Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba...
Search
Kazuki Numazawa
August 02, 2019
Technology
2
1.3k
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History
2019/08/02 インフラ・ネットワークエンジニア勉強会 Vol.1
https://istyle.connpass.com/event/133989/
にて、LT発表した資料。
Kazuki Numazawa
August 02, 2019
Tweet
Share
More Decks by Kazuki Numazawa
See All by Kazuki Numazawa
システムのログは保存したか?で、その後どうする?システムのログ保存先とコスト最適化について
numasawa
2
410
AWS account and user management design in asken
numasawa
2
950
日本からでも楽しめる!re:Inventの楽しみ方 / re:Invent 2018 from Japan
numasawa
1
200
英語?なにそれおいしいの?人向けre:Inventを楽しむ方法 / re:Invent 2018 Standby
numasawa
0
930
Utilization of data of RDS aurora
numasawa
0
70
reinvent ultra quiz champion
numasawa
0
580
AWS導入事例と失敗談
numasawa
1
580
Other Decks in Technology
See All in Technology
Symfony in 2025: Scaling to 0
fabpot
2
220
OCI見積もり入門セミナー
oracle4engineer
PRO
0
120
銀行でDevOpsを進める理由と実践例 / 20250317 Masaki Iwama
shift_evolve
1
110
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
20k
Cloud Native PG 使ってみて気づいたことと最新機能の紹介 - 第52回PostgreSQLアンカンファレンス
seinoyu
2
230
17年のQA経験が導いたスクラムマスターへの道 / 17 Years in QA to Scrum Master
toma_sm
0
420
コード品質向上で得られる効果と実践的取り組み
ham0215
2
210
Enterprise AI in 2025?
pamelafox
0
110
AIエージェント完全に理解した
segavvy
4
290
20250328_RubyKaigiで出会い鯛_____RubyKaigiから始まったはじめてのOSSコントリビュート.pdf
mterada1228
0
180
一人QA時代が終わり、 QAチームが立ち上がった話
ma_cho29
0
290
Amazon GuardDuty Malware Protection for Amazon S3を使おう
ryder472
2
110
Featured
See All Featured
How STYLIGHT went responsive
nonsquared
99
5.4k
Why Our Code Smells
bkeepers
PRO
336
57k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Rails Girls Zürich Keynote
gr2m
94
13k
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.5k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
22
2.6k
Navigating Team Friction
lara
184
15k
Side Projects
sachag
452
42k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.3k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
29
2k
Building Your Own Lightsaber
phodgson
104
6.3k
Transcript
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE mediba ʹ͓͚Δ IAM Ϣʔβཧͷྺ࢙ ΠϯϑϥɾωοτϫʔΫΤϯδχΞษڧձ Vol.1
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣗݾհ ໊લ: প Ұथ ॴଐ: ɹגࣜձࣾmediba ΠϯϑϥετϥΫνϟʔ෦ ͬͯΔ͜ͱ: ɹओʹ
AWS ΛͬͨγεςϜΠϯϑϥͷઃܭɾߏஙɾӡ༻ AWS ྺ: 7 ɹ2016 AWS ϧτϥΫΠζνϟϯϐΦϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ גࣜձࣾmediba ۀ༰: KDDI גࣜձࣾͷ au εϚʔτύεΛத৺ͱͨ͠ au ؔ࿈αʔϏεӡӦ
ͷଞɺࠃ֎ʹͯΧϧνϟʔɾήʔϜɾࢠҭͯɺ෯͍Ͱαʔ ϏεΛల։͠ɺϢʔβʔ͕ΠϯλʔωοτΛ௨ͯ͡ඞཁͳ࣌ʹඞཁͳ ใʹΞΫηεͰ͖Δڥͮ͘ΓͷͨΊͷαʔϏεΛఏڙ͍ͯ͠· ͢ɻ ※auεϚʔτύε KDDI גࣜձࣾͷඪ·ͨొඪͰ͢ɻ https://www.mediba.jp/company/info.html ΑΓൈਮ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ؆୯ʹݴ͏ͱɺ • au ؔ࿈αʔϏεͬͯ·͢ • au ֎ͷαʔϏεॾʑͬͯ·͢ ͜ΕΒΛ௨ͯ͡
ʮώτʹ“HAPPY”Λʯಧ͚Δͷ͕ զʑͷϛογϣϯͰ͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ѻ͍ͬͯΔ au ؔ࿈αʔϏε(Ұ෦) • au Web ϙʔλϧ (
https://auone.jp/ ) • au Web ϙʔλϧͷχϡʔε໘ ( https://article.auone.jp/ ) • au ఱؾ ( https://tenki.auone.jp/ ) • ϙΠϯτஷΊΔ ( https://enjoy.point.auone.jp/ ) • au εϚʔτύεͷҰ෦ίϯςϯπ • ձһಛయɺΞϓϦऔΓ์ɺೖୀձɺetc…
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ຊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ظ] (2013ʙ2015ࠒ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • mediba ʹ͓͚Δ AWS ར༻ 2013ࠒ͔Β • ϒϩάͷձࣾܦ༝Ͱ
AWS ΞΧϯτΛൃߦ ͯ͠ར༻ • ͳͷͰɺ͕͢͞ʹʮroot ϢʔβΛར༻͢Δʯͱ ͍͏ΞϯνύλʔϯதͷΞϯνύλʔϯঢ়ଶ ආ͚ΒΕ͍ͯͨ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͪͳΈʹલ৬ͰͬͯͨYOʂ(খ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • ࠷ॳͷࠒɺ·ͩ • ΞΧϯτݸఔ • ར༻ऀਓఔ • ͦͷ࣌ͷ
IAM Ϣʔβ • ֤ AWS ΞΧϯτͦΕͧΕʹ ݸਓ༻ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సػ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] ࣌2015 ؾ͚ΞΧϯτ͕େྔʹ → ࣗવͱ IAM Ϣʔβେʹ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE Why ?
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • AWS Λར༻ͨ͠ϓϩμΫτ͕૿͑Δͨͼʹ3ͭ ͣͭΞΧϯτ͕૿͑Δঢ়ଶ • 2015ࠒʹ40͍ۙΞΧϯτ͕͋ͬͨͱ͔ͳ ͔ͬͨͱ͔
• ΞΧϯτ͝ͱʹ IAM ϢʔβΛ࡞ɾཧ͢Δ ͷਖ਼͖ͭ͘ͳ͖ͬͯͨ • ར༻ऀଆɺϩάΠϯɾϩάΞτΛ܁Γ ฦ͢ͷ͕͠ΜͲ͔ͬͨͱࢥ͏
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • ͍ͭͰʹɺ͜ͷࠒ͔ΒηΩϡϦςΟ໘͕ؾʹͳ Γͩ͢ • ͜͜·ͰɺID/ύεϫʔυ ͷΈͰϩάΠϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సظ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • IAM Ϣʔβͷཧ͕ࡶ • IAM ϢʔβͷηΩϡϦςΟ໘͕ؾʹͳΔ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͜ͷ2ͭΛಉ࣌ʹղܾ͢ΔͨΊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ʮ౿Έ AWS ΞΧϯτํࣜʯ Λ࠾༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • Πϝʔδ౿Έαʔόͱಉ͡ • ֤ϓϩμΫτͷ֤ڥͷೖΓޱͱ͚ͯͩ͠ͷ AWS ΞΧϯτΛ༻ҙ •
ೖΓޱ͕1ͭʹͳΔͷͰɺ͜͜ͷ CloudTrail Λ ༗ޮԽͯ͠ɺϩάΠϯهΛอଘɺࢹ • ౿Έ্ͷ IAM Ϣʔβͷ MFA ઃఆΛඞਢͱ͢ Δ͜ͱͰηΩϡϦςΟΛ্
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ख़ظ] (2016ʙݱࡏ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͔͜͜Βɺ࣮ࡍʹͲ͏͍͏ ઃఆʹͳ͍ͬͯΔ͔Λ͝հ͠·͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ֤ϓϩμΫτͷ֤ڥͷ AWS ΞΧϯτଆ (࣮ڥ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ৽ن AWS ΞΧϯτൃߦޙɺ࠷ॳʹ ΫϩεΞΧϯτΞΫηε༻ͷ IAM ϩʔϧΛ༻ҙ •
͜ͷ IAM ϩʔϧʹɺ౿ΈΞΧϯτ͔Βͷ ར༻ڐՄΛઃఆ • ʮMFA ඞਢʯΛ݅ʹઃఆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • IAM ϩʔϧେ·͔ʹҎԼͷछྨͷͷΛ༻ҙ • ཧऀ༻ • Administrator •
ਖ਼ࣾһ༻ • IAM ͷҰ෦ݖݶҎ֎શͯڐՄ • (ਖ਼ࣾһҎ֎ͷ)։ൃऀ༻ • ୲͍ͯ͠ΔϓϩμΫτͰར༻͢ΔαʔϏεͷݖݶͷΈڐՄ • ReadOnly ༻ • ROMઐ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ ͪͳΈʹɺ సظʹ͜ͷΛಋೖͨ͠ࡍɺͦͷ࣌ଘࡏ͍ͯͨ͠ AWSΞΧϯτશͯʹલड़ͷϩʔϧΛ࡞ɻ ͦͷޙɺ౿Έ AWS ΞΧϯτʹݸਓ༻ IAM Ϣʔβͷ
࡞ͱεΠον֬ೝ͕औΕͨஈ֊Ͱɺ࣮ڥଆͷݸਓ༻ IAM ϢʔβΛશͯআͨ͠ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ͜ΕҎ߱ɺIAM Ϣʔβͷ࡞Λݪଇېࢭ • IAM ϩʔϧͷར༻Λܒɾਪਐ • ͨͩ͠ɺͨ·ʔʹΞΫηεΩʔ/γʔΫϨοτΞΫηε
ΩʔͰ͔͠ରԠͰ͖ͳ͍ύςΟʔϯ͕͋Δ • ͜ͷ߹૬ஊͷ্Ͱɺྫ֎తʹ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ AWS ΞΧϯτଆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ݸਓ༻ͷ IAM Ϣʔβ͜͜ʹ͔͠࡞Βͳ͍ • IAM Ϣʔβʹ MFA
Λઃఆ • ཧऀܥͷ IAM ϢʔβҎ֎ɺҎԼͷݖݶͷΈ༩ • εΠον͢ΔͨΊͷݖݶ (sts:AssumeRole) • ࣗͷ MFA ઃఆΛ͢Δݖݶ • ࣗͷύεϫʔυΛઃఆ͢Δݖݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • MFA ͷઃఆΛ͍ͯ͠ͳͯ͘౿ΈͷϩάΠϯ Ͱ͖ͯ͠·͏ • લड़ͷʮMFA ඞਢʯͷ͕݅ΫϩεΞΧϯτ༻ͷ ϩʔϧʹ͍͍ͯΔ
• ͜ͷ݅ͰɺMFA ະઃఆऀͷεΠονΛ੍ • ͜ΕʹΑΓɺMFA ͕ઃఆ͞Εͳ͍··ͷར༻Λ͙
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ਖ਼ࣾһҎ֎ͷ IAM Ϣʔβ Source IP Ͱͷૢ࡞੍ݶ ༩
• AWS ίϯιʔϧͷΞΫηεΛ੍ݶͰ͖ͳ͍ͷ Ͱɺ౿ΈͷϩάΠϯͲ͔͜ΒͰͰ͖Δ • ͨͩɺਖ਼ࣾһҎ֎ɺΦϑΟε֎Ͱͷར༻Λఆ ͍ͯ͠ͳ͍ • ͦͷҝͷ Source IP ʹΑΔૢ࡞੍ݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһ • ձ͔ࣾΒۀ༻ͱͯ͠ εϚʔτϑΥϯΛࢧڅ͞Ε͍ͯΔ • ͦͷۀʹ
MFA ༻ͷΞϓϦ (mediba Ͱ Authy ͷར༻Λਪ)Λ Πϯετʔϧͯ͠ར༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһҎ֎ • Χʔυܕͷཧ MFA σόΠεΛར༻ •
ਖ਼ࣾһಉ༷ɺձࣾཧͷσόΠεʹඥ͚͔ͨͬ ͨͨΊɺձࣾͰΧʔυΛ༻ҙ • ཧऀଆͰMFA Λઃఆͯ͠ΧʔυΛି༩
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ݱࡏ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ݱࡏ] ݱࡏ͜Ε·Ͱઆ໌ͨ͠ঢ়ଶͰӡ༻ AWS ΞΧϯτ80ఔ ·͊ಛʹେ͖ͳࢧোແ͍
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ະདྷ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ ͜ΕΒͷ͔Βɺ ΊΔํͰௐத
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • OS ΞΧϯτ IAM Ϣʔβ͚ͩͰཧ • Systems
Manager ͷ Session Manager Λར༻ • طʹ Session Manager ͚ͩͰ։ൃΛߦͬͯΒͬ ͍ͯΔϓϩμΫτ͋Δ • ࠓޙɺ৽نʹߏங͢ΔϓϩμΫτͰجຊతʹ Session Manager Λ࠾༻͍ͯ͘͠
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷϝϦοτ • SSH ͷ͚݀͋ෆཁ
• ౿Έαʔόෆཁ • Private Subnet ʹ͋ͬͯར༻Մೳ • ૢ࡞ϩάΛ S3 ͱ CloudWatch Logs ʹग़ྗՄೳ • IAM ϙϦγʔͰ EC2 ΠϯελϯεͷΞΫηε੍ݶՄೳ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ ݱ࣌Ͱɺ͜ΕΒͷ σϝϦοτ͕ϋʔυϧʹ ͳΔ͜ͱͳ͍ͨΊɺ ՄೳͳݶΓ࠾༻͍ͯ͘͠