Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CloudFormation StackSets with AWS Organizations

CloudFormation StackSets with AWS Organizations

JAWS-UG朝会で発表した"CloudFormation StackSets × AWS Organizationsで設定の自動化"の発表資料です

Takuro SASAKI

August 25, 2020
Tweet

More Decks by Takuro SASAKI

Other Decks in Technology

Transcript

  1. "84ͱηΩϡϦςΟ "84ͷηΩϡϦςΟ͸̏ͭͷ࣠Ͱߟ͑Δ ᶃ"84಺ʹߏஙͨ͠ωοτϫʔΫͱαʔόʔͷηΩϡϦςΟ ᶄ"84ૢ࡞ʹؔ͢Δݖݶʢ*".ʣ ᶅηΩϡϦςΟΛҡ࣋؅ཧ͢ΔͨΊͷ"84αʔϏε AWS Management Console Role VPC

    AWS Cloud Subnet Internet gateway Amazon Simple Storage Service (S3) VPN gateway Endpoints User ૢ࡞ݖݶ Instance Instance Instance AWS Lambda Role ᶄ ᶃ AWS Command Line Interface AWS Config AWS Systems Manager AWS Service Catalog AWS Trusted Advisor AWS CloudTrail ᶅ ηΩϡϦςΟΛҡ࣋ ؅ཧ͢ΔαʔϏε #jawsug_asa
  2. $MPVE5SBJM AWS Management Console User AWS Command Line Interface AWS

    CloudTrail Amazon Simple Storage Service (S3) Amazon CloudWatch "84Ϧιʔεͷૢ࡞ཤྺΛه࿥ɾ௨஌ ᶃϚωδϝϯτίϯιʔϧͱ"1*ͷૢ࡞ཤྺΛ4ʹอଘ ᶄ$MPVE8BUDI-PHTΛར༻ͯ͠4/4ܦ༝Ͱ௨஌΋Մೳ AWSϦιʔε #jawsug_asa
  3. /*45αΠόʔηΩϡϦςΟϑϨʔϜϫʔΫ ෼ྨ ΧςΰϦʔ ಛఆ ʢ*EFOUJGZʣ ɾࢿ࢈؅ཧ ɾϏδωε؀ڥ ɾΨόφϯε ɾϦεΫΞηεϝϯτɺϦεΫΞηεϝϯτ؅ཧ ɾαϓϥΠνΣʔϯϦεΫϚωδϝϯτ

    ๷ޚ ʢ1SPUFDUʣ ɾΞΫηε੍ޚ ɾҙࣝ޲্͓ΑͼτϨʔχϯά ɾσʔληΩϡϦςΟ ɾ৘ใΛอޢ͢ΔͨΊͷϓϩηε͓Αͼखॱ ɾอक ɾอޢٕज़ ݕ஌ ʢ%FUFDUʣ ɾҟৗͱΠϕϯτ ɾηΩϡϦςΟͷܧଓతͳϞχλϦϯά ɾݕ஌ϓϩηε ରԠ ʢ3FTQPOEʣ ɾରԠܭըͷ࡞੒ ɾίϛϡχέʔγϣϯ ɾ෼ੳ ɾ௿ݮ ෮چ ʢ3FDPWFSʣ ɾ෮چܭըͷ࡞੒ ɾվળ ɾίϛχέʔγϣϯ IPA CSFίΞ https://www.ipa.go.jp/files/000071204.pdf
  4. "848FMM—"SDIJUFDUFEϑϨʔϜϫʔΫ ப ઃܭݪଇ ӡ༻্ͷ ༏लੑ ɾӡ༻Λίʔυͱͯ͠ӡ༻ ɾఆظతʹɺখن໛ͳɺݩʹ໭͢͜ͱ͕Ͱ͖ΔมߋΛద༻͢Δ ɾӡ༻खॱΛఆظతʹվળ͢Δ ɾো֐Λ༧૝͢Δ ɾ͋ΒΏΔӡ༻্ͷো֐͔ΒֶͿ

    ηΩϡϦςΟ ɾڧݻͳೝূج൫ͷ࣮૷ ɾτϨαϏϦςΟʔͷ࣮ݱ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾηΩϡϦςΟͷϕετϓϥΫςΟεͷࣗಈԽ ɾ఻ૹத͓Αͼอ؅தͷσʔλอޢ ɾσʔλʹਓͷखΛೖΕͳ͍ ɾηΩϡϦςΟΠϕϯτ΁ͷඋ͑ ৴པੑ ɾো֐͔Βࣗಈతʹ෮چ͢Δ ɾ෮چखॱΛςετ͢Δ ɾਫฏํ޲ʹεέʔϧͯ͠ू߹తͳϫʔΫϩʔυͷՄ༻ੑΛߴΊΔ ɾΩϟύγςΟʔΛײʹཔΒͳ͍ ɾࣗಈԽͰมߋΛ؅ཧ͢Δ ύϑΥʔϚϯεޮ཰ ɾߴ౓ͳςΫϊϩδʔΛ୭Ͱ΋࢖͑ΔΑ͏ʹ͢Δ ɾ͢෼Ͱάϩʔόϧʹల։͢Δ ɾαʔόʔϨεΞʔΩςΫνϟΛ࢓༷͢Δ ɾΑΓසൟʹ࣮ݧ͢Δ ɾϝΧχΧϧγϯύγʔΛߟྀ͢Δ ίετ࠷దԽ ɾΫϥ΢υͷࡒ຿؅ཧͷӡ༻ ɾফඅϞσϧΛಋೖ͢Δ ɾશମతͳޮ཰Λଌఆ͢Δ ɾඅ༻Λ෼ੳ͠ɺؼ݁ͤ͞Δ AWS Well-Architected ϑϨʔϜϫʔΫ https://aws.amazon.com/jp/architecture/well-architected/
  5. ϑϨʔϜϫʔΫʹ౰ͯ͸ΊͯΈΔͱʁ Lambda Systems Manager Automation CloudFormation Organizations SCP IAM SNS

    Config CloudWatch Inspector Macie GuardDuty Shield Firewall Manager WAF VPC ༧๷ ๷ޚ ݕ஌ ରԠ ෮چ ௨஌ ࣗಈԽ Lambda CloudWatch ௐࠪ CloudWatch CloudTrail ౷߹ Security Hub #jawsug_asa
  6. ΞʔΩςΫνϟʔผʹݟͯΈΔͱ Shield WAF CloudFront ELB ߈ܸରࡦ ର৅Ϧιʔε NACL Security Group

    ωοτϫʔΫ๷ޚ ର৅Ϧιʔε ELB EC2 RDS KMS σʔλอޢ ର৅Ϧιʔε EC2 RDS S3 %%P4߈ܸ ΞϓϦέʔγϣϯ ߈ܸ ෆਖ਼ ωοτϫʔΫ ΞΫηε ෆਖ਼ ɹσʔλΞΫηε Inspector Systems Manager αʔόʔ؅ཧ Security Hub CloudTrail CloudWatch GuardDuty Config VPC Flow logs ՄࢹԽɾϞχλϦϯά ௨஌ ௨஌ SNS ௨஌ ӡ༻୲౰ ؂ࢹ ɾશϨΠϠʔ΁ͷηΩϡϦςΟͷద༻ ɾτϨαϏϦςΟʔͷ࣮ݱ #jawsug_asa
  7. γεςϜͷϨΠϠʔผʹ౰ͯ͸ΊΔͱ Ϛωδϝϯτ ίϯιʔϧ 71$Ծ૝ઐ༗ྖҬ &$04ྖҬ &#4ϩʔΧϧσΟεΫ 3%4σʔλϕʔε 4ετϨʔδ $MPVE8BUDI؂ࢹ %JSFDU$POOFDU/8

    ηΩϡϦςΟͷରԠྫʢ๷ޚʣ ݕ஌ͷରԠྫ (VBSE%VUZ $POUSPM5PXFS 4FDVSJUZ)VC 'JSFXBMM.BOBHFS .BDJF 5SVTUFE"EWJTPS ɾ"84ΞΧ΢ϯτɿར༻੍ݶ ɾ*".Ϣʔβɿૢ࡞ݖݶͱ઀ଓݩ੍ݶ ɹར༻ՄೳϦιʔεʹର͢ΔΞΫηείϯτϩʔϧɺଟཁૉೝূͷಋೖ ɾຊ൪؀ڥɺ։ൃ؀ڥͱ͍ͬͨ؀ڥ୯ҐͰ71$ͷ෼཭ ɾαϒωοτ୯ҐͰͷ௨৴੍ޚɺϧʔςΟϯάઃఆ ɾ71$ϑϩʔϩάͷऔಘ ɾ4FDVSJUZ(SPVQʹΑΔαʔόؒ௨৴੍ޚ ɾ4ZTUFNT.BOBHFS౳Λར༻ͯ͠ͷɺαʔόঢ়ଶͷ೺ѲͱҰׅύον౰ͯ ɾαʔόͷϩάΠϯ؅ཧͷ࢓૊Έͱɺϩάू໿ͷ࢓૊Έͷಋೖ ɾ҉߸ԽΦϓγϣϯʹΑΔσΟεΫશମͷ҉߸Խ $MPVE5SBJMʹΑΔ "84ૢ࡞ཤྺ τϥϑΟοΫϩά ֤छΞϓϦέʔγϣϯϩά 04ϩάΠϯཤྺ %#؂ࠪϩά "84αʔϏε֤छʹΑΔ ϩάɾΞϥʔτ ݕࠪ͢Δ΂͖ϩά ɾઐ༻ઢʢ%9ʣ΍71/Λར༻ͨ͠ܦ࿏҆શͷ֬อ ɾ5SBOTJU(BUFXBZΛར༻ͨ͠71$ɾܦ࿏ͷ؅ཧ ɾܦ࿏ͷ৑௕ԽʹΑΔࣄۀܧଓੑͷ֬อ ɾDBMSͷػೳʹΑΔςʔϒϧશମʢදྖҬʣͷ҉߸Խ ɾDBʹର͢ΔΞΫηεݖݶͷ؅ཧ ɾ҉߸ԽΦϓγϣϯʹΑΔετϨʔδશମͷ҉߸Խ ɾΫϥΠΞϯταΠυ͸҉߸ԽΩʔʹΑΓσʔλΛอޢ ɾCloudWatchʹΑΔAWSͷ؂ࢹͱɺӡ༻؂ࢹιϑτ΢ΣΞΛར༻ͨ͠αʔ ϏεɺΞϓϦέʔγϣϯ؂ࢹͷซ༻ *OTQFDUPS "84ͷར༻ঢ়گͷ؂ࠪ "84ΞΧ΢ϯτͷઃఆͱΨόφϯε ηΩϡϦςΟʔΞϥʔτͷू໿ͱݕ஌ɾରԠ "84ͷෆਖ਼ར༻ͷݕ஌ 04ɺΞϓϦͷηΩϡϦςΟධՁ 'JSFXBMMͷҰݩ؅ཧͱݕ஌ɾରԠ 4಺ͷػີ৘ใͷݕग़ɺ෼ྨɺอޢ 0SHBOJ[BUJPOT #jawsug_asa
  8. ༧๷త౷੍ͱൃݟత౷੍ ηΩϡϦςΟͷϕετϓϥΫςΟεͷҰͭ 0SHBOJ[BUJPO6OJU Automation AWS Systems Manager AWS Config Rule

    ઃఆෆඋΛ ݕ஌ म෮ࢦࣔ ༧๷త౷੍ ൃݟత౷੍ SCP AWS Organizations SCPΛར༻ͯ͠ ΞΧ΢ϯτશମʹ ېࢭࣄ߲ͷઃఆ AWSΞΧ΢ϯτ IAM User ྫʣ SPPUϢʔβʔͷΞΫηεΩʔͷ ࡞੒Λېࢭ͢Δ ྫʣ *".Ϣʔβʔͷ.'"͕༗ޮʹ ͳ͍ͬͯΔ͔νΣοΫ͢Δ Ұ࣌తʹ IAMϢʔβʔͷ ແޮԽ #jawsug_asa
  9. "840SHBOJ[BUJPOTͷ༻ޠ #jawsug_asa ཁૉ໊ ֓ཁ ૊৫ "840SHBOJ[BUJPOTͰ؅ཧ͢Δର৅ͷશମ ࢀՃ͢Δ"84ΞΧ΢ϯτશͯ Ϛελʔ ΞΧ΢ϯτ "840SHBOJ[BUJPOTΛઃఆͨ͠"84ΞΧ΢ϯτ

    ʢ૊৫಺ʹ̍ͭͷΈʣ ϝϯόʔ ΞΧ΢ϯτ ૊৫಺ͷϚελʔΞΧ΢ϯτҎ֎ͷશͯͷ"84ΞΧ΢ ϯτ ૊৫୯Ґ ʢ06 ૊৫಺ͷ࿦ཧతͳάϧʔϓ ؅ཧ༻ϧʔτ ʢSPPUʣ ૊৫಺ͷ֊૚ͷ࠷্Ґ αʔϏείϯτϩ ʔϧϙϦγʔ ར༻Ͱ͖Δ"84αʔϏεͷ੍ޚΛهड़ͨ͠ϙϦγʔ
  10. 0SHBOJ[BUJPOTͷ֊૚ߏ଄ Account Account Account Organizational unit Organizational unit 3PPU Account

    Root௚Լʹ ΞΧ΢ϯτͷ ഑ஔ΋Մೳ ʢඇਪ঑ʣ OUͷ֊૚ߏ଄΋ ઃఆՄೳ #jawsug_asa ૊৫୯Ґʢ06ʣͰ؅ཧ͞Εɺ্Ґͷઃఆ͸ ԼҐʹܧঝ͞ΕΔ
  11. 4$1ͷ੍ޚͷܧঝ #jawsug_asa 0SHBOJ[BUJPOTͷ֊૚ͱݖݶͷܧঝ Account Account Account Organizational unit Organizational unit

    SCP ΞΧ΢ϯτ୯Ґʹ ద༻ SCP OUશମʹ ద༻ 3PPU ΞΧ΢ϯτ಺Ͱ*".ΛؤுΔΑΓɺ੍ޚ͞Εͨαϯυ ϘοΫεΞΧ΢ϯτΛ࡞Δ΄͏ָ͕͔΋͠Εͳ͍
  12. $MPVE'PSNBUJPO4UBDL4FUT #jawsug_asa CloudFormation StackSets Stack ΞΧ΢ϯτAʢϝϯόʔΞΧ΢ϯτʣ ౦ژϦʔδϣϯ Stack ΦϋΠΦϦʔδϣϯ ਌ΞΧ΢ϯτʢϚελʔΞΧ΢ϯτʣ

    Stack ΞΧ΢ϯτBʢϝϯόʔΞΧ΢ϯτʣ ౦ژϦʔδϣϯ Stackͷ࡞੒ͱ࣮ߦ ෳ਺ͷ"84ΞΧ΢ϯτ΍Ϧʔδϣϯʹର͠ $MPVE'PSNBUJPOͷελοΫΛ࡞੒Ͱ͖Δػೳ
  13. 0SHBOJ[BUJPOTº4UBDL4FUT #jawsug_asa AWS Account AWS Account OUʢ૊৫୯Ґʣ 3PPU CloudFormation StackSets

    with Organizations AWS Account OUʹࢀՃ AWS Account ελοΫͷ࡞੒ ʢOUઃఆͷ௥Ճʣ ελοΫͷ࡟আ ʢOUઃఆͷ࡟আʣ OU͔Β཭୤ 0SHBOJ[BUJPOTͱ࿈ܞͤͯ͞ɺ 06ࡿԼʹࣗಈతʹ4UBDL4FUTͷద༻ ΊͪΌͪ͘Όศར