Slides from my talk titled "Using IAM Access Analyzer to aim for least privilege".

Using IAM Access Analyzer to aim for least privilege
Chiba (チバユキ)
Right at the start: did this thought cross your mind?

"Doesn't this overlap with the other talks……?"

Me: "Yeah, it overlaps……"

Thanks for having me. Feel free to treat this as a recap, or as a bathroom break.
About me: Chiba (千葉)
• 2020: joined Classmethod
• 2021: APN AWS Top Engineer
• Favorite AWS action: sts:AssumeRole

Agenda
1. What is least privilege?
2. Where is least privilege implemented?
3. What is IAM Access Analyzer?
4. Features for aiming at least privilege

What this talk covers / does not cover
• Covered:
  • Background on what least privilege is
  • Overview of the features that help you aim for least privilege
• Not covered:
  • Concrete usage examples of IAM Access Analyzer
1. What is least privilege in IAM? (Introduction)

Where is it written down? The principle of least privilege in IAM

① IAM security best practices https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
• Understand the access-level groupings
  • write, read, management, ……
• Validate your policies
• Generate policies based on access activity
• Use last accessed information
• Review account events in AWS CloudTrail

② Well-Architected Framework, Security Pillar https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
• Identity-based policies
  • Managed policies
    • AWS managed policies
    • Customer managed policies
  • Inline policies
"In most cases you will need to create your own customer managed policies, following the principle of least privilege."

② Well-Architected Framework, Security Pillar
• Minimize conditions, resources and actions
• Grant access dynamically through group attributes (do not grant to individual users)
• Control access through policies attached to resources and IAM entities
• Make use of permissions boundaries and ABAC
"Operating on this principle limits unintended access and lets you audit who can access which resources."
What happens when least privilege is not followed? The principle of least privilege

When least privilege is not followed
• Operator mistakes lead to unintended changes
• Damage from unauthorized access spreads further
• Damage from insider misuse spreads further
The ideal is "start narrow and add as needed".
2. Where is least privilege implemented? (Next)

Types of policies (Where least privilege is implemented)

Pop quiz: can you name all six policy types in AWS?

The six policy types
• Identity-based policies (the so-called "IAM policies"; JSON)
• Resource-based policies (bucket policies, IAM role trust policies, etc.; JSON)
• Permissions boundaries (JSON)
• Organizations SCPs (service control policies; JSON)
• Access control lists (ACLs) (bucket ACLs, etc.; not JSON)
• Session policies (can be set when assuming an IAM role; JSON)
VPC endpoint policies belong here too, although I feel they are a bit different in character.
JSON policy elements (Where least privilege is implemented)

JSON policy elements https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1

Principal (NotPrincipal): used in resource-based policies. Restricts the principal (the caller) performing the access. "Who"

Action (NotAction): restricts the actions that may be performed. "What"

Resource (NotResource): restricts the resources that may be accessed. "On what"

Condition: allows (or denies) access only under specific conditions. "In which cases"

Where least privilege is implemented: narrowing Action in an identity-based policy is not the only way least privilege is realized.
3. What is IAM Access Analyzer? (Changing topic)

What is IAM Access Analyzer? (To begin with)

I used to think of it as "the thing that looks at the Principal of resource-based policies", but before I knew it, it could do all sorts of things.

History of IAM Access Analyzer
• 2019/12 Released
  • Analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS
• 2021/01 More analysis targets added
  • Secrets Manager secrets supported
• 2021/03 "Preview" (pre-deployment validation) supported
  • Analysis is possible before a resource-based policy is changed
  • In the management console, S3 bucket policies only
(Here the pace suddenly changes)
• 2021/03 "Policy checks" supported
  • Also called policy validation
  • Mainly for identity-based policies
  • Via the AWS CLI, SCPs and resource-based policies are supported as well
• 2021/04 "Policy generation" supported
  • Identity-based policies only
Roughly, how do the features differ?
IAM Access Analyzer feature        | Analyzer (regional resource) | Role used by the service
Resource-based policy analysis     | required                     | service-linked role
Policy validation                  | not needed                   | not needed
Policy generation                  | not needed                   | required

Roughly, how do the features differ?
• Resource-based policy analysis requires creating an "analyzer", which is a regional resource
• Policy validation needs neither a resource nor a role
• Policy generation needs only a role

How does it differ from IAM Access Advisor? (Easy to confuse)

Analyzer vs. Advisor
IAM Access…? Analyzer! Advisor!
What it can do
  IAM Access Analyzer: analysis of resource-based policies; validation of the various policy types; generation of identity-based policies
  IAM Access Advisor: display of granted permissions and access history per IAM resource
Is it a service?
  IAM Access Analyzer: it is an AWS service; it has resources; it has a role used by the service
  IAM Access Advisor: not an AWS service; a name for functionality provided by several APIs
Pricing
  IAM Access Analyzer: free, available right now
  IAM Access Advisor: free, available right now

Overview of Access Advisor
• Shows the "accessible services" derived from identity-based policies
• Shows the "access history" derived from CloudTrail
4. Features for aiming at least privilege (At last)

I will cover these three.

Feature 1: Policy validation (Features for aiming at least privilege)

What is policy validation?
• A feature of IAM Access Analyzer
• Runs sensible checks against the following policies:
  • Identity-based policies
  • SCPs (service control policies) ※ not from the management console
  • Resource-based policies ※ not from the management console

What is policy validation?
• The angles the checks look at:
  • Security: content regarded as a security risk
  • Error: syntax errors, invalid values, etc.
  • Warning: not a security risk, but not a best practice
  • Suggestion: suggestions that do not affect the granted permissions (redundant statements, etc.)

Examples of policy validation
• Example check items in the Security category:
  • Granting an Allow using NotPrincipal
  • The Resource (role) on which PassRole is allowed is too broad
  • The Action granting PassRole is too broad

Policy validation
• When editing an identity-based policy in the console, just use it without a second thought
• When policies are managed through CI/CD, you can also have a program validate them automatically
• From the "aim for least privilege" angle, it is not that strong on its own
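As an added example (not code from the talk, and not Access Analyzer's own implementation), the Python below mimics the three Security-category checks listed above on constructed sample policies, to make concrete what policy validation looks for and how an automated CI/CD check could consume such findings. The real check is Access Analyzer itself, e.g. `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json`; the check names here are my own, not Access Analyzer's. The sample policies also exercise the Principal, Action, Resource and Condition elements from the JSON-elements slides; the account id and role names are placeholders.

```python
import fnmatch
import json

# IAM action names are case-insensitive, so comparisons are done in lower case.
PASS_ROLE = "iam:passrole"


def _as_list(value):
    """Action/Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def grants_pass_role(action_pattern):
    """True when an Action pattern ('*', 'iam:*', 'iam:Pass*', 'iam:PassRole') covers iam:PassRole."""
    return fnmatch.fnmatchcase(PASS_ROLE, action_pattern.lower())


def validate_policy(policy):
    """Return findings (dicts) for a parsed policy document; an empty list means clean.

    Check names are this example's own, loosely modelled on the slide's Security category.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # all three checks concern Allow statements only
        # 1. Allow + NotPrincipal: everyone except the listed principals is allowed.
        if "NotPrincipal" in stmt:
            findings.append({"statement": index, "check": "ALLOW_WITH_NOT_PRINCIPAL",
                             "detail": "Allow with NotPrincipal grants every other principal access"})
        matching = [a for a in _as_list(stmt.get("Action")) if grants_pass_role(a)]
        if not matching:
            continue
        # 2. PassRole reached through a wildcard action rather than named explicitly.
        wildcards = [a for a in matching if a.lower() != PASS_ROLE]
        if wildcards:
            findings.append({"statement": index, "check": "PASS_ROLE_VIA_WILDCARD_ACTION",
                             "detail": f"{wildcards} cover iam:PassRole"})
        # 3. PassRole with a wildcard in Resource: any matching role can be handed to a service.
        broad = [r for r in _as_list(stmt.get("Resource")) if "*" in r]
        if broad:
            findings.append({"statement": index, "check": "PASS_ROLE_WITH_WILDCARD_RESOURCE",
                             "detail": f"PassRole allowed on {broad}"})
    return findings


def validate_policy_json(text):
    """Convenience wrapper for a policy document given as a JSON string."""
    return validate_policy(json.loads(text))


# Constructed sample policies (account id and names are placeholders).
BROAD_IDENTITY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/*"}
  ]
}"""

NOT_PRINCIPAL_BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

SCOPED_IDENTITY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]
}"""

if __name__ == "__main__":
    for name, doc in [("broad", BROAD_IDENTITY_POLICY),
                      ("not-principal", NOT_PRINCIPAL_BUCKET_POLICY),
                      ("scoped", SCOPED_IDENTITY_POLICY)]:
        print(name, json.dumps(validate_policy_json(doc), indent=2))
```

The scoped policy produces no findings because PassRole is named explicitly, limited to one role ARN, and further restricted with a Condition on `iam:PassedToService`; the broad policy shows why a single `iam:*` on `*` yields two separate findings. In a pipeline you would fail the build whenever the returned list is non-empty.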
Feature 2: Policy generation (Features for aiming at least privilege)

What is policy generation?
• A feature of IAM Access Analyzer
• Generates a template identity-based policy based on past activity

Policy generation! Great news. A feature hot enough to get written up on blogs right away.

There are a few caveats.

Caveat 1 (a batch of them)
• It presupposes past activity, so it cannot be used in a "start minimal" scenario
• A trail must be enabled in the same account as the target user/role
• The period it can be based on is at most 90 days
• It cannot generate for multiple users/roles at the same time
• At most 5 generations per day

Caveat 2
• Only Action is examined in detail
• Resource and Condition do not reflect past activity
It will not do things like "this user only accessed one particular S3 bucket during the lookback period, so narrow Resource to just that bucket".

Caveat 3
• Not every service is examined at Action level. Action-level detail is available for the services below; all other services are only listed at "service level":
  ◦ IAM
  ◦ AWS KMS
  ◦ AWS Lambda
  ◦ AWS RAM
  ◦ Amazon RDS
  ◦ AWS Resource Groups
  ◦ Amazon S3
  ◦ AWS Security Token Service
  ◦ AWS Systems Manager
  ◦ IAM Access Analyzer
  ◦ Amazon CloudWatch
  ◦ Amazon Cognito Identity
  ◦ Amazon Cognito user pools
  ◦ Amazon EC2
  ◦ Amazon ECS
  ◦ Elastic Load Balancing

Policy generation
• Effective when you "aim for least privilege" based on what was actually used during a development period
• Understand that it can only be used to "narrow Action in an identity-based policy"
• Understand that not every Action gets enumerated
Feature 3: Using last accessed information (Features for aiming at least privilege)

What is "using last accessed information"?
• A feature of IAM Access Advisor
• For each IAM resource (user/group/role/policy) you can check:
  • The AWS services it can access
  • The last access history
• For the following AWS services it can be checked at action level:
  • Amazon S3
  • Amazon EC2
  • AWS IAM
  • AWS Lambda

Using last accessed information
• In the management console, you can easily see it from here.

Using last accessed information
• Useful for narrowing Action in identity-based policies
• Similar in function to "policy generation", but it does less, which makes it more lightweight
• Quite fun to do from the AWS CLI
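As an added example (not the talk's code and not an AWS tool), the Python below consumes a report in the shape that `aws iam get-service-last-accessed-details --job-id <id>` prints once a job started with `aws iam generate-service-last-accessed-details --arn <role-arn> --granularity ACTION_LEVEL` has completed, and lists the services and tracked actions that are granted but never used, or not used within a lookback window. Those are the candidates for narrowing Action in the identity-based policy. The report below is constructed; the function names and the `EXAMPLE_NOW` reference date are mine. It also reflects the caveat above: only services with `TrackedActionsLastAccessed` can be judged per action, the rest only per service.

```python
from datetime import datetime, timezone

# Constructed report in the shape of an ACTION_LEVEL get-service-last-accessed-details
# result: one entry per service the entity is allowed to use. LastAuthenticated is
# absent when the service was never used, and TrackedActionsLastAccessed is present
# only for services that support action-level data.
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "JobType": "ACTION_LEVEL",
    "ServicesLastAccessed": [
        {
            "ServiceName": "Amazon S3",
            "ServiceNamespace": "s3",
            "LastAuthenticated": "2021-05-01T09:12:00+00:00",
            "TotalAuthenticatedEntities": 1,
            "TrackedActionsLastAccessed": [
                {"ActionName": "GetObject", "LastAccessedTime": "2021-05-01T09:12:00+00:00"},
                {"ActionName": "PutObject", "LastAccessedTime": "2021-03-02T11:00:00+00:00"},
                {"ActionName": "DeleteObject"},  # granted, never used
            ],
        },
        {
            "ServiceName": "AWS Lambda",
            "ServiceNamespace": "lambda",
            "LastAuthenticated": "2020-11-20T00:00:00+00:00",
            "TotalAuthenticatedEntities": 1,
        },
        {
            "ServiceName": "Amazon DynamoDB",
            "ServiceNamespace": "dynamodb",
            "TotalAuthenticatedEntities": 0,  # granted, never used
        },
    ],
}

# Reference "today" for the constructed report (an assumption of this example).
EXAMPLE_NOW = datetime(2021, 5, 10, tzinfo=timezone.utc)


def _age_days(timestamp, now):
    """Whole days between an ISO 8601 timestamp (as the CLI prints it) and `now`."""
    return (now - datetime.fromisoformat(timestamp)).days


def unused_permissions(report, now=EXAMPLE_NOW, lookback_days=90):
    """Classify granted services and tracked actions by when they were last used.

    Returns lists of service namespaces (never used / stale) and of
    'namespace:Action' names (never used / stale), where 'stale' means last used
    more than lookback_days ago. Stale entries carry their age in days.
    """
    result = {"never_used_services": [], "stale_services": [],
              "never_used_actions": [], "stale_actions": []}
    for service in report.get("ServicesLastAccessed", []):
        ns = service["ServiceNamespace"]
        last = service.get("LastAuthenticated")
        if last is None:
            result["never_used_services"].append(ns)
            continue  # the whole service is the finding; its actions need no separate entries
        age = _age_days(last, now)
        if age > lookback_days:
            result["stale_services"].append((ns, age))
        # Action-level detail exists only for the services that track actions.
        for action in service.get("TrackedActionsLastAccessed", []):
            name = f"{ns}:{action['ActionName']}"
            used = action.get("LastAccessedTime")
            if used is None:
                result["never_used_actions"].append(name)
            elif _age_days(used, now) > lookback_days:
                result["stale_actions"].append((name, _age_days(used, now)))
    return result


if __name__ == "__main__":
    for key, items in unused_permissions(SAMPLE_REPORT).items():
        print(key, items)
```

With the default 90-day window the report flags DynamoDB (never used), Lambda (last used 171 days ago) and `s3:DeleteObject` (never used); shortening the window to 60 days additionally flags `s3:PutObject`. The window should match how the workload actually runs, since a quarterly batch job would look "stale" under a short window and get its permission removed by mistake.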
Summary

Summary
• "Least privilege" is realized using the various elements of the various policy types
• IAM Access Analyzer (and Access Advisor) are handy for tuning one part of that
• There is no "just remember this and you're fine", so keep racking your brains continuously