Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover

YukihiroChiba
August 01, 2022
Technology
0
4.4k

 ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover

YukihiroChiba

August 01, 2022
Tweet

More Decks by YukihiroChiba

See All by YukihiroChiba
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
2.4k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
360
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
3k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.1k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
4k
どこで動いてるの?AWS IAM のコントロールプレーンとデータプレーンに思いを馳せる/iam-background
yukihirochiba
0
3.2k
AWS Service Namespace を流行らせたい/ AWS Service Namespace to become popular
yukihirochiba
0
1.7k
1年ぶりにAWS Nitroに想いを馳せる/Nitro-ni-shinitro
yukihirochiba
0
1.2k
RIとSPって何が違うの?選択において押さえておくべきポイント/ec2-reserved-instances-savings-plans-comparison
yukihirochiba
1
12k

Other Decks in Technology

See All in Technology
Goで実装された高速な
仮想待合室サーバの実装と詳解
pyama86
13
5.6k
Product Ops: Conectando Estratégia e Execução de Produto
rigolon
1
120
サーバーレスアーキテクチャを使って、小さく作って大きくする取り組み
daikimori
0
320
YouTubeへのライブ配信機能をリリースするまで
yurihondo
0
810
Web PubSubで創るマイ都市デジタルツイン 〜WebSocketはPostmanでテストするのだよ〜
nagix
0
270
R Not Only in Production
karawoo
0
130
【初心者向け】まだ間に合う! Hugging Face入門 -TransformersでAI推論&学習
tkhresk
3
630
テスト文化の成熟:自動テストが浸透した組織が次に目指すべきステップ
igsr5
4
640
Beyond the Baseline: Horizons for Cloud Security Programs
ramimac
0
140
DevOpsDays Taipei 2023 行前攻略
devopstaiwan
0
220
データベーススペシャリストというキャリアと生存戦略 ~10年後も変わらないこと、変わること / career-spiral
soudai
15
4.3k
モチベーションサイクルという観点でQAをしよう
mixi_engineers
PRO
1
140

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
236
10k
Why Our Code Smells
bkeepers
PRO
329
56k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
What the flash - Photography Introduction
edds
64
11k
WebSockets: Embracing the real-time Web
robhawkes
58
6.5k
A Modern Web Designer's Workflow
chriscoyier
688
190k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
184
15k
Happy Clients
brianwarren
92
6.1k
Making Projects Easy
brettharned
104
5.1k
4 Signs Your Business is Dying
shpigford
172
21k

Transcript


  1. "84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿޾޺ʢνόϢΩʣ
    ࢲͷ"84ѪΛฉ͚ʂ
    ͕͜͜޷͖ͩΑ
    "84*".ͷ"84؅ཧϙϦγʔ

    View Slide

  2. ࣗݾ঺հ
    ઍ༿޾޺
    νόϢΩ

    w"84ྺɿ೥ڧ
    w޷͖ͳ"84αʔϏεɿ"84*".
    w޷͖ͳ͓໘ͷछྨɿఱۡͷ͓໘
    ࠓճͷεϥΠυ͸ຕ͋Γ·͢

    View Slide


  3. ɻ

    View Slide


  4. ͳΜͷ਺ࣈ͔Θ͔ΔͰ͠ΐ͏͔ʁ

    View Slide


  5. ͳΜͷ਺ࣈ͔Θ͔ΔͰ͠ΐ͏͔ʁ

    Կ͔Λ߹ܭͨ͠਺Ͱ͢

    View Slide


  6. ݴ͑Δ͔ͳʁ

    ϙ˓Ϟϯͷछྨ
    ˞8JLJQFEJBΑΓɻୈੈ୅͸আ͘ɻ
    IUUQTKBXJLJQFEJBPSHXJLJશࠃϙέϞϯਤؑॱͷϙέϞϯҰཡ

    View Slide


  7. ϙ˓ϞϯΑΓଟ͍"84؅ཧϙϦγʔ

    "84؅ཧ
    ϙϦγʔͷ਺
    ˞ +5$
    ࣌఺
    ͰΞΫςΟϒͳ΋ͷ
    ϙ˓Ϟϯͷछྨ
    ˞8JLJQFEJBΑΓɻୈੈ୅͸আ͘ɻ
    IUUQTKBXJLJQFEJBPSHXJLJશࠃϙέϞϯਤؑॱͷϙέϞϯҰཡ

    View Slide

  8. ͕͜͜޷͖ͩΑ"84؅ཧϙϦγʔ
    wࣗಈͰ࡞੒ɾߋ৽͞ΕΔ
    wͨ͘͞Μ͋Δ͠ɺͨ·ʹ͍ͳ͘ͳΔ
    w໊শ΍આ໌ʹϑϦʔμϜ͞Λײ͡Δ
    ޷͖ͩͳ͊

    View Slide


  9. "84؅ཧϙϦγʔͱ͸

    View Slide

  10. "84؅ཧϙϦγʔͱ͸
    "84͕؅ཧ͢ΔϙϦγʔ
    ͷ͜ͱͰ͢

    View Slide

  11. "84؅ཧϙϦγʔͱ͸
    "84͕؅ཧ͢ΔϙϦγʔ
    ͷ͜ͱͰ͢
    ΠϯϥΠϯͰͳ͍
    ΧελϚʔ؅ཧͰͳ͍

    View Slide

  12. ϙϦγʔΛΠϯϥΠϯ͔؅ཧ͔ͷ੾ΓޱͰݟ͍ͯ͘
    ϙϦγʔ ΠϯϥΠϯϙϦγʔ
    ؅ཧϙϦγʔ
    όʔδϣϯ؅ཧɺελϯυΞϩϯɺ
    ෳ਺Ϧιʔε΁ͷΞλον͕Մೳ
    *".Ϧιʔε΁ͷຒΊࠐΈ
    ೥݄ʹొ৔

    View Slide


  13. ϙϦγʔ ΠϯϥΠϯϙϦγʔ
    ؅ཧϙϦγʔ
    ΧελϚʔ
    ؅ཧϙϦγʔ
    "84
    ؅ཧϙϦγʔ
    όʔδϣϯ؅ཧɺελϯυΞϩϯɺ
    ෳ਺Ϧιʔε΁ͷΞλον͕Մೳ
    *".Ϧιʔε΁ͷຒΊࠐΈ
    "84ʹΑΓ؅ཧ͞ΕΔ
    ΧελϚʔ͕؅ཧ
    ࠓճऔΓ্͛Δͷ͸͜Ε
    ϙϦγʔΛΠϯϥΠϯ͔؅ཧ͔ͷ੾ΓޱͰݟ͍ͯ͘

    View Slide


  14. ϙϦγʔ ΠϯϥΠϯϙϦγʔ
    ؅ཧϙϦγʔ
    ΧελϚʔ
    ؅ཧϙϦγʔ
    όʔδϣϯ؅ཧɺελϯυΞϩϯɺ
    ෳ਺Ϧιʔε΁ͷΞλον͕Մೳ
    *".Ϧιʔε΁ͷຒΊࠐΈ
    "84ʹΑΓ؅ཧ͞ΕΔ
    ৬຿ػೳ༻
    αʔϏε
    ϩʔϧ༻
    αʔϏεϦϯΫ
    ϩʔϧ 4-3

    ্هҎ֎
    ΧελϚʔ͕؅ཧ
    ϙϦγʔͷύε͔Β൑ผ
    ϙϦγʔΛΠϯϥΠϯ͔؅ཧ͔ͷ੾ΓޱͰݟ͍ͯ͘
    "84
    ؅ཧϙϦγʔ

    View Slide

  15. ͨͷ͍͠ʂ
    ϙϦγʔ ΠϯϥΠϯϙϦγʔ
    ؅ཧϙϦγʔ
    ΧελϚʔ
    ؅ཧϙϦγʔ
    ৬຿ػೳ༻
    αʔϏε
    ϩʔϧ༻
    αʔϏεϦϯΫ
    ϩʔϧ 4-3

    ্هҎ֎
    ͨͷ͍͠ʂ
    "84
    ؅ཧϙϦγʔ
    ৽αʔϏεɺ৽ػೳͷൃදʹઌߦͯ͠
    ࡞੒ɾߋ৽͞Ε͍ͯΔ͜ͱ͕ଟ͍

    View Slide


  16. ਺ࣈͰݟΔ
    "84؅ཧϙϦγʔ

    View Slide


  17. ࠶ܝ

    "84؅ཧ
    ϙϦγʔͷ਺
    ϙ˓Ϟϯͷछྨ
    ˞8JLJQFEJBΑΓɻୈੈ୅͸আ͘ɻ
    IUUQTKBXJLJQFEJBPSHXJLJશࠃϙέϞϯਤؑॱͷϙέϞϯҰཡ
    ˞ +5$
    ࣌఺
    ͰΞΫςΟϒͳ΋ͷ

    View Slide


  18. Ͳͷ͘Β͍ͷϖʔεͰ
    ૿͍͑ͯΔͷ͔ʁ

    View Slide

  19. ೥͝ͱʹݟΔ"84؅ཧϙϦγʔͷ૿Ճ
    ΄΅ຖ೥௒
    ૿͑ͯΔ

    View Slide


  20. Ͳͷ݄͕͍ͪ͹Μ
    ૿͍͑ͯΔͷ͔ʁ

    View Slide

  21. ݄͝ͱʹݟΔ"84؅ཧϙϦγʔͷ૿Ճ
    ݄΋ଟ͍ͷʁ

    View Slide

  22. ೥ͱ݄͝ͱʹݟΔ"84؅ཧϙϦγʔͷ૿Ճ
    ೥݄
    ͕ଟ͍͚ͩͩͬͨ

    View Slide


  23. ͜Ε·Ͱͷ૿Ճ܏޲Λ
    ݄͝ͱʹݟΔ

    View Slide

  24. ΍ͬͺΓ݄ͱ݄͕ͭΑ͍

    View Slide

  25. ΍ͬͺΓ݄ͱ݄͕ͭΑ͍
    ೥຤͸
    "84؅ཧϙϦγʔͷ०

    View Slide


  26. ݮΔ͜ͱ΋͋ΔΑɺ
    "84؅ཧϙϦγʔ

    View Slide

  27. ඇਪ঑ͷ"84؅ཧϙϦγʔ
    wඇਪ঑ʢഇࢭɾ%FQSFDBUFEʣʹͳΔͱʜʜ
    wΞλονࡁΈͷ৔߹
    wΞλον͸ܧଓ͞ΕΔ
    wϙϦγʔͷޮྗ΋ܧଓ͞ΕΔ
    wΞλον͞Εͯͳ͍৔߹
    w৽نͷΞλον͕Ͱ͖ͳ͍ʢ*T"UUBDIBCMFGBMTFʣ
    wදࣔ͞Εͳ͘ͳΔ

    View Slide

  28. ΋͍ͬͨͳͯ͘ϦϦʔεͰ͖ͳ͍
    "NB[PO$POOFDU'VMM"DDFTT
    "NB[PO$POOFDU'VMM"DDFTT
    "NB[PO$POOFDU@'VMM"DDFTT
    %FQSFDBUFEʢഇࢭࡁΈʣ
    ৽͍͠ϙϦγʔ

    View Slide

  29. কདྷతʹඇਪ঑ʹͳΓͦ͏ͳϙϦγʔ
    w"NB[PO%ZOBNP%#'VMM"DDFTTXJUI%BUB1JQFMJOF
    w"NB[PO&$3PMFGPS44.
    w"NB[PO&MBTUJD.BQ3FEVDF'VMM"DDFTT
    w"NB[PO&MBTUJD.BQ3FEVDF3PMF
    w"84%BUB1JQFMJOF3PMF
    ʮઆ໌ʯʹEFQSFDBUJPO
    ΋͘͠͸EFQSFDBUFEΛ
    ؚΉ΋ͷΛ୳͠·ͨ͠

    View Slide


  30. "84؅ཧϙϦγʔ
    ͷѪͰํ

    View Slide


  31. "84$-*ͱKRͰ$47ग़ྗͯ͠
    εϓϨουγʔτͰѪͰ·͠ΐ͏

    View Slide

  32. BXTJBNMJTUQPMJDJFT
    aws iam list-policies\


    --scope AWS\


    --max-items 1000\


    | jq -r '


    ["ϙϦγʔ໊","ύε","σϑΥϧτόʔδϣϯ","࡞੒೔࣌","ߋ৽೔࣌","ΞλονՄ൱"],


    (.Policies[] | [.PolicyName,.Path,.DefaultVersionId,.CreateDate,.UpdateDate,.IsAttachable]) | @csv' | pbcopy
    είʔϓͱͯ͠ʮ"84ʯΛࢦఆ͠ɺ
    KRͰඞཁͳՕॴͷΈϑΟϧλϦϯά$47Խ͠ɺ
    ΫϦοϓϘʔυʹίϐʔʢ.BDͷ৔߹ʣ
    Ұ౓ͷ࣮ߦͰશྔΛ
    औಘͰ͖ͳ͘ͳΔ೔΋ۙͦ͏

    View Slide

  33. ͜͏ͯ͠ɺ

    View Slide

  34. ͜͏ͯ͠ɺ͜͏ͯ͠ɺ

    View Slide

  35. ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ

    View Slide

  36. ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏

    View Slide

  37. ͜͏ͯ͠ɺ

    View Slide

  38. ͜͏ͯ͠ɺ͜͏ͯ͠ɺ

    View Slide

  39. ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ

    View Slide

  40. ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏

    View Slide

  41. ৚݅ͰϑΟϧλ
    ;ˠ"Ͱฒ΂
    $06/5*'4

    ͋ͱ͸͍͔Α͏ʹ΋ʂ
    -&/

    View Slide

  42. ʮઆ໌ʯ΋ཉ͚͠Ε͹BXTJBNHFUQPMJDZ
    aws iam list-policies --max-items 1000 --scope AWS | jq -r '.Policies[].Arn' \


    | while read policy; do


    aws iam get-policy --policy-arn $policy \


    | jq -r '.Policy | [.PolicyName,.Description] | @csv' >> policies.csv


    done
    MJTUQPMJDJFTͷ݁ՌΛͻͱͭͣͭ৯Θͤͯ
    HFUQPMJDZͰϙϦγʔ໊ɺઆ໌Λग़ྗ
    ͋ͱ͸7-00,61ؔ਺ͰؤுΔ
    ෼͘Β͍͔͔ͬͨ
    ؾ͕͠·͢

    View Slide


  43. "84؅ཧϙϦγʔ
    ͳΜͰ΋ϥϯΩϯά
    ˞ +5$
    ࣌఺

    View Slide


  44. ϙϦγʔ໊ͷ௕͞

    View Slide

  45. ϙϦγʔ໊ͷ௕͞ͷ্ݶ͸
    ͍ͪ͹Μ௕͍ จࣈ

    "NB[PO4BHF.BLFS4FSWJDF$BUBMPH1SPEVDUT$MPVEGPSNBUJPO4FSWJDF3PMF1PMJDZ
    ͍ͪ͹Μ୹͍ จࣈ

    #JMMJOH
    ௕͍Αʂ
    ୹͍Αʂ
    ฏۉ஋ɿจࣈ
    தԝ஋ɿจࣈ

    View Slide


  46. આ໌ͷ௕͞

    View Slide

  47. આ໌ͷ௕͞ͷ্ݶ͸
    ͍ͪ͹Μ௕͍ จࣈ

    5IJTQPMJDZJTBUUBDIFEUPUIF&MBTUJD%JTBTUFS3FDPWFSZ3FQMJDBUJPOTFSWFSTJOTUBODFSPMF5IJTQPMJDZBMMPXTUIF&MBTUJD%JTBTUFS3FDPWFSZ %34

    3FQMJDBUJPO4FSWFST XIJDIBSF&$JOTUBODFTMBVODIFECZ&MBTUJD%JTBTUFS3FDPWFSZUPDPNNVOJDBUFXJUIUIF%34TFSWJDF BOEUPDSFBUF
    TOBQTIPUTJOZPVS"84BDDPVOU"O*".SPMFXJUIUIJTQPMJDZJTBUUBDIFE BTBO&$*OTUBODF1SP
    fi
    MF
    CZ&MBTUJD%JTBTUFS3FDPWFSZUPUIF%34
    3FQMJDBUJPO4FSWFSTXIJDIBSFBVUPNBUJDBMMZMBVODIFEBOEUFSNJOBUFECZ%34 BTOFFEFE%343FQMJDBUJPO4FSWFSTBSFVTFEUPGBDJMJUBUFEBUB
    SFQMJDBUJPOGSPNZPVSFYUFSOBMTFSWFSTUP"84 BTQBSUPGUIFSFDPWFSZQSPDFTTNBOBHFECZ%348FEPOPUSFDPNNFOEUIBUZPVBUUBDIUIJT
    QPMJDZUPZPVS*".VTFSTPSSPMFT
    ͍ͪ͹Μ୹͍ จࣈ

    %FOZBMMBDDFTT
    ௕͍Αʂ
    ඒ͢͠͞Βײ͡Δ
    ฏۉ஋ɿจࣈ
    தԝ஋ɿจࣈ
    "84&MBTUJD%JTBTUFS3FDPWFSZ3FQMJDBUJPO4FSWFS1PMJDZ
    "84%FOZ"MM

    View Slide


  48. όʔδϣϯ਺

    View Slide

  49. ͪͳΈʹ7JFX0OMZ"DDFTT͸όʔδϣϯ਺ͰҐ
    3FBE0OMZ"DDFTT
    "84$PO
    fi
    H3PMF
    4FDVSJUZ"VEJU
    "84$PO
    fi
    H4FSWJDF3PMF1PMJDZ
    '.44FSWJDF3PMF1PMJDZ
    "844VQQPSU4FSWJDF3PMF1PMJDZ
    "NB[PO4BHF.BLFS'VMM"DDFTT
    $MPVEXBUDI"QQMJDBUJPO*OTJHIUT4FSWJDF-JOLFE3PMF1PMJDZ
    "NB[PO&$4@'VMM"DDFTT
    "844FSWJDF3PMF'PS*NBHF#VJMEFS
    όʔδϣϯ਺501
    ɹ
    ɹ
    ɹ
    ɹ
    ɹ
    ɹ
    ɹ
    ɹ
    ɹ

    ͓ੈ࿩ʹͳͬͯ·͢

    View Slide


  50. ͕͜͜޷͖ͩΑ
    "84؅ཧϙϦγʔ

    View Slide


  51. ϙϦγʔ໊ͱ͔આ໌ʹ
    ͳΜ͔͜͏ʜʜ
    ϑϦʔμϜ͞Λײ͡Δ

    View Slide

  52. ͔ͦ͜͜͠ʹજΉѪ͠͞ϙΠϯτ
    wʙ3FBE0OMZ"DDFTTͩͬͨΓʙ3FBE0OMZͩͬͨΓ
    w3FBE0OMZ͡Όͳͯ͘3FBEPOMZ΋͋Δ
    wʮ"84ʯ΍ʮ"NB[POʯͷ઀಄͍ࣙͭͨΓ͔ͭͳ͔ͬͨΓ͢Δ
    wʙ'VMM"DDFTT ʙ3FBE0OMZ"DDFTTͷલʹΞϯμʔείΞ͋ͬͨΓͳ͔ͬͨΓ
    wʙ4FSWJDF3PMFͩͬͨΓʙ4FSWJDF3PMF1PMJDZͩͬͨΓ
    wαʔϏε໊ུ͕শͩͬͨΓϑϧ໊শͩͬͨΓ
    wΞϯμʔείΞͦ͜ʹڬΉΜͩʜʜͱͳͬͨΓ
    "NB[PO$POOFDU'VMM"DDFTT
    "NB[PO$POOFDU@'VMM"DDFTT "84$PO
    fi
    H3PMF
    "84@$PO
    fi
    H3PMF
    "84$MPVE5SBJM3FBE0OMZ"DDFTT
    "84$MPVE5SBJM@3FBE0OMZ"DDFTT
    ϙϦγʔͷ໋໊نଇ·ΘΓ

    View Slide

  53. ͔ͦ͜͜͠ʹજΉѪ͠͞ϙΠϯτ
    w"NB[PO$IJNF4%,
    w"84&MBTUJD#FBOTUBML&OIBODFE)FBMUI
    w"NB[PO'SFF350405"6QEBUF
    w"MFYB'PS#VTJOFTT%FWJDF4FUVQ
    w"84$MPVE'SPOU-PHHFS
    w"84*P53VMF"DUJPOT
    ͪΐͬͱݟͩͱϙϦγʔ໊ͱΘ͔Βͳ͍ݸੑతͳ໊લͨͪ
    w"84-BNCEB*OWPDBUJPO%ZOBNP%#
    w*".6TFS44),FZT
    w"NB[PO44.1BUDI"TTPDJBUJPO
    w"840QT8PSLT3FHJTUFS$-*@&$
    w*743FDPSE5P4
    w&$*OTUBODF$POOFDU

    View Slide

  54. ͔ͦ͜͜͠ʹજΉѪ͠͞ϙΠϯτ
    w຤ඌͷʮʯ͕͍ͭͨΓ͔ͭͳ͔ͬͨΓ
    wͪͳΈʹʮʯ͕෇͘ͷ͸ݸதݸ
    w5IJTQPMJDZ͔Β࢝·ͬͨΓ5IJT*".QPMJDZ͔Β࢝·ͬͨΓ
    w͍͖ͳΓಈࢺ͔Β࢝·Δύλʔϯ΋ଟ͍
    wSFBEPOMZͩͬͨΓSFBEPOMZͩͬͨΓ
    w%0/0564&ͬͯॻ͍ͯ͋ͬͨΓ
    wจࣈॻ͍ͯ͋ͬͨΓจࣈͰऴΘͬͨΓ
    ϙϦγʔͷઆ໌ͷதʹ΋

    View Slide


  55. ͢΂͕ͯѪ͓͍͠ͳʜʜ

    View Slide


  56. ͩͬͯͦ͜ʹ͸
    ྺ࢙
    νʔϜͷଟ͞
    ײ͡ΒΕΔ͔Β
    ͱ
    Λ

    View Slide

  57. "84ͱ͍͏αʔϏεͷཪʹ͍Δ਺ଟͷਓʑʜʜ

    View Slide


  58. ·ͱΊ

    View Slide

  59. ͕͜͜޷͖ͩΑ"84؅ཧϙϦγʔ
    wͦ͜ʹ͸ະདྷɺͦͯ͠ྺ࢙ɺͭ·Γ"84ͷ͢΂͕ͯ
    ͋Δ
    wόϦΤʔγϣϯ๛͔ɺͦΕͰ͍ͯফ͑Δ͔΋͠Εͳ͍
    ၪ͞
    wਪ͠ϙϦγʔΛݟ͚ͭΑ͏ʂ

    View Slide

  60. Ͳ͕ͬͪઌʹ ʹ౸ୡ͢Δ͔ͳʁ

    View Slide

  61. View Slide