AWS Management Services

AWS Management Services JAWSUG Yokohama #73 @ijin Sep 3, 2024

AWS Management services 1. Control Tower 2. IAM Identity Center
3. Organizations

• ϚϧνΞΧ΢ϯτઓུ • ؀ڥͷ෼཭؅ཧ • νʔϜɾϢʔβʔͷ෼཭؅ཧ • ηΩϡϦςΟͱ౷੍ͷ؅ཧ • ίετ؅ཧ
AWS Organizations

AWS Organizations ߏ੒ྫɿ Organization UnitʢOUʣͰά ϧʔϐϯάΛ͠ɺOU୯ҐͰͷݖݶ ΍SCPઃఆ͕Մೳ

AWS Organizations ஫ҙ఺ “Unable to create the environment. You must
verify your account before accessing CloudShell. To verify your account, contact AWS Support .” ৽ن࡞੒ΞΧ΢ϯτ͸͍Ζ͍Ζ੍ݶ͞ΕΔ৔߹͕͋Δɻverify͕ඞཁ ͩͬͨΓquota͕ஶ͘͠௿͔ͬͨΓɻ → Service Quotas request templatesͰΞΧ΢ϯτ࡞੒࣌ʹQuotaͷ ্ݶ؇࿨ΛϦΫΤετ͢ΔςϯϓϨʔτΛ࢖ͬͨΓ΋Ͱ͖Δ

• چAWS Single Sign-On • IAMϢʔβʔΛഇࢭ͠ɺSSOϢʔβʔͰSSOϩάΠϯ • Identity Source΋બ୒Մೳ •
Identity Center • Active Directory • ֎෦Identity Provider (IdP) - GoogleϩάΠϯ౳ AWS IAM Identity Center

AWS IAM Identity Center Users x Groups x Permission Sets
x Accounts ΞϓϦͷׂΓ౰ͯϩʔϧ (Permission Set) ʮʓʓΞϓϦBASEʯάϧʔϓʹଐ͍ͯ͠Δ৔߹ɺʓʓΞϓϦ༻ͷ֤؀ڥ ʢ։ൃ/εςʔδϯά/ڭҭ/ຊ൪ʣͷAWSΞΧ΢ϯτʹ ReadOnlyAccess ͕ Մೳ ʮʓʓΞϓϦ։ൃʯάϧʔϓʹଐ͍ͯ͠Δ৔߹ɺ։ൃ/εςʔδϯά؀ڥͷ AWSΞΧ΢ϯτʹରͯ͠ AdministratorAccess ͕Մೳ ʮʓʓΞϓϦADMINʯάϧʔϓʹଐ͍ͯ͠Δ৔߹ɺڭҭ/ຊ൪؀ڥͷAWSΞ Χ΢ϯτʹରͯ͠ AdministratorAccess ͕Մೳ ʮSandboxʯͷׂΓ౰ͯϩʔϧ͸ɺʮSandboxʯAWSΞΧ΢ϯτʹରͯ͠ AdministratorAccess ͕Մೳ

AWS IAM Identity Center Permission Set΍Groupsͷઃఆ Iac (Terraform)

AWS IAM Identity Center Iac (Terraform) Permission Set΍Groupsͷ࣮૷

AWS IAM Identity Center IaC (Terraform) • ୭Ͱ΋༰қʹϢʔβʔ௥Ճɾมߋɾ࡟আͰ͖ΔΑ͏ʹCSV؅ཧ

AWS IAM Identity Center ஫ҙ఺ • Ϧʔϯδϣϯ࡞੒ʹ஫ҙʢus-east-1Ͱ࡞ͬͪΌͬͨʣ • Access Portal
URL (https://s9.awsapps.com/start )ઃఆ͸1ճͷΈʂ • TerraformͰsso user࡞੒ޙʹࣗಈϝʔϧૹ৴͸͞Εͳ͍ɻAPIͷ੍ݶΒ͍͠ɻ • https://github.com/hashicorp/terraform-provider-aws/issues/28102 • ॳճϩάΠϯ࣌ʹύεϫʔυઃఆϦϯΫ͸ϝʔϧૹ৴͞ΕΔ • ύεϫʔυڧ౓౳ͷཁ݅͸ݻఆ • https://docs.aws.amazon.com/singlesignon/latest/userguide/password- requirements.html

AWS Control Tower • ૊৫ͷ౷߹؅ཧ • ΞΧ΢ϯτൃߦ • SCP؅ཧʢControls͸چGuardrailsʣ •
preventativeʢ༧๷ʣ • detectiveʢݕग़ʣ • proactiveʢϓϩΞΫςΟϒʣ • ࣮ଶ͸Con fi g rules, Security Hub΍Cloudformation Hooks/Guard

AWS Control Tower • SCP͸શ513छྨʂʢ2024/9/3ݱࡏʣ • Ͳ͏ద༻͢Δ͔ʁ • Strongly recommendʢڧ͘ਪ঑͞ΕΔʣcontrol͸جຊઃఆ͢Δ
• AWS Foundational Best practices౳ͷΨΠυϥΠϯΛݩʹ͢Δ • ཁ݅ʹԠͯ͡ݸผOUΛઃఆ͍ͯ͘͠

AWS Control Tower ΨΠυϥΠϯ͔Β४ڌ͢ΔControlΛ൑ผʢۤߦɻɻʣ

AWS Control Tower • universal controls • શͯͷOUʹద༻͍ͨ͠control • main_ou_controls
• Sandbox OU͸ಛघͳҝʢޙड़ʣɺ  ෼͚ͯΔ • Individual ou controls • ݸผʹద༻͍ͨ͠OU Iac (Terraform) Controlͷઃఆ

AWS Control Tower • Map͔Β͍͍ײ͡ʹՃ޻ͨ͠controlͱou ͷηοτΛ࡞੒ • ou x controlͰͦΕͧΕద༻
• ਌OUʹద༻ͯ͠΋ࢠOUʹ͸͸ޮ͔ͳ͍ • ݁ߏͳ૊Έ߹ΘͤʹͳΔͷͰ࣌ؒ͸͔͔Δ • Terraform΍CI/CDͷద੾ͳλΠϜΞ΢ τઃఆ͕ඞཁ Iac (Terraform) Controlͷ࣮૷

AWS Control Tower Accont Factory for Terraform • accountൃߦࣗମ͸AWSެࣜͷιϦϡʔγϣϯͰࣗಈԽ •
΍΍ෳࡶͳҹ৅ • 4ͭͷϦϙδτϦ͕ඞཁ

AWS Control Tower ஫ҙ఺ “Error: updating ControlTower Landing Zone (4BN0Z52M0WTJOIGE):
operation error ControlTower: UpdateLandingZone, https response error StatusCode: 400, RequestID: af1803fb-35c6-40c6-9e2c-777db5d8956c, ValidationException: The LandingZoneManifest that you provided is not compliant with the LandingZoneManifest schema. For information about formatting, see https://docs.aws.amazon.com/controltower/latest/ userguide/lz-api-launch.html.”  Control TowerͷLanding zoneΛTerraformͰ؅ཧ͠Α͏ͱͨ͠ΒΤϥʔ͕ɻݱঢ়͸landing zoneʹݶͬͯ͸؅ཧର৅֎ʹ͢ΔͷΛਪ঑͢Δɻcontrol౳͸ok ɾͦ΋ͦ΋ৄࡉAPIυΩϡϝϯτͷෆ଍ ɾTerraform issue ɾhttps://github.com/hashicorp/terraform-provider-aws/issues/35763

AWS Control Tower ஫ҙ఺ Control Tower༗ޮԽʹ࡞੒͞ΕΔSecurity OUʢLog Archive΍ Audit account༻ʣ͸ಛผʹઃܭ͞Ε͓ͯΓɺಛఆͷ੍໿΍ඞਢͷ
control͕ద༻͞Ε͍ͯΔͨΊɺ௥Ճͷબ୒తcontrolΛద༻͠Α͏ ͱ͢Δͱڝ߹ͯ͠ΤϥʔʹͳΔՄೳੑ͋Γ →ɹSecurity OU͸ผ࿮ͱͯ͠ѻ͏

AWS Control Tower ஫ҙ఺ ControlͷARN͸چGuardrailͷํ͕෼͔Γ΍͔ͬͨ͢ arn:aws:controltower:us-east-1::control/AWS- GR_CLOUDTRAIL_CHANGE_PROHIBITED ࠓ͸ϥϯμϜจࣈྻ͕ࣝผࢠɻ͔͠΋Ϧʔδϣϯ୯ҐͰҧ͏ʂ😱 CT.CLOUDFORMATION.PR.1 →
ɾarn:aws:controltower:us-east-1::control/WTDSMKDKDNLE ɾarn:aws:controltower:ap-northeast-1::control/TUJJPJIYTMNX https://docs.aws.amazon.com/controltower/latest/controlreference/control-region- tables.html

AWS management services ࠓ΋ઈࢍऔΓࠐΈதʂ • Security Hub • Guardrails •
Macie • Etc..

AWS Management Services

AWS Management Services

Michael H. Oshita

More Decks by Michael H. Oshita

Other Decks in Technology

Featured

Transcript