ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover

"84ࣄۀຊ෦ίϯαϧςΟϯά෦ઍ༿޾޺ʢνόϢΩʣ ࢲͷ"84ѪΛฉ͚ʂ ͕͜͜޷͖ͩΑ "84*".ͷ"84؅ཧϙϦγʔ

ࣗݾ঺հ ઍ༿޾޺ νόϢΩ w"84ྺɿ೥ڧ w޷͖ͳ"84αʔϏεɿ"84*". w޷͖ͳ͓໘ͷछྨɿఱۡͷ͓໘ ࠓճͷεϥΠυ͸ຕ͋Γ·͢

ͳΜͷ਺ࣈ͔Θ͔ΔͰ͠ΐ͏͔ʁ

ͳΜͷ਺ࣈ͔Θ͔ΔͰ͠ΐ͏͔ʁ Կ͔Λ߹ܭͨ͠਺Ͱ͢

ݴ͑Δ͔ͳʁ ϙ˓Ϟϯͷछྨ ˞8JLJQFEJBΑΓɻୈੈ୅͸আ͘ɻ IUUQTKBXJLJQFEJBPSHXJLJશࠃϙέϞϯਤؑॱͷϙέϞϯҰཡ

ϙ˓ϞϯΑΓଟ͍"84؅ཧϙϦγʔ "84؅ཧ ϙϦγʔͷ਺ ˞ +5$ ࣌఺ ͰΞΫςΟϒͳ΋ͷ
ϙ˓Ϟϯͷछྨ ˞8JLJQFEJBΑΓɻୈੈ୅͸আ͘ɻ IUUQTKBXJLJQFEJBPSHXJLJશࠃϙέϞϯਤؑॱͷϙέϞϯҰཡ

͕͜͜޷͖ͩΑ"84؅ཧϙϦγʔ wࣗಈͰ࡞੒ɾߋ৽͞ΕΔ wͨ͘͞Μ͋Δ͠ɺͨ·ʹ͍ͳ͘ͳΔ w໊শ΍આ໌ʹϑϦʔμϜ͞Λײ͡Δ ޷͖ͩͳ͊

"84؅ཧϙϦγʔͱ͸

"84؅ཧϙϦγʔͱ͸ "84͕؅ཧ͢ΔϙϦγʔ ͷ͜ͱͰ͢

"84؅ཧϙϦγʔͱ͸ "84͕؅ཧ͢ΔϙϦγʔ ͷ͜ͱͰ͢ ΠϯϥΠϯͰͳ͍ ΧελϚʔ؅ཧͰͳ͍

ϙϦγʔΛΠϯϥΠϯ͔؅ཧ͔ͷ੾ΓޱͰݟ͍ͯ͘ ϙϦγʔ ΠϯϥΠϯϙϦγʔ ؅ཧϙϦγʔ όʔδϣϯ؅ཧɺελϯυΞϩϯɺ ෳ਺Ϧιʔε΁ͷΞλον͕Մೳ *".Ϧιʔε΁ͷຒΊࠐΈ ೥݄ʹొ৔

ϙϦγʔ ΠϯϥΠϯϙϦγʔ ؅ཧϙϦγʔ ΧελϚʔ ؅ཧϙϦγʔ "84 ؅ཧϙϦγʔ όʔδϣϯ؅ཧɺελϯυΞϩϯɺ ෳ਺Ϧιʔε΁ͷΞλον͕Մೳ
*".Ϧιʔε΁ͷຒΊࠐΈ "84ʹΑΓ؅ཧ͞ΕΔ ΧελϚʔ͕؅ཧ ࠓճऔΓ্͛Δͷ͸͜Ε ϙϦγʔΛΠϯϥΠϯ͔؅ཧ͔ͷ੾ΓޱͰݟ͍ͯ͘

ϙϦγʔ ΠϯϥΠϯϙϦγʔ ؅ཧϙϦγʔ ΧελϚʔ ؅ཧϙϦγʔ όʔδϣϯ؅ཧɺελϯυΞϩϯɺ ෳ਺Ϧιʔε΁ͷΞλον͕Մೳ *".Ϧιʔε΁ͷຒΊࠐΈ "84ʹΑΓ؅ཧ͞ΕΔ
৬຿ػೳ༻ αʔϏε ϩʔϧ༻ αʔϏεϦϯΫ ϩʔϧ 4-3 ༻ ্هҎ֎ ΧελϚʔ͕؅ཧ ϙϦγʔͷύε͔Β൑ผ ϙϦγʔΛΠϯϥΠϯ͔؅ཧ͔ͷ੾ΓޱͰݟ͍ͯ͘ "84 ؅ཧϙϦγʔ

ͨͷ͍͠ʂ ϙϦγʔ ΠϯϥΠϯϙϦγʔ ؅ཧϙϦγʔ ΧελϚʔ ؅ཧϙϦγʔ ৬຿ػೳ༻ αʔϏε ϩʔϧ༻
αʔϏεϦϯΫ ϩʔϧ 4-3 ༻ ্هҎ֎ ͨͷ͍͠ʂ "84 ؅ཧϙϦγʔ ৽αʔϏεɺ৽ػೳͷൃදʹઌߦͯ͠ ࡞੒ɾߋ৽͞Ε͍ͯΔ͜ͱ͕ଟ͍

਺ࣈͰݟΔ "84؅ཧϙϦγʔ

࠶ܝ "84؅ཧ ϙϦγʔͷ਺ ϙ˓Ϟϯͷछྨ ˞8JLJQFEJBΑΓɻୈੈ୅͸আ͘ɻ IUUQTKBXJLJQFEJBPSHXJLJશࠃϙέϞϯਤؑॱͷϙέϞϯҰཡ ˞
+5$ ࣌఺ ͰΞΫςΟϒͳ΋ͷ

Ͳͷ͘Β͍ͷϖʔεͰ ૿͍͑ͯΔͷ͔ʁ

೥͝ͱʹݟΔ"84؅ཧϙϦγʔͷ૿Ճ ΄΅ຖ೥௒ ૿͑ͯΔ

Ͳͷ݄͕͍ͪ͹Μ ૿͍͑ͯΔͷ͔ʁ

݄͝ͱʹݟΔ"84؅ཧϙϦγʔͷ૿Ճ ݄΋ଟ͍ͷʁ

೥ͱ݄͝ͱʹݟΔ"84؅ཧϙϦγʔͷ૿Ճ ೥݄ ͕ଟ͍͚ͩͩͬͨ

͜Ε·Ͱͷ૿Ճ܏޲Λ ݄͝ͱʹݟΔ

΍ͬͺΓ݄ͱ݄͕ͭΑ͍

΍ͬͺΓ݄ͱ݄͕ͭΑ͍ ೥຤͸ "84؅ཧϙϦγʔͷ०

ݮΔ͜ͱ΋͋ΔΑɺ "84؅ཧϙϦγʔ

ඇਪ঑ͷ"84؅ཧϙϦγʔ wඇਪ঑ʢഇࢭɾ%FQSFDBUFEʣʹͳΔͱʜʜ wΞλονࡁΈͷ৔߹ wΞλον͸ܧଓ͞ΕΔ wϙϦγʔͷޮྗ΋ܧଓ͞ΕΔ wΞλον͞Εͯͳ͍৔߹ w৽نͷΞλον͕Ͱ͖ͳ͍ʢ*T"UUBDIBCMFGBMTFʣ wදࣔ͞Εͳ͘ͳΔ

΋͍ͬͨͳͯ͘ϦϦʔεͰ͖ͳ͍ "NB[PO$POOFDU'VMM"DDFTT "NB[PO$POOFDU'VMM"DDFTT "NB[PO$POOFDU@'VMM"DDFTT %FQSFDBUFEʢഇࢭࡁΈʣ ৽͍͠ϙϦγʔ

কདྷతʹඇਪ঑ʹͳΓͦ͏ͳϙϦγʔ w"NB[PO%ZOBNP%#'VMM"DDFTTXJUI%BUB1JQFMJOF w"NB[PO&$3PMFGPS44. w"NB[PO&MBTUJD.BQ3FEVDF'VMM"DDFTT w"NB[PO&MBTUJD.BQ3FEVDF3PMF w"84%BUB1JQFMJOF3PMF ʮઆ໌ʯʹEFQSFDBUJPO ΋͘͠͸EFQSFDBUFEΛ ؚΉ΋ͷΛ୳͠·ͨ͠

"84؅ཧϙϦγʔ ͷѪͰํ

"84$-*ͱKRͰ$47ग़ྗͯ͠ εϓϨουγʔτͰѪͰ·͠ΐ͏

BXTJBNMJTUQPMJDJFT aws iam list-policies\ --scope AWS\ --max-items 1000\ |
jq -r ' ["ϙϦγʔ໊","ύε","σϑΥϧτόʔδϣϯ","࡞੒೔࣌","ߋ৽೔࣌","ΞλονՄ൱"], (.Policies[] | [.PolicyName,.Path,.DefaultVersionId,.CreateDate,.UpdateDate,.IsAttachable]) | @csv' | pbcopy είʔϓͱͯ͠ʮ"84ʯΛࢦఆ͠ɺ KRͰඞཁͳՕॴͷΈϑΟϧλϦϯά $47Խ͠ɺ ΫϦοϓϘʔυʹίϐʔʢ.BDͷ৔߹ʣ Ұ౓ͷ࣮ߦͰશྔΛ औಘͰ͖ͳ͘ͳΔ೔΋ۙͦ͏

͜͏ͯ͠ɺ

͜͏ͯ͠ɺ͜͏ͯ͠ɺ

͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ

͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏

͜͏ͯ͠ɺ

͜͏ͯ͠ɺ͜͏ͯ͠ɺ

͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ

͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏ͯ͠ɺ͜͏

৚݅ͰϑΟϧλ ;ˠ"Ͱฒ΂ $06/5*'4 ͋ͱ͸͍͔Α͏ʹ΋ʂ -&/

ʮઆ໌ʯ΋ཉ͚͠Ε͹BXTJBNHFUQPMJDZ aws iam list-policies --max-items 1000 --scope AWS |
jq -r '.Policies[].Arn' \ | while read policy; do aws iam get-policy --policy-arn $policy \ | jq -r '.Policy | [.PolicyName,.Description] | @csv' >> policies.csv done MJTUQPMJDJFTͷ݁ՌΛͻͱͭͣͭ৯Θͤͯ HFUQPMJDZͰϙϦγʔ໊ɺઆ໌Λग़ྗ ͋ͱ͸7-00,61ؔ਺ͰؤுΔ ෼͘Β͍͔͔ͬͨ ؾ͕͠·͢

"84؅ཧϙϦγʔ ͳΜͰ΋ϥϯΩϯά ˞ +5$ ࣌఺

ϙϦγʔ໊ͷ௕͞

ϙϦγʔ໊ͷ௕͞ͷ্ݶ͸ ͍ͪ͹Μ௕͍ จࣈ "NB[PO4BHF.BLFS4FSWJDF$BUBMPH1SPEVDUT$MPVEGPSNBUJPO4FSWJDF3PMF1PMJDZ ͍ͪ͹Μ୹͍ จࣈ #JMMJOH ௕͍Αʂ ୹͍Αʂ
ฏۉ஋ɿจࣈ தԝ஋ɿจࣈ

આ໌ͷ௕͞

આ໌ͷ௕͞ͷ্ݶ͸ ͍ͪ͹Μ௕͍ จࣈ 5IJTQPMJDZJTBUUBDIFEUPUIF&MBTUJD%JTBTUFS3FDPWFSZ3FQMJDBUJPOTFSWFSTJOTUBODFSPMF5IJTQPMJDZBMMPXTUIF&MBTUJD%JTBTUFS3FDPWFSZ %34 3FQMJDBUJPO4FSWFST XIJDIBSF&$JOTUBODFTMBVODIFECZ&MBTUJD%JTBTUFS3FDPWFSZUPDPNNVOJDBUFXJUIUIF%34TFSWJDF BOEUPDSFBUF&#4
TOBQTIPUTJOZPVS"84BDDPVOU"O*".SPMFXJUIUIJTQPMJDZJTBUUBDIFE BTBO&$*OTUBODF1SP fi MF CZ&MBTUJD%JTBTUFS3FDPWFSZUPUIF%34 3FQMJDBUJPO4FSWFSTXIJDIBSFBVUPNBUJDBMMZMBVODIFEBOEUFSNJOBUFECZ%34 BTOFFEFE%343FQMJDBUJPO4FSWFSTBSFVTFEUPGBDJMJUBUFEBUB SFQMJDBUJPOGSPNZPVSFYUFSOBMTFSWFSTUP"84 BTQBSUPGUIFSFDPWFSZQSPDFTTNBOBHFECZ%348FEPOPUSFDPNNFOEUIBUZPVBUUBDIUIJT QPMJDZUPZPVS*".VTFSTPSSPMFT ͍ͪ͹Μ୹͍ จࣈ %FOZBMMBDDFTT ௕͍Αʂ ඒ͢͠͞Βײ͡Δ ฏۉ஋ɿจࣈ தԝ஋ɿจࣈ "84&MBTUJD%JTBTUFS3FDPWFSZ3FQMJDBUJPO4FSWFS1PMJDZ "84%FOZ"MM

όʔδϣϯ਺

ͪͳΈʹ7JFX0OMZ"DDFTT͸όʔδϣϯ਺ͰҐ 3FBE0OMZ"DDFTT "84$PO fi H3PMF 4FDVSJUZ"VEJU
"84$PO fi H4FSWJDF3PMF1PMJDZ '.44FSWJDF3PMF1PMJDZ "844VQQPSU4FSWJDF3PMF1PMJDZ "NB[PO4BHF.BLFS'VMM"DDFTT $MPVEXBUDI"QQMJDBUJPO*OTJHIUT4FSWJDF-JOLFE3PMF1PMJDZ "NB[PO&$4@'VMM"DDFTT "844FSWJDF3PMF'PS*NBHF#VJMEFS όʔδϣϯ਺501 ɹ ɹ ɹ ɹ ɹ ɹ ɹ ɹ ɹ ͓ੈ࿩ʹͳͬͯ·͢

͕͜͜޷͖ͩΑ "84؅ཧϙϦγʔ

ϙϦγʔ໊ͱ͔આ໌ʹ ͳΜ͔͜͏ʜʜ ϑϦʔμϜ͞Λײ͡Δ

͔ͦ͜͜͠ʹજΉѪ͠͞ϙΠϯτ wʙ3FBE0OMZ"DDFTTͩͬͨΓʙ3FBE0OMZͩͬͨΓ w3FBE0OMZ͡Όͳͯ͘3FBEPOMZ΋͋Δ wʮ"84ʯ΍ʮ"NB[POʯͷ઀಄͍ࣙͭͨΓ͔ͭͳ͔ͬͨΓ͢Δ wʙ'VMM"DDFTT ʙ3FBE0OMZ"DDFTTͷલʹΞϯμʔείΞ͋ͬͨΓͳ͔ͬͨΓ wʙ4FSWJDF3PMFͩͬͨΓʙ4FSWJDF3PMF1PMJDZͩͬͨΓ wαʔϏε໊ུ͕শͩͬͨΓϑϧ໊শͩͬͨΓ wΞϯμʔείΞͦ͜ʹڬΉΜͩʜʜͱͳͬͨΓ
"NB[PO$POOFDU'VMM"DDFTT "NB[PO$POOFDU@'VMM"DDFTT "84$PO fi H3PMF "84@$PO fi H3PMF "84$MPVE5SBJM3FBE0OMZ"DDFTT "84$MPVE5SBJM@3FBE0OMZ"DDFTT ϙϦγʔͷ໋໊نଇ·ΘΓ

͔ͦ͜͜͠ʹજΉѪ͠͞ϙΠϯτ w"NB[PO$IJNF4%, w"84&MBTUJD#FBOTUBML&OIBODFE)FBMUI w"NB[PO'SFF350405"6QEBUF w"MFYB'PS#VTJOFTT%FWJDF4FUVQ w"84$MPVE'SPOU-PHHFS w"84*P53VMF"DUJPOT ͪΐͬͱݟͩͱϙϦγʔ໊ͱΘ͔Βͳ͍ݸੑతͳ໊લͨͪ w"84-BNCEB*OWPDBUJPO%ZOBNP%#
w*".6TFS44),FZT w"NB[PO44.1BUDI"TTPDJBUJPO w"840QT8PSLT3FHJTUFS$-*@&$ w*743FDPSE5P4 w&$*OTUBODF$POOFDU

͔ͦ͜͜͠ʹજΉѪ͠͞ϙΠϯτ w຤ඌͷʮʯ͕͍ͭͨΓ͔ͭͳ͔ͬͨΓ wͪͳΈʹʮʯ͕෇͘ͷ͸ݸதݸ w5IJTQPMJDZ͔Β࢝·ͬͨΓ5IJT*".QPMJDZ͔Β࢝·ͬͨΓ w͍͖ͳΓಈࢺ͔Β࢝·Δύλʔϯ΋ଟ͍ wSFBEPOMZͩͬͨΓSFBEPOMZͩͬͨΓ w%0/0564&ͬͯॻ͍ͯ͋ͬͨΓ wจࣈॻ͍ͯ͋ͬͨΓจࣈͰऴΘͬͨΓ ϙϦγʔͷઆ໌ͷதʹ΋

͢΂͕ͯѪ͓͍͠ͳʜʜ

ͩͬͯͦ͜ʹ͸ ྺ࢙ νʔϜͷଟ͞ ײ͡ΒΕΔ͔Β ͱ Λ

"84ͱ͍͏αʔϏεͷཪʹ͍Δ਺ଟͷਓʑʜʜ

·ͱΊ

͕͜͜޷͖ͩΑ"84؅ཧϙϦγʔ wͦ͜ʹ͸ະདྷɺͦͯ͠ྺ࢙ɺͭ·Γ"84ͷ͢΂͕ͯ ͋Δ wόϦΤʔγϣϯ๛͔ɺͦΕͰ͍ͯফ͑Δ͔΋͠Εͳ͍ ၪ͞ wਪ͠ϙϦγʔΛݟ͚ͭΑ͏ʂ

Ͳ͕ͬͪઌʹ ʹ౸ୡ͢Δ͔ͳʁ

ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover

ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover

More Decks by YukihiroChiba

Other Decks in Technology

Featured

Transcript