[B! IAM] rikubaã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

rikuba id:rikuba

IAMã«é–¢ã™ã‚‹rikubaã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

GitHub - iann0036/iamlive: Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
rikuba 2021/03/15
AWS

IAM
ãƒªãƒ³ã‚¯
AWS IAMã®æœ€å°æ¨©é™è¿½æ±‚ã®æ—… - ãƒ—ãƒã‚°ãƒ©ãƒžã§ã‚ã‚ŠãŸã„
çš†ã•ã‚“ã€IAMä½¿ã£ã¦ã¾ã™ã‹ã€œï¼Ÿ ä»Šæ—¥ã¯ã€IAMã®ãƒ™ã‚¹ãƒˆãƒ—ãƒ©ã‚¯ãƒ†ã‚£ã‚¹ã®ä¸ã«å‘ªç¸›ã®ã‚ˆã†ã«å˜åœ¨ã™ã‚‹ã€æœ€å°æ¨©é™ã‚’ãƒ†ãƒ¼ãƒžã«æ‚©ã¿ã‚’èªžã£ã¦ã¿ã‚ˆã†ã¨æ€ã„ã¾ã™ã€‚ IAMã§ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®ãƒ™ã‚¹ãƒˆãƒ—ãƒ©ã‚¯ãƒ†ã‚£ã‚¹ ã¾ãšã¯ã€IAMã®ãƒ™ã‚¹ãƒˆãƒ—ãƒ©ã‚¯ãƒ†ã‚£ã‚¹ã®ç¢ºèªã§ã™ã€‚2020å¹´7æœˆç¾åœ¨ã§ã¯ã€17å€‹å˜åœ¨ã—ã¦ã„ã¾ã™ã€‚ä¸€ç•ªæœ€å¾Œã®ãƒ“ãƒ‡ã‚ªã§èª¬æ˜Žã™ã‚‹ã®å”çªæ„Ÿä»¥å¤–ã¯ã€ã©ã‚Œã‚‚ç´å¾—æ„ŸãŒã‚ã‚‹å†…å®¹ã§å®Ÿè·µãƒ»éµå®ˆã™ã¹ãã§ã™ã€‚ docs.aws.amazon.com AWS ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®ãƒ«ãƒ¼ãƒˆãƒ¦ãƒ¼ã‚¶ãƒ¼ ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ã‚’ãƒãƒƒã‚¯ã™ã‚‹ å€‹ã€…ã® IAM ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ä½œæˆ IAM ãƒ¦ãƒ¼ã‚¶ãƒ¼ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹è¨±å¯ã‚’å‰²ã‚Šå½“ã¦ã‚‹ãŸã‚ã«ã‚°ãƒ«ãƒ¼ãƒ—ã‚’ä½¿ç”¨ã™ã‚‹ æœ€å°æ¨©é™ã‚’ä»˜ä¸Žã™ã‚‹ AWS ç®¡ç†ãƒãƒªã‚·ãƒ¼ã‚’ä½¿ç”¨ã—ãŸã‚¢ã‚¯ã‚»ã‚¹è¨±å¯ã®ä½¿ç”¨é–‹å§‹ ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼ã§ã¯ãªãã‚«ã‚¹ã‚¿ãƒžãƒ¼ç®¡ç†ãƒãƒªã‚·ãƒ¼ã‚’ä½¿ç”¨ã™ã‚‹ ã‚¢ã‚¯ã‚»ã‚¹ãƒ¬ãƒ™ãƒ«ã‚’ä½¿ç”¨ã—ã¦ã€IAM æ¨©é™ã‚’ç¢ºèªã™ã‚‹ ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®å¼·åŠ›ãªãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ãƒãƒªã‚·ãƒ¼ã‚’è¨å®š
rikuba 2020/07/24
AWS

IAM
ãƒªãƒ³ã‚¯
ç‰¹å®šã® IAM ãƒãƒ¼ãƒ«ã®ã¿ã‚¢ã‚¯ã‚»ã‚¹ã§ãã‚‹ S3 ãƒã‚±ãƒƒãƒˆã‚’å®Ÿè£…ã™ã‚‹éš›ã«æ¤œè¨Žã—ãŸã‚ã‚Œã“ã‚Œ | DevelopersIO
ä»Šå›žã¯ S3 ãƒã‚±ãƒƒãƒˆã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’ç‰¹å®š IAM ãƒãƒ¼ãƒ«ã‹ã‚‰ã®ã¿ã«é™å®šã—ã¦åˆ©ç”¨ã™ã‚‹æ©Ÿä¼šãŒã‚ã‚Šã¾ã—ãŸã®ã§ã€è¨å®šæ–¹æ³•ã¨æ¤œè¨Žã—ãŸã‚ã‚Œã“ã‚Œã‚’ã”ç´¹ä»‹ã—ã¾ã™ã€‚ ã‚„ã‚ŠãŸã„ã“ã¨ æ§‹æˆå›³ã¯ã“ã‚“ãªæ„Ÿã˜ å‰ææ¡ä»¶ IAM ãƒãƒ¼ãƒ«ã¨ S3 ãƒã‚±ãƒƒãƒˆã¯åŒä¸€ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã«å˜åœ¨ã™ã‚‹ IAM ãƒãƒ¼ãƒ«ã«ã¯ S3 ã‚’ç®¡ç†ã™ã‚‹æ¨©é™ãŒã‚¢ã‚¿ãƒƒãƒã•ã‚Œã¦ã„ã‚‹ ä»Šå›žã¯ AmazonS3FullAccessã€€ãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã—ã¦ã„ã¾ã™ NotPrincipal ã§ã‚„ã£ã¦ã¿ã‚‹ ã€Œç‰¹å®š IAM ãƒãƒ¼ãƒ«ä»¥å¤–ã¯åˆ¶é™ã™ã‚‹ã€ã¨ã„ã†è€ƒãˆæ–¹ã§ãƒ‘ãƒƒã¨æ€ã„ã¤ãã®ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ãª NotPrincipal ã§åˆ¶é™ã™ã‚‹æ–¹æ³•ã‹ã¨æ€ã„ã¾ã™ã€‚ { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::xxxxxxxxxxxx:
rikuba 2020/03/15
AWS

IAM
ãƒªãƒ³ã‚¯
S3ã®ç‰¹å®šãƒ‘ã‚¹ã®ã¿ã«å¯¾ã—ã¦å…¨ã¦ã®æ“ä½œãŒå¯èƒ½ãªIAMãƒãƒªã‚·ãƒ¼ | DevelopersIO
ã“ã®ã†ã¡ã€å¾Œã‚ã®2ç¨®é¡žã¯ã€ãƒã‚±ãƒƒãƒˆã«å¯¾ã™ã‚‹ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã§ã™ã€‚ã¤ã¾ã‚Šã€å‰è¿°ã®ãƒãƒªã‚·ãƒ¼ã§ã¯ã€s3:*ã¨ã„ã†å…¨ã‚¢ã‚¯ã‚·ãƒ§ãƒ³æŒ‡å®šã‚’ã—ã¦ã„ã‚‹ã‚‚ã®ã®ã€arn:aws:s3:::access-control-on-specific-path/dir_a/*ã¨ã„ã†å½¢å¼ã§ãƒã‚±ãƒƒãƒˆã§ã¯ãªãã‚ªãƒ–ã‚¸ã‚§ã‚¯ãƒˆã§ãƒªã‚½ãƒ¼ã‚¹æŒ‡å®šã‚’ã—ã¦ã„ã‚‹ç‚ºã«ã€å®Ÿè³ªçš„ã«ã¯å¾Œã‚ã®2ç¨®é¡žã®ãƒã‚±ãƒƒãƒˆæ“ä½œç³»ã®æ¨©é™ã¯ä»˜ä¸Žã•ã‚Œã¦ã„ãªã„ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚ ListObjectsã™ã‚‹ã«ã¯s3:ListBucketãŒå¿…è¦ ä»Šå›žã‚¨ãƒ©ãƒ¼ã¨ãªã£ã¦å®Ÿè¡Œã§ãã¦ã„ãªã„ListObjectsã‚’ã™ã‚‹ç‚ºã«ã¯ã€s3:ListBucketæ¨©é™ãŒå¿…è¦ãªã“ã¨ãŒã‚ã‹ã‚Šã¾ã—ãŸã€‚s3:ListBucketã¯ãƒã‚±ãƒƒãƒˆã‚ªãƒšãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ã¨ãªã‚‹ç‚ºã€ãƒã‚±ãƒƒãƒˆã‚’ãƒªã‚½ãƒ¼ã‚¹ã¨ã—ã¦æ¨©é™ã‚’ä»˜ä¸Žã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ ã‚ªãƒ–ã‚¸ã‚§ã‚¯ãƒˆã‚ªãƒšãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ s3:GetObject s3:GetObjectVersion s3
rikuba 2017/08/08
AWS

S3

IAM
ãƒªãƒ³ã‚¯
IAMã«ã‚ˆã‚‹AWSæ¨©é™ç®¡ç†é‹ç”¨ãƒ™ã‚¹ãƒˆãƒ—ãƒ©ã‚¯ãƒ†ã‚£ã‚¹ (1) | DevelopersIO
ã‚ˆãè¨“ç·´ã•ã‚ŒãŸã‚¢ãƒƒãƒ—ãƒ«ä¿¡è€…ã€éƒ½å…ƒã§ã™ã€‚AWSã«ã¯IAMã¨ã„ã†æ¨©é™ç®¡ç†ã®ã‚µãƒ¼ãƒ“ã‚¹ãŒã‚ã‚Šã¾ã™ã€‚AWSã‚’å°‚é–€ã¨ã—ã¦ã„ã‚‹æˆ‘ã€…ã«ã¨ã£ã¦ã¯å½“ãŸã‚Šå‰ã®çŸ¥è˜ãªã®ã§ã™ãŒã€çš†ã•ã‚“ã¯ã“ã®æ©Ÿèƒ½ã‚’ä¸Šæ‰‹ãä½¿ãˆã¦ã„ã‚‹ã§ã—ã‚‡ã†ã‹ã€‚ AWSã«ãŠã‘ã‚‹ã‚¯ãƒ¬ãƒ‡ãƒ³ã‚·ãƒ£ãƒ«ã¨ãƒ—ãƒªãƒ³ã‚·ãƒ‘ãƒ« ã¾ãšã€AWSã«ãŠã‘ã‚‹ã‚¯ãƒ¬ãƒ‡ãƒ³ã‚·ãƒ£ãƒ«ã¯å¤§ãã2ç¨®é¡ž *1ã«åˆ†ã‹ã‚Œã¾ã™ã€‚ Sign-In Credentialï¼šManagement Consoleãƒã‚°ã‚¤ãƒ³ã®ãŸã‚ã®ã‚¯ãƒ¬ãƒ‡ãƒ³ã‚·ãƒ£ãƒ«ï¼ˆè¦ã™ã‚‹ã«ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ï¼‰ Access Credentialsï¼šAPIã‚¢ã‚¯ã‚»ã‚¹ã®ãŸã‚ã®ã‚¯ãƒ¬ãƒ‡ãƒ³ã‚·ãƒ£ãƒ«ï¼ˆè¦ã™ã‚‹ã«APIã‚ãƒ¼ï¼‰ ã¾ãŸã€ãƒ—ãƒªãƒ³ã‚·ãƒ‘ãƒ«ï¼ˆãƒã‚°ã‚¤ãƒ³ã™ã‚‹ä¸»ä½“ã€ãƒ¦ãƒ¼ã‚¶åç‰ï¼‰ã«ã‚‚å¤§ãã2ç¨®é¡ž *2ãŒã‚ã‚Šã¾ã™ã€‚ AWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆ IAMãƒ¦ãƒ¼ã‚¶ ã“ã‚Œã‚‰ã®çµ„ã¿åˆã‚ã›ã¨ã—ã¦ã€ŒAWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã€ã€ŒAWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®APIã‚ãƒ¼ã€ã€ŒIAMãƒ¦ãƒ¼ã‚¶ã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã€ã€ŒIAMãƒ¦ãƒ¼ã‚¶ã®APIã‚ãƒ¼
rikuba 2017/08/08
AWS

IAM
ãƒªãƒ³ã‚¯
IAMãƒãƒ¼ãƒ«å¾¹åº•ç†è§£ ã€œ AssumeRoleã®æ£ä½“ | DevelopersIO
ã•ã¦ã€çš†æ§˜ã¯IAMã«ã©ã®ã‚ˆã†ãªã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’ãŠæŒã¡ã§ã—ã‚‡ã†ã‹ã€‚ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã«é–¢ã‚ã‚‹è¤‡æ•°äººã§1ã¤ã®AWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆã‚’æ‰±ã†æ™‚ã€å„ãƒ¡ãƒ³ãƒãƒ¼ã«é…å¸ƒã™ã‚‹ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã‚’ä½œã‚Œã‚‹æ©Ÿèƒ½ã€‚ãã—ã¦ã€ãã®æ°—ã«ãªã‚Œã°ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã‚’ã‚°ãƒ«ãƒ¼ãƒ—åˆ†ã‘ã—ã€æ¨©é™ã‚’åŽ³å¯†ã«ç®¡ç†ã§ãã‚‹æ©Ÿèƒ½ã€‚ã¨ã„ã£ãŸã¨ã“ã‚ã‹ã¨æ€ã„ã¾ã™ã€‚ ä¸Šè¨˜ã®ãƒ¦ãƒ¼ã‚¹ã‚±ãƒ¼ã‚¹ã§å‡ºã¦ããŸä¸»ãªã‚¨ãƒ³ãƒ†ã‚£ãƒ†ã‚£ï¼ˆè¦ç´ ï¼‰ã¯Userã¨Groupã§ã™ãã€‚IAMã®Management Consoleã§è¦‹ã¦ã¿ã‚‹ã¨ã€IAMã¯ã“ã‚Œã‚‰ã®ä»–ã«Roleã‚„Identity Providerã¨ã„ã†ã‚¨ãƒ³ãƒ†ã‚£ãƒ†ã‚£ã«ã‚ˆã£ã¦æ§‹æˆã•ã‚Œã¦ã„ã‚‹ã‚ˆã†ã ã€ã¨ã„ã†ã“ã¨ãŒã‚ã‹ã‚Šã¾ã™ã€‚ä»Šæ—¥ã¯Roleã«ãƒ•ã‚©ãƒ¼ã‚«ã‚¹ã‚’å½“ã¦ã¦ã€ãã®å®Ÿæ…‹ã‚’è©³ã—ãç†è§£ã—ã¾ã™ã€‚ IAM Role IAM Roleã‚’ä½¿ã†ã¨ã€å…ˆã«æŒ™ã’ãŸIAMã®ãƒ¦ãƒ¼ã‚¹ã‚±ãƒ¼ã‚¹ã®ä»–ã«ã€ä¸‹è¨˜ã®ã‚ˆã†ãªã“ã¨ãŒå‡ºæ¥ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚ IAM roles for EC2 instancesã‚’ä½¿ã£ã¦ã¿
rikuba 2017/08/08
AWS

IAM
ãƒªãƒ³ã‚¯
1