IAM Access Analyzer を活用して最小権限を目指そう

Transcript

1. IAM Access AnalyzerΛ ׆༻ͯ͠࠷খݖݶΛ໨ࢦͦ͏ 
   ઍ༿
   ޾޺ʢνόϢΩʣ

2. ͍͖ͳΓͰ͕͢  ͜Μͳ͜ͱΛࢥΘͳ͔ͬͨͩΖ͏͔

3. ʮ͔Ϳͬͯͳ͍ʜʜʁʯ 

4. ࢲʮ͔ͿͬͯΔͳʜʜʯ 

5. ΑΖ͓͘͠ئ͍͠·͢  ͓͞Β͍ɺ΋͘͠͸ τΠϨٳܜͷ࣌ؒͱͯ͠ ͝׆༻͍ͩ͘͞

6. ࣗݾ঺հ  ઍ༿ ޾޺ • 2020 ΫϥεϝιουδϣΠϯ • 2021 APN

   AWS Top EngineerΑ • ޷͖ͳAWSΞΫγϣϯɿ • sts:AssumeRole

7. "HFOEB  1.࠷খݖݶͱ͸ 2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ 3.IAM Access Analyzer ͱ͸ 4.࠷খݖݶΛ໨ࢦͨ͢Ίͷػೳ

8. ࿩͢͜ͱ࿩͞ͳ͍͜ͱ  •࿩͢͜ͱ •࠷খݖݶͱ͸Կ͔ͷલఏ஌ࣝ •࠷খݖݶΛ໨ࢦͨ͢Ίͷػೳͷ֓ཁ •࿩͞ͳ͍͜ͱ •IAM Access Analyzerͷ۩ମతͳ׆༻ྫ

9.  1. IAM ͷ࠷খݖݶͱ͸ ͸͡Ίʹ

10.  Ͳ͜ʹॻ͍ͯ͋Δͷʁ *".
    ʹ͓͚Δ࠷খݖݶͷݪଇ

11. ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε  https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/ best-practices.html#grant-least-privilege

12.  •ΞΫηεϨϕϧͷάϧʔϓԽͷ೺Ѳ •ॻ͖ࠐΈɺಡΈऔΓɺ؅ཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ੒͢Δ •࠷ऴΞΫηε৘ใͷར༻ •AWS CloudTrail ͰͷΞΧ΢ϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε

13.  •ΞΫηεϨϕϧͷάϧʔϓԽͷ೺Ѳ •ॻ͖ࠐΈɺಡΈऔΓɺ؅ཧ…… •ϙϦγʔͷݕূ •ΞΫηεΞΫςΟϏςΟʹج͍ͮͯϙϦγʔΛੜ੒͢Δ •࠷ऴΞΫηε৘ใͷར༻ •AWS CloudTrail ͰͷΞΧ΢ϯτͷΠϕϯτͷ֬ೝ ᶃ*".ͷηΩϡϦςΟϕετϓϥΫςΟε

      

14. ᶄ8"ϑϨʔϜϫʔΫ
    ηΩϡϦςΟͷப  https://docs.aws.amazon.com/wellarchitected/latest/ security-pillar/permissions-management.html

15. ᶄ8"ϑϨʔϜϫʔΫ
    ηΩϡϦςΟͷப  • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϚωʔδυϙϦγʔ • AWS ؅ཧϙϦγʔ •

    ΧελϚʔ؅ཧϙϦγʔ • ΠϯϥΠϯϙϦγʔ ʮ΄ͱΜͲͷ৔߹ɺ࠷খݖݶͷݪଇʹैͬͯɺ ɹಠࣗͷΧελϚʔ؅ཧϙϦγʔΛ࡞੒͢Δඞཁ͕͋Γ·͢ɻʯ

16. ᶄ8"ϑϨʔϜϫʔΫ
    ηΩϡϦςΟͷப  • ৚݅ɺϦιʔεɺΞΫγϣϯΛ࠷খԽ͢Δ • άϧʔϓ΍ଐੑʹΑΓಈతʹΞΫηεڐՄΛ༩͑Δ ʢݸʑͷϢʔβʔʹ෇༩͠ͳ͍ʣ • Ϧιʔε΍IAMΤϯςΟςΟʹΞλον͢ΔϙϦ γʔʹΑΓΞΫηεΛ੍ޚ͢Δ

    • Permissions boundary΍ABACΛ׆༻͢Δ ʮ͜ͷݪଇʹج͍ͮͯӡ༻͢Δͱɺҙਤ͠ͳ͍ΞΫηε੍͕ݶ͞Εɺ ɹɹ୭͕ͲͷϦιʔεʹΞΫηεͰ͖Δ͔؂ࠪͰ͖ΔΑ͏ʹͳΓ·͢ɻʯ

17.  ࠷খݖݶ͕कΒΕ͍ͯͳ͍ͱͲ͏ͳΔʁ ࠷খݖݶͷݪଇ

18. ࠷খݖݶ͕कΒΕ͍ͯͳ͍৔߹  • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ɹ • ɹ

19. ࠷খݖݶ͕कΒΕ͍ͯͳ͍৔߹  • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ֐͕֦େ͢Δ • ɹ

20. ࠷খݖݶ͕कΒΕ͍ͯͳ͍৔߹  • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ֐͕֦େ͢Δ • ಺෦൜ߦʹΑΔඃ֐͕֦େ͢Δ

21. ࠷খݖݶ͕कΒΕ͍ͯͳ͍৔߹  • ૢ࡞ϛεʹΑΔҙਤ͠ͳ͍มߋ͕ߦΘΕΔ • ෆਖ਼ΞΫηεʹΑΔඃ֐͕֦େ͢Δ • ಺෦൜ߦʹΑΔඃ֐͕֦େ͢Δ ʮڱ࢝͘ΊͯඞཁʹԠͯ͡௥Ճʯ͕ཧ૝

22.  2.Ͳ͜Ͱ࠷খݖݶΛ࣮ݱ͢Δ͔ ࣍ʹ

23.  ϙϦγʔͷछྨ ࠷খݖݶΛͲ͜Ͱ࣮ݱ͢Δ͔

24. ಥવͰ͕͢  AWSʹ͓͚ΔϙϦγʔλΠϓ ̒ͭશͯ౴͑ΒΕ·͔͢ʁ

25. ͭͷϙϦγʔλΠϓ  • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •

    Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ

26. ͭͷϙϦγʔλΠϓ  • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •

    Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ ʁ 71$ΤϯυϙΠϯτϙϦγʔ͸
    ͜͜ʹଐ͢Δ͕ɺ
    ʮͪΐͬͱ܅
    ͕ͪ͘ͳ͍ʁʯͱ
    ࢥ͍ͬͯΔ

27. ͭͷϙϦγʔλΠϓ  • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •

    Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ ͍ΘΏΔʮIAMϙϦγʔʯ όέοτϙϦγʔɺIAMϩʔϧ৴པϙϦγʔͳͲ όέοτACLͳͲ IAMϩʔϧͷҾ͖ड͚࣌ʹઃఆՄೳ

28. ͭͷϙϦγʔλΠϓ  • ΞΠσϯςΟςΟϕʔεϙϦγʔ • ϦιʔεϕʔεϙϦγʔ • ΞΫηεڐՄͷڥքʢPermissions boundaryʣ •

    Organizations SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ • ΞΫηείϯτϩʔϧϦετʢACLʣ • ηογϣϯϙϦγʔ +40/ +40/ +40/ +40/ +40/

29.  JSON ϙϦγʔͷཁૉ ࠷খݖݶΛͲ͜Ͱ࣮૷͢Δ͔

30. +40/ϙϦγʔͷཁૉ  https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1

31. +40/ϙϦγʔͷཁૉ
    
    1SJODJQBM  https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 1SJODJQBM
    ʢ/PU1SJODJQMʣ ϦιʔεϕʔεϙϦγʔͰ࢖༻ɻ ΞΫηεͷ࣮ߦݩʢओମʣΛ੍ݶɻ ʮ୭͕ʯ

32. +40/ϙϦγʔͷཁૉ
    
    "DUJPO  https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 "DUJPO
    ʢ/PU"DUJPOʣ ࣮ߦՄೳͳΞΫγϣϯΛ੍ݶɻ ʮԿΛʯ

33. +40/ϙϦγʔͷཁૉ
    
    3FTPVSDF  https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ΞΫηεՄೳͳϦιʔεΛ੍ݶɻ 3FTPVSDF
    ʢ/PU3FTPVSDFʣ ʮԿʹରͯ͠ʯ

34. +40/ϙϦγʔͷཁૉ
    
    $POEJUJPO  https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws- black-belt-online-seminar-aws-identity-and-access-management-iam-part1 ಛఆͷ৚݅ԼͰͷΈ ΞΫηεΛڐՄʢ͋Δ͍͸ڋ൱ʣɻ $POEJUJPO ʮͲΜͳ৔߹ʹʯ

35. ࠷খݖݶΛͲ͜Ͱ࣮૷͢Δ͔  ΞΠσϯςΟςΟϕʔεϙϦγʔͰ ActionΛߜΔ͚͕ͩ ࠷খݖݶͷ࣮૷Ͱ͸ͳ͍

36.  3. IAM Access Analyzerͱ͸ ࿩͸มΘͬͯ

37.  IAM Access Analyzerͱ͸Կ͔ ͦ΋ͦ΋

38. *".
    "DDFTT
    "OBMZ[FSͱ͸Կ͔  ʮϦιʔεϕʔεϙϦγʔͷ PrincipalΛݟͯ͘ΕΔ΋ͷʯ͕ͩͬͨɺ ͍ͭͷؒʹ͔͍ΖΜͳ͜ͱ͕ Ͱ͖ΔΑ͏ʹͳ͍ͬͯͨ

39. *".
    "DDFTT
    "OBMZ[FSͷྺ࢙  • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛ෼ੳ

40. *".
    "DDFTT
    "OBMZ[FSͷྺ࢙  • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛ෼ੳ • 2021/01

    ෼ੳର৅͕௥Ճ • Secrets Manager γʔΫϨοτʹରԠ

41. *".
    "DDFTT
    "OBMZ[FSͷྺ࢙  • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛ෼ੳ • 2021/01

    ෼ੳର৅͕௥Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹ෼ੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ͸ S3 όέοτϙϦγʔͷΈ

42. *".
    "DDFTT
    "OBMZ[FSͷྺ࢙  • 2019/12 ϦϦʔε • S3ɺIAM ϩʔϧɺKMSɺLambdaɺSQSͷϦιʔεϕʔεϙϦγʔΛ෼ੳ • 2021/01

    ෼ੳର৅͕௥Ճ • Secrets Manager γʔΫϨοτʹରԠ • 2021/03 ʮࣄલݕূʯʹରԠ • ϦιʔεϕʔεϙϦγʔͷมߋલʹ෼ੳ͕Մೳ • ϚωδϝϯτίϯιʔϧͰ͸ S3 όέοτϙϦγʔͷΈ ٸʹྲྀΕ͕มΘΔ

43. *".
    "DDFTT
    "OBMZ[FSͷྺ࢙  • 2019/12 ϦϦʔε • 2021/01 ෼ੳର৅͕௥Ճ • 2021/03

    ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ΋ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ͸ SCP ΍ϦιʔεϕʔεϙϦγʔʹ΋ରԠ

44. *".
    "DDFTT
    "OBMZ[FSͷྺ࢙  • 2019/12 ϦϦʔε • 2021/01 ෼ੳର৅͕௥Ճ • 2021/03

    ʮࣄલݕূʯʹରԠ • 2021/03 ʮϙϦγʔνΣοΫʯʹରԠ • ϙϦγʔݕূʢValidationʣͱ΋ • ΞΠσϯςΟςΟϕʔεϙϦγʔ͕ϝΠϯ • AWS CLI Ͱ͸ SCP ΍ϦιʔεϕʔεϙϦγʔʹ΋ରԠ • 2021/04 ʮϙϦγʔͷੜ੒ʯʹରԠ • ΞΠσϯςΟςΟϕʔεϙϦγʔͷΈ͕ର৅

45. ͬ͘͟ΓԿ͕ҧ͏͔  Region ΞφϥΠβʔ IAM Access Analyzer ϦιʔεϕʔεϙϦγʔͷ෼ੳ αʔϏεʹ ϦϯΫ͞Εͨ

    ϩʔϧ ϙϦγʔͷݕূ ϙϦγʔͷੜ੒ αʔϏε͕ ࢖༻͢Δ ϩʔϧ

46. ͬ͘͟ΓԿ͕ҧ͏͔  • ϦιʔεϕʔεϙϦγʔͷ෼ੳʹ͸ϦʔδϣφϧϦιʔεͰ ͋ΔʮΞφϥΠβʔʯͷ࡞੒͕ඞཁ • ϙϦγʔͷݕূʹ͸Ϧιʔε΋ϩʔϧ΋ཁΒͳ͍ • ϙϦγʔͷੜ੒ʹ͸ϩʔϧ͚ͩཁΔ

47.  IAM ΞΫηεΞυόΠβʔ ͱԿ͕ҧ͏͔ ࠞཚ͕ͪ͠

48. ΞφϥΠβʔͱΞυόΠβʔ  *".
    "DDFTT
    "OBMZ[FS *".
    "DDFTT
    "EWJTPS *".ΞΫηεʁ ΞφϥΠβʔʂ ΞυόΠβʔʂ Կ͕Ͱ͖Δ͔ ɾϦιʔεϕʔεϙϦγʔͷ෼ੳ
    ɾ֤छϙϦγʔͷݕূ
    

    ɾΞΠσϯςΟςΟϕʔεϙϦγʔͷੜ੒ ɾ*".Ϧιʔε୯ҐͰͷɺ
    ΞΫηεڐՄͱΞΫηεཤྺͷදࣔ αʔϏε͔Ͳ͏͔ ɾ"84αʔϏεͰ͋Δ
    ɾϦιʔε΋ଘࡏ͢Δ
    ɾαʔϏε༻ͷϩʔϧ΋ଘࡏ͢Δ ɾ"84αʔϏεͰ͸ͳ͍
    ɾෳ਺ͷ"1*ʹΑΔػೳͷ໊শ ར༻ྉ ແྉͰࠓ͙͓͢࢖͍͍͚ͨͩ·͢ ແྉͰࠓ͙͓͢࢖͍͍͚ͨͩ·͢

49. ΞΫηεΞυόΠβʔͷ֓ཁ  •ΞΠσϯςΟςΟϕʔεϙϦγʔΛج४ͱͨ͠ʮΞΫ ηεՄೳͳαʔϏεʯͷදࣔ •Cloud TrailΛϕʔεͱͨ͠ʮΞΫηεཤྺʯͷදࣔ

50.  4. ࠷খݖݶΛ໨ࢦͨ͢Ίͷػೳ Α͏΍͘

51. औΓ্͛Δͷ͸͜ͷͭͰ͢ 

52.  ͦͷ1. ϙϦγʔͷݕূ ࠷খݖݶΛ໨ࢦͨ͢Ίͷػೳ

53. ϙϦγʔͷݕূͱ͸  • IAM Access Analyzer ʹΑΔػೳ • ҎԼͷϙϦγʔʹର͍͍ͯ͠ײ͡ͷνΣοΫΛͯ͘͠ΕΔ •

    ΞΠσϯςΟςΟϕʔεϙϦγʔ • SCPʢαʔϏείϯτϩʔϧϙϦγʔʣ※ϚωίϯෆՄ • ϦιʔεϕʔεϙϦγʔɹ※ϚωίϯෆՄ

54. ϙϦγʔͷݕূͱ͸  • ϙϦγʔͷνΣοΫͷ؍఺ • ηΩϡϦςΟɹηΩϡϦςΟϦεΫͱΈͳ͞ΕΔ಺༰ • ΤϥʔɹߏจΤϥʔ΍ແޮͳ஋ͳͲ • ܯࠂɹηΩϡϦςΟϦεΫͰ͸ͳ͍͕ϕετϓϥΫςΟεͰͳ͍

    • ఏҊɹΞΫηεڐՄʹӨڹΛ༩͑ͳ͍ఏҊʢ৑௕ͳهड़ͳͲʣ

55. ϙϦγʔͷݕূͷྫ  • ηΩϡϦςΟͷΧςΰϦͷνΣοΫ߲໨ྫ • NotPrincipalͰڐՄΛ༩͍͑ͯΔ • PassRoleΛڐՄ͢ΔResourceʢϩʔϧʣ͕޿͗͢Δ • PassRoleΛڐՄ͢ΔAction͕޿͗͢Δ

56. ϙϦγʔͷݕূ  • Ϛωίϯ͔ΒΞΠσϯςΟςΟϕʔεϙϦγʔΛฤू͢Δͱ͖͸Կ ΋ߟ͑ͣศརʹ࢖͏ • ϙϦγʔΛ CI/CD ؅ཧ͍ͯ͠Δͱ͖͸ϓϩάϥϜʹΑΓࣗಈͰݕ ূͤ͞Δ࢖͍ํ΋͋Γ

    • ʮ࠷খݖݶΛ໨ࢦ͢ʯͱ͍͏؍఺Ͱ͸ͦ͜·Ͱڧ͘ͳ͍

57.  ͦͷ2. ϙϦγʔͷੜ੒ ࠷খݖݶΛ໨ࢦͨ͢Ίͷػೳ

58. ϙϦγʔͷੜ੒ͱ͸  • IAM Access Analyzer ʹΑΔػೳ • աڈͷΞΫςΟϏςΟΛجʹɺΞΠσϯςΟςΟϕʔεϙϦγʔͷ ਽ܗΛੜ੒ͯ͘͠ΕΔ

59. ϙϦγʔͷੜ੒ʂخ͍͠  ͏͔ͬΓ৑௕ߏ੒ͰϒϩάԽ͞ΕΔ΄ͲͷΞπ͞

60.  ஫ҙ఺͕͋Γ·͢ ͍͔ͭ͘

61. ஫ҙ఺ͦͷʢͨͪʣ  •աڈͷΞΫςΟϏςΟ͕͋Δ͜ͱ͕લఏͳͷͰɺʮ࠷খͰελʔ τʯͷέʔεͰ͸࢖͑ͳ͍ •ର৅Ϣʔβʔ/ϩʔϧͱಉ͡ΞΧ΢ϯτͰ Trail ͕༗ޮʹͳ͍ͬͯ Δඞཁ͕͋Δ •ϕʔεͱͰ͖Δظؒ͸࠷େͰ90೔ؒ •ෳ਺ͷϢʔβʔ/ϩʔϧʹରͯ͠ಉ࣌ʹੜ੒Ͱ͖ͳ͍

    •1೔ʹੜ੒Ͱ͖Δͷ͸5݅·Ͱ

62. ஫ҙ఺ͦͷ  •ਫ਼ࠪͯ͘͠ΕΔͷ͸ Action ͷΈ •Resource ΍ Codition ʹ͸աڈͷΞΫςΟϏςΟ͸൓ө͞Ε ͳ͍

    ʮ͜ͷϢʔβʔ͸աڈ೔ؒͰ
    ಛఆͷ4όέοτʹରͯ͠ͷΈΞΫηεͯ͠Δ͔Β
    3FTPVSDF
    Ͱ͜ͷ
    4
    όέοτ͚ͩʹߜΔͱ͍͍Αʯ
    ͳΜͯ͜ͱ͸ͯ͘͠Ε·ͤΜɻ

63. ஫ҙ఺ͦͷ  •͢΂ͯͷαʔϏεͰ Action ϨϕϧͰਫ਼ࠪͯ͘͠ΕΔΘ͚Ͱ͸ͳ͍ ্هҎ֎ͷαʔϏε͸
    ʮαʔϏεϨϕϧʯͰͷ
    ચ͍ग़ͩ͠Α ◦ IAM


    ◦ AWS KMS
 ◦ AWS Lambda
 ◦ AWS RAM
 ◦ Amazon RDS
 ◦ AWS Resource Groups
 ◦ Amazon S3
 ◦ AWS Security Token Service
 ◦ AWS Systems Manager
 ◦ IAM Access Analyzer
 ◦ Amazon CloudWatch
 ◦ Amazon Cognito Identity
 ◦ Amazon Cognito user pools
 ◦ Amazon EC2
 ◦ Amazon ECS
 ◦ Elastic Load Balancing


64. ϙϦγʔͷੜ੒  •։ൃظؒͷ࣮੷Λ΋ͱʹʮ࠷খݖݶΛ໨ࢦ͢ʯͱ͍͏έʔεͰ ͸༗ޮ •ʮΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔʯʹ͔͠ ࢖͑ͳ͍ͷΛཧղ͢Δ •Action ͕͢΂ͯચ͍ग़͞ΕΔΘ͚Ͱ͸ͳ͍͜ͱΛཧղ͢Δ

65.  ͦͷ3. ࠷ऴΞΫηε৘ใͷར༻ ࠷খݖݶΛ໨ࢦͨ͢Ίͷػೳ

66. ࠷ऴΞΫηε৘ใͷར༻ͱ͸  • IAM ΞΫηεΞυόΠβʔ ʹΑΔػೳ • IAMϦιʔεʢϢʔβʔ/άϧʔϓ/ϩʔϧ/ϙϦγʔʣ୯ҐͰҎԼΛ֬ ೝͰ͖Δ •

    ΞΫηεՄೳͳAWSαʔϏε • ࠷ऴΞΫηεཤྺ • ҎԼͷAWSαʔϏεʹରͯ͠͸ΞΫγϣϯϨϕϧͰ֬ೝՄೳ • Amazon S3 • Amazon EC2 • AWS IAM • AWS Lambda

67. ࠷ऴΞΫηε৘ใͷར༻  • ϚωίϯͩͬͨΒ͔͜͜Β؆୯ʹݟΕ·͢ɻ

68. ࠷ऴΞΫηε৘ใͷར༻  •ΞΠσϯςΟςΟϕʔεϙϦγʔͷ Action ΛߜΔͷʹ࢖͑Δ •ʮϙϦγʔͷੜ੒ʯͱػೳ͸ࣅ͍ͯΔ͕ɺͰ͖Δ͜ͱ͕গͳ ͍෼ɺΑΓ͓खܰ •AWS CLI Ͱ΍Δͱ݁ߏָ͍͠

69. ·ͱΊ  ·ͱΊ

70. ·ͱΊ  • ʮ࠷খݖݶʯ͸͍ΖΜͳϙϦγʔͷ͍ΖΜͳཁૉ Λ࢖࣮ͬͯ૷͢Δ • IAM Access Analyzer(ͱΞυόΠβʔ)͸ͦͷҰ ෦Λνϡʔχϯά͢Δͷʹศར

    • ʮ͜Ε͑͞΍͓͚ͬͯ͹OKʯ͸ͳ͍ͷͰɺܧଓ ͯ͠಄Λ೰·ͤ·͠ΐ͏