Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba...
Search
Kazuki Numazawa
August 02, 2019
Technology
1.4k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
medibaにおけるIAMユーザ管理の歴史 / instudystyle LT mediba IAM Management History
2019/08/02 インフラ・ネットワークエンジニア勉強会 Vol.1
https://istyle.connpass.com/event/133989/
にて、LT発表した資料。
Kazuki Numazawa
August 02, 2019
More Decks by Kazuki Numazawa
See All by Kazuki Numazawa
システムのログは保存したか?で、その後どうする?システムのログ保存先とコスト最適化について
numasawa
2
550
AWS account and user management design in asken
numasawa
2
1.1k
日本からでも楽しめる!re:Inventの楽しみ方 / re:Invent 2018 from Japan
numasawa
1
220
英語?なにそれおいしいの?人向けre:Inventを楽しむ方法 / re:Invent 2018 Standby
numasawa
0
960
Utilization of data of RDS aurora
numasawa
0
110
reinvent ultra quiz champion
numasawa
0
610
AWS導入事例と失敗談
numasawa
1
650
Other Decks in Technology
See All in Technology
データレイクの「見えない問題」を可視化する
sansantech
PRO
1
230
Fabricをフル活用する AI Agent Hub -製造業特化AIエージェントの設計
iotcomjpadmin
0
160
フルAIで個人開発して学んだあれこれ / yuruai vol.1
isaoshimizu
0
150
From Prompt Engineering to Loop Engineering
shibuiwilliam
1
280
AI-DLCを “そのまま導入しなかった”話 ~組織に合わせてアジャストした 私たちの実践共有~
hiroramos4
PRO
1
440
OTel × Datadog で 「AI活用」を計測し、改善に繋げる
shihochan
2
1.1k
IaC コードを資産へ:AWS CDK 社内ライブラリと横断展開 / aws-summit-japan-2026
gotok365
10
1.6k
脱SaaS!FDEを支えるプロビジョニングと分離設計
knih
0
300
製造現場での生成AIの活用、およびエージェントAIの実装のあり方、AVEVAの取り組み
iotcomjpadmin
0
180
AIは、人間らしい仕事の夢を見るか?─ AI時代のtoB/toEプロダクトを再設計する
techtekt
PRO
0
160
「勝手に広まる」人気 AI エージェントを爆速で作ろう!(AWS Summit Japan 2026講演資料)
minorun365
PRO
10
2.6k
AWS Summit 2026で見えたSIerにとっての Amazon Quickの位置づけ
maf_0521
0
120
Featured
See All Featured
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
190
Paper Plane (Part 1)
katiecoart
PRO
0
9.3k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
870
Are puppies a ranking factor?
jonoalderson
1
3.7k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
52k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
350
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
620
Statistics for Hackers
jakevdp
799
230k
Practical Orchestrator
shlominoach
191
11k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
750
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
1
250
Transcript
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE mediba ʹ͓͚Δ IAM Ϣʔβཧͷྺ࢙ ΠϯϑϥɾωοτϫʔΫΤϯδχΞษڧձ Vol.1
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣗݾհ ໊લ: প Ұथ ॴଐ: ɹגࣜձࣾmediba ΠϯϑϥετϥΫνϟʔ෦ ͬͯΔ͜ͱ: ɹओʹ
AWS ΛͬͨγεςϜΠϯϑϥͷઃܭɾߏஙɾӡ༻ AWS ྺ: 7 ɹ2016 AWS ϧτϥΫΠζνϟϯϐΦϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ גࣜձࣾmediba ۀ༰: KDDI גࣜձࣾͷ au εϚʔτύεΛத৺ͱͨ͠ au ؔ࿈αʔϏεӡӦ
ͷଞɺࠃ֎ʹͯΧϧνϟʔɾήʔϜɾࢠҭͯɺ෯͍Ͱαʔ ϏεΛల։͠ɺϢʔβʔ͕ΠϯλʔωοτΛ௨ͯ͡ඞཁͳ࣌ʹඞཁͳ ใʹΞΫηεͰ͖Δڥͮ͘ΓͷͨΊͷαʔϏεΛఏڙ͍ͯ͠· ͢ɻ ※auεϚʔτύε KDDI גࣜձࣾͷඪ·ͨొඪͰ͢ɻ https://www.mediba.jp/company/info.html ΑΓൈਮ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ؆୯ʹݴ͏ͱɺ • au ؔ࿈αʔϏεͬͯ·͢ • au ֎ͷαʔϏεॾʑͬͯ·͢ ͜ΕΒΛ௨ͯ͡
ʮώτʹ“HAPPY”Λʯಧ͚Δͷ͕ զʑͷϛογϣϯͰ͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ձࣾհ ѻ͍ͬͯΔ au ؔ࿈αʔϏε(Ұ෦) • au Web ϙʔλϧ (
https://auone.jp/ ) • au Web ϙʔλϧͷχϡʔε໘ ( https://article.auone.jp/ ) • au ఱؾ ( https://tenki.auone.jp/ ) • ϙΠϯτஷΊΔ ( https://enjoy.point.auone.jp/ ) • au εϚʔτύεͷҰ෦ίϯςϯπ • ձһಛయɺΞϓϦऔΓ์ɺೖୀձɺetc…
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ຊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ظ] (2013ʙ2015ࠒ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • mediba ʹ͓͚Δ AWS ར༻ 2013ࠒ͔Β • ϒϩάͷձࣾܦ༝Ͱ
AWS ΞΧϯτΛൃߦ ͯ͠ར༻ • ͳͷͰɺ͕͢͞ʹʮroot ϢʔβΛར༻͢Δʯͱ ͍͏ΞϯνύλʔϯதͷΞϯνύλʔϯঢ়ଶ ආ͚ΒΕ͍ͯͨ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͪͳΈʹલ৬ͰͬͯͨYOʂ(খ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ] • ࠷ॳͷࠒɺ·ͩ • ΞΧϯτݸఔ • ར༻ऀਓఔ • ͦͷ࣌ͷ
IAM Ϣʔβ • ֤ AWS ΞΧϯτͦΕͧΕʹ ݸਓ༻ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAMϢʔβཧ[ظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సػ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] ࣌2015 ؾ͚ΞΧϯτ͕େྔʹ → ࣗવͱ IAM Ϣʔβେʹ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE Why ?
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • AWS Λར༻ͨ͠ϓϩμΫτ͕૿͑Δͨͼʹ3ͭ ͣͭΞΧϯτ͕૿͑Δঢ়ଶ • 2015ࠒʹ40͍ۙΞΧϯτ͕͋ͬͨͱ͔ͳ ͔ͬͨͱ͔
• ΞΧϯτ͝ͱʹ IAM ϢʔβΛ࡞ɾཧ͢Δ ͷਖ਼͖ͭ͘ͳ͖ͬͯͨ • ར༻ऀଆɺϩάΠϯɾϩάΞτΛ܁Γ ฦ͢ͷ͕͠ΜͲ͔ͬͨͱࢥ͏
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సػ] • ͍ͭͰʹɺ͜ͷࠒ͔ΒηΩϡϦςΟ໘͕ؾʹͳ Γͩ͢ • ͜͜·ͰɺID/ύεϫʔυ ͷΈͰϩάΠϯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [సظ] (2015)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • IAM Ϣʔβͷཧ͕ࡶ • IAM ϢʔβͷηΩϡϦςΟ໘͕ؾʹͳΔ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͜ͷ2ͭΛಉ࣌ʹղܾ͢ΔͨΊ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ʮ౿Έ AWS ΞΧϯτํࣜʯ Λ࠾༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[సظ] • Πϝʔδ౿Έαʔόͱಉ͡ • ֤ϓϩμΫτͷ֤ڥͷೖΓޱͱ͚ͯͩ͠ͷ AWS ΞΧϯτΛ༻ҙ •
ೖΓޱ͕1ͭʹͳΔͷͰɺ͜͜ͷ CloudTrail Λ ༗ޮԽͯ͠ɺϩάΠϯهΛอଘɺࢹ • ౿Έ্ͷ IAM Ϣʔβͷ MFA ઃఆΛඞਢͱ͢ Δ͜ͱͰηΩϡϦςΟΛ্
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ख़ظ] (2016ʙݱࡏ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ͔͜͜Βɺ࣮ࡍʹͲ͏͍͏ ઃఆʹͳ͍ͬͯΔ͔Λ͝հ͠·͢ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ֤ϓϩμΫτͷ֤ڥͷ AWS ΞΧϯτଆ (࣮ڥ)
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ৽ن AWS ΞΧϯτൃߦޙɺ࠷ॳʹ ΫϩεΞΧϯτΞΫηε༻ͷ IAM ϩʔϧΛ༻ҙ •
͜ͷ IAM ϩʔϧʹɺ౿ΈΞΧϯτ͔Βͷ ར༻ڐՄΛઃఆ • ʮMFA ඞਢʯΛ݅ʹઃఆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • IAM ϩʔϧେ·͔ʹҎԼͷछྨͷͷΛ༻ҙ • ཧऀ༻ • Administrator •
ਖ਼ࣾһ༻ • IAM ͷҰ෦ݖݶҎ֎શͯڐՄ • (ਖ਼ࣾһҎ֎ͷ)։ൃऀ༻ • ୲͍ͯ͠ΔϓϩμΫτͰར༻͢ΔαʔϏεͷݖݶͷΈڐՄ • ReadOnly ༻ • ROMઐ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ ͪͳΈʹɺ సظʹ͜ͷΛಋೖͨ͠ࡍɺͦͷ࣌ଘࡏ͍ͯͨ͠ AWSΞΧϯτશͯʹલड़ͷϩʔϧΛ࡞ɻ ͦͷޙɺ౿Έ AWS ΞΧϯτʹݸਓ༻ IAM Ϣʔβͷ
࡞ͱεΠον֬ೝ͕औΕͨஈ֊Ͱɺ࣮ڥଆͷݸਓ༻ IAM ϢʔβΛશͯআͨ͠ɻ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ࣮ڥଆ • ͜ΕҎ߱ɺIAM Ϣʔβͷ࡞Λݪଇېࢭ • IAM ϩʔϧͷར༻Λܒɾਪਐ • ͨͩ͠ɺͨ·ʔʹΞΫηεΩʔ/γʔΫϨοτΞΫηε
ΩʔͰ͔͠ରԠͰ͖ͳ͍ύςΟʔϯ͕͋Δ • ͜ͷ߹૬ஊͷ্Ͱɺྫ֎తʹ IAM ϢʔβΛ࡞
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έ AWS ΞΧϯτଆ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ݸਓ༻ͷ IAM Ϣʔβ͜͜ʹ͔͠࡞Βͳ͍ • IAM Ϣʔβʹ MFA
Λઃఆ • ཧऀܥͷ IAM ϢʔβҎ֎ɺҎԼͷݖݶͷΈ༩ • εΠον͢ΔͨΊͷݖݶ (sts:AssumeRole) • ࣗͷ MFA ઃఆΛ͢Δݖݶ • ࣗͷύεϫʔυΛઃఆ͢Δݖݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • MFA ͷઃఆΛ͍ͯ͠ͳͯ͘౿ΈͷϩάΠϯ Ͱ͖ͯ͠·͏ • લड़ͷʮMFA ඞਢʯͷ͕݅ΫϩεΞΧϯτ༻ͷ ϩʔϧʹ͍͍ͯΔ
• ͜ͷ݅ͰɺMFA ະઃఆऀͷεΠονΛ੍ • ͜ΕʹΑΓɺMFA ͕ઃఆ͞Εͳ͍··ͷར༻Λ͙
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE ౿Έଆ • ਖ਼ࣾһҎ֎ͷ IAM Ϣʔβ Source IP Ͱͷૢ࡞੍ݶ ༩
• AWS ίϯιʔϧͷΞΫηεΛ੍ݶͰ͖ͳ͍ͷ Ͱɺ౿ΈͷϩάΠϯͲ͔͜ΒͰͰ͖Δ • ͨͩɺਖ਼ࣾһҎ֎ɺΦϑΟε֎Ͱͷར༻Λఆ ͍ͯ͠ͳ͍ • ͦͷҝͷ Source IP ʹΑΔૢ࡞੍ݶ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһ • ձ͔ࣾΒۀ༻ͱͯ͠ εϚʔτϑΥϯΛࢧڅ͞Ε͍ͯΔ • ͦͷۀʹ
MFA ༻ͷΞϓϦ (mediba Ͱ Authy ͷར༻Λਪ)Λ Πϯετʔϧͯ͠ར༻
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE MFA ʹ͍ͭͯ • ਖ਼ࣾһҎ֎ • Χʔυܕͷཧ MFA σόΠεΛར༻ •
ਖ਼ࣾһಉ༷ɺձࣾཧͷσόΠεʹඥ͚͔ͨͬ ͨͨΊɺձࣾͰΧʔυΛ༻ҙ • ཧऀଆͰMFA Λઃఆͯ͠ΧʔυΛି༩
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ݱࡏ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ݱࡏ] ݱࡏ͜Ε·Ͱઆ໌ͨ͠ঢ়ଶͰӡ༻ AWS ΞΧϯτ80ఔ ·͊ಛʹେ͖ͳࢧোແ͍
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE [ະདྷ]
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • MFA ΧʔυܕσόΠεΊ͍ͨ • ୯७ʹɺཧΧʔυͷཧ͕໘ • mediba
ͰχΞγϣΞ։ൃΛ͍ͯ͠Δ • ํڌͷձࣾʹσόΠεΛି༩Ͱ͖ͳ͍ • IP ΞυϨεʹΑΔར༻ڌͷ੍ݶΛ͍ͯ͠Δ͔Β ݸਓͰྑ͍ͷͰʁͷొ ͜ΕΒͷ͔Βɺ ΊΔํͰௐத
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • OS ΞΧϯτ IAM Ϣʔβ͚ͩͰཧ • Systems
Manager ͷ Session Manager Λར༻ • طʹ Session Manager ͚ͩͰ։ൃΛߦͬͯΒͬ ͍ͯΔϓϩμΫτ͋Δ • ࠓޙɺ৽نʹߏங͢ΔϓϩμΫτͰجຊతʹ Session Manager Λ࠾༻͍ͯ͘͠
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷϝϦοτ • SSH ͷ͚݀͋ෆཁ
• ౿Έαʔόෆཁ • Private Subnet ʹ͋ͬͯར༻Մೳ • ૢ࡞ϩάΛ S3 ͱ CloudWatch Logs ʹग़ྗՄೳ • IAM ϙϦγʔͰ EC2 ΠϯελϯεͷΞΫηε੍ݶՄೳ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ
$PQZSJHIUNFEJCB*OD"MM3JHIUT3FTFSWFE IAM Ϣʔβཧ[ະདྷ] • Session Manager ͷσϝϦοτ • SSM Agent
ͷಋೖ͕ඞཁ • OS ΞΧϯτ͕ ssm-user ͱ͍͏ͷݻఆ • no pass Ͱ sudo ՄೳͳݖݶΛ͍࣋ͬͯΔ • IAM Ϣʔβຖʹར༻ίϚϯυΛ੍ݶ͍ͨ͠ɺͱ͍͏͜ͱ ͕Ͱ͖ͳ͍ • ↑ͷέʔε EC2 Instance Connect Ͱղܾ͠Α͏ʂ ݱ࣌Ͱɺ͜ΕΒͷ σϝϦοτ͕ϋʔυϧʹ ͳΔ͜ͱͳ͍ͨΊɺ ՄೳͳݶΓ࠾༻͍ͯ͘͠