Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba...
Search
Kazuki Numazawa
August 02, 2019
Technology
2
1.3k
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History
2019/08/02 インフラ・ネットワークエンジニア勉強会 Vol.1
https://istyle.connpass.com/event/133989/
にて、LT発表した資料。
Kazuki Numazawa
August 02, 2019
Tweet
Share
More Decks by Kazuki Numazawa
See All by Kazuki Numazawa
システムのログは保存したか?で、その後どうする?システムのログ保存先とコスト最適化について
numasawa
2
450
AWS account and user management design in asken
numasawa
2
1k
日本からでも楽しめる!re:Inventの楽しみ方 / re:Invent 2018 from Japan
numasawa
1
210
英語?なにそれおいしいの?人向けre:Inventを楽しむ方法 / re:Invent 2018 Standby
numasawa
0
940
Utilization of data of RDS aurora
numasawa
0
84
reinvent ultra quiz champion
numasawa
0
590
AWS導入事例と失敗談
numasawa
1
600
Other Decks in Technology
See All in Technology
Oracle Cloud Infrastructure:2025年6月度サービス・アップデート
oracle4engineer
PRO
2
310
ドメイン特化なCLIPモデルとデータセットの紹介
tattaka
1
360
Fabric + Databricks 2025.6 の最新情報ピックアップ
ryomaru0825
1
150
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
170
mrubyと micro-ROSが繋ぐロボットの世界
kishima
2
380
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
440
変化する開発、進化する体系時代に適応するソフトウェアエンジニアの知識と考え方(JaSST'25 Kansai)
mizunori
1
260
より良いプロダクトの開発を目指して - 情報を中心としたプロダクト開発 #phpcon #phpcon2025
bengo4com
1
3.2k
Geminiとv0による高速プロトタイピング
shinya337
0
190
Should Our Project Join the CNCF? (Japanese Recap)
whywaita
PRO
0
290
Amazon Bedrockで実現する 新たな学習体験
kzkmaeda
2
670
モバイル界のMCPを考える
naoto33
0
330
Featured
See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
Code Reviewing Like a Champion
maltzj
524
40k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Documentation Writing (for coders)
carmenintech
72
4.9k
Facilitating Awesome Meetings
lara
54
6.4k
Into the Great Unknown - MozCon
thekraken
39
1.9k
Done Done
chrislema
184
16k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Unsuck your backbone
ammeep
671
58k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
53k
Transcript
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE mediba ʹ͓͚Δ IAM Ϣʔβཧͷྺ࢙ ΠϯϑϥɾωοτϫʔΫΤϯδχΞษڧձ Vol.1
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣗݾհ ໊લ: প Ұथ ॴଐ: ɹגࣜձࣾmediba ΠϯϑϥετϥΫνϟʔ෦ ͬͯΔ͜ͱ: ɹओʹ
AWS ΛͬͨγεςϜΠϯϑϥͷઃܭɾߏஙɾӡ༻ AWS ྺ: 7 ɹ2016 AWS ϧτϥΫΠζνϟϯϐΦϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ גࣜձࣾmediba ۀ༰: KDDI גࣜձࣾͷ au εϚʔτύεΛத৺ͱͨ͠ au ؔ࿈αʔϏεӡӦ
ͷଞɺࠃ֎ʹͯΧϧνϟʔɾήʔϜɾࢠҭͯɺ෯͍Ͱαʔ ϏεΛల։͠ɺϢʔβʔ͕ΠϯλʔωοτΛ௨ͯ͡ඞཁͳ࣌ʹඞཁͳ ใʹΞΫηεͰ͖Δڥͮ͘ΓͷͨΊͷαʔϏεΛఏڙ͍ͯ͠· ͢ɻ ※auεϚʔτύε KDDI גࣜձࣾͷඪ·ͨొඪͰ͢ɻ https://www.mediba.jp/company/info.html ΑΓൈਮ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ؆୯ʹݴ͏ͱɺ • au ؔ࿈αʔϏεͬͯ·͢ • au ֎ͷαʔϏεॾʑͬͯ·͢ ͜ΕΒΛ௨ͯ͡
ʮώτʹ“HAPPY”Λʯಧ͚Δͷ͕ զʑͷϛογϣϯͰ͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ѻ͍ͬͯΔ au ؔ࿈αʔϏε(Ұ෦) • au Web ϙʔλϧ (
https://auone.jp/ ) • au Web ϙʔλϧͷχϡʔε໘ ( https://article.auone.jp/ ) • au ఱؾ ( https://tenki.auone.jp/ ) • ϙΠϯτஷΊΔ ( https://enjoy.point.auone.jp/ ) • au εϚʔτύεͷҰ෦ίϯςϯπ • ձһಛయɺΞϓϦऔΓ์ɺೖୀձɺetc…
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ຊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ظ] (2013ʙ2015ࠒ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • mediba ʹ͓͚Δ AWS ར༻ 2013ࠒ͔Β • ϒϩάͷձࣾܦ༝Ͱ
AWS ΞΧϯτΛൃߦ ͯ͠ར༻ • ͳͷͰɺ͕͢͞ʹʮroot ϢʔβΛར༻͢Δʯͱ ͍͏ΞϯνύλʔϯதͷΞϯνύλʔϯঢ়ଶ ආ͚ΒΕ͍ͯͨ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͪͳΈʹલ৬ͰͬͯͨYOʂ(খ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • ࠷ॳͷࠒɺ·ͩ • ΞΧϯτݸఔ • ར༻ऀਓఔ • ͦͷ࣌ͷ
IAM Ϣʔβ • ֤ AWS ΞΧϯτͦΕͧΕʹ ݸਓ༻ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సػ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] ࣌2015 ؾ͚ΞΧϯτ͕େྔʹ → ࣗવͱ IAM Ϣʔβେʹ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE Why ?
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • AWS Λར༻ͨ͠ϓϩμΫτ͕૿͑Δͨͼʹ3ͭ ͣͭΞΧϯτ͕૿͑Δঢ়ଶ • 2015ࠒʹ40͍ۙΞΧϯτ͕͋ͬͨͱ͔ͳ ͔ͬͨͱ͔
• ΞΧϯτ͝ͱʹ IAM ϢʔβΛ࡞ɾཧ͢Δ ͷਖ਼͖ͭ͘ͳ͖ͬͯͨ • ར༻ऀଆɺϩάΠϯɾϩάΞτΛ܁Γ ฦ͢ͷ͕͠ΜͲ͔ͬͨͱࢥ͏
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • ͍ͭͰʹɺ͜ͷࠒ͔ΒηΩϡϦςΟ໘͕ؾʹͳ Γͩ͢ • ͜͜·ͰɺID/ύεϫʔυ ͷΈͰϩάΠϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సظ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • IAM Ϣʔβͷཧ͕ࡶ • IAM ϢʔβͷηΩϡϦςΟ໘͕ؾʹͳΔ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͜ͷ2ͭΛಉ࣌ʹղܾ͢ΔͨΊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ʮ౿Έ AWS ΞΧϯτํࣜʯ Λ࠾༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • Πϝʔδ౿Έαʔόͱಉ͡ • ֤ϓϩμΫτͷ֤ڥͷೖΓޱͱ͚ͯͩ͠ͷ AWS ΞΧϯτΛ༻ҙ •
ೖΓޱ͕1ͭʹͳΔͷͰɺ͜͜ͷ CloudTrail Λ ༗ޮԽͯ͠ɺϩάΠϯهΛอଘɺࢹ • ౿Έ্ͷ IAM Ϣʔβͷ MFA ઃఆΛඞਢͱ͢ Δ͜ͱͰηΩϡϦςΟΛ্
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ख़ظ] (2016ʙݱࡏ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͔͜͜Βɺ࣮ࡍʹͲ͏͍͏ ઃఆʹͳ͍ͬͯΔ͔Λ͝հ͠·͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ֤ϓϩμΫτͷ֤ڥͷ AWS ΞΧϯτଆ (࣮ڥ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ৽ن AWS ΞΧϯτൃߦޙɺ࠷ॳʹ ΫϩεΞΧϯτΞΫηε༻ͷ IAM ϩʔϧΛ༻ҙ •
͜ͷ IAM ϩʔϧʹɺ౿ΈΞΧϯτ͔Βͷ ར༻ڐՄΛઃఆ • ʮMFA ඞਢʯΛ݅ʹઃఆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • IAM ϩʔϧେ·͔ʹҎԼͷछྨͷͷΛ༻ҙ • ཧऀ༻ • Administrator •
ਖ਼ࣾһ༻ • IAM ͷҰ෦ݖݶҎ֎શͯڐՄ • (ਖ਼ࣾһҎ֎ͷ)։ൃऀ༻ • ୲͍ͯ͠ΔϓϩμΫτͰར༻͢ΔαʔϏεͷݖݶͷΈڐՄ • ReadOnly ༻ • ROMઐ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ ͪͳΈʹɺ సظʹ͜ͷΛಋೖͨ͠ࡍɺͦͷ࣌ଘࡏ͍ͯͨ͠ AWSΞΧϯτશͯʹલड़ͷϩʔϧΛ࡞ɻ ͦͷޙɺ౿Έ AWS ΞΧϯτʹݸਓ༻ IAM Ϣʔβͷ
࡞ͱεΠον֬ೝ͕औΕͨஈ֊Ͱɺ࣮ڥଆͷݸਓ༻ IAM ϢʔβΛશͯআͨ͠ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ͜ΕҎ߱ɺIAM Ϣʔβͷ࡞Λݪଇېࢭ • IAM ϩʔϧͷར༻Λܒɾਪਐ • ͨͩ͠ɺͨ·ʔʹΞΫηεΩʔ/γʔΫϨοτΞΫηε
ΩʔͰ͔͠ରԠͰ͖ͳ͍ύςΟʔϯ͕͋Δ • ͜ͷ߹૬ஊͷ্Ͱɺྫ֎తʹ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ AWS ΞΧϯτଆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ݸਓ༻ͷ IAM Ϣʔβ͜͜ʹ͔͠࡞Βͳ͍ • IAM Ϣʔβʹ MFA
Λઃఆ • ཧऀܥͷ IAM ϢʔβҎ֎ɺҎԼͷݖݶͷΈ༩ • εΠον͢ΔͨΊͷݖݶ (sts:AssumeRole) • ࣗͷ MFA ઃఆΛ͢Δݖݶ • ࣗͷύεϫʔυΛઃఆ͢Δݖݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • MFA ͷઃఆΛ͍ͯ͠ͳͯ͘౿ΈͷϩάΠϯ Ͱ͖ͯ͠·͏ • લड़ͷʮMFA ඞਢʯͷ͕݅ΫϩεΞΧϯτ༻ͷ ϩʔϧʹ͍͍ͯΔ
• ͜ͷ݅ͰɺMFA ະઃఆऀͷεΠονΛ੍ • ͜ΕʹΑΓɺMFA ͕ઃఆ͞Εͳ͍··ͷར༻Λ͙
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ਖ਼ࣾһҎ֎ͷ IAM Ϣʔβ Source IP Ͱͷૢ࡞੍ݶ ༩
• AWS ίϯιʔϧͷΞΫηεΛ੍ݶͰ͖ͳ͍ͷ Ͱɺ౿ΈͷϩάΠϯͲ͔͜ΒͰͰ͖Δ • ͨͩɺਖ਼ࣾһҎ֎ɺΦϑΟε֎Ͱͷར༻Λఆ ͍ͯ͠ͳ͍ • ͦͷҝͷ Source IP ʹΑΔૢ࡞੍ݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһ • ձ͔ࣾΒۀ༻ͱͯ͠ εϚʔτϑΥϯΛࢧڅ͞Ε͍ͯΔ • ͦͷۀʹ
MFA ༻ͷΞϓϦ (mediba Ͱ Authy ͷར༻Λਪ)Λ Πϯετʔϧͯ͠ར༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһҎ֎ • Χʔυܕͷཧ MFA σόΠεΛར༻ •
ਖ਼ࣾһಉ༷ɺձࣾཧͷσόΠεʹඥ͚͔ͨͬ ͨͨΊɺձࣾͰΧʔυΛ༻ҙ • ཧऀଆͰMFA Λઃఆͯ͠ΧʔυΛି༩
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ݱࡏ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ݱࡏ] ݱࡏ͜Ε·Ͱઆ໌ͨ͠ঢ়ଶͰӡ༻ AWS ΞΧϯτ80ఔ ·͊ಛʹେ͖ͳࢧোແ͍
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ະདྷ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ ͜ΕΒͷ͔Βɺ ΊΔํͰௐத
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • OS ΞΧϯτ IAM Ϣʔβ͚ͩͰཧ • Systems
Manager ͷ Session Manager Λར༻ • طʹ Session Manager ͚ͩͰ։ൃΛߦͬͯΒͬ ͍ͯΔϓϩμΫτ͋Δ • ࠓޙɺ৽نʹߏங͢ΔϓϩμΫτͰجຊతʹ Session Manager Λ࠾༻͍ͯ͘͠
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷϝϦοτ • SSH ͷ͚݀͋ෆཁ
• ౿Έαʔόෆཁ • Private Subnet ʹ͋ͬͯར༻Մೳ • ૢ࡞ϩάΛ S3 ͱ CloudWatch Logs ʹग़ྗՄೳ • IAM ϙϦγʔͰ EC2 ΠϯελϯεͷΞΫηε੍ݶՄೳ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ ݱ࣌Ͱɺ͜ΕΒͷ σϝϦοτ͕ϋʔυϧʹ ͳΔ͜ͱͳ͍ͨΊɺ ՄೳͳݶΓ࠾༻͍ͯ͘͠