IAM Access Analyzer を活用して最小権限を目指そう (Aiming for least privilege with IAM Access Analyzer)

Slides from a talk titled "IAM Access Analyzer を活用して最小権限を目指そう" (Aiming for least privilege with IAM Access Analyzer).

YukihiroChiba

May 19, 2021

Transcript

  1. Aiming for least privilege with IAM Access Analyzer
    Yukihiro Chiba (Chibayuki)

  2. Out of nowhere, but:
    have you ever caught yourself thinking this?

  3. "Doesn't this overlap with another talk...?"

  4. Me: "Yeah, it overlaps..."

  5. Thanks for having me.
    Please treat this as a refresher,
    or as your bathroom break.

  6. About me
    Yukihiro Chiba
    • 2020: joined Classmethod
    • 2021: APN AWS Top Engineer
    • Favorite AWS action:
    • sts:AssumeRole

  7. Agenda
    1. What least privilege is
    2. Where least privilege is implemented
    3. What IAM Access Analyzer is
    4. Features that help you move toward least privilege

  8. What this talk covers and what it does not
    • Covered
    • Background: what "least privilege" means
    • An overview of the features that help you move toward least privilege
    • Not covered
    • Concrete, hands-on usage examples of IAM Access Analyzer


  9. 1. Least privilege in IAM
    To begin

  10. Where is it written down?
    The principle of least privilege in IAM

  11. ① IAM security best practices
    https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

  12-13. ① IAM security best practices
    • Understand the access-level groupings
    • Write, Read, Management, ...
    • Validate your policies
    • Generate policies based on access activity
    • Use last accessed information
    • Review account events in AWS CloudTrail

  14. ② Well-Architected Framework, Security pillar
    https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html

  15. ② Well-Architected Framework, Security pillar
    • Identity-based policies
    • Managed policies
    • AWS managed policies
    • Customer managed policies
    • Inline policies
    "In most cases, you need to create your own customer managed policies, following the principle of least privilege."

  16. ② Well-Architected Framework, Security pillar
    • Minimize conditions, resources and actions
    • Grant access dynamically through groups or attributes
    (not to individual users)
    • Control access through policies attached to resources or to IAM entities
    • Make use of permissions boundaries and ABAC
    "Operating on this principle limits unintended access and lets you audit who can access which resources."


  17. What happens when least privilege is not followed?
    The principle of least privilege

  18-21. When least privilege is not followed
    • Operator mistakes cause unintended changes
    • The damage from unauthorized access grows
    • The damage from insider misuse grows
    The ideal is "start narrow and add as needed"


  22. 2. Where least privilege is implemented
    Next

  23. Policy types
    Where least privilege is implemented

  24. A sudden quiz:
    can you name all six
    policy types in AWS?

  25-28. The six policy types
    • Identity-based policies: the so-called "IAM policies"
    • Resource-based policies: bucket policies, IAM role trust policies and the like
    • Permissions boundaries
    • Organizations SCPs (service control policies)
    • Access control lists (ACLs): bucket ACLs and the like
    • Session policies: can be set when assuming an IAM role
    VPC endpoint policies belong here as well, but I keep thinking "aren't you a bit different?"
    All of these except ACLs are written as JSON documents.


  29. Elements of a JSON policy
    Where least privilege is implemented

  30. Elements of a JSON policy
    https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1

  31. Elements of a JSON policy: Principal
    Principal (NotPrincipal)
    Used in resource-based policies.
    Restricts who (which principal) performs the access.
    "Who"

  32. Elements of a JSON policy: Action
    Action (NotAction)
    Restricts the actions that may be performed.
    "What"

  33. Elements of a JSON policy: Resource
    Resource (NotResource)
    Restricts the resources that may be accessed.
    "On what"

  34. Elements of a JSON policy: Condition
    Condition
    Allows (or denies) access only under specific conditions.
    "In which cases"

  35. Where least privilege is implemented
    Narrowing down Action in an identity-based policy
    is, by itself, not an implementation of least privilege.


  36. 3. What IAM Access Analyzer is
    Changing topic

  37. What IAM Access Analyzer is
    First of all

  38. What IAM Access Analyzer is
    It used to be "the thing that checks the Principal of resource-based policies",
    but before I knew it, it had learned to do all sorts of things.

  39-44. History of IAM Access Analyzer
    • 2019/12: released
    • Analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS
    • 2021/01: more resource types covered
    • Secrets Manager secrets supported
    • 2021/03: "preview" support
    • A resource-based policy can be analyzed before the change is applied
    • In the Management Console, only for S3 bucket policies
    Then the pace suddenly picks up
    • 2021/03: "policy checks" support
    • Also called policy validation
    • Mainly for identity-based policies
    • Through the AWS CLI it also covers SCPs and resource-based policies
    • 2021/04: "policy generation" support
    • Identity-based policies only

  45. Roughly, how do they differ?
    [Diagram; labels: Region / analyzer / IAM Access Analyzer / resource-based policy analysis / service-linked role / policy validation / policy generation / role used by the service]

  46. Roughly, how do they differ?
    • Analyzing resource-based policies requires creating an "analyzer", which is a regional resource
    • Policy validation needs neither a resource nor a role
    • Policy generation needs only a role


  47. How does it differ from IAM access advisor?
    Easy to confuse

  48. Analyzer vs. advisor
    "IAM access...?" Analyzer! Advisor!
    IAM Access Analyzer
    • What it does: analyzes resource-based policies; validates policies of each kind; generates identity-based policies
    • Is it a service? It is an AWS service; it has resources; it has a role for the service
    • Price: free, available right now
    IAM access advisor
    • What it does: shows, per IAM resource, the granted permissions and the access history
    • Is it a service? Not an AWS service; the name of a feature made up of several APIs
    • Price: free, available right now

  49. Overview of access advisor
    • Shows the "accessible services", based on identity-based policies
    • Shows the "access history", based on CloudTrail


  50. 4. Features that help you move toward least privilege
    At last

  51. These are the three I will cover

  52. No. 1: Policy validation
    Features that help you move toward least privilege

  53. What policy validation is
    • A feature of IAM Access Analyzer
    • Runs a sensible set of checks against these policies:
    • Identity-based policies
    • SCPs (service control policies) ※ not from the Management Console
    • Resource-based policies ※ not from the Management Console

  54. What policy validation is
    • The check categories
    • Security: content regarded as a security risk
    • Error: syntax errors, invalid values and so on
    • Warning: not a security risk, but not a best practice
    • Suggestion: proposals that do not change the permissions granted (redundant statements and so on)

  55. Policy validation examples
    • Example checks in the Security category
    • Granting Allow with NotPrincipal
    • The Resource (role) that PassRole is allowed on is too broad
    • The Action that allows PassRole is too broad

  56. Policy validation
    • When editing an identity-based policy from the Management Console, just use it without a second thought; it is convenient
    • When policies are managed through CI/CD, there is also the option of validating them automatically from a program
    • From the viewpoint of "aiming for least privilege", it is not that strong
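As an added example (mine, not from the deck and not Access Analyzer's own code): a local pre-check that flags the three Security findings named on slide 55, so a CI job can fail fast before a policy is even submitted. The policies, account ID and ARNs are constructed; the finding labels are my own, chosen to echo the Access Analyzer check names. Because Principal/NotPrincipal belongs to resource-based policies (slide 31), the NotPrincipal case uses a bucket policy and the PassRole cases an identity-based policy. The real validation is richer and is still what the pipeline should call: `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json`, with `RESOURCE_POLICY` or `SERVICE_CONTROL_POLICY` for the two types the console does not cover.

```python
"""Local pre-check echoing three Security findings of IAM Access Analyzer policy
validation: Allow with NotPrincipal, iam:PassRole on a wildcard Resource, and a
wildcard Action that covers iam:PassRole. Added example; finding labels are my own."""
import json
from fnmatch import fnmatchcase

# Constructed bucket policy: Allow + NotPrincipal grants to everyone except alice.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAllButAlice",
        "Effect": "Allow",
        "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed identity-based policy: two PassRole problems and one clean statement.
IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # PassRole on every role: the caller can hand any role to a service
            "Sid": "PassAnyRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
        },
        {   # iam:P* silently includes iam:PassRole
            "Sid": "WideIamAction",
            "Effect": "Allow",
            "Action": ["iam:P*", "iam:GetRole"],
            "Resource": "arn:aws:iam::123456789012:role/app-role",
        },
        {   # Clean: one explicit action on one explicit role
            "Sid": "PassOneRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/app-role",
        },
    ],
})


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_passrole(action):
    """True if the action pattern matches iam:PassRole (case-insensitive, '*' and '?' wildcards)."""
    return fnmatchcase("iam:passrole", action.lower())


def check_policy(policy_json):
    """Return a list of (Sid, finding, message) for the Allow statements in the policy."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot over-grant
        if "NotPrincipal" in stmt:
            findings.append((sid, "ALLOW_WITH_NOT_PRINCIPAL",
                             "Allow with NotPrincipal grants access to every principal except the ones listed"))
        passrole_actions = [a for a in _as_list(stmt.get("Action")) if _covers_passrole(a)]
        if not passrole_actions:
            continue
        if any(a.lower() != "iam:passrole" for a in passrole_actions):
            findings.append((sid, "PASS_ROLE_WITH_STAR_IN_ACTION",
                             "a wildcard Action (%s) includes iam:PassRole" % ", ".join(passrole_actions)))
        if any("*" in r for r in _as_list(stmt.get("Resource"))):
            findings.append((sid, "PASS_ROLE_WITH_STAR_IN_RESOURCE",
                             "iam:PassRole is allowed on a wildcard Resource; list the exact role ARNs"))
    return findings


if __name__ == "__main__":
    for name, doc in (("bucket policy", BUCKET_POLICY), ("identity policy", IDENTITY_POLICY)):
        for sid, code, msg in check_policy(doc):
            print(f"{name}: {sid}: {code}: {msg}")
```

The PassRole checks deliberately treat any `*` in Resource as too broad, including `role/*`: the point of the finding is that a principal who can pass an arbitrary role can escalate to whatever that role is allowed to do, so the role ARNs should be enumerated.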


  57. No. 2: Policy generation
    Features that help you move toward least privilege

  58. What policy generation is
    • A feature of IAM Access Analyzer
    • Generates a skeleton of an identity-based policy from past activity

  59. Policy generation! Great news
    So hot that it accidentally got blogged about in a "redundant configuration"

  60. There are some caveats
    A few

  61. Caveat No. 1 (a batch of them)
    • Past activity is a prerequisite, so it cannot be used in the "start from the minimum" case
    • A trail must be enabled in the same account as the target user/role
    • The period it can work from is at most 90 days
    • It cannot generate for several users/roles at the same time
    • At most 5 generations per day

  62. Caveat No. 2
    • Only Action is refined
    • Past activity is not reflected in Resource or Condition
    It will not tell you "this user only touched one particular S3 bucket in the last 90 days,
    so narrow Resource down to just that S3 bucket".

  63. Caveat No. 3
    • Not every service is refined at the Action level
    Services other than the following are only listed out at the "service level":
    ◦ IAM
    ◦ AWS KMS
    ◦ AWS Lambda
    ◦ AWS RAM
    ◦ Amazon RDS
    ◦ AWS Resource Groups
    ◦ Amazon S3
    ◦ AWS Security Token Service
    ◦ AWS Systems Manager
    ◦ IAM Access Analyzer
    ◦ Amazon CloudWatch
    ◦ Amazon Cognito Identity
    ◦ Amazon Cognito user pools
    ◦ Amazon EC2
    ◦ Amazon ECS
    ◦ Elastic Load Balancing

  64. Policy generation
    • Effective in the case "aim for least privilege based on what was actually used during development"
    • Understand that it can only be used to "narrow down Action in an identity-based policy"
    • Understand that not every Action gets listed out
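To make the caveats on slides 61 to 63 concrete, here is an added example (my own, not the deck's, and not how AWS implements the feature) that reproduces the shape of policy generation locally from CloudTrail-style events: one principal at a time, a window capped at 90 days, Action-level detail only for the services slide 63 lists and a service-level `svc:*` for everything else, and `Resource: "*"` throughout. The events, role ARN, account ID, the list of IAM service prefixes and the event-source-to-prefix map are constructed; treating a CloudTrail `eventName` as identical to the IAM action name is a simplification (and S3 object-level calls only reach CloudTrail when data events are logged).

```python
"""Local sketch of IAM Access Analyzer policy generation from CloudTrail activity.
Added example; events, ARNs and the prefix tables are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Services the deck lists as getting Action-level detail, as IAM service prefixes
# (my mapping of the service names on the slide, e.g. CloudWatch -> "cloudwatch").
ACTION_LEVEL_PREFIXES = {
    "iam", "kms", "lambda", "ram", "rds", "resource-groups", "s3", "sts", "ssm",
    "access-analyzer", "cloudwatch", "cognito-identity", "cognito-idp",
    "ec2", "ecs", "elasticloadbalancing",
}

# eventSource host label -> IAM prefix where the two differ (assumed minimal map).
EVENT_SOURCE_TO_PREFIX = {"monitoring": "cloudwatch"}

MAX_LOOKBACK_DAYS = 90  # the service will not look further back than this

ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"  # constructed
NOW = datetime(2021, 5, 19, tzinfo=timezone.utc)       # constructed "now"


def _ev(days_ago, source, name, arn=ROLE_ARN):
    """Build a constructed CloudTrail-like event."""
    return {"eventTime": NOW - timedelta(days=days_ago), "eventSource": source,
            "eventName": name, "userIdentity": {"arn": arn}}


# Constructed activity for the role, plus a stale event and one from another principal.
EVENTS = [
    _ev(1, "s3.amazonaws.com", "GetObject"),
    _ev(2, "s3.amazonaws.com", "PutObject"),
    _ev(3, "s3.amazonaws.com", "GetObject"),
    _ev(5, "dynamodb.amazonaws.com", "GetItem"),
    _ev(6, "dynamodb.amazonaws.com", "Query"),
    _ev(7, "sts.amazonaws.com", "AssumeRole"),
    _ev(120, "ec2.amazonaws.com", "DescribeInstances"),  # outside the 90-day window
    _ev(1, "kms.amazonaws.com", "Decrypt", arn="arn:aws:iam::123456789012:role/other"),
]


def _prefix(event_source):
    label = event_source.split(".")[0]
    return EVENT_SOURCE_TO_PREFIX.get(label, label)


def generate_policy_skeleton(events, principal_arn, now=NOW, lookback_days=MAX_LOOKBACK_DAYS):
    """Build an identity-based policy skeleton from one principal's activity in the window."""
    lookback_days = min(lookback_days, MAX_LOOKBACK_DAYS)
    since = now - timedelta(days=lookback_days)
    seen = defaultdict(set)
    for ev in events:
        # Generation is per user/role: ignore other principals and anything outside the window
        if ev["userIdentity"]["arn"] != principal_arn or ev["eventTime"] < since:
            continue
        seen[_prefix(ev["eventSource"])].add(ev["eventName"])

    statements = []
    for prefix in sorted(seen):
        if prefix in ACTION_LEVEL_PREFIXES:
            actions = sorted(f"{prefix}:{name}" for name in seen[prefix])
        else:
            actions = [f"{prefix}:*"]  # service level only: you must narrow this by hand
        statements.append({
            "Sid": prefix.replace("-", "") + "Access",
            "Effect": "Allow",
            "Action": actions,
            "Resource": "*",  # activity is never reflected in Resource/Condition; narrow by hand
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import json
    print(json.dumps(generate_policy_skeleton(EVENTS, ROLE_ARN), indent=2))
```

The output is the starting point slide 64 describes, not the finished policy: the `dynamodb:*` statement and every `"Resource": "*"` are exactly the places where the generated skeleton still needs a human to apply Resource and Condition.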


  65. No. 3: Using last accessed information
    Features that help you move toward least privilege

  66. What "using last accessed information" is
    • A feature of IAM access advisor
    • Per IAM resource (user/group/role/policy), you can check:
    • The AWS services that can be accessed
    • The last accessed history
    • For the following AWS services it can be checked at the action level:
    • Amazon S3
    • Amazon EC2
    • AWS IAM
    • AWS Lambda

  67. Using last accessed information
    • In the Management Console you can see it easily from here. [screenshot]

  68. Using last accessed information
    • Usable for narrowing down Action in an identity-based policy
    • Similar to "policy generation" in what it does, but since it does less, it is lighter to use
    • Doing it through the AWS CLI is quite fun
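Slide 68 says the CLI route is fun; here is an added example (mine, not the deck's) of what to do with the output: split a role's allowed actions into keep and prune candidates using the report shape returned by `aws iam get-service-last-accessed-details` after a job started with `aws iam generate-service-last-accessed-details --arn <role-arn> --granularity ACTION_LEVEL`. The report, the allowed-action list and the dates are constructed, and timestamps are assumed to be datetime objects as boto3 returns them (the CLI prints ISO strings you would parse first). It prunes at the action level where the report carries `TrackedActionsLastAccessed` (the four services on slide 66) and otherwise only at the service level, and it keeps any action it has no evidence about, since absence of tracking is not absence of use.

```python
"""Turn IAM access advisor "last accessed" data into keep/prune candidates for an
identity-based policy. Added example; report, actions and dates are constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 5, 19, tzinfo=timezone.utc)  # constructed "now"

# Constructed report for one role: S3 carries action-level detail, DynamoDB and KMS only service-level.
REPORT = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {
            "ServiceName": "Amazon S3", "ServiceNamespace": "s3",
            "LastAuthenticated": NOW - timedelta(days=2), "TotalAuthenticatedEntities": 1,
            "TrackedActionsLastAccessed": [
                {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=2)},
                {"ActionName": "PutObject", "LastAccessedTime": NOW - timedelta(days=200)},
                {"ActionName": "DeleteObject"},  # tracked, never used
            ],
        },
        {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
         "LastAuthenticated": NOW - timedelta(days=10), "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Key Management Service", "ServiceNamespace": "kms"},  # never used
    ],
}

# Actions the role's identity-based policy currently allows (constructed).
ALLOWED_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
                   "dynamodb:GetItem", "dynamodb:Query", "kms:Decrypt"]


def _is_fresh(ts, now, stale_days):
    """True if ts exists and falls inside the last stale_days."""
    return ts is not None and ts >= now - timedelta(days=stale_days)


def prune_candidates(report, allowed_actions, now=NOW, stale_days=90):
    """Split allowed actions into keep/prune using service- and action-level last-accessed data."""
    if report.get("JobStatus") != "COMPLETED":
        raise ValueError("last-accessed job has not completed; poll get-service-last-accessed-details again")
    by_ns = {svc["ServiceNamespace"]: svc for svc in report["ServicesLastAccessed"]}
    keep, prune = [], []
    for action in allowed_actions:
        ns, name = action.split(":", 1)
        svc = by_ns.get(ns)
        if svc is None or not _is_fresh(svc.get("LastAuthenticated"), now, stale_days):
            prune.append(action)  # the whole service went unused in the window
            continue
        tracked = svc.get("TrackedActionsLastAccessed")
        if tracked is None:
            keep.append(action)   # service-level data only: cannot tell the actions apart
            continue
        last = {t["ActionName"].lower(): t.get("LastAccessedTime") for t in tracked}
        if name.lower() not in last:
            keep.append(action)   # not a tracked action: no evidence either way
        elif _is_fresh(last[name.lower()], now, stale_days):
            keep.append(action)
        else:
            prune.append(action)
    return {"keep": keep, "prune": prune}


if __name__ == "__main__":
    result = prune_candidates(REPORT, ALLOWED_ACTIONS)
    print("keep :", result["keep"])
    print("prune:", result["prune"])
```

Because access advisor data is derived from identity-based policies and CloudTrail (slide 49), a "prune" here is a candidate to review, not an automatic removal: a permission exercised only by a rare job, or through a path this data does not capture, looks identical to one that is genuinely unused.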

  69. Summary

  70. Summary
    • "Least privilege" is implemented using many elements of many kinds of policy
    • IAM Access Analyzer (and access advisor) are handy for tuning part of that
    • There is no "do just this and you're OK", so keep racking your brains