΊ͍ͯͩ͘͞ https://dev.classmethod.jp/articles/aws-services-with-aws-servicenamespaces/ ೥຤೥࢝ͷ࣌ؒΛ๋͛·ͨ͠

AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular

AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular

More Decks by YukihiroChiba

Other Decks in Technology

Featured

Transcript