Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IAM Access Analyzer を活用して最小権限を目指そう
Search
YukihiroChiba
May 19, 2021
Technology
3.9k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
IAM Access Analyzer を活用して最小権限を目指そう
「IAM Access Analyzer を活用して最小権限を目指そう」というタイトルで登壇した際の資料です
YukihiroChiba
May 19, 2021
More Decks by YukihiroChiba
See All by YukihiroChiba
DevelopersIO 2025 RIとSP基礎講座
yukihirochiba
1
2.4k
わたしの業務の中に住み着いたCacoo/Cacoo has taken up residence in my work routine
yukihirochiba
0
1.3k
Amazon VPCでの IPv6利用に向けた はじめの一歩/first-step-towards-using-ipv6-in-amazon-vpc
yukihirochiba
0
1.2k
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
1.2k
SSMエージェントはIAMロールの夢を見るか/ Do SSM Agents Dream Of IAM Roles?
yukihirochiba
0
3.2k
AWS IAM の知っておくべき話と知らなくてもいい話 DevIO2023/ AWS IAM DevIO 2023
yukihirochiba
0
3.7k
デジタルアイデンティティWGミニウェビナー第4回「IaaSとアイデンティティ」/ jnsa-iaas-identity
yukihirochiba
0
860
学習エンジンがうなりを上げているチームの作り方 / How to build a team with a learning engine humming along
yukihirochiba
0
7.4k
Amazon Route 53 Application Recovery Controller zonal shift 試してみた
yukihirochiba
0
2.4k
Other Decks in Technology
See All in Technology
AI 不只幫你寫 Code: 當專案從 300 暴增到 1500, 我們如何撐住 DevOps
appleboy
0
260
MySQL & MySQL HeatWave Report - June 2026
freshdaz
0
180
2026-06-24_人とAIの責務分離に基づく開発プロセスの提案.pdf
takahiromatsui
0
230
コミットの「なぜ」を読む
ota1022
0
120
秘密度ラベル初心者が第1歩でつまづかないための「設計・運用」ポイント
seafay
PRO
1
500
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
120
起点・思考・出力で分解する 〜PM業務の自動化設計〜
kazu_kichi_67
2
1.1k
AIに障害切り分けを全部やってもらった。 。 。 。
estie
0
200
不要なレビューをAIにまかせて AIコーディングの環境改善を加速した
shoota
1
270
AI-DLCを “そのまま導入しなかった”話 ~組織に合わせてアジャストした 私たちの実践共有~
hiroramos4
PRO
1
430
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
11k
2026-06-23 知らないままで大丈夫?開発品質・効率向上が期待できるIBM Bob便利機能6選
yutanonaka
0
120
Featured
See All Featured
First, design no harm
axbom
PRO
2
1.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.2k
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
380
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
240
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
370
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.3k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
1
340
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.7k
Faster Mobile Websites
deanohume
310
32k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
Transcript
IAM Access AnalyzerΛ ׆༻ͯ͠࠷খݖݶΛࢦͦ͏ ઍ༿ʢνόϢΩʣ
͍͖ͳΓͰ͕͢ ͜Μͳ͜ͱΛࢥΘͳ͔ͬͨͩΖ͏͔
ʮ͔Ϳͬͯͳ͍ʜʜʁʯ
ࢲʮ͔ͿͬͯΔͳʜʜʯ
ΑΖ͓͘͠ئ͍͠·͢ ͓͞Β͍ɺ͘͠ τΠϨٳܜͷ࣌ؒͱͯ͠ ͝׆༻͍ͩ͘͞
ࣗݾհ ઍ༿ • 2020 ΫϥεϝιουδϣΠϯ • 2021 APN
AWS Top EngineerΑ • ͖ͳAWSΞΫγϣϯɿ • sts:AssumeRole
"HFOEB 1.࠷খݖݶͱ 2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ 3.IAM Access Analyzer ͱ 4.࠷খݖݶΛࢦͨ͢Ίͷػೳ
͢͜ͱ͞ͳ͍͜ͱ •͢͜ͱ •࠷খݖݶͱԿ͔ͷલఏࣝ •࠷খݖݶΛࢦͨ͢Ίͷػೳͷ֓ཁ •͞ͳ͍͜ͱ •IAM Access Analyzerͷ۩ମతͳ׆༻ྫ
1. IAM ͷ࠷খݖݶͱ ͡Ίʹ
Ͳ͜ʹॻ͍ͯ͋Δͷʁ *".ʹ͓͚Δ࠷খݖݶͷݪଇ
ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/ best-practices.html#grant-least-privilege
•ΞΫηεϨϕϧͷάϧʔϓԽͷѲ •ॻ͖ࠐΈɺಡΈऔΓɺཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ͢Δ •࠷ऴΞΫηεใͷར༻ •AWS CloudTrail ͰͷΞΧϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε
•ΞΫηεϨϕϧͷάϧʔϓԽͷѲ •ॻ͖ࠐΈɺಡΈऔΓɺཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ͢Δ •࠷ऴΞΫηεใͷར༻ •AWS CloudTrail ͰͷΞΧϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப https://docs.aws.amazon.com/wellarchitected/latest/ security-pillar/permissions-management.html
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϚωʔδυϙϦγʔ • AWS ཧϙϦγʔ •
ΧελϚʔཧϙϦγʔ • ΠϯϥΠϯϙϦγʔ ʮ΄ͱΜͲͷ߹ɺ࠷খݖݶͷݪଇʹैͬͯɺ ɹಠࣗͷΧελϚʔཧϙϦγʔΛ࡞͢Δඞཁ͕͋Γ·͢ɻʯ
ᶄ8"ϑϨʔϜϫʔΫηΩϡϦςΟͷப • ݅ɺϦιʔεɺΞΫγϣϯΛ࠷খԽ͢Δ • άϧʔϓଐੑʹΑΓಈతʹΞΫηεڐՄΛ༩͑Δ ʢݸʑͷϢʔβʔʹ༩͠ͳ͍ʣ • ϦιʔεIAMΤϯςΟςΟʹΞλον͢ΔϙϦ γʔʹΑΓΞΫηεΛ੍ޚ͢Δ
• Permissions boundaryABACΛ׆༻͢Δ ʮ͜ͷݪଇʹج͍ͮͯӡ༻͢Δͱɺҙਤ͠ͳ͍ΞΫηε੍͕ݶ͞Εɺ ɹɹ୭͕ͲͷϦιʔεʹΞΫηεͰ͖Δ͔ࠪͰ͖ΔΑ͏ʹͳΓ·͢ɻʯ
࠷খݖݶ͕कΒΕ͍ͯͳ͍ͱͲ͏ͳΔʁ ࠷খݖݶͷݪଇ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ɹ • ɹ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ɹ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ෦൜ߦʹΑΔඃ͕֦େ͢Δ
࠷খݖݶ͕कΒΕ͍ͯͳ͍߹ • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ͕֦େ͢Δ • ෦൜ߦʹΑΔඃ͕֦େ͢Δ ʮڱ࢝͘ΊͯඞཁʹԠͯ͡Ճʯ͕ཧ
2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ ࣍ʹ
ϙϦγʔͷछྨ ࠷খݖݶΛͲ͜Ͱ࣮ݱ͢Δ͔
ಥવͰ͕͢ AWSʹ͓͚ΔϙϦγʔλΠϓ ̒ͭશͯ͑ΒΕ·͔͢ʁ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ 71$ΤϯυϙΠϯτϙϦγʔ ͜͜ʹଐ͢Δ͕ɺ ʮͪΐͬͱ܅͕ͪ͘ͳ͍ʁʯͱ ࢥ͍ͬͯΔ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ͍ΘΏΔʮIAMϙϦγʔʯ όέοτϙϦγʔɺIAMϩʔϧ৴པϙϦγʔͳͲ όέοτACLͳͲ IAMϩʔϧͷҾ͖ड͚࣌ʹઃఆՄೳ
ͭͷϙϦγʔλΠϓ • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •
Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ +40/ +40/ +40/ +40/ +40/
JSON ϙϦγʔͷཁૉ ࠷খݖݶΛͲ͜Ͱ࣮͢Δ͔
+40/ϙϦγʔͷཁૉ https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1
+40/ϙϦγʔͷཁૉ1SJODJQBM https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 1SJODJQBM ʢ/PU1SJODJQMʣ ϦιʔεϕʔεϙϦγʔͰ༻ɻ ΞΫηεͷ࣮ߦݩʢओମʣΛ੍ݶɻ ʮ୭͕ʯ
+40/ϙϦγʔͷཁૉ"DUJPO https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 "DUJPO ʢ/PU"DUJPOʣ ࣮ߦՄೳͳΞΫγϣϯΛ੍ݶɻ ʮԿΛʯ
+40/ϙϦγʔͷཁૉ3FTPVSDF https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ΞΫηεՄೳͳϦιʔεΛ੍ݶɻ 3FTPVSDF ʢ/PU3FTPVSDFʣ ʮԿʹରͯ͠ʯ
+40/ϙϦγʔͷཁૉ$POEJUJPO https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ಛఆͷ݅ԼͰͷΈ ΞΫηεΛڐՄʢ͋Δ͍ڋ൱ʣɻ $POEJUJPO ʮͲΜͳ߹ʹʯ
࠷খݖݶΛͲ͜Ͱ࣮͢Δ͔ ΞΠσϯςΟςΟϕʔεϙϦγʔͰ ActionΛߜΔ͚͕ͩ ࠷খݖݶͷ࣮Ͱͳ͍
3. IAM Access Analyzerͱ มΘͬͯ
IAM Access AnalyzerͱԿ͔ ͦͦ
*"."DDFTT"OBMZ[FSͱԿ͔ ʮϦιʔεϕʔεϙϦγʔͷ PrincipalΛݟͯ͘ΕΔͷʯ͕ͩͬͨɺ ͍ͭͷؒʹ͔͍ΖΜͳ͜ͱ͕ Ͱ͖ΔΑ͏ʹͳ͍ͬͯͨ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ S3 όέοτϙϦγʔͷΈ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛੳ • 2021/01
ੳର͕Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ S3 όέοτϙϦγʔͷΈ ٸʹྲྀΕ͕มΘΔ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • 2021/01 ੳର͕Ճ • 2021/03
ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ SCP ϦιʔεϕʔεϙϦγʔʹରԠ
*"."DDFTT"OBMZ[FSͷྺ࢙ • 2019/12 ϦϦʔε • 2021/01 ੳର͕Ճ • 2021/03
ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ SCP ϦιʔεϕʔεϙϦγʔʹରԠ • 2021/04 ʮϙϦγʔͷੜʯʹରԠ • ΞΠσϯςΟςΟϕʔεϙϦγʔͷΈ͕ର
ͬ͘͟ΓԿ͕ҧ͏͔ Region ΞφϥΠβʔ IAM Access Analyzer ϦιʔεϕʔεϙϦγʔͷੳ αʔϏεʹ ϦϯΫ͞Εͨ
ϩʔϧ ϙϦγʔͷݕূ ϙϦγʔͷੜ αʔϏε͕ ༻͢Δ ϩʔϧ
ͬ͘͟ΓԿ͕ҧ͏͔ • ϦιʔεϕʔεϙϦγʔͷੳʹϦʔδϣφϧϦιʔεͰ ͋ΔʮΞφϥΠβʔʯͷ࡞͕ඞཁ • ϙϦγʔͷݕূʹϦιʔεϩʔϧཁΒͳ͍ • ϙϦγʔͷੜʹϩʔϧ͚ͩཁΔ
IAM ΞΫηεΞυόΠβʔ ͱԿ͕ҧ͏͔ ࠞཚ͕ͪ͠
ΞφϥΠβʔͱΞυόΠβʔ *"."DDFTT"OBMZ[FS *"."DDFTT"EWJTPS *".ΞΫηεʁ ΞφϥΠβʔʂ ΞυόΠβʔʂ Կ͕Ͱ͖Δ͔ ɾϦιʔεϕʔεϙϦγʔͷੳ ɾ֤छϙϦγʔͷݕূ
ɾΞΠσϯςΟςΟϕʔεϙϦγʔͷੜ ɾ*".Ϧιʔε୯ҐͰͷɺ ΞΫηεڐՄͱΞΫηεཤྺͷදࣔ αʔϏε͔Ͳ͏͔ ɾ"84αʔϏεͰ͋Δ ɾϦιʔεଘࡏ͢Δ ɾαʔϏε༻ͷϩʔϧଘࡏ͢Δ ɾ"84αʔϏεͰͳ͍ ɾෳͷ"1*ʹΑΔػೳͷ໊শ ར༻ྉ ແྉͰࠓ͙͓͍͍͚ͨͩ͢·͢ ແྉͰࠓ͙͓͍͍͚ͨͩ͢·͢
ΞΫηεΞυόΠβʔͷ֓ཁ •ΞΠσϯςΟςΟϕʔεϙϦγʔΛج४ͱͨ͠ʮΞΫ ηεՄೳͳαʔϏεʯͷදࣔ •Cloud TrailΛϕʔεͱͨ͠ʮΞΫηεཤྺʯͷදࣔ
4. ࠷খݖݶΛࢦͨ͢Ίͷػೳ Α͏͘
औΓ্͛Δͷ͜ͷͭͰ͢
ͦͷ1. ϙϦγʔͷݕূ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
ϙϦγʔͷݕূͱ • IAM Access Analyzer ʹΑΔػೳ • ҎԼͷϙϦγʔʹର͍͍ͯ͠ײ͡ͷνΣοΫΛͯ͘͠ΕΔ •
ΞΠσϯςΟςΟϕʔεϙϦγʔ • SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ※ϚωίϯෆՄ • ϦιʔεϕʔεϙϦγʔɹ※ϚωίϯෆՄ
ϙϦγʔͷݕূͱ • ϙϦγʔͷνΣοΫͷ؍ • ηΩϡϦςΟɹηΩϡϦςΟϦεΫͱΈͳ͞ΕΔ༰ • ΤϥʔɹߏจΤϥʔແޮͳͳͲ • ܯࠂɹηΩϡϦςΟϦεΫͰͳ͍͕ϕετϓϥΫςΟεͰͳ͍
• ఏҊɹΞΫηεڐՄʹӨڹΛ༩͑ͳ͍ఏҊʢͳهड़ͳͲʣ
ϙϦγʔͷݕূͷྫ • ηΩϡϦςΟͷΧςΰϦͷνΣοΫ߲ྫ • NotPrincipalͰڐՄΛ༩͍͑ͯΔ • PassRoleΛڐՄ͢ΔResourceʢϩʔϧʣ͕͗͢Δ • PassRoleΛڐՄ͢ΔAction͕͗͢Δ
ϙϦγʔͷݕূ • Ϛωίϯ͔ΒΞΠσϯςΟςΟϕʔεϙϦγʔΛฤू͢Δͱ͖Կ ߟ͑ͣศརʹ͏ • ϙϦγʔΛ CI/CD ཧ͍ͯ͠Δͱ͖ϓϩάϥϜʹΑΓࣗಈͰݕ ূͤ͞Δ͍ํ͋Γ
• ʮ࠷খݖݶΛࢦ͢ʯͱ͍͏؍Ͱͦ͜·Ͱڧ͘ͳ͍
ͦͷ2. ϙϦγʔͷੜ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
ϙϦγʔͷੜͱ • IAM Access Analyzer ʹΑΔػೳ • աڈͷΞΫςΟϏςΟΛجʹɺΞΠσϯςΟςΟϕʔεϙϦγʔͷ ܗΛੜͯ͘͠ΕΔ
ϙϦγʔͷੜʂخ͍͠ ͏͔ͬΓߏͰϒϩάԽ͞ΕΔ΄ͲͷΞπ͞
ҙ͕͋Γ·͢ ͍͔ͭ͘
ҙͦͷʢͨͪʣ •աڈͷΞΫςΟϏςΟ͕͋Δ͜ͱ͕લఏͳͷͰɺʮ࠷খͰελʔ τʯͷέʔεͰ͑ͳ͍ •ରϢʔβʔ/ϩʔϧͱಉ͡ΞΧϯτͰ Trail ͕༗ޮʹͳ͍ͬͯ Δඞཁ͕͋Δ •ϕʔεͱͰ͖Δظؒ࠷େͰ90ؒ •ෳͷϢʔβʔ/ϩʔϧʹରͯ͠ಉ࣌ʹੜͰ͖ͳ͍
•1ʹੜͰ͖Δͷ5݅·Ͱ
ҙͦͷ •ਫ਼ࠪͯ͘͠ΕΔͷ Action ͷΈ •Resource Codition ʹաڈͷΞΫςΟϏςΟө͞Ε ͳ͍
ʮ͜ͷϢʔβʔաڈؒͰ ಛఆͷ4όέοτʹରͯ͠ͷΈΞΫηεͯ͠Δ͔Β 3FTPVSDFͰ͜ͷ4όέοτ͚ͩʹߜΔͱ͍͍Αʯ ͳΜͯ͜ͱͯ͘͠Ε·ͤΜɻ
ҙͦͷ •ͯ͢ͷαʔϏεͰ Action ϨϕϧͰਫ਼ࠪͯ͘͠ΕΔΘ͚Ͱͳ͍ ্هҎ֎ͷαʔϏε ʮαʔϏεϨϕϧʯͰͷ ચ͍ग़ͩ͠Α ◦ IAM
◦ AWS KMS ◦ AWS Lambda ◦ AWS RAM ◦ Amazon RDS ◦ AWS Resource Groups ◦ Amazon S3 ◦ AWS Security Token Service ◦ AWS Systems Manager ◦ IAM Access Analyzer ◦ Amazon CloudWatch ◦ Amazon Cognito Identity ◦ Amazon Cognito user pools ◦ Amazon EC2 ◦ Amazon ECS ◦ Elastic Load Balancing
ϙϦγʔͷੜ •։ൃظؒͷ࣮Λͱʹʮ࠷খݖݶΛࢦ͢ʯͱ͍͏έʔεͰ ༗ޮ •ʮΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔʯʹ͔͠ ͑ͳ͍ͷΛཧղ͢Δ •Action ͕ͯ͢ચ͍ग़͞ΕΔΘ͚Ͱͳ͍͜ͱΛཧղ͢Δ
ͦͷ3. ࠷ऴΞΫηεใͷར༻ ࠷খݖݶΛࢦͨ͢Ίͷػೳ
࠷ऴΞΫηεใͷར༻ͱ • IAM ΞΫηεΞυόΠβʔ ʹΑΔػೳ • IAMϦιʔεʢϢʔβʔ/άϧʔϓ/ϩʔϧ/ϙϦγʔʣ୯ҐͰҎԼΛ֬ ೝͰ͖Δ •
ΞΫηεՄೳͳAWSαʔϏε • ࠷ऴΞΫηεཤྺ • ҎԼͷAWSαʔϏεʹରͯ͠ΞΫγϣϯϨϕϧͰ֬ೝՄೳ • Amazon S3 • Amazon EC2 • AWS IAM • AWS Lambda
࠷ऴΞΫηεใͷར༻ • ϚωίϯͩͬͨΒ͔͜͜Β؆୯ʹݟΕ·͢ɻ
࠷ऴΞΫηεใͷར༻ •ΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔͷʹ͑Δ •ʮϙϦγʔͷੜʯͱػೳࣅ͍ͯΔ͕ɺͰ͖Δ͜ͱ͕গͳ ͍ɺΑΓ͓खܰ •AWS CLI ͰΔͱ݁ߏָ͍͠
·ͱΊ ·ͱΊ
·ͱΊ • ʮ࠷খݖݶʯ͍ΖΜͳϙϦγʔͷ͍ΖΜͳཁૉ Λ࣮ͬͯ͢Δ • IAM Access Analyzer(ͱΞυόΠβʔ)ͦͷҰ ෦Λνϡʔχϯά͢Δͷʹศར
• ʮ͜Ε͓͚͑ͬͯ͞OKʯͳ͍ͷͰɺܧଓ ͯ͠಄Λ·ͤ·͠ΐ͏