Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IAM Access Analyzer を活用して最小権限を目指そう
Search
YukihiroChiba
May 19, 2021
Technology
0
2.9k
IAM Access Analyzer を活用して最小権限を目指そう
「IAM Access Analyzer を活用して最小権限を目指そう」というタイトルで登壇した際の資料です
YukihiroChiba
May 19, 2021
Tweet
Share
More Decks by YukihiroChiba
See All by YukihiroChiba
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
500
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
1.7k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
2.9k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
580
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
3.6k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
1.5k
re:Growth 2022 Amazon Verified Permissions/妄想を膨らませる_チバユキ
yukihirochiba
0
4.5k
どこで動いてるの?AWS IAM のコントロールプレーンとデータプレーンに思いを馳せる/iam-background
yukihirochiba
0
4.2k
ここが好きだよAWS管理ポリシー_devio2022/i_am_iam_lover
yukihirochiba
0
4.8k
Other Decks in Technology
See All in Technology
NgRx Signal Store
rainerhahnekamp
0
140
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
5
380
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
870
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
290
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
270
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
280
web-application-security
matsuihidetoshi
0
140
Cracking the KubeCon CfP
inductor
2
220
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2.1k
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
600
2024/4/26 コンピュータ歴史博物館解説告知
toshi_atsumi
0
220
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
490
Featured
See All Featured
The Invisible Customer
myddelton
114
12k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Infographics Made Easy
chrislema
238
18k
Building a Modern Day E-commerce SEO Strategy
aleyda
17
6.4k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Designing with Data
zakiwarfel
96
4.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
Designing Experiences People Love
moore
136
23k
The Cost Of JavaScript in 2023
addyosmani
16
3.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
Web Components: a chance to create the future
zenorocha
305
41k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Transcript
IAM Access AnalyzerΛ ׆༻ͯ͠࠷খݖݶΛࢦͦ͏ ઍ༿ʢνόϢΩʣ
͍͖ͳΓͰ͕͢ ͜Μͳ͜ͱΛࢥΘͳ͔ͬͨͩΖ͏͔
ʮ͔Ϳͬͯͳ͍ʜʜʁʯ
ࢲʮ͔ͿͬͯΔͳʜʜʯ
ΑΖ͓͘͠ئ͍͠·͢ ͓͞Β͍ɺ͘͠ τΠϨٳܜͷ࣌ؒͱͯ͠ ͝׆༻͍ͩ͘͞
ࣗݾհ ઍ༿ • 2020 ΫϥεϝιουδϣΠϯ • 2021 APN
AWS Top EngineerΑ • ͖ͳAWSΞΫγϣϯɿ • sts:AssumeRole
"HFOEB 1.࠷খݖݶͱ 2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ 3.IAM Access Analyzer ͱ 4.࠷খݖݶΛࢦͨ͢Ίͷػೳ
͢͜ͱ͞ͳ͍͜ͱ •͢͜ͱ •࠷খݖݶͱԿ͔ͷલఏࣝ •࠷খݖݶΛࢦͨ͢Ίͷػೳͷ֓ཁ •͞ͳ͍͜ͱ •IAM Access Analyzerͷ۩ମతͳ׆༻ྫ
1. IAM ͷ࠷খݖݶͱ ͡Ίʹ
Ͳ͜ʹॻ͍ͯ͋Δͷʁ *".ʹ͓͚Δ࠷খݖݶͷݪଇ
ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/ best-practices.html#grant-least-privilege
•ΞΫηεϨϕϧͷάϧʔϓԽͷѲ •ॻ͖ࠐΈɺಡΈऔΓɺཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ͢Δ •࠷ऴΞΫηεใͷར༻ •AWS CloudTrail ͰͷΞΧϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε
•ΞΫηεϨϕϧͷάϧʔϓԽͷѲ •ॻ͖ࠐΈɺಡΈऔΓɺཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ͢Δ •࠷ऴΞΫηεใͷར༻ •AWS CloudTrail ͰͷΞΧϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப https://docs.aws.amazon.com/wellarchitected/latest/ security-pillar/permissions-management.html
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϚωʔδυϙϦγʔ • AWS ཧϙϦγʔ •
ΧελϚʔཧϙϦγʔ • ΠϯϥΠϯϙϦγʔ ʮ΄ͱΜͲͷ߹ɺ࠷খݖݶͷݪଇʹैͬͯɺ ɹಠࣗͷΧελϚʔཧϙϦγʔΛ࡞͢Δඞཁ͕͋Γ·͢ɻʯ
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப • ݅ɺϦιʔεɺΞΫγϣϯΛ࠷খԽ͢Δ • άϧʔϓଐੑʹΑΓಈతʹΞΫηεڐՄΛ༩͑Δ ʢݸʑͷϢʔβʔʹ༩͠ͳ͍ʣ • ϦιʔεIAMΤϯςΟςΟʹΞλον͢ΔϙϦ γʔʹΑΓΞΫηεΛ੍ޚ͢Δ
• Permissions boundaryABACΛ׆༻͢Δ ʮ͜ͷݪଇʹج͍ͮͯӡ༻͢Δͱɺҙਤ͠ͳ͍ΞΫηε੍͕ݶ͞Εɺ ɹɹ୭͕ͲͷϦιʔεʹΞΫηεͰ͖Δ͔ࠪͰ͖ΔΑ͏ʹͳΓ·͢ɻʯ
࠷খݖݶ͕कΒΕ͍ͯͳ͍ͱͲ͏ͳΔʁ ࠷খݖݶͷݪଇ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ɹ • ɹ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ɹ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ෦൜ߦʹΑΔඃ͕֦େ͢Δ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ෦൜ߦʹΑΔඃ͕֦େ͢Δ ʮڱ࢝͘ΊͯඞཁʹԠͯ͡Ճʯ͕ཧ
2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ ࣍ʹ
ϙϦγʔͷछྨ ࠷খݖݶΛͲ͜Ͱ࣮ݱ͢Δ͔
ಥવͰ͕͢ AWSʹ͓͚ΔϙϦγʔλΠϓ ̒ͭશͯ͑ΒΕ·͔͢ʁ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ 71$ΤϯυϙΠϯτϙϦγʔ ͜͜ʹଐ͢Δ͕ɺ ʮͪΐͬͱ܅͕ͪ͘ͳ͍ʁʯͱ ࢥ͍ͬͯΔ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ͍ΘΏΔʮIAMϙϦγʔʯ όέοτϙϦγʔɺIAMϩʔϧ৴པϙϦγʔͳͲ όέοτACLͳͲ IAMϩʔϧͷҾ͖ड͚࣌ʹઃఆՄೳ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ +40/ +40/ +40/ +40/ +40/
JSON ϙϦγʔͷཁૉ ࠷খݖݶΛͲ͜Ͱ࣮͢Δ͔
+40/ϙϦγʔͷཁૉ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1
+40/ϙϦγʔͷཁૉ1SJODJQBM https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 1SJODJQBM ʢ/PU1SJODJQMʣ ϦιʔεϕʔεϙϦγʔͰ༻ɻ ΞΫηεͷ࣮ߦݩʢओମʣΛ੍ݶɻ ʮ୭͕ʯ
+40/ϙϦγʔͷཁૉ"DUJPO https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 "DUJPO ʢ/PU"DUJPOʣ ࣮ߦՄೳͳΞΫγϣϯΛ੍ݶɻ ʮԿΛʯ
+40/ϙϦγʔͷཁૉ3FTPVSDF https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ΞΫηεՄೳͳϦιʔεΛ੍ݶɻ 3FTPVSDF ʢ/PU3FTPVSDFʣ ʮԿʹରͯ͠ʯ
+40/ϙϦγʔͷཁૉ$POEJUJPO https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ಛఆͷ݅ԼͰͷΈ ΞΫηεΛڐՄʢ͋Δ͍ڋ൱ʣɻ $POEJUJPO ʮͲΜͳ߹ʹʯ
࠷খݖݶΛͲ͜Ͱ࣮͢Δ͔ ΞΠσϯςΟςΟϕʔεϙϦγʔͰ ActionΛߜΔ͚͕ͩ ࠷খݖݶͷ࣮Ͱͳ͍
3. IAM Access Analyzerͱ มΘͬͯ
IAM Access AnalyzerͱԿ͔ ͦͦ
*"."DDFTT"OBMZ[FSͱԿ͔ ʮϦιʔεϕʔεϙϦγʔͷ PrincipalΛݟͯ͘ΕΔͷʯ͕ͩͬͨɺ ͍ͭͷؒʹ͔͍ΖΜͳ͜ͱ͕ Ͱ͖ΔΑ͏ʹͳ͍ͬͯͨ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ S3 όέοτϙϦγʔͷΈ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ S3 όέοτϙϦγʔͷΈ ٸʹྲྀΕ͕มΘΔ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • 2021/01 ੳର͕Ճ • 2021/03
ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ SCP ϦιʔεϕʔεϙϦγʔʹରԠ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • 2021/01 ੳର͕Ճ • 2021/03
ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ SCP ϦιʔεϕʔεϙϦγʔʹରԠ • 2021/04 ʮϙϦγʔͷੜʯʹରԠ • ΞΠσϯςΟςΟϕʔεϙϦγʔͷΈ͕ର
ͬ͘͟ΓԿ͕ҧ͏͔ Region ΞφϥΠβʔ IAM Access Analyzer ϦιʔεϕʔεϙϦγʔͷੳ αʔϏεʹ ϦϯΫ͞Εͨ
ϩʔϧ ϙϦγʔͷݕূ ϙϦγʔͷੜ αʔϏε͕ ༻͢Δ ϩʔϧ
ͬ͘͟ΓԿ͕ҧ͏͔ • ϦιʔεϕʔεϙϦγʔͷੳʹϦʔδϣφϧϦιʔεͰ ͋ΔʮΞφϥΠβʔʯͷ࡞͕ඞཁ • ϙϦγʔͷݕূʹϦιʔεϩʔϧཁΒͳ͍ • ϙϦγʔͷੜʹϩʔϧ͚ͩཁΔ
IAM ΞΫηεΞυόΠβʔ ͱԿ͕ҧ͏͔ ࠞཚ͕ͪ͠
ΞφϥΠβʔͱΞυόΠβʔ *"."DDFTT"OBMZ[FS *"."DDFTT"EWJTPS *".ΞΫηεʁ ΞφϥΠβʔʂ ΞυόΠβʔʂ Կ͕Ͱ͖Δ͔ ɾϦιʔεϕʔεϙϦγʔͷੳ ɾ֤छϙϦγʔͷݕূ
ɾΞΠσϯςΟςΟϕʔεϙϦγʔͷੜ ɾ*".Ϧιʔε୯ҐͰͷɺ ΞΫηεڐՄͱΞΫηεཤྺͷදࣔ αʔϏε͔Ͳ͏͔ ɾ"84αʔϏεͰ͋Δ ɾϦιʔεଘࡏ͢Δ ɾαʔϏε༻ͷϩʔϧଘࡏ͢Δ ɾ"84αʔϏεͰͳ͍ ɾෳͷ"1*ʹΑΔػೳͷ໊শ ར༻ྉ ແྉͰࠓ͙͓͍͍͚ͨͩ͢·͢ ແྉͰࠓ͙͓͍͍͚ͨͩ͢·͢
ΞΫηεΞυόΠβʔͷ֓ཁ •ΞΠσϯςΟςΟϕʔεϙϦγʔΛج४ͱͨ͠ʮΞΫ ηεՄೳͳαʔϏεʯͷදࣔ •Cloud TrailΛϕʔεͱͨ͠ʮΞΫηεཤྺʯͷදࣔ
4. ࠷খݖݶΛࢦͨ͢Ίͷػೳ Α͏͘
औΓ্͛Δͷ͜ͷͭͰ͢
ͦͷ1. ϙϦγʔͷݕূ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
ϙϦγʔͷݕূͱ • IAM Access Analyzer ʹΑΔػೳ • ҎԼͷϙϦγʔʹର͍͍ͯ͠ײ͡ͷνΣοΫΛͯ͘͠ΕΔ •
ΞΠσϯςΟςΟϕʔεϙϦγʔ • SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ※ϚωίϯෆՄ • ϦιʔεϕʔεϙϦγʔɹ※ϚωίϯෆՄ
ϙϦγʔͷݕূͱ • ϙϦγʔͷνΣοΫͷ؍ • ηΩϡϦςΟɹηΩϡϦςΟϦεΫͱΈͳ͞ΕΔ༰ • ΤϥʔɹߏจΤϥʔແޮͳͳͲ • ܯࠂɹηΩϡϦςΟϦεΫͰͳ͍͕ϕετϓϥΫςΟεͰͳ͍
• ఏҊɹΞΫηεڐՄʹӨڹΛ༩͑ͳ͍ఏҊʢͳهड़ͳͲʣ
ϙϦγʔͷݕূͷྫ • ηΩϡϦςΟͷΧςΰϦͷνΣοΫ߲ྫ • NotPrincipalͰڐՄΛ༩͍͑ͯΔ • PassRoleΛڐՄ͢ΔResourceʢϩʔϧʣ͕͗͢Δ • PassRoleΛڐՄ͢ΔAction͕͗͢Δ
ϙϦγʔͷݕূ • Ϛωίϯ͔ΒΞΠσϯςΟςΟϕʔεϙϦγʔΛฤू͢Δͱ͖Կ ߟ͑ͣศརʹ͏ • ϙϦγʔΛ CI/CD ཧ͍ͯ͠Δͱ͖ϓϩάϥϜʹΑΓࣗಈͰݕ ূͤ͞Δ͍ํ͋Γ
• ʮ࠷খݖݶΛࢦ͢ʯͱ͍͏؍Ͱͦ͜·Ͱڧ͘ͳ͍
ͦͷ2. ϙϦγʔͷੜ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
ϙϦγʔͷੜͱ • IAM Access Analyzer ʹΑΔػೳ • աڈͷΞΫςΟϏςΟΛجʹɺΞΠσϯςΟςΟϕʔεϙϦγʔͷ ܗΛੜͯ͘͠ΕΔ
ϙϦγʔͷੜʂخ͍͠ ͏͔ͬΓߏͰϒϩάԽ͞ΕΔ΄ͲͷΞπ͞
ҙ͕͋Γ·͢ ͍͔ͭ͘
ҙͦͷʢͨͪʣ •աڈͷΞΫςΟϏςΟ͕͋Δ͜ͱ͕લఏͳͷͰɺʮ࠷খͰελʔ τʯͷέʔεͰ͑ͳ͍ •ରϢʔβʔ/ϩʔϧͱಉ͡ΞΧϯτͰ Trail ͕༗ޮʹͳ͍ͬͯ Δඞཁ͕͋Δ •ϕʔεͱͰ͖Δظؒ࠷େͰ90ؒ •ෳͷϢʔβʔ/ϩʔϧʹରͯ͠ಉ࣌ʹੜͰ͖ͳ͍
•1ʹੜͰ͖Δͷ5݅·Ͱ
ҙͦͷ •ਫ਼ࠪͯ͘͠ΕΔͷ Action ͷΈ •Resource Codition ʹաڈͷΞΫςΟϏςΟө͞Ε ͳ͍
ʮ͜ͷϢʔβʔաڈؒͰ ಛఆͷ4όέοτʹରͯ͠ͷΈΞΫηεͯ͠Δ͔Β 3FTPVSDFͰ͜ͷ4όέοτ͚ͩʹߜΔͱ͍͍Αʯ ͳΜͯ͜ͱͯ͘͠Ε·ͤΜɻ
ҙͦͷ •ͯ͢ͷαʔϏεͰ Action ϨϕϧͰਫ਼ࠪͯ͘͠ΕΔΘ͚Ͱͳ͍ ্هҎ֎ͷαʔϏε ʮαʔϏεϨϕϧʯͰͷ ચ͍ग़ͩ͠Α ◦ IAM
◦ AWS KMS ◦ AWS Lambda ◦ AWS RAM ◦ Amazon RDS ◦ AWS Resource Groups ◦ Amazon S3 ◦ AWS Security Token Service ◦ AWS Systems Manager ◦ IAM Access Analyzer ◦ Amazon CloudWatch ◦ Amazon Cognito Identity ◦ Amazon Cognito user pools ◦ Amazon EC2 ◦ Amazon ECS ◦ Elastic Load Balancing
ϙϦγʔͷੜ •։ൃظؒͷ࣮Λͱʹʮ࠷খݖݶΛࢦ͢ʯͱ͍͏έʔεͰ ༗ޮ •ʮΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔʯʹ͔͠ ͑ͳ͍ͷΛཧղ͢Δ •Action ͕ͯ͢ચ͍ग़͞ΕΔΘ͚Ͱͳ͍͜ͱΛཧղ͢Δ
ͦͷ3. ࠷ऴΞΫηεใͷར༻ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
࠷ऴΞΫηεใͷར༻ͱ • IAM ΞΫηεΞυόΠβʔ ʹΑΔػೳ • IAMϦιʔεʢϢʔβʔ/άϧʔϓ/ϩʔϧ/ϙϦγʔʣ୯ҐͰҎԼΛ֬ ೝͰ͖Δ •
ΞΫηεՄೳͳAWSαʔϏε • ࠷ऴΞΫηεཤྺ • ҎԼͷAWSαʔϏεʹରͯ͠ΞΫγϣϯϨϕϧͰ֬ೝՄೳ • Amazon S3 • Amazon EC2 • AWS IAM • AWS Lambda
࠷ऴΞΫηεใͷར༻ • ϚωίϯͩͬͨΒ͔͜͜Β؆୯ʹݟΕ·͢ɻ
࠷ऴΞΫηεใͷར༻ •ΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔͷʹ͑Δ •ʮϙϦγʔͷੜʯͱػೳࣅ͍ͯΔ͕ɺͰ͖Δ͜ͱ͕গͳ ͍ɺΑΓ͓खܰ •AWS CLI ͰΔͱ݁ߏָ͍͠
·ͱΊ ·ͱΊ
·ͱΊ • ʮ࠷খݖݶʯ͍ΖΜͳϙϦγʔͷ͍ΖΜͳཁૉ Λ࣮ͬͯ͢Δ • IAM Access Analyzer(ͱΞυόΠβʔ)ͦͷҰ ෦Λνϡʔχϯά͢Δͷʹศར
• ʮ͜Ε͓͚͑ͬͯ͞OKʯͳ͍ͷͰɺܧଓ ͯ͠಄Λ·ͤ·͠ΐ͏