IAMロールを1000個作って遊んでいたらAWS利用費が50ドルを超えていた話です。遊ぶな。
*".ϩʔϧΛݸ࡞ͬͯ༡ΜͰ͍ͨΒ"84ར༻අ͕υϧΛ͍͑ͯͨઍ༿ʢνόϢΩʣ
View Slide
ࠓ࣋ͪؼ͍͖͍ͬͯͨͩͨ͜ͱ ʮ͋ɺ͜͜ʹར༻අ͔͔ΔΜͩͳʯʮAWS Config ͷϕετϓϥΫςΟεʯʁʁʁʁʁ
ࣗݾհ ɾ20201݄Ϋϥεϝιου ೖࣾɾITΤϯδχΞྺ7ऑɺɹɹ͏ͪAWSྺ6ऑɾAWSԿΘ͔ΒΜɻɻ😇ɾ࠲ӈͷɿɹʮIAM ϩʔϧ͓໘ͷΑ͏ͳͷʯ
ಥવͰ͕͢ ͜Μͳ͜ͱɺΑ͋͘Γ·ͤΜ͔ʁʁ
͋Γ;Εͨৗͷ෩ܠ
͋Γ;Εͨৗͷ෩ܠ ʮ͋ʔ……ʯ
͋Γ;Εͨৗͷ෩ܠ ʮIAMϩʔϧɹ1000ݸɹɹ࡞Γ͍ͨͳ……ʯʮ͋ʔ……ʯ
͋ʔʜʜ *".ϩʔϧɹݸ࡞Γ͍ͨͳᴸᴸᴸ
͍ͱͨ͘͢ߦΘΕΔߟྀͷΓͳ͍ߦҝ ʮͲ͏ͤ IAM ͬͯɹɹແྉͩ͠ͳʯΘͨ͠
͍ͱͨ͘͢ߦΘΕΔߟྀͷΓͳ͍ߦҝ ʮͲ͏ͤ IAM ͬͯɹɹແྉͩ͠ͳʯ˛Կ͔͕ߦΘΕ͍ͯΔ༷ࢠԿ͔Λ͢ΔΘͨ͠
શ༰ͪ͜ΒΛͲ͏ͧ Զୡ͍ͭ·Ͱཱͪਚ͘͠ݟͭΊ͍ͯͨᴸᴸᴸଟͷ*".ϩʔϧ͕ҠΖ͏Α͏ʹ࿈͍ͯ͘͠ɺͦͷ͞·Λɻ
:PV`WF(PU"/PUJpDBUJPO ✉ 💨💨💨
:PV`WF(PU"/PUJpDBUJPO
:PV`WF(PU"/PUJpDBUJPO 65.3υϧ
:PV`WF(PU"/PUJpDBUJPO 65.3υϧ👁👁👄͕ܲ౾మ๒ΛᷰΒͬͨΑ͏ͳإΛ͢ΔΘͨ͠
γϯΩϯάλΠϜ ʮߟ͑Ζᴸᴸߟ͑ΔΜͩᴸᴸᴸʜʜʯ
ʁʁʁʁݪҼ$POpHͰͨ͠ 👁 👁ʮ*".ϩʔϧΛݸ࡞ͬͨΒɹ֤Ϧʔδϣϯͷ$POpHʹิ͞Ε·ͨ͠ʯʮෆཁͳهΛࢭΊ·ͨ͠ʯʁʁʁʁʁʁʁʁʁʁʁ
ݪҼ$POpHͰͨ͠ 👁 👁ʮ*".ϩʔϧΛݸ࡞ͬͨΒɹ֤Ϧʔδϣϯͷ$POpHʹิ͞Ε·ͨ͠ʯʮෆཁͳهΛࢭΊ·ͨ͠ʯ
$POpH $POpH<ίϯϑΟά>
"84$POpHͱ l"84$POpHɺ"84ϦιʔεͷઃఆΛධՁɺࠪɺ৹ࠪͰ͖ΔαʔϏεͰ͢ɻ$POpHͰɺ"84Ϧιʔεͷઃఆ͕ܧଓతʹϞχλϦϯά͓Αͼه͞Εɺ·ΕΔઃఆʹର͢Δه͞ΕͨઃఆͷධՁΛࣗಈతʹ࣮ߦͰ͖·͢ɻzhttps://aws.amazon.com/jp/config/https://www.slideshare.net/AmazonWebServicesJapan/20190618-aws-black-belt-online-seminar-aws-config
5SBJMͱ$POpHͷҧ͍ A͞ΜB͞ΜΠϯελϯεAΠϯελϯε৽ن࡞ΠϯελϯελΠϓมߋm5.xlargem5.large
5SBJMͱ$POpHͷҧ͍ A͞ΜB͞ΜΠϯελϯεAΠϯελϯε৽ن࡞ΠϯελϯελΠϓมߋm5.xlargem5.largeCloud Trail AWS Config
ͦΕΛ౿·͑ͯ Կ͕ى͍ͬͯͨ͜ͷ͔
Կ͕ى͍ͬͯͨ͜ͷ͔ ͍ͬͪΐͬͯΈ͔ͬʂ
Կ͕ى͍ͬͯͨ͜ͷ͔ ϩʔϧΛͨ͘͞Μ࡞Δͧʂ
Կ͕ى͍ͬͯͨ͜ͷ͔ ϙϦγʔΛͦΕͧΕ͚ͭΔͧʂ
Կ͕ى͍ͬͯͨ͜ͷ͔ ͍ͬͨΜআ͢Δͧʂ
શ෦هͯ͠·ͨ͠Α ώΟશ෦هͯ͠·ͨ͠Α౦ژͷConfigʁʁʁ
ࢲશ෦هͯ͠·ͨ͠Α ώΟ౦ژͷConfigʁʁʁ όʔδχΞͷConfigʁʁʁࢲશ෦هͯ͠·ͨ͠Α
ح۰ͩͳɺԶهͯͨ͠Α ώΟ౦ژͷConfigʁʁʁ όʔδχΞͷConfigʁʁʁح۰ͩͳɺԶهͯͨ͠ΑϜϯόΠͷConfigʁʁʁ
ʮʮʮ͓͍͓͍ɺԶͨͪΛΕΔͳΑʜʁʯʯʯ ౦ژͷConfigʁʁʁ όʔδχΞͷConfigʁʁʁح۰ͩͳɺԶهͯͨ͠ΑϜϯόΠͷConfigʁʁʁ֤ϦʔδϣϯͷConfigͨͪʁʁʁώϡοح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Αح۰ͩͳɺԶهͯͨ͠Α͓͍͓͍ɺԶͨͪΛΕΔͳΑʜʁ͓͍͓͍ɺԶͨͪΛΕΔͳΑʜʁ
֤Ϧʔδϣϯʢݸʣͷ$POpH ౦ژͷConfigόʔδχΞͷConfigϜϯόΠͷConfig֤ϦʔδϣϯͷConfigͨͪ͋Γ͕ͱ͏͍͟͝·͢
νϦੵΕυϧ͑Δ 46υϧ5υϧ20213݄શମ20214݄த०ʮ͓΅Ζ͛ͳ͕Βු͔ΜͰ͖ͨΜͰ͢ɻʯ
$POpHͷྉۚ ɾه͞Εͨઃఆ߲͝ͱʹ0.003USDɾ1000ΠϕϯτͰ3USDɾIAM άϩʔόϧϦιʔεͳͷͰɹશϦʔδϣϯͷ Config ͕ه͋Γ͕ͱ͏͍͟͝·͢
$POpH͚ͩ͡Όͳ͍ େྔͷAPIίʔϧͲ͏ͨ͠Ͳ͏ͨ͠Ͳ͏ͨ͠Ͳ͏֤ͨ͠ϦʔδϣϯͷTrail֤ϦʔδϣϯͷGuardDuty
5SBJMͱ(VBSE%VUZͷྉۚ Ճͷίϐʔ৴͞Εͨ ཧΠϕϯτ͋ͨΓ64%6υϧTrail9υϧGuardDutyສΠϕϯτ͋ͨΓ64% ສΠϕϯτ͋ͨΓ64%
͘͠͡Βͳ͍ͨΊʹ Ͳ͏͢Εආ͚ΒΕͨͷ͔
̏ͭ͋Γ·͢ • ɹ• ɹ• ɹ
̏ͭ͋Γ·͢ • IAMϩʔϧͰ༡ͳ͍• ɹ• ɹ
̏ͭ͋Γ·͢ • IAMϩʔϧͰ༡ͳ͍• ྉۚʹ͍ͭͯͷ௨Λ༗ޮԽ͢Δ• ɹ
ྫ͑ • ٻΞϥʔτ• AWS Budgets• ࡞ΓࠐΈʹΑΔఆظऔಘhttps://dev.classmethod.jp/articles/aws-budgets-alert-by-aws-chatbot/https://dev.classmethod.jp/articles/notify-slack-aws-billing/
ࢲͬͯ·͢ ͍ʜʜ
̏ͭ • IAMϩʔϧͰ༡ͳ͍• ྉۚʹ͍ͭͯͷ௨Λ༗ޮԽ͢Δ• ConfigͷϕετϓϥΫςΟεʹͷͬͱΔ
$POpHͷϕετϓϥΫςΟε https://aws.amazon.com/jp/blogs/news/aws-config-best-practices/Config ϕετϓϥΫςΟε ϒϩά | ݕࡧ20ݸͷϓϥΫςΟε
$POpHͷϕετϓϥΫςΟεʢൈਮʣ 1. ͯ͢ͷΞΧϯτͱϦʔδϣϯͰ AWS Config Λ༗ޮʹ͢Δ2. ͯ͢ͷϦιʔελΠϓͷઃఆมߋΛه͢Δ3. 1ͭͷϦʔδϣϯͰͷΈάϩʔόϧϦιʔεΛه͢Δ4. ઃఆཤྺͱεφοϓγϣοτϑΝΠϧΛऩू͢ΔϓϥΠϕʔτͳ S3 όέοτΛ༻͢Δ5. ……
ͭͷϦʔδϣϯͰͷΈάϩʔόϧϦιʔεΛه͢Δ ౦ژͷConfig֤Ϧʔδϣϯͷ Configͨͪࢲ͚͕ͩه͠·͢……͍ʜʜ
ҰํͰ
$POpHͷϕετϓϥΫςΟεʢൈਮʣ 1. ͯ͢ͷΞΧϯτͱϦʔδϣϯͰ AWS Config Λ༗ޮʹ͢Δ2. ͯ͢ͷϦιʔελΠϓͷઃఆมߋΛه͢Δ3. 1ͭͷϦʔδϣϯͰͷΈάϩʔόϧϦιʔεΛه͢Δ4. ઃఆཤྺͱεφοϓγϣοτϑΝΠϧΛऩू͢ΔϓϥΠϕʔτͳ S3 όέοτΛ༻͢Δ5. …… ͷͬͱΔͷ͕ϚετͰͳ͍
$POpHͷهରͷબ https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/resource-config-reference.htmlݸऑͷϦιʔελΠϓͷத͔ΒඞཁͷΈΛબ
ຊʹه͕ඞཁʁίετΛҙࣝ͠Α͏ ྫʣAutoScaling ؔ࿈Ϧιʔε͕ͯ͢هରͱͳΔͨΊɺසൟʹஔ͖͕͑ߦΘΕΔ߹ɺίετ͕ਹΉ͜ͱɻAuto scalingInstanceElastic networkinterfaceVolumeSecurity groupશ෦هʹ͢ඞཁ͋Δ͔ͳʁ
৽نରԠϦιʔεهͯ͘͠ΕΔͷخ͍͚͠ΕͲ 2021/2/26•Configͷهର͕૿͑ͨ•ʮͯ͢Λهʯͷ߹ɺ৽نͷରࣗಈతʹه։࢝•͜Ε·Ͱൃੜ͍ͯ͠ͳ͔ͬͨίετ͕ٸʹ૿͑ͨɺͱ͍͏͜ͱى͜Γ͏Δ
ه͢Δ͜ͱΛݪଇͱͭͭ͠ίετҙࣝ • هΛ͢ͷେࣄ• ίετݟ߹͍ͰऔࣺબΛConfig Trail GuardDutyϦιʔεͷઃఆ༰Λه͠·͢ΠϕϯτΛه͠·͢ෆ৹ͳΞΫςΟϏςΟΛݕ͠·͢
·ͱΊ
࣋ͪؼ͍ͬͯͩ͘͞ ʮ͋ɺ͜͜ʹར༻අ͔͔ΔΜͩͳʯʮAWS Config ͷϕετϓϥΫςΟεʯ
࣋ͪؼ͍ͬͯͩ͘͞ ʮ͋ɺ͜͜ʹར༻අ͔͔ΔΜͩͳʯʮAWS Config ͷϕετϓϥΫςΟεʯʮIAMϩʔϧͰ༡ΜͰ͍͚ͳ͍ʯ
yukihirochiba
poteboy
etaroid
yuya4
optimisuke
you
sansantech
kazukihayase
lmi
line_developers_tw
keiko713
yoshiitaka
route06
edds
sferik
morganepeng
holman
zakiyama
colly
reverentgeek
gr2m
trallard
cromwellryan
bermonpainter
cassininazir