Aim for least privilege by making use of IAM Access Analyzer
YukihiroChiba
May 19, 2021
Slides from a talk given under the title "Aim for least privilege by making use of IAM Access Analyzer".
Transcript
Aim for least privilege by making use of IAM Access Analyzer (Chiba Yukihiro)
Right off the bat, have you been thinking this? "Doesn't this overlap…?" Me: "Yeah, it overlaps…"
Thanks for having me. Please treat this as a refresher, or as your toilet-break slot.
About me: Chiba
• 2020: joined Classmethod
• 2021: APN AWS Top Engineer
• Favourite AWS action: sts:AssumeRole
Agenda
1. What least privilege is
2. Where least privilege is realized
3. What IAM Access Analyzer is
4. Features for aiming at least privilege
What this talk covers and does not cover
• Covers: the prerequisite knowledge of what least privilege is, and an overview of the features for aiming at least privilege
• Does not cover: concrete usage examples of IAM Access Analyzer
1. What least privilege is in IAM (to begin with)
Where is it written down? The principle of least privilege in IAM
(1) IAM security best practices: https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
(1) IAM security best practices
• Understand the grouping of access levels (Write, Read, Management, …)
• Validate your policies
• Generate policies based on access activity
• Use last accessed information
• Review the account's events in AWS CloudTrail
(2) Well-Architected Framework, Security pillar: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/permissions-management.html
(2) Well-Architected Framework, Security pillar
• Identity-based policies
  ◦ Managed policies: AWS managed policies, customer managed policies
  ◦ Inline policies
"In most cases, you need to create your own customer managed policies that follow the principle of least privilege."
(2) Well-Architected Framework, Security pillar
• Minimize conditions, resources and actions
• Grant access dynamically through groups and attributes (not to individual users)
• Control access through policies attached to resources and to IAM entities
• Make use of permissions boundaries and ABAC
"Operating on this principle restricts unintended access and lets you audit who can access which resources."
What happens when least privilege is not upheld? The principle of least privilege
When least privilege is not upheld:
• Operator mistakes lead to unintended changes
• The damage from unauthorized access spreads wider
• The damage from insider misuse spreads wider
The ideal is "start narrow and add as needed".
2. Where least privilege is realized (next)
Policy types: where least privilege is realized
Out of the blue: can you name all six policy types in AWS?
The six policy types
• Identity-based policies: the so-called "IAM policies" (JSON)
• Resource-based policies: bucket policies, IAM role trust policies and the like (JSON)
• Permissions boundaries (JSON)
• Organizations SCPs (service control policies) (JSON)
• Access control lists (ACLs): bucket ACLs and the like (not JSON)
• Session policies: can be set when an IAM role is assumed (JSON)
VPC endpoint policies also belong here, but I keep thinking "aren't you a bit different?"
Elements of a JSON policy: where least privilege is realized
Elements of a JSON policy (source: https://www.slideshare.net/AmazonWebServicesJapan/20190129-aws-black-belt-online-seminar-aws-identity-and-access-management-iam-part1)
• Principal (NotPrincipal): used in resource-based policies; restricts who performs the access (the subject). "Who"
• Action (NotAction): restricts the actions that can be performed. "What"
• Resource (NotResource): restricts the resources that can be accessed. "On what"
• Condition: allows (or denies) access only under specific conditions. "In which cases"
Where least privilege is realized: narrowing down Action in an identity-based policy is not, by itself, least privilege.
3. What IAM Access Analyzer is (changing topic)
What is IAM Access Analyzer, to begin with?
It used to be "the thing that looks at the Principal of resource-based policies", but before you knew it, it had learned to do all sorts of things.
History of IAM Access Analyzer
• 2019/12 Released: analyzes the resource-based policies of S3, IAM roles, KMS, Lambda and SQS
• 2021/01 Analysis targets extended: Secrets Manager secrets supported
• 2021/03 "Pre-change validation" supported: resource-based policies can be analyzed before a change is applied; in the management console only for S3 bucket policies
(Here the pace suddenly changes.)
• 2021/03 "Policy checks" supported (also called policy validation): identity-based policies are the main target; via the AWS CLI, SCPs and resource-based policies are supported as well
• 2021/04 "Policy generation" supported: only identity-based policies are covered
Roughly, how do the three differ?
• Analysis of resource-based policies: requires creating an "analyzer", which is a regional resource, and uses a service-linked role
• Policy validation: needs neither a resource nor a role
• Policy generation: needs only a role (one the service uses)
How does it differ from IAM Access Advisor? (easy to mix up)
Analyzer vs Advisor
• IAM Access Analyzer. What it does: analysis of resource-based policies, validation of the various policy types, generation of identity-based policies. Is it a service? It is an AWS service, it has resources of its own, and it has a role for the service. Price: free, available right now.
• IAM Access Advisor. What it does: shows, per IAM resource, the permissions granted and the access history. Is it a service? It is not an AWS service; it is the name of a capability made up of several APIs. Price: free, available right now.
Overview of Access Advisor
• Shows the "accessible services", derived from identity-based policies
• Shows the "access history", derived from CloudTrail
4. Features for aiming at least privilege (finally)
I will cover these three.
No. 1: Policy validation (features for aiming at least privilege)
What policy validation is
• A feature of IAM Access Analyzer
• Runs a nice set of checks against the following policies:
  ◦ Identity-based policies
  ◦ SCPs (service control policies) (not available from the management console)
  ◦ Resource-based policies (not available from the management console)
What policy validation is: the check categories
• Security: content regarded as a security risk
• Error: syntax errors, invalid values and the like
• Warning: not a security risk, but not best practice either
• Suggestion: suggestions that do not affect permissions (redundant statements and the like)
Examples of policy validation checks in the Security category
• Granting permission with NotPrincipal
• The Resource (roles) allowed for PassRole is too broad
• The Action allowed for PassRole is too broad
Policy validation
• When editing an identity-based policy from the management console, just use it without a second thought
• When policies are managed through CI/CD, you can also have a program validate them automatically
• From the "aim for least privilege" angle, it is not that strong
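The CI/CD use the slide mentions, as an added example that is not part of the talk: run IAM Access Analyzer policy validation on a policy document and fail the pipeline on Security and Error findings. It assumes boto3 is installed with AWS credentials configured; the sample findings are constructed in the shape the ValidatePolicy API returns.

```python
"""Gate a policy in CI on IAM Access Analyzer policy validation.
Added example, not from the talk; assumes boto3 and AWS credentials.
The finding shape follows the ValidatePolicy API response."""
import sys

# ValidatePolicy finding types. The talk's categories map onto them:
# security -> SECURITY_WARNING, error -> ERROR, warning -> WARNING,
# suggestion -> SUGGESTION. Only the first two should fail a pipeline.
BLOCKING_TYPES = {"SECURITY_WARNING", "ERROR"}

def blocking_findings(findings, blocking=BLOCKING_TYPES):
    """Return only the findings whose type should fail the check."""
    return [f for f in findings if f.get("findingType") in blocking]

def summarize(findings):
    """One line per finding: type, issue code and the explanation text."""
    return [f"{f['findingType']}: {f['issueCode']} - {f['findingDetails']}"
            for f in findings]

def validate_with_access_analyzer(policy_document, policy_type="IDENTITY_POLICY"):
    """Call ValidatePolicy (paginated) and return every finding.
    policy_type: IDENTITY_POLICY, RESOURCE_POLICY or SERVICE_CONTROL_POLICY;
    the console only validates the first, the API all three (as the talk notes)."""
    import boto3  # imported lazily so the pure helpers run without it

    paginator = boto3.client("accessanalyzer").get_paginator("validate_policy")
    findings = []
    for page in paginator.paginate(policyDocument=policy_document,
                                   policyType=policy_type):
        findings.extend(page["findings"])
    return findings

# Constructed sample in the ValidatePolicy response shape: a policy that
# allows iam:PassRole on "*", one of the security checks the talk lists.
SAMPLE_FINDINGS = [
    {"findingType": "SECURITY_WARNING",
     "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
     "findingDetails": "Using iam:PassRole with a wildcard resource is overly permissive."},
    {"findingType": "SUGGESTION", "issueCode": "EMPTY_SID_VALUE",
     "findingDetails": "Add a value to the empty Sid element."},
]

if __name__ == "__main__":
    # Usage: python check_policy.py policy.json   (no argument -> sample data)
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else None
    found = validate_with_access_analyzer(doc) if doc else SAMPLE_FINDINGS
    print("\n".join(summarize(found)))
    sys.exit(1 if blocking_findings(found) else 0)
```

The exit status is what a pipeline step keys on: any SECURITY_WARNING or ERROR finding makes the script exit 1, while WARNING and SUGGESTION findings are printed but do not block.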
No. 2: Policy generation (features for aiming at least privilege)
What policy generation is
• A feature of IAM Access Analyzer
• Generates a draft identity-based policy from past activity
Policy generation! Great news. Hot enough that blog posts about it appeared in no time.
There are a few caveats.
Caveat 1 (the limits)
• It presupposes past activity, so it cannot be used in a "start minimal" case
• A trail must be enabled in the same account as the target user/role
• The period it can draw on is at most 90 days
• It cannot generate for several users/roles at the same time
• At most 5 generations per day
Caveat 2
• Only Action gets examined closely
• Past activity is not reflected in Resource or Condition. It will not tell you "this user has only accessed one particular S3 bucket over the period, so narrow Resource down to that bucket".
Caveat 3
• Not every service is examined at the Action level. Services examined at the action level:
  ◦ IAM ◦ AWS KMS ◦ AWS Lambda ◦ AWS RAM ◦ Amazon RDS ◦ AWS Resource Groups ◦ Amazon S3 ◦ AWS Security Token Service ◦ AWS Systems Manager ◦ IAM Access Analyzer ◦ Amazon CloudWatch ◦ Amazon Cognito Identity ◦ Amazon Cognito user pools ◦ Amazon EC2 ◦ Amazon ECS ◦ Elastic Load Balancing
• Services other than the above are only identified at the "service level"
Policy generation
• Effective when aiming at least privilege on the basis of the actual activity of a development period
• Understand that it only helps with "narrowing down Action in an identity-based policy"
• Understand that not every Action gets identified
No. 3: Using last accessed information (features for aiming at least privilege)
What using last accessed information is
• A feature of IAM Access Advisor
• Per IAM resource (user/group/role/policy) you can check:
  ◦ The accessible AWS services
  ◦ The last access history
• For the following AWS services it can be checked at the action level: Amazon S3, Amazon EC2, AWS IAM, AWS Lambda
Using last accessed information
• From the management console you can view it easily from here (screenshot)
Using last accessed information
• Usable for narrowing down Action in an identity-based policy
• Similar in function to "policy generation", but it does less, which makes it more lightweight
• Doing it with the AWS CLI is quite fun
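The "do it with the CLI" idea from the slide, as an added example that is not part of the talk: pull action-level last accessed information for an IAM entity and list the services and tracked actions it is allowed but has never used, which is exactly the input for narrowing Action. It assumes boto3 with AWS credentials; the sample response is constructed.

```python
"""List permissions an IAM entity holds but has never used, from IAM
last accessed information (the Access Advisor data the talk covers).
Added example, not from the talk; assumes boto3 and AWS credentials."""
import time

def unused_permissions(services):
    """Split a ServicesLastAccessed list into never-used services and, for
    services tracked at action level (S3, EC2, IAM, Lambda in the talk),
    never-used actions. A missing LastAuthenticated or LastAccessedTime
    key means the service or action was never used, per the API."""
    unused_services, unused_actions = [], []
    for svc in services:
        if "LastAuthenticated" not in svc:
            unused_services.append(svc["ServiceNamespace"])
            continue
        for act in svc.get("TrackedActionsLastAccessed", []):
            if "LastAccessedTime" not in act:
                unused_actions.append(f"{svc['ServiceNamespace']}:{act['ActionName']}")
    return unused_services, unused_actions

def fetch_last_accessed(arn, poll_seconds=2):
    """Start an ACTION_LEVEL last-accessed job for a user/group/role/policy
    ARN, poll until it finishes, and collect every page of the result."""
    import boto3  # imported lazily so the pure helper runs without it

    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(
        Arn=arn, Granularity="ACTION_LEVEL")["JobId"]
    while True:
        resp = iam.get_service_last_accessed_details(JobId=job_id)
        if resp["JobStatus"] == "COMPLETED":
            break
        if resp["JobStatus"] == "FAILED":
            raise RuntimeError(resp.get("Error"))
        time.sleep(poll_seconds)  # the job runs asynchronously
    services = list(resp["ServicesLastAccessed"])
    while resp.get("IsTruncated"):  # results are paginated with Marker
        resp = iam.get_service_last_accessed_details(JobId=job_id, Marker=resp["Marker"])
        services.extend(resp["ServicesLastAccessed"])
    return services

# Constructed sample in the GetServiceLastAccessedDetails response shape:
# S3 was used (GetObject only); KMS is allowed but was never touched.
SAMPLE = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": "2021-05-01T00:00:00Z",
     "TrackedActionsLastAccessed": [
         {"ActionName": "GetObject", "LastAccessedTime": "2021-05-01T00:00:00Z"},
         {"ActionName": "DeleteObject"}]},
    {"ServiceName": "AWS Key Management Service", "ServiceNamespace": "kms"},
]
```

fetch_last_accessed(arn) returns the same list shape as SAMPLE, so unused_permissions(fetch_last_accessed(role_arn)) is the live version; as the slide says, only S3, EC2, IAM and Lambda come back with action-level entries.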
Summary
• "Least privilege" is realized using the various elements of the various policy types
• IAM Access Analyzer (and Access Advisor) are handy for tuning part of that
• There is no "just cover this and you're OK", so keep racking your brains