$30 off During Our Annual Pro Sale. View Details »

AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular

YukihiroChiba
January 28, 2022
Technology
0
1.8k

AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular

YukihiroChiba

January 28, 2022
Tweet

More Decks by YukihiroChiba

See All by YukihiroChiba
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
2.6k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
440
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
3.2k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.2k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
4.2k
どこで動いてるの?AWS IAM のコントロールプレーンとデータプレーンに思いを馳せる/iam-background
yukihirochiba
0
3.4k
ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover
yukihirochiba
0
4.6k
1年ぶりにAWS Nitroに想いを馳せる/Nitro-ni-shinitro
yukihirochiba
0
1.3k
RIとSPって何が違うの?選択において押さえておくべきポイント/ec2-reserved-instances-savings-plans-comparison
yukihirochiba
1
13k

Other Decks in Technology

See All in Technology
太田博三
otanet
0
160
噂の Amazon Bedrock を Java から使ってみる #javado
tacck
1
120
アンドパッドが Ruby と RubyKaigi にコミットする理由
andpad
1
270
Kuma UIのこれまでとこれから
poteboy
5
3k
Oracle Cloud Infrastructure:2023年11月度サービス・アップデート
oracle4engineer
PRO
0
210
イベント企画設計における「フロントエンド」な考え方とその魅力
kgsi
1
1.8k
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
2
3.9k
【論文紹介】 A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions
tomoaki25
4
150
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
3
600
お客様、そこは秘孔です!突かないでください! HTTP/2 Rapid reset の概要と対策
murachiakira
0
130
スタートアップにおける、チーム拡大を見据えたコンポーネント分割の取り組み
rynsuke
2
580
論文紹介: Improving Implicit Feedback-Based Recommendation through Multi-Behavior Alignment(Xin Xin et al., 2023)
hakubishin3
0
160

Featured

See All Featured
Web development in the modern age
philhawksworth
201
9.9k
Building Flexible Design Systems
yeseniaperezcruz
317
36k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Art, The Web, and Tiny UX
lynnandtonic
286
19k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
Web Components: a chance to create the future
zenorocha
304
41k
A designer walks into a library…
pauljervisheath
199
18k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.3k
Building Your Own Lightsaber
phodgson
97
5.4k
Faster Mobile Websites
deanohume
296
29k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.6k

Transcript

  1. ʜʜྲྀߦΒ͍ͤͨɺ
    "844FSWJDF/BNFTQBDFΛɻ

    ઍ༿޾޺ʢνόϢΩʣ

    View Slide

  2. ࣗݾ঺հ
    ઍ༿ ޾޺


    (νόϢΩ)
    ࣦޮ
    ͠·ͨ͠

    View Slide

  3. ࣗݾ঺հ
    ઍ༿ ޾޺


    (νόϢΩ)
    ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ
    ࣦޮ
    ͠·ͨ͠

    View Slide

  4. ࣗݾ঺հ
    ઍ༿ ޾޺


    (νόϢΩ)
    ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ
    ɾ2021 APN AWS Top Engineer
    ࣦޮ
    ͠·ͨ͠

    View Slide

  5. ࣗݾ঺հ
    ઍ༿ ޾޺


    (νόϢΩ)
    ɾ2020೥1݄ΫϥεϝιουJOINɹɹɹɹ
    ɾ2021 APN AWS Top Engineer
    ɾ޷͖ͳAWSαʔϏεɿIAM

    View Slide

  6. ޷͖ͳʜʜ
    ޷͖ͳAWSαʔϏεɿIAM


    View Slide

  7. ޷͖ͳʜʜ
    ޷͖ͳAWSαʔϏεɿIAM


    ޷͖ͳAWSϦιʔεɿIAMϩʔϧ


    View Slide

  8. ޷͖ͳʜʜ
    ޷͖ͳAWSαʔϏεɿIAM


    ޷͖ͳAWSϦιʔεɿIAMϩʔϧ


    ޷͖ͳΞΫγϣϯɿsts:AssumeRole


    View Slide

  9. ޷͖ͳʜʜ
    ޷͖ͳAWSαʔϏεɿIAM


    ޷͖ͳAWSϦιʔεɿIAMϩʔϧ


    ޷͖ͳΞΫγϣϯɿsts:AssumeRole


    ޷͖ͳAWS Service Namespaceɿtiros

    View Slide

  10. ޷͖ͳʜʜ
    ޷͖ͳAWSαʔϏεɿIAM


    ޷͖ͳAWSϦιʔεɿIAMϩʔϧ


    ޷͖ͳΞΫγϣϯɿsts:AssumeRole


    ޷͖ͳAWS Service Namespaceɿtiros
    φχίϨʁʁ

    View Slide


  11. ޷͖ͳ AWS Service Namespace Λ


    ܾΊ·͠ΐ͏
    ϝΠϯςʔϚ

    View Slide

  12. "HFOEB
    1.AWSαʔϏε͋Δ͋Δ


    2.AWS Service Namespace


    1.ͱ͸


    2.ௐ΂ํ


    3.ΫΠζ


    1.ਖ਼Ҿ͖


    2.ٯҾ͖

    View Slide


  13. AWS αʔϏε͋Δ͋Δ
    ݴ͍͍ͨ

    View Slide


  14. "84αʔϏε͋Δ͋Δ
    ͦͷ1.


    ͦͷ2.


    ͦͷ3.


    View Slide


  15. "84αʔϏε͋Δ͋Δ
    ͦͷ1. ଟ͍ɻ


    ͦͷ2.


    ͦͷ3.


    View Slide


  16. ଟ͍ɻ
    ͳΜͰ΋223ݸ͋Δͱ͔……


    ɹͳ͍ͱ͔……


    ֮͑ΒΕͳ͍Α……


    View Slide


  17. "84αʔϏε͋Δ͋Δ
    ͦͷ1. ଟ͍ɻ


    ͦͷ2.


    ͦͷ3.


    View Slide


  18. "84αʔϏε͋Δ͋Δ
    ͦͷ1. ଟ͍ɻ


    ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ


    ͦͷ3.


    View Slide


  19. ઀಄ࣙ"84͔"NB[PO͔໎͍͕ͪ
    Ұઆʹ͸ɻ


    ʮAWSʯ͕ͭ͘ͷ͸……


    ɹɹଞͷAWSαʔϏεͱ૊Έ߹ΘͤΔલఏ


    ɹɹɹɹAWS LambdaɺAWS BackupɺAWS IAM...


    ʮAmazonʯ͕ͭ͘ͷ͸……


    ɹɹ୯ಠͰ࢖͑Δ΋ͷ


    Amazon EC2ɺAmazon Route53ɺAmazon S3…

    View Slide


  20. ઀಄ࣙ"84͔"NB[PO͔໎͍͕ͪ
    ͪΐͬͱ೿ੜͯ͠


    ਖ਼໊ࣜশ໎͍͕ͪ໰୊
    •Amazon Elastic Compute Cloudʁ


    •Amazon EC2ʁ
    •Amazon Simple Storage Serviceʁ


    •Amazon S3ʁ
    ͳͲͳͲ……
    ΋͔ͯ͠͠ʮAmazon Elastic Compute Cloud (EC2)ʯʁ

    View Slide


  21. "84αʔϏε͋Δ͋Δ
    ͦͷ1. ଟ͍ɻ


    ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ


    ͦͷ3.


    View Slide


  22. "84αʔϏε͋Δ͋Δ
    ͦͷ1. ଟ͍ɻ


    ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ


    ͦͷ3. ԿΛ΋ͬͯ”αʔϏε”͔೰Ή


    View Slide


  23. ԿΛ΋ͬͯzαʔϏεz͔೰Ή
    Ϛωδϝϯτίϯιʔϧج४ʁ
    Ϋϥ΢υ੡඼Ұཡج४ʁ
    AWSυΩϡϝϯτج४ʁ

    View Slide


  24. ԿΛ΋ͬͯzαʔϏεz͔೰Ή
    Ϛωίϯ ੡඼ϖʔδ υΩϡϝϯτ
    &-#
    ʮ&$ʯͷ
    Ұ෦
    ͋Δ
    τοϓϖʔδ
    ʹ͋Δ
    5SBOTJU(BUFXBZ
    ʮ71$ʯͷ
    Ұ෦
    ͋Δ
    ʮ71$ʯʹ
    ͋Δ
    .BSLFUQMBDF
    αʔϏεը໘
    ͕͋Δ
    ͳ͍
    τοϓϖʔδ
    ʹ͋Δ
    ྫ͑͹……

    View Slide


  25. "84αʔϏε͋Δ͋Δ
    ͦͷ1. ଟ͍ɻ


    ͦͷ2. ઀಄ࣙ AWS ͔ Amazon ͔໎͍͕ͪ


    ͦͷ3. ԿΛ΋ͬͯ”αʔϏε”͔೰Ή


    ͏ʔΉ……
    🤔

    View Slide


  26. ͦ͜Ͱ AWS Service Namespace Ͱ͢Α
    ೰ΊΔ͋ͳͨ΁

    View Slide


  27. "844FSWJDF/BNFTQBDF͸
    ɾج४͕໌֬🤗


    ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ


    ɾ


    ɾ


    View Slide


  28. "844FSWJDF/BNFTQBDF͸
    ɾج४͕໌֬🤗


    ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ


    ɾAWS ΋ Amazon ΋͔ͭͳ͍🤗


    ɹɹେମུশΛ͓͚֮͑ͯ͹OK


    ɾ


    View Slide


  29. "844FSWJDF/BNFTQBDF͸
    ɾج४͕໌֬🤗


    ɹɹϦϑΝϨϯεͰఆٛ͞ΕͯΔ


    ɾAWS ΋ Amazon ΋͔ͭͳ͍🤗


    ɹɹେମུশΛ͓͚֮͑ͯ͹OK


    ɾ਺͸AWSαʔϏεΑΓଟ͍🥺


    ɹɹ2022/1/27࣌఺Ͱ301ݸ͋Γ·͢


    View Slide


  30. AWS Service Namespace ͱ͸Կ͔
    ࠓ೔ͷຊ୊

    View Slide


  31. "844FSWJDF/BNFTQBDFͱ͸
    arn:aws:s3:::my_corporate_bucket


    arn:aws:iam::123456789012:user/Test
    • AWS ੡඼Λࣝผ͢ΔͨΊͷαʔϏε໊લۭؒ


    • ARN ʹొ৔͠·͢

    View Slide


  32. "844FSWJDF/BNFTQBDFͱ͸
    • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢


    • Action


    • Condition


    • αʔϏεϓϨϑΟοΫεͱ΋

    View Slide


  33. "844FSWJDF/BNFTQBDFͱ͸
    • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢


    • Action


    • Condition


    • αʔϏεϓϨϑΟοΫεͱ΋
    ec2:CreateVpc


    s3:GetObject
    Actionͷྫɻ


    ɹରԠ͢ΔAPI͕ແ͘ݖݶ෇༩ͷͨΊʹͷΈ͋Δ΋ͷ΋

    View Slide


  34. "844FSWJDF/BNFTQBDFͱ͸
    • IAM JSON ϙϦγʔʹ΋ొ৔͠·͢


    • Action


    • Condition


    • αʔϏεϓϨϑΟοΫεͱ΋
    ec2:CreateVpc


    s3:GetObject
    iam:AWSServiceName


    rds:DatabaseName
    Actionͷྫɻ


    ɹରԠ͢ΔAPI͕ແ͘ݖݶ෇༩ͷͨΊʹͷΈ͋Δ΋ͷ΋
    Conditionͷྫɻ


    ɹάϩʔόϧ৚݅Ωʔʹରͯ͠


    ɹ αʔϏεݻ༗ͷ৚݅Ωʔͱݺ͹ΕΔ

    View Slide


  35. "844FSWJDF/BNFTQBDFͱ͸
    • AWS CLI ͷίϚϯυ໊ʹͳ͍ͬͯΔ͜ͱ͕ଟ͍


    • ྫ֎΋͋Γ·͢ʢaws con
    fi
    gserviceͱ͔ʣ
    aws sts get-caller-identity


    aws ecr put-image


    View Slide


  36. "844FSWJDF/BNFTQBDFͱ"84αʔϏε
    • 1ର1ʹͳ͍ͬͯΔ͜ͱ͕ଟ͍


    • ҰͭͷAWSαʔϏε͕ෳ਺ͷAWS Service
    NamespaceΛ࣋ͭ͜ͱ΋͋Δ


    • ҟͳΔAWSαʔϏε͕ಉ͡AWS Service Namespace
    Λ࣋ͭ͜ͱ΋͋Δ

    View Slide


  37. Ͳ͏΍ͬͯ֬ೝ͢Ε͹Α͍͔
    "844FSWJDF/BNFTQBDF

    View Slide


  38. ίϚϯυΛୟ͜͏
    i=`aws iam generate-service-last-accessed-details --arn
    arn:aws:iam::aws:policy/AdministratorAccess --output text`
    \

    && sleep 1
    \

    && aws iam get-service-last-accessed-details --job-id $i --max-items 1000
    \

    | jq -c '.ServicesLastAccessed[] | [.ServiceName,.ServiceNamespace]'
    ࠓ೥ͷ AWS αʔϏε໊લۭؒɺࠓ೥ͷ͏ͪʹɻ 2021


    https://dev.classmethod.jp/articles/aws-service-
    namespace-2021/
    ҎԼʹࡌͬͯ·͢ɻ

    View Slide


  39. ͳʹɺͦͷίϚϯυʜʜ
    AdministratorAccessΛΞΫηεΞυόΠβʔͰ


    ݟΔͷͱಉ͜͡ͱΛ AWS CLI Ͱ΍ͬͯ·͢ɻ
    ΞΫηεՄೳͳ


    ʮαʔϏεʯͱ


    ࠷ऴΞΫηε࣌ؒΛ


    දࣔ͢ΔΑ

    View Slide


  40. ͪΌΜͱϦϑΝϨϯεͰݟ͍ͨ
    • αʔϏεೝূϦϑΝϨϯεΛΈΑ͏


    • Service Authorization Reference ͳͷͰʮೝՄʯͱ༁ͯ͠΄͘͠΋
    ͋Δͱ͔ͳ͍ͱ͔


    • αʔϏεϓϨϑΟοΫε͝ͱʹϖʔδ͕࡞ΒΕ͍ͯ·͢
    ϙϦγʔઃܭ͢Δ࣌ʹ


    ֎ͤͳ͍Ͱ͢ΑͶ
    https://docs.aws.amazon.com/ja_jp/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

    View Slide


  41. ͪΌΜͱϦϑΝϨϯεͰݟ͍ͨ
    • ʮAWS IAMͱ࿈ܞ͢ΔαʔϏεʯϖʔδ΋େࣄ


    • AWS IAM ͷυΩϡϝϯτͷҰ෦Ͱ͢


    • ͜͜ͰͷʮαʔϏεʯ͸αʔϏεϓϨϑΟοΫε͕ج४Ͱ͢
    ϒοΫϚʔΫͯ͠ͳ͍…ʁ


    ͳΜͰ……ʁ
    https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

    View Slide


  42. IAM ͱ஥ྑ͘ͳΔͳΒ


    AWSαʔϏε͡Όͳ͘


    AWS Service Namespace Λҙࣝ͠Α͏
    "844FSWJDF/BNFTQBDF

    View Slide


  43. AWS Service Namespace


    ΫΠζʂʂʂʂʂ
    νϟϨϯδ͠Α͏

    View Slide


  44. ΍Δ͜ͱ
    • ਖ਼Ҿ͖


    • AWSαʔϏε͔Β໊લۭؒΛߟ͑Δ


    • ٯҾ͖


    • ໊લۭ͔ؒΒAWSαʔϏεΛߟ͑Δ
    ͜͜Ͱͷʮਖ਼Ҿ͖ʯͱ͔ʮٯҾ͖ʯ͸Θͨ͠
    ͕উखʹͦ͏ݺΜͰΔ͚ͩͰ͢ɻ
    ΑͦͰݴ͏ͱ
    ஏΛ͔͖·͢Α

    View Slide


  45. ਖ਼Ҿ͖ฤ
    "844FSWJDF/BNFTQBDFΫΠζ

    View Slide


  46. ୈҰ໰
    "NB[PO&$
    ೉қ౓ɿ
    ʁ
    AWSαʔϏε AWS Service Namespace

    View Slide


  47. ୈҰ໰
    "NB[PO&$ FD
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    ؆୯Ͱ͢Ͷɻ

    View Slide


  48. ୈೋ໰
    "NB[PO4
    ೉қ౓ɿ
    ʁ
    AWSαʔϏε AWS Service Namespace

    View Slide


  49. ୈೋ໰
    "NB[PO4 T
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    ๏ଇΘ͔͖ͬͯ·ͨ͠Ͷɻ

    View Slide


  50. ୈࡾ໰
    "NB[PO71$
    ೉қ౓ɿ
    ʁ
    AWSαʔϏε AWS Service Namespace

    View Slide


  51. ୈࡾ໰
    "NB[PO71$
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    FD
    ʮvpcʯͰ͸͋Γ·ͤΜΑɻ

    View Slide


  52. ໊લۭؒFDଟ͍Αʜʜ
    • Amazon EC2 actions

    • Amazon EBS actions

    • Amazon VPC actions

    • Amazon IPAM actions

    • AWS Transit Gateway actions

    • AWS PrivateLink actions

    • AWS Client VPN actions

    • AWS Site-to-Site VPN actions

    • AWS Outposts actions

    • AWS Wavelength actions

    • VM Import/Export actions

    • AWS Nitro Enclaves
    https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query.html

    View Slide


  53. ٯҾ͖ฤ
    "844FSWJDF/BNFTQBDFΫΠζ

    View Slide


  54. ୈҰ໰
    "NB[PO3%4
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    SET
    Amazon RDS Ҏ֎ͰԿ͕͋ΔͰ͠ΐ͏ʁ
    ʁ

    View Slide


  55. ୈҰ໰
    "NB[PO3%4
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    SET
    "NB[PO
    %PDVNFOU%#
    ͦ͏ͳΜͩ……ɻ

    View Slide


  56. ୈೋ໰
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    NFEJBJNQPSU
    ϝσΟΞܥͷαʔϏε͔ͳʁʁʁʁ
    ʁ

    View Slide


  57. ୈೋ໰
    "NB[PO3%4
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    Amazon RDS Custom for Oracle ͷ


    ɹΠϯετʔϧϝσΟΞʹର͢ΔݖݶΛ෇༩͢ΔͨΊͷ໊લۭؒɻɻ
    NFEJBJNQPSU

    View Slide


  58. ୈࡾ໰
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    UJSPT
    ฉ͍ͨ͜ͱ΋ͳ͍Α……
    ʁ

    View Slide


  59. ୈࡾ໰
    ೉қ౓ɿ
    AWSαʔϏε AWS Service Namespace
    UJSPT
    ਖ਼֬ʹݴ͑͹ Amazon VPC Reachability Analyzer ͕


    ɹ΋ͬͱ΋ؔΘΓ͕ڧ͍
    "NB[PO71$
    ڧ͍ͯݴ͑͹

    View Slide


  60. UJSPTJTԿ
    https://aws.amazon.com/jp/security/provable-security/
    • ਪ࿦πʔϧʁ෼ੳج൫ʁΈ͍ͨͳ΋ͷ


    • Inspector ΍ΞΫηεΞφϥΠβʔͰ΋࢖༻͞ΕΔ


    • ઐ༻ͷAPIΛୟ͚ΔΘ͚Ͱͳ͘ڐՄΛ༩͑ΔͨΊʹඞཁ


    • ྫ͑͹ Inspector v2 ͷαʔϏεϦϯΫϩʔϧͷIAMϙϦγʔΛோΊͯΈΑ͏

    View Slide


  61. ͋ͳͨ͸Կ໰ਖ਼ղͰ͖·͔ͨ͠ʁ
    "844FSWJDF/BNFTQBDFΫΠζ

    View Slide


  62. ·ͱΊ
    Α͏΍͘ऴΘΓͰ͢

    View Slide


  63. "844FSWJDF/BNFTQBDF͸͍͍ͧ
    IAMʹৄ͘͠ͳΔͳΒආ͚ͯ௨Εͳ͍


    300ݸҎ্΋όϦΤʔγϣϯ͕͋Δ


    ਪ͠Λݟ͚ͭͯ௥͍͔͚Α͏

    View Slide


  64. ऴΘΓʹɿΘͨ͠ͷࣥ೦ΛோΊ͍ͯͩ͘͞
    https://dev.classmethod.jp/articles/aws-services-with-aws-servicenamespaces/
    ೥຤೥࢝ͷ࣌ؒΛ๋͛·ͨ͠

    View Slide