Using IAM Access Analyzer to aim for least privilege

Slides from a talk titled "IAM Access Analyzer を活用して最小権限を目指そう" (Using IAM Access Analyzer to aim for least privilege).

YukihiroChiba

May 19, 2021

Transcript

  1. Using IAM Access Analyzer to aim for least privilege. Yukihiro Chiba (Chiba Yuki)

  2. Right off the bat: did anyone think the following?

  3. "Doesn't this overlap with something……?"

  4. Me: "Yeah, it overlaps……"

  5. Thanks for having me. Please treat this as a recap, or as a bathroom-break slot.

  6. About me. Yukihiro Chiba • Joined Classmethod in 2020 • 2021 APN AWS Top Engineer • Favourite AWS action: sts:AssumeRole

  7. Agenda  1. What least privilege is  2. Where least privilege is implemented  3. What IAM Access Analyzer is  4. Features for aiming at least privilege

  8. What I will and won't talk about • Will talk about • Background on what least privilege is • An overview of the features for aiming at least privilege • Won't talk about • Concrete usage examples of IAM Access Analyzer

  9. To begin with: 1. What least privilege in IAM is

  10. Where is it written? The principle of least privilege in IAM

  11. (1) IAM security best practices  https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

  12. (1) IAM security best practices • Understand the access-level groupings • Write, Read, Management…… • Validate policies • Generate policies based on access activity • Use last accessed information • Review account events in AWS CloudTrail

  14. (2) Well-Architected Framework, security pillar  https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html

  15. (2) Well-Architected Framework, security pillar • Identity-based policies • Managed policies • AWS managed policies • Customer managed policies • Inline policies  "In most cases you will need to create your own customer managed policies, following the principle of least privilege."

  16. (2) Well-Architected Framework, security pillar • Minimise conditions, resources and actions • Grant access dynamically through groups or attributes (not to individual users) • Control access with policies attached to resources or IAM entities • Use permissions boundaries and ABAC  "Operating on this principle limits unintended access and lets you audit who can access which resources."

  17. The principle of least privilege: what happens when it isn't followed?

  18-21. (built up over four slides) When least privilege isn't followed • Operator mistakes cause unintended changes • Damage from unauthorised access spreads further • Damage from insider misuse spreads further  The ideal is "start narrow and add as needed"

  22. Next: 2. Where least privilege is implemented

  23. Where least privilege is implemented: the policy types

  24. Pop quiz: can you name all six policy types in AWS?

  25. The six policy types • Identity-based policies • Resource-based policies • Permissions boundaries • Organizations SCPs (service control policies) • Access control lists (ACLs) • Session policies

  26. The six policy types (same list). VPC endpoint policies belong here too, but I keep thinking "aren't you a bit different from the others?"

  27. The six policy types (annotated) • Identity-based policies: the so-called "IAM policies" • Resource-based policies: bucket policies, IAM role trust policies and the like • Permissions boundaries • Organizations SCPs • ACLs: bucket ACLs and the like • Session policies: can be set when assuming an IAM role

  28. The six policy types: five of them, all but ACLs, are written as JSON

  29. Where least privilege is implemented: the JSON policy elements

  30. JSON policy elements  https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1

  31. JSON policy elements: Principal (NotPrincipal). Used in resource-based policies. Restricts who performs the access (the principal). "Who"

  32. JSON policy elements: Action (NotAction). Restricts which actions can be performed. "What"

  33. JSON policy elements: Resource (NotResource). Restricts which resources can be accessed. "On what"

  34. JSON policy elements: Condition. Allows (or denies) access only under specific conditions. "In which circumstances"

  35. Where least privilege is implemented: narrowing Action in an identity-based policy is not, on its own, an implementation of least privilege
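A toy evaluator for the Action, Resource and Condition elements, added here as an example; the talk contains no code and this is not AWS's evaluation engine. It implements only a slice of IAM's logic (a single identity-based policy, no NotAction/NotResource, only the StringEquals and Bool condition operators), which is enough to show the point of slide 35: a policy whose Action is narrowed but whose Resource stays "*" still reads every bucket, while the same Action scoped by Resource and Condition does not. The bucket names and ARNs are made up.

```python
"""Toy evaluator for Action / Resource / Condition (Principal lives in
resource-based policies and is out of scope here).

Added example, not from the talk. Subset of real IAM evaluation: a single
identity-based policy, no NotAction/NotResource, only the StringEquals and
Bool condition operators. ARNs and bucket names are made up.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive in IAM; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, context):
    """Every operator block must hold. Unknown operators are rejected loudly
    rather than treated as true: failing open would be the bug."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator not supported by this toy: {operator}")
    return True


def is_allowed(policy, action, resource, context=None):
    """True only if some Allow statement matches and no Deny does.
    As in IAM: explicit Deny > explicit Allow > implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Slide 35's point: Action is narrowed, but Resource "*" still reaches every bucket.
ACTION_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

# Same Action, scoped by Resource and Condition (the bucket name is an assumption).
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::app-uploads/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

# An explicit Deny beats a broad Allow regardless of statement order.
WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::finance-backups/*"},
    ],
}

APP_OBJECT = "arn:aws:s3:::app-uploads/report.csv"       # made-up ARNs
OTHER_OBJECT = "arn:aws:s3:::finance-backups/ledger.csv"
OVER_TLS = {"aws:SecureTransport": "true"}
PLAINTEXT = {"aws:SecureTransport": "false"}

if __name__ == "__main__":
    for name, policy in [("ACTION_ONLY", ACTION_ONLY), ("SCOPED", SCOPED), ("WITH_DENY", WITH_DENY)]:
        for obj in (APP_OBJECT, OTHER_OBJECT):
            print(f"{name:12} s3:GetObject {obj}: {is_allowed(policy, 's3:GetObject', obj, OVER_TLS)}")
```

Run it and ACTION_ONLY answers True for the finance bucket as well, which is exactly what a least-privilege review should catch; SCOPED answers True only for the application bucket over TLS.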

  36. Changing topic: 3. What IAM Access Analyzer is

  37. What is IAM Access Analyzer, to begin with?

  38. What IAM Access Analyzer is: it used to be "the thing that looks at the Principal of resource-based policies", but before I knew it, it could do all sorts of things

  39. History of IAM Access Analyzer • 2019/12 Released • Analyses resource-based policies of S3, IAM roles, KMS, Lambda and SQS

  40-42. (built up) History of IAM Access Analyzer • 2019/12 Released • Analyses resource-based policies of S3, IAM roles, KMS, Lambda and SQS • 2021/01 More analysed resource types • Secrets Manager secrets supported • 2021/03 "Preview" (validation before deployment) supported • Resource-based policies can be analysed before the change is applied • In the management console, S3 bucket policies only  The pace suddenly changes

  43-44. (built up) History of IAM Access Analyzer • 2019/12 Released • 2021/01 More analysed resource types • 2021/03 "Preview" supported • 2021/03 "Policy checks" supported • Also called policy validation • Mainly identity-based policies • With the AWS CLI, SCPs and resource-based policies are supported as well • 2021/04 "Policy generation" supported • Identity-based policies only

  45. Roughly, what differs (diagram): within a Region, an "analyzer" resource; IAM Access Analyzer itself; analysis of resource-based policies through a service-linked role; policy validation; policy generation through a role the service uses

  46. Roughly, what differs • Analysing resource-based policies requires creating an "analyzer", which is a regional resource • Validating a policy needs neither a resource nor a role • Generating a policy needs only a role

  47. Easily confused: how does it differ from IAM access advisor?

  48. Analyzer vs. advisor
      IAM Access Analyzer: "IAM Access… Analyzer!"
        What it can do: analyse resource-based policies; validate various kinds of policy; generate identity-based policies
        Is it a service? It is an AWS service; it has its own resources; it has a service role
        Price: free, available right now
      IAM access advisor: "IAM Access… Advisor!"
        What it can do: show, per IAM resource, the permissions it has and its access history
        Is it a service? Not an AWS service; it is the name of a feature made up of several APIs
        Price: free, available right now

  49. Access advisor overview • Shows the "accessible services" derived from identity-based policies • Shows "access history" based on CloudTrail

  50. Finally: 4. Features for aiming at least privilege

  51. I will cover these three

  52. No. 1: Policy validation (features for aiming at least privilege)

  53. What policy validation is • A feature of IAM Access Analyzer • Runs sensible checks on the following policies • Identity-based policies • SCPs (service control policies) (not in the management console) • Resource-based policies (not in the management console)

  54. What policy validation is • The check categories • Security: content regarded as a security risk • Error: syntax errors, invalid values and so on • Warning: not a security risk, but not best practice either • Suggestion: suggestions that don't affect permissions (redundant statements and so on)

  55. Examples of policy validation • Example checks in the Security category • Granting Allow with NotPrincipal • The Resource (role) allowed for PassRole is too broad • The Action allowed for PassRole is too broad

  56. Policy validation • When editing identity-based policies in the management console, just use it without a second thought • When policies are managed through CI/CD, you can also have a program validate them automatically • From the "aiming for least privilege" viewpoint it is not that strong
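One way to do the "have a program validate them automatically" step from slide 56, added here as an example that is not from the talk. run_validate_policy() shells out to the real CLI command, aws accessanalyzer validate-policy, with the policy type switch that slide 53 says is CLI-only for SCPs and resource-based policies; gate() is pure and works on the findings JSON that command returns, so it is exercised offline with the constructed SAMPLE_FINDINGS below. The finding texts in the sample are paraphrased, and "fail the build on SECURITY_WARNING and above" is a threshold chosen for this example.

```python
"""CI gate on IAM Access Analyzer policy validation.

Added example, not from the talk. run_validate_policy() calls the real CLI;
gate() only looks at the returned findings, so it runs offline on the
constructed SAMPLE_FINDINGS below. Finding texts are paraphrased.
"""
import json
import subprocess
import sys

# Finding types the validator emits, most severe first (slide 54's categories).
SEVERITY = ["ERROR", "SECURITY_WARNING", "WARNING", "SUGGESTION"]


def run_validate_policy(policy_path, policy_type="IDENTITY_POLICY"):
    """Real CLI call. policy_type is one of IDENTITY_POLICY, RESOURCE_POLICY,
    SERVICE_CONTROL_POLICY."""
    cmd = ["aws", "accessanalyzer", "validate-policy",
           "--policy-document", f"file://{policy_path}",
           "--policy-type", policy_type, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)["findings"]


def location_path(location):
    """Render a finding's JSON path, e.g. Statement[0].Resource."""
    parts = []
    for elem in location["path"]:
        if "index" in elem:
            if parts:
                parts[-1] += f"[{elem['index']}]"
            else:
                parts.append(f"[{elem['index']}]")
        else:
            parts.append(elem["value"])
    return ".".join(parts)


def gate(findings, fail_on="SECURITY_WARNING"):
    """Return (passed, report_lines). The build fails if any finding is at
    least as severe as fail_on; less severe findings are reported only."""
    threshold = SEVERITY.index(fail_on)
    passed = True
    report = []
    for f in sorted(findings, key=lambda f: SEVERITY.index(f["findingType"])):
        blocking = SEVERITY.index(f["findingType"]) <= threshold
        passed = passed and not blocking
        where = ", ".join(location_path(loc) for loc in f.get("locations", []))
        flag = "FAIL" if blocking else "info"
        report.append(f"[{flag}] {f['findingType']} {f['issueCode']} at {where}: {f['findingDetails']}")
    return passed, report


# Constructed sample in the shape validate-policy returns (details paraphrased):
# one of slide 55's Security checks plus one Suggestion.
SAMPLE_FINDINGS = [
    {
        "findingType": "SECURITY_WARNING",
        "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
        "findingDetails": "iam:PassRole with a wildcard Resource lets the principal pass any role.",
        "locations": [{"path": [{"value": "Statement"}, {"index": 0}, {"value": "Resource"}]}],
    },
    {
        "findingType": "SUGGESTION",
        "issueCode": "REDUNDANT_ACTION",
        "findingDetails": "s3:GetObject is already covered by s3:Get*.",
        "locations": [{"path": [{"value": "Statement"}, {"index": 1}, {"value": "Action"}, {"index": 1}]}],
    },
]

if __name__ == "__main__":
    # Usage: python gate.py policy.json [IDENTITY_POLICY|RESOURCE_POLICY|SERVICE_CONTROL_POLICY]
    if len(sys.argv) > 1:
        findings = run_validate_policy(sys.argv[1], *sys.argv[2:3])
    else:
        findings = SAMPLE_FINDINGS
    ok, lines = gate(findings)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

The exit status is what a pipeline step keys on; the sorted report puts the blocking findings first so the reason for a red build is at the top of the log.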
  57. No. 2: Policy generation (features for aiming at least privilege)

  58. What policy generation is • A feature of IAM Access Analyzer • Generates a template identity-based policy from past activity

  59. Policy generation! Nice. Hot enough that, by accident, it got blogged in a "redundant configuration" (more than once)

  60. There are a few caveats

  61. Caveat no. 1 (several of them) • It assumes past activity exists, so it can't be used in a "start minimal" case • CloudTrail must be enabled in the same account as the target user/role • The period it can draw on is at most 90 days • It can't generate for several users/roles at the same time • At most 5 generations per day

  62. Caveat no. 2 • Only Action is examined in detail • Past activity is not reflected in Resource or Condition  It will not do anything like "this user only accessed one particular S3 bucket during the period, so you should narrow Resource to just that S3 bucket".

  63. Caveat no. 3 • Not every service is examined at Action level; services other than the ones below are only enumerated at "service level"
      ◦ IAM
      ◦ AWS KMS
      ◦ AWS Lambda
      ◦ AWS RAM
      ◦ Amazon RDS
      ◦ AWS Resource Groups
      ◦ Amazon S3
      ◦ AWS Security Token Service
      ◦ AWS Systems Manager
      ◦ IAM Access Analyzer
      ◦ Amazon CloudWatch
      ◦ Amazon Cognito Identity
      ◦ Amazon Cognito user pools
      ◦ Amazon EC2
      ◦ Amazon ECS
      ◦ Elastic Load Balancing

  64. Policy generation • Useful for the case "aim for least privilege based on what was actually done during development" • Understand that it can only be used to "narrow Action in an identity-based policy" • Understand that not every Action is enumerated

  65. No. 3: Using last accessed information (features for aiming at least privilege)

  66. What using last accessed information is • A feature of IAM access advisor • Per IAM resource (user/group/role/policy) you can check • The AWS services it can access • Its last access history • For the following AWS services this can be checked at action level • Amazon S3 • Amazon EC2 • AWS IAM • AWS Lambda

  67. Using last accessed information • In the management console you can see it easily from here. (screenshot)

  68. Using last accessed information • Can be used to narrow Action in identity-based policies • Similar to "policy generation", but since it does less it is lighter to use • Doing it with the AWS CLI is quite fun
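The "do it with the AWS CLI" route from slides 66 to 68, added here as an example that is not from the talk: fetch_last_accessed() runs the real CLI pair aws iam generate-service-last-accessed-details (with --granularity ACTION_LEVEL) and aws iam get-service-last-accessed-details, and prune_policy() uses the report to drop Allow actions for services never used in the period and, for the action-tracked services (S3, EC2, IAM, Lambda at the time of the talk), tracked actions that were never used. Everything else is left alone, because the report cannot prove a wildcard or an untracked action unused. The pruning logic only reads the report JSON, so it is exercised offline with the constructed SAMPLE_REPORT and SAMPLE_POLICY; the role ARN, timestamps and bucket names are made up, and the reading of an entry in TrackedActionsLastAccessed without LastAccessedTime as "tracked but unused" is an assumption of this example.

```python
"""Narrow an identity-based policy's Action list with IAM last accessed data.

Added example, not from the talk. fetch_last_accessed() calls the real CLI;
summarize()/prune_policy() only read the report JSON and run offline on the
constructed SAMPLE_REPORT below. Assumption: TotalAuthenticatedEntities == 0
means "service never used in the period"; a TrackedActionsLastAccessed entry
without LastAccessedTime means "tracked action, never used".
"""
import json
import subprocess
import time

_UNKNOWN = object()  # service not mentioned in the report at all


def _aws(*args):
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def fetch_last_accessed(arn):
    """Start an action-level job for a user/group/role/policy ARN and poll it."""
    job_id = _aws("iam", "generate-service-last-accessed-details",
                  "--arn", arn, "--granularity", "ACTION_LEVEL")["JobId"]
    while True:
        report = _aws("iam", "get-service-last-accessed-details", "--job-id", job_id)
        if report["JobStatus"] != "IN_PROGRESS":
            return report
        time.sleep(2)


def summarize(report):
    """namespace -> None (never used) or (tracked_action_names, used_action_names)."""
    usage = {}
    for svc in report["ServicesLastAccessed"]:
        ns = svc["ServiceNamespace"].lower()
        if svc.get("TotalAuthenticatedEntities", 0) == 0:
            usage[ns] = None
            continue
        tracked, used = set(), set()
        for t in svc.get("TrackedActionsLastAccessed") or []:
            name = t["ActionName"].split(":")[-1].lower()  # accept "s3:GetObject" or "GetObject"
            tracked.add(name)
            if t.get("LastAccessedTime"):
                used.add(name)
        usage[ns] = (tracked, used)
    return usage


def prune_policy(policy, report):
    """Return a new policy: Allow actions on never-used services are dropped,
    tracked-but-unused actions are dropped, emptied statements disappear.
    Deny statements, wildcards, untracked actions and services absent from
    the report are kept as they are."""
    usage = summarize(report)
    statements = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            statements.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = []
        for action in actions:
            ns, _, name = action.partition(":")
            info = usage.get(ns.lower(), _UNKNOWN)
            if info is _UNKNOWN:
                kept.append(action)          # not in the report: leave it for a human
            elif info is None:
                continue                     # service never used in the period
            else:
                tracked, used = info
                lname = name.lower()
                if "*" in lname or lname not in tracked or lname in used:
                    kept.append(action)
        if kept:
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}


# Constructed sample in the shape of get-service-last-accessed-details (ACTION_LEVEL).
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "JobType": "ACTION_LEVEL",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": "2021-05-10T09:12:00Z", "TotalAuthenticatedEntities": 1,
         "TrackedActionsLastAccessed": [
             {"ActionName": "GetObject", "LastAccessedTime": "2021-05-10T09:12:00Z"},
             {"ActionName": "PutObject"},                     # tracked, never used
         ]},
        {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
         "LastAuthenticated": "2021-04-30T18:00:00Z", "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon SQS", "ServiceNamespace": "sqs", "TotalAuthenticatedEntities": 0},
    ],
}

SAMPLE_POLICY = {  # made-up policy attached to the made-up role
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-uploads", "arn:aws:s3:::app-uploads/*"]},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python prune.py <principal-arn> <policy.json>
        report = fetch_last_accessed(sys.argv[1])
        with open(sys.argv[2]) as fh:
            policy = json.load(fh)
    else:
        report, policy = SAMPLE_REPORT, SAMPLE_POLICY
    print(json.dumps(prune_policy(policy, report), indent=2))
```

On the sample the SQS statement disappears, s3:PutObject is dropped, and dynamodb:* survives untouched: DynamoDB was used, but without action-level tracking the report can only say that much, which is the same "Action only" limit slides 62 and 66 describe.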

  69. Summary

  70. Summary • "Least privilege" is implemented using various elements of various policy types • IAM Access Analyzer (and access advisor) are handy for tuning part of that • There is no "just do this and you're OK", so keep racking your brains