Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IAM Access Analyzer を活用して最小権限を目指そう
Search
YukihiroChiba
May 19, 2021
Technology
0
3.6k
IAM Access Analyzer を活用して最小権限を目指そう
「IAM Access Analyzer を活用して最小権限を目指そう」というタイトルで登壇した際の資料です
YukihiroChiba
May 19, 2021
Tweet
Share
More Decks by YukihiroChiba
See All by YukihiroChiba
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
1.1k
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
710
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
960
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
2.6k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
3.5k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
740
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
4.1k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
2k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
5.5k
Other Decks in Technology
See All in Technology
2025-07-06 QGIS初級ハンズオン「はじめてのQGIS」
kou_kita
0
180
関数型プログラミングで 「脳がバグる」を乗り越える
manabeai
2
200
自律的なスケーリング手法FASTにおけるVPoEとしてのアカウンタビリティ / dev-productivity-con-2025
yoshikiiida
2
17k
スタートアップに選択肢を 〜生成AIを活用したセカンダリー事業への挑戦〜
nstock
0
250
DatabricksにOLTPデータベース『Lakebase』がやってきた!
inoutk
0
130
データ基盤からデータベースまで?広がるユースケースのDatabricksについて教えるよ!
akuwano
3
130
United Airlines Customer Service– Call 1-833-341-3142 Now!
airhelp
0
170
Reach American Airlines®️ Instantly: 19 Calling Methods for Fast Support in the USA
flyamerican
1
180
第4回Snowflake 金融ユーザー会 Snowflake summit recap
tamaoki
1
300
SREの次のキャリアの道しるべ 〜SREがマネジメントレイヤーに挑戦して、 気づいたこととTips〜
coconala_engineer
0
110
クラウド開発の舞台裏とSRE文化の醸成 / SRE NEXT 2025 Lunch Session
kazeburo
1
260
[ JAWS-UG千葉支部 x 彩の国埼玉支部 ]ムダ遣い卒業!FinOpsで始めるAWSコスト最適化の第一歩
sh_fk2
2
120
Featured
See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Producing Creativity
orderedlist
PRO
346
40k
A Tale of Four Properties
chriscoyier
160
23k
Rails Girls Zürich Keynote
gr2m
95
14k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
The Pragmatic Product Professional
lauravandoore
35
6.7k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
KATA
mclloyd
30
14k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Code Review Best Practice
trishagee
69
19k
Docker and Python
trallard
44
3.5k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
Transcript
IAM Access AnalyzerΛ ׆༻ͯ͠࠷খݖݶΛࢦͦ͏ ઍ༿ʢνόϢΩʣ
͍͖ͳΓͰ͕͢ ͜Μͳ͜ͱΛࢥΘͳ͔ͬͨͩΖ͏͔
ʮ͔Ϳͬͯͳ͍ʜʜʁʯ
ࢲʮ͔ͿͬͯΔͳʜʜʯ
ΑΖ͓͘͠ئ͍͠·͢ ͓͞Β͍ɺ͘͠ τΠϨٳܜͷ࣌ؒͱͯ͠ ͝׆༻͍ͩ͘͞
ࣗݾհ ઍ༿ • 2020 ΫϥεϝιουδϣΠϯ • 2021 APN
AWS Top EngineerΑ • ͖ͳAWSΞΫγϣϯɿ • sts:AssumeRole
"HFOEB 1.࠷খݖݶͱ 2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ 3.IAM Access Analyzer ͱ 4.࠷খݖݶΛࢦͨ͢Ίͷػೳ
͢͜ͱ͞ͳ͍͜ͱ •͢͜ͱ •࠷খݖݶͱԿ͔ͷલఏࣝ •࠷খݖݶΛࢦͨ͢Ίͷػೳͷ֓ཁ •͞ͳ͍͜ͱ •IAM Access Analyzerͷ۩ମతͳ׆༻ྫ
1. IAM ͷ࠷খݖݶͱ ͡Ίʹ
Ͳ͜ʹॻ͍ͯ͋Δͷʁ *".ʹ͓͚Δ࠷খݖݶͷݪଇ
ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/ best-practices.html#grant-least-privilege
•ΞΫηεϨϕϧͷάϧʔϓԽͷѲ •ॻ͖ࠐΈɺಡΈऔΓɺཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ͢Δ •࠷ऴΞΫηεใͷར༻ •AWS CloudTrail ͰͷΞΧϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε
•ΞΫηεϨϕϧͷάϧʔϓԽͷѲ •ॻ͖ࠐΈɺಡΈऔΓɺཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ͢Δ •࠷ऴΞΫηεใͷར༻ •AWS CloudTrail ͰͷΞΧϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப https://docs.aws.amazon.com/wellarchitected/latest/ security-pillar/permissions-management.html
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϚωʔδυϙϦγʔ • AWS ཧϙϦγʔ •
ΧελϚʔཧϙϦγʔ • ΠϯϥΠϯϙϦγʔ ʮ΄ͱΜͲͷ߹ɺ࠷খݖݶͷݪଇʹैͬͯɺ ɹಠࣗͷΧελϚʔཧϙϦγʔΛ࡞͢Δඞཁ͕͋Γ·͢ɻʯ
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப • ݅ɺϦιʔεɺΞΫγϣϯΛ࠷খԽ͢Δ • άϧʔϓଐੑʹΑΓಈతʹΞΫηεڐՄΛ༩͑Δ ʢݸʑͷϢʔβʔʹ༩͠ͳ͍ʣ • ϦιʔεIAMΤϯςΟςΟʹΞλον͢ΔϙϦ γʔʹΑΓΞΫηεΛ੍ޚ͢Δ
• Permissions boundaryABACΛ׆༻͢Δ ʮ͜ͷݪଇʹج͍ͮͯӡ༻͢Δͱɺҙਤ͠ͳ͍ΞΫηε੍͕ݶ͞Εɺ ɹɹ୭͕ͲͷϦιʔεʹΞΫηεͰ͖Δ͔ࠪͰ͖ΔΑ͏ʹͳΓ·͢ɻʯ
࠷খݖݶ͕कΒΕ͍ͯͳ͍ͱͲ͏ͳΔʁ ࠷খݖݶͷݪଇ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ɹ • ɹ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ɹ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ෦൜ߦʹΑΔඃ͕֦େ͢Δ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ෦൜ߦʹΑΔඃ͕֦େ͢Δ ʮڱ࢝͘ΊͯඞཁʹԠͯ͡Ճʯ͕ཧ
2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ ࣍ʹ
ϙϦγʔͷछྨ ࠷খݖݶΛͲ͜Ͱ࣮ݱ͢Δ͔
ಥવͰ͕͢ AWSʹ͓͚ΔϙϦγʔλΠϓ ̒ͭશͯ͑ΒΕ·͔͢ʁ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ 71$ΤϯυϙΠϯτϙϦγʔ ͜͜ʹଐ͢Δ͕ɺ ʮͪΐͬͱ܅͕ͪ͘ͳ͍ʁʯͱ ࢥ͍ͬͯΔ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ͍ΘΏΔʮIAMϙϦγʔʯ όέοτϙϦγʔɺIAMϩʔϧ৴པϙϦγʔͳͲ όέοτACLͳͲ IAMϩʔϧͷҾ͖ड͚࣌ʹઃఆՄೳ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ +40/ +40/ +40/ +40/ +40/
JSON ϙϦγʔͷཁૉ ࠷খݖݶΛͲ͜Ͱ࣮͢Δ͔
+40/ϙϦγʔͷཁૉ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1
+40/ϙϦγʔͷཁૉ1SJODJQBM https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 1SJODJQBM ʢ/PU1SJODJQMʣ ϦιʔεϕʔεϙϦγʔͰ༻ɻ ΞΫηεͷ࣮ߦݩʢओମʣΛ੍ݶɻ ʮ୭͕ʯ
+40/ϙϦγʔͷཁૉ"DUJPO https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 "DUJPO ʢ/PU"DUJPOʣ ࣮ߦՄೳͳΞΫγϣϯΛ੍ݶɻ ʮԿΛʯ
+40/ϙϦγʔͷཁૉ3FTPVSDF https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ΞΫηεՄೳͳϦιʔεΛ੍ݶɻ 3FTPVSDF ʢ/PU3FTPVSDFʣ ʮԿʹରͯ͠ʯ
+40/ϙϦγʔͷཁૉ$POEJUJPO https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ಛఆͷ݅ԼͰͷΈ ΞΫηεΛڐՄʢ͋Δ͍ڋ൱ʣɻ $POEJUJPO ʮͲΜͳ߹ʹʯ
࠷খݖݶΛͲ͜Ͱ࣮͢Δ͔ ΞΠσϯςΟςΟϕʔεϙϦγʔͰ ActionΛߜΔ͚͕ͩ ࠷খݖݶͷ࣮Ͱͳ͍
3. IAM Access Analyzerͱ มΘͬͯ
IAM Access AnalyzerͱԿ͔ ͦͦ
*"."DDFTT"OBMZ[FSͱԿ͔ ʮϦιʔεϕʔεϙϦγʔͷ PrincipalΛݟͯ͘ΕΔͷʯ͕ͩͬͨɺ ͍ͭͷؒʹ͔͍ΖΜͳ͜ͱ͕ Ͱ͖ΔΑ͏ʹͳ͍ͬͯͨ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ S3 όέοτϙϦγʔͷΈ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ S3 όέοτϙϦγʔͷΈ ٸʹྲྀΕ͕มΘΔ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • 2021/01 ੳର͕Ճ • 2021/03
ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ SCP ϦιʔεϕʔεϙϦγʔʹରԠ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • 2021/01 ੳର͕Ճ • 2021/03
ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ SCP ϦιʔεϕʔεϙϦγʔʹରԠ • 2021/04 ʮϙϦγʔͷੜʯʹରԠ • ΞΠσϯςΟςΟϕʔεϙϦγʔͷΈ͕ର
ͬ͘͟ΓԿ͕ҧ͏͔ Region ΞφϥΠβʔ IAM Access Analyzer ϦιʔεϕʔεϙϦγʔͷੳ αʔϏεʹ ϦϯΫ͞Εͨ
ϩʔϧ ϙϦγʔͷݕূ ϙϦγʔͷੜ αʔϏε͕ ༻͢Δ ϩʔϧ
ͬ͘͟ΓԿ͕ҧ͏͔ • ϦιʔεϕʔεϙϦγʔͷੳʹϦʔδϣφϧϦιʔεͰ ͋ΔʮΞφϥΠβʔʯͷ࡞͕ඞཁ • ϙϦγʔͷݕূʹϦιʔεϩʔϧཁΒͳ͍ • ϙϦγʔͷੜʹϩʔϧ͚ͩཁΔ
IAM ΞΫηεΞυόΠβʔ ͱԿ͕ҧ͏͔ ࠞཚ͕ͪ͠
ΞφϥΠβʔͱΞυόΠβʔ *"."DDFTT"OBMZ[FS *"."DDFTT"EWJTPS *".ΞΫηεʁ ΞφϥΠβʔʂ ΞυόΠβʔʂ Կ͕Ͱ͖Δ͔ ɾϦιʔεϕʔεϙϦγʔͷੳ ɾ֤छϙϦγʔͷݕূ
ɾΞΠσϯςΟςΟϕʔεϙϦγʔͷੜ ɾ*".Ϧιʔε୯ҐͰͷɺ ΞΫηεڐՄͱΞΫηεཤྺͷදࣔ αʔϏε͔Ͳ͏͔ ɾ"84αʔϏεͰ͋Δ ɾϦιʔεଘࡏ͢Δ ɾαʔϏε༻ͷϩʔϧଘࡏ͢Δ ɾ"84αʔϏεͰͳ͍ ɾෳͷ"1*ʹΑΔػೳͷ໊শ ར༻ྉ ແྉͰࠓ͙͓͍͍͚ͨͩ͢·͢ ແྉͰࠓ͙͓͍͍͚ͨͩ͢·͢
ΞΫηεΞυόΠβʔͷ֓ཁ •ΞΠσϯςΟςΟϕʔεϙϦγʔΛج४ͱͨ͠ʮΞΫ ηεՄೳͳαʔϏεʯͷදࣔ •Cloud TrailΛϕʔεͱͨ͠ʮΞΫηεཤྺʯͷදࣔ
4. ࠷খݖݶΛࢦͨ͢Ίͷػೳ Α͏͘
औΓ্͛Δͷ͜ͷͭͰ͢
ͦͷ1. ϙϦγʔͷݕূ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
ϙϦγʔͷݕূͱ • IAM Access Analyzer ʹΑΔػೳ • ҎԼͷϙϦγʔʹର͍͍ͯ͠ײ͡ͷνΣοΫΛͯ͘͠ΕΔ •
ΞΠσϯςΟςΟϕʔεϙϦγʔ • SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ※ϚωίϯෆՄ • ϦιʔεϕʔεϙϦγʔɹ※ϚωίϯෆՄ
ϙϦγʔͷݕূͱ • ϙϦγʔͷνΣοΫͷ؍ • ηΩϡϦςΟɹηΩϡϦςΟϦεΫͱΈͳ͞ΕΔ༰ • ΤϥʔɹߏจΤϥʔແޮͳͳͲ • ܯࠂɹηΩϡϦςΟϦεΫͰͳ͍͕ϕετϓϥΫςΟεͰͳ͍
• ఏҊɹΞΫηεڐՄʹӨڹΛ༩͑ͳ͍ఏҊʢͳهड़ͳͲʣ
ϙϦγʔͷݕূͷྫ • ηΩϡϦςΟͷΧςΰϦͷνΣοΫ߲ྫ • NotPrincipalͰڐՄΛ༩͍͑ͯΔ • PassRoleΛڐՄ͢ΔResourceʢϩʔϧʣ͕͗͢Δ • PassRoleΛڐՄ͢ΔAction͕͗͢Δ
ϙϦγʔͷݕূ • Ϛωίϯ͔ΒΞΠσϯςΟςΟϕʔεϙϦγʔΛฤू͢Δͱ͖Կ ߟ͑ͣศརʹ͏ • ϙϦγʔΛ CI/CD ཧ͍ͯ͠Δͱ͖ϓϩάϥϜʹΑΓࣗಈͰݕ ূͤ͞Δ͍ํ͋Γ
• ʮ࠷খݖݶΛࢦ͢ʯͱ͍͏؍Ͱͦ͜·Ͱڧ͘ͳ͍
ͦͷ2. ϙϦγʔͷੜ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
ϙϦγʔͷੜͱ • IAM Access Analyzer ʹΑΔػೳ • աڈͷΞΫςΟϏςΟΛجʹɺΞΠσϯςΟςΟϕʔεϙϦγʔͷ ܗΛੜͯ͘͠ΕΔ
ϙϦγʔͷੜʂخ͍͠ ͏͔ͬΓߏͰϒϩάԽ͞ΕΔ΄ͲͷΞπ͞
ҙ͕͋Γ·͢ ͍͔ͭ͘
ҙͦͷʢͨͪʣ •աڈͷΞΫςΟϏςΟ͕͋Δ͜ͱ͕લఏͳͷͰɺʮ࠷খͰελʔ τʯͷέʔεͰ͑ͳ͍ •ରϢʔβʔ/ϩʔϧͱಉ͡ΞΧϯτͰ Trail ͕༗ޮʹͳ͍ͬͯ Δඞཁ͕͋Δ •ϕʔεͱͰ͖Δظؒ࠷େͰ90ؒ •ෳͷϢʔβʔ/ϩʔϧʹରͯ͠ಉ࣌ʹੜͰ͖ͳ͍
•1ʹੜͰ͖Δͷ5݅·Ͱ
ҙͦͷ •ਫ਼ࠪͯ͘͠ΕΔͷ Action ͷΈ •Resource Codition ʹաڈͷΞΫςΟϏςΟө͞Ε ͳ͍
ʮ͜ͷϢʔβʔաڈؒͰ ಛఆͷ4όέοτʹରͯ͠ͷΈΞΫηεͯ͠Δ͔Β 3FTPVSDFͰ͜ͷ4όέοτ͚ͩʹߜΔͱ͍͍Αʯ ͳΜͯ͜ͱͯ͘͠Ε·ͤΜɻ
ҙͦͷ •ͯ͢ͷαʔϏεͰ Action ϨϕϧͰਫ਼ࠪͯ͘͠ΕΔΘ͚Ͱͳ͍ ্هҎ֎ͷαʔϏε ʮαʔϏεϨϕϧʯͰͷ ચ͍ग़ͩ͠Α ◦ IAM
◦ AWS KMS ◦ AWS Lambda ◦ AWS RAM ◦ Amazon RDS ◦ AWS Resource Groups ◦ Amazon S3 ◦ AWS Security Token Service ◦ AWS Systems Manager ◦ IAM Access Analyzer ◦ Amazon CloudWatch ◦ Amazon Cognito Identity ◦ Amazon Cognito user pools ◦ Amazon EC2 ◦ Amazon ECS ◦ Elastic Load Balancing
ϙϦγʔͷੜ •։ൃظؒͷ࣮Λͱʹʮ࠷খݖݶΛࢦ͢ʯͱ͍͏έʔεͰ ༗ޮ •ʮΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔʯʹ͔͠ ͑ͳ͍ͷΛཧղ͢Δ •Action ͕ͯ͢ચ͍ग़͞ΕΔΘ͚Ͱͳ͍͜ͱΛཧղ͢Δ
ͦͷ3. ࠷ऴΞΫηεใͷར༻ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
࠷ऴΞΫηεใͷར༻ͱ • IAM ΞΫηεΞυόΠβʔ ʹΑΔػೳ • IAMϦιʔεʢϢʔβʔ/άϧʔϓ/ϩʔϧ/ϙϦγʔʣ୯ҐͰҎԼΛ֬ ೝͰ͖Δ •
ΞΫηεՄೳͳAWSαʔϏε • ࠷ऴΞΫηεཤྺ • ҎԼͷAWSαʔϏεʹରͯ͠ΞΫγϣϯϨϕϧͰ֬ೝՄೳ • Amazon S3 • Amazon EC2 • AWS IAM • AWS Lambda
࠷ऴΞΫηεใͷར༻ • ϚωίϯͩͬͨΒ͔͜͜Β؆୯ʹݟΕ·͢ɻ
࠷ऴΞΫηεใͷར༻ •ΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔͷʹ͑Δ •ʮϙϦγʔͷੜʯͱػೳࣅ͍ͯΔ͕ɺͰ͖Δ͜ͱ͕গͳ ͍ɺΑΓ͓खܰ •AWS CLI ͰΔͱ݁ߏָ͍͠
·ͱΊ ·ͱΊ
·ͱΊ • ʮ࠷খݖݶʯ͍ΖΜͳϙϦγʔͷ͍ΖΜͳཁૉ Λ࣮ͬͯ͢Δ • IAM Access Analyzer(ͱΞυόΠβʔ)ͦͷҰ ෦Λνϡʔχϯά͢Δͷʹศར
• ʮ͜Ε͓͚͑ͬͯ͞OKʯͳ͍ͷͰɺܧଓ ͯ͠಄Λ·ͤ·͠ΐ͏