[B! iam] tk-1124ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

tk-1124 id:tk-1124

iamã«é–¢ã™ã‚‹tk-1124ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (13)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover | Datadog Security Labs
research Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover April 15, 2024 aws vulnerability disclosure Key Points We identified two variants of a vulnerability in AWS Amplify that exposed identity and access management (IAM) roles associated with Amplify projects, allowing them to become assumable by anyone in the world. If the authentication component was removed fro
tk-1124 2024/04/27
aws

iam

Security
ãƒªãƒ³ã‚¯
IAM Roles Anywhere + è‡ªå·±ç½²åè¨¼æ˜Žæ›¸ ã‚’çˆ†é€Ÿã§ä½œã£ã¦ã¿ãŸ
èƒŒæ™¯ åŽ»å¹´7æœˆã«IAM Roles AnywhereãŒãƒªãƒªãƒ¼ã‚¹ã•ã‚Œã€ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ç®¡ç†ãŒä¸è¦ã§AWSã®å¤–éƒ¨ã®ãƒªã‚½ãƒ¼ã‚¹ã«å¯¾ã—ã¦IAMãƒãƒ¼ãƒ«ã‚’å‰²ã‚Šå½“ã¦ã‚‹ã§ãã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚ ã—ã‹ã—å…¬å¼ã®ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã«ã¯è‡ªå·±ç½²åè¨¼æ˜Žæ›¸ã‚’ä½œæˆã™ã‚‹æ–¹æ³•ãŒè¨˜è¼‰ã•ã‚Œã¦ã„ã¾ã›ã‚“ã—ã€ç¾åœ¨ãƒãƒƒãƒˆä¸Šã«ä¸ŠãŒã£ã¦ã„ã‚‹è¨˜äº‹ã§ã¯æ‰‹é †ã‚‚è¤‡é›‘ã§ãªã‹ãªã‹å®¹æ˜“ã«ä½œæˆã§ããªã„ã‚‚ã®ãŒå¤šã„ã¨æ„Ÿã˜ã¾ã—ãŸã€‚ ãªã®ã§ä»Šå›žã¯IAM Roles Anywhere + è‡ªå·±ç½²åè¨¼æ˜Žæ›¸ã‚’çˆ†é€Ÿã§ä½œæˆã™ã‚‹æ–¹æ³•ã‚’ç´¹ä»‹ã—ã¾ã™ã€‚ ã¾ãŸã€GitHubä¸Šã«IAM Roles Anywhereä½œæˆã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚‚å…¬é–‹ã—ã¦ã„ã¾ã™ã®ã§ã€è‰¯ã‹ã£ãŸã‚‰ã”æ´»ç”¨ãã ã•ã„ã€‚ 1. cfsslã®ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ« ã¾ãšã¯cfsslã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—ã¾ã™ã€‚cfsslã¯ç°¡å˜ã«CSRã€ç§˜å¯†éµã‚’ä½œæˆã§ãã‚‹ãƒ„ãƒ¼ãƒ«ã§ã™ã€‚ opensslã§ã™ã¨ã„ã‚ã‚“ãªã‚ªãƒ—ã‚·ãƒ§ãƒ³ã‚’æŒ‡å®šã—ãªã„ã¨ã„ã‘ãªã„ã—ã€ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã‚’é–“é•ãˆãŸã‚‰ä¿¡é ¼ã‚¢
tk-1124 2023/02/05
aws

iam
ãƒªãƒ³ã‚¯
Lake Formation ã‚’ä½¿ç”¨ã— AWS ã‚¢ã‚«ã‚¦ãƒ³ãƒˆé–“ã§ã‚»ã‚ãƒ¥ã‚¢ã«ãƒ‡ãƒ¼ã‚¿å…±æœ‰ã‚’å®Ÿç¾ | Amazon Web Services
Amazon Web Services ãƒ–ãƒã‚° Lake Formation ã‚’ä½¿ç”¨ã— AWS ã‚¢ã‚«ã‚¦ãƒ³ãƒˆé–“ã§ã‚»ã‚ãƒ¥ã‚¢ã«ãƒ‡ãƒ¼ã‚¿å…±æœ‰ã‚’å®Ÿç¾ è¿‘å¹´ã€å¤šãã®ä¼æ¥ã§æ§‹é€ åŒ–ãƒ‡ãƒ¼ã‚¿ãƒ»éžæ§‹é€ åŒ–ãƒ‡ãƒ¼ã‚¿ã‚’ã‚¹ã‚±ãƒ¼ãƒ©ãƒ–ãƒ«ãªå½¢ã§ä¸€ç®‡æ‰€ã«é›†ç´„ã—ãŸã„ãƒ‹ãƒ¼ã‚ºãŒå¢—ãˆã¦ããŸã“ã¨ã‹ã‚‰ã€ãƒ‡ãƒ¼ã‚¿ãƒ¬ã‚¤ã‚¯ãŒéžå¸¸ã«æ³¨ç›®ã‚’é›†ã‚ã¦ã„ã¾ã™ã€‚ãƒ‡ãƒ¼ã‚¿ã¯å…ƒã®ã¾ã¾ä¿ç®¡ã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€äº‹å‰ã«å®šã‚ã‚‰ã‚ŒãŸã‚¹ã‚ãƒ¼ãƒžã¸ã®å¤‰æ›ã¯å¿…è¦ãªãã€ãƒ“ã‚¸ãƒã‚¹ãƒ¦ãƒ¼ã‚¹ã‚±ãƒ¼ã‚¹ã«å¿œã˜ã¦æŸ”è»Ÿã«æ–°ãŸãªåˆ†æžã‚’ãƒ‡ãƒ¼ã‚¿ãƒ¬ã‚¤ã‚¯ä¸Šã§å§‹ã‚ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚ å®Ÿåˆ©ç”¨ã«ãŠã„ã¦ã¯ã€è‡ªç¤¾ãŒæ‰€æœ‰ã™ã‚‹ãƒ‡ãƒ¼ã‚¿ã‚’ä»–ã®ä¼æ¥ã€çµ„ç¹”ã€ã¾ãŸã¯ãƒ“ã‚¸ãƒã‚¹ãƒ¦ãƒ‹ãƒƒãƒˆã«å…±æœ‰ã—ãŸã„è¦ä»¶ãŒã‚ˆãã‚ã‚Šã¾ã™ã€‚ä¾‹ã¨ã—ã¦ã€ä»–ç¤¾ã®ã‚¹ãƒ†ãƒ¼ã‚¯ãƒ›ãƒ«ãƒ€ãƒ¼ã«è‡ªç¤¾ã®ãƒ‡ãƒ¼ã‚¿ã‚’å…±æœ‰ã—ã€å…±åŒã®ãƒžãƒ¼ã‚±ãƒ†ã‚£ãƒ³ã‚°ã‚ãƒ£ãƒ³ãƒšãƒ¼ãƒ³ã‚’æ‰“ã¡å‡ºã™ãªã©ãŒè€ƒãˆã‚‰ã‚Œã¾ã™ã€‚ã“ã®ã‚ˆã†ãªãƒ¦ãƒ¼ã‚¹ã‚±ãƒ¼ã‚¹ã§ã€ãƒ‡ãƒ¼ã‚¿ã®æä¾›å…ƒ (ãƒ—ãƒãƒ‡ãƒ¥ãƒ¼ã‚µãƒ¼) ã¯è‡ªèº«ã®ãƒ‡ãƒ¼ã‚¿ã‚’ä¸¸ã”ã¨ã‚³ãƒ”ãƒ¼ã™ã‚‹ã“ã¨ãªãã€ã‚»ã‚ãƒ¥ã‚¢ã‹ã¤
tk-1124 2022/03/16
iam

aws

ãƒ‡ãƒ¼ã‚¿
ãƒªãƒ³ã‚¯
AWS IAMã®å±žäººçš„ãªç®¡ç†ã‹ã‚‰ã®è„±å´ã€DeNA TechCon 2021ã€‘/techcon2021-19
AWSã‚’ã¯ã˜ã‚ã¨ã™ã‚‹ã‚¯ãƒ©ã‚¦ãƒ‰ãƒ—ãƒ©ãƒƒãƒˆãƒ•ã‚©ãƒ¼ãƒ ã®æ™®åŠã«ä¼´ã„ã€Devã¨Opsã®å¢ƒç›®ã¯ã‹ãªã‚Šæ›–æ˜§ã«ãªã£ã¦ã„ã¾ã™ã€‚ãã®ä¸ã§ã‚‚IAMã®ç®¡ç†ã¯è¨å®šã«ã‚ˆã£ã¦ã¯æ¨©é™æ˜‡æ ¼ã‚’å¼•ãèµ·ã“ã—ã‹ããªã„ã“ã¨ã‹ã‚‰ã€ãã®ç®¡ç†æ¨©é™ã¯æ…Žé‡ãªç®¡ç†ã«ãªã‚ŠãŒã¡ã§ã™ã€‚çµæžœçš„ã«ã€IAMã¯å±žäººçš„ãªç®¡ç†ã‚’è¡Œã£ã¦ã„ã‚‹çµ„ç¹”ãŒå¤šã„ã®ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ã€‚ â€¦
tk-1124 2021/03/03
iam

ç®¡ç†

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

aws
ãƒªãƒ³ã‚¯
[ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆ]æ–°IAM Policy Condition aws:CalledVia ã‚’å¦ã¶ | DevelopersIO
IAM Policyã®Conditionã«aws:CalledViaã¨ã„ã†ã‚ãƒ¼ãŒè¿½åŠ ã•ã‚Œã¾ã—ãŸã€‚ã©ã†ã„ã£ãŸã‚ãƒ¼ãªã®ã‹ã”èª¬æ˜Žã—ã¾ã™ã€‚ ä¸€è¨€ã§ã„ã†ã¨ ã€Œç‰¹å®šã®ã‚µãƒ¼ãƒ“ã‚¹çµŒç”±ã§å®Ÿè¡Œã—ã¦ã„ã‚‹/ã„ãªã„ã€ã¨ã„ã†æ¨©é™ä»˜ä¸Žã®æ¡ä»¶ãŒè¨å®šå¯èƒ½ã«ãªã‚Šã¾ã—ãŸã€‚ å…·ä½“ä¾‹ã‚’å‡ºã—ã¦èª¬æ˜Žã—ã¾ã™ã€‚ ã“ã‚Œã¾ã§: aws:CalledViaãŒç„¡ã„ä¸–ç•Œ CloudFormationï¼ˆä»¥ä¸‹CFnï¼‰ã‚’ä½¿ã£ã¦ã€VPCã‚’ä½œæˆã—ãŸã„ã¨ã—ã¾ã™ã€‚ CFnãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã¯è‡³æ¥µã‚·ãƒ³ãƒ—ãƒ«ã§ã™ã€‚ AWS TemplateFormatVersion: "2010-09-09" Description: Create VPC Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: "192.168.0.0/16" EnableDnsSupport: "true" EnableDnsHostnames
tk-1124 2020/02/24
aws

iam
ãƒªãƒ³ã‚¯
IAM Policies for integrated services - AWS Step Functions
tk-1124 2019/05/12
aws

stepfunctions

iam
ãƒªãƒ³ã‚¯
[æ–°æ©Ÿèƒ½]IAMã®å§”è²æ¨©é™ã‚’åˆ¶é™å¯èƒ½ãªPermissions BoundaryãŒç™»å ´ã—ãŸã®ã§è©¦ã—ã¦ã¿ãŸ | DevelopersIO
æ–°æ©Ÿèƒ½ã¨ã—ã¦IAMã®å§”è²æ¨©é™ã‚’åˆ¶é™å¯èƒ½ãªPermissions BoundaryãŒç™»å ´ã—ãŸã®ã§è©¦ã—ã¦ã¿ã¾ã—ãŸã€‚ ã«ã—ã–ã‚ã§ã™ã€‚ãƒ–ãƒã‚°ã¨ã„ã†ã‹æ–°æ©Ÿèƒ½ã«ã¤ã„ã¦è§¦ã‚‹ã®ã‚‚ä¹…ã€…ãªæ„Ÿã˜ã§ã™ãŒã€å¤§å¥½ããªã‚µãƒ¼ãƒ“ã‚¹ã®1ã¤ã§ã‚ã‚‹IAMã‚µãƒ¼ãƒ“ã‚¹ã«ã€"Permissions Boundary"ã¨ã„ã†æ–°ãŸãªæ©Ÿèƒ½ãŒç™»å ´ã—ãŸã®ã§ã€è©¦ã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚ã»ã¼ä¸‹è¨˜ã®ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã®ã‚·ãƒŠãƒªã‚ªé€šã‚Šãªã®ã§ã™ãŒã€ã‚ˆã‚Šã‚·ãƒ³ãƒ—ãƒ«ã«èª¬æ˜Žã§ãã‚‹ã‚ˆã†ã«å°‘ã—è¨å®šã‚’å¤‰ãˆãªãŒã‚‰è©¦ã—ãŸçµæžœã‚’ã”ç´¹ä»‹ã—ã¾ã™ã€‚ AWS Developer Forums: Delegate Permission Management to Employees by Using IAM Permissions Boundaries Permissions Boundaries for IAM Identities - AWS Identity and Access Mana
tk-1124 2018/07/17
ã‚ã¨ã§èªã‚€

iam

aws

ç®¡ç†
ãƒªãƒ³ã‚¯
[AWS] ãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã¸ã®IAMãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒã‚°ã‚¤ãƒ³æ™‚ã«ç™ºç”Ÿã™ã‚‹ã‚¤ãƒ™ãƒ³ãƒˆ - Qiita
ç™ºç«¯ CloudWatch Events ã‚’ä½¿ã£ã¦ã€AWSãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã¸ã®IAMãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒã‚°ã‚¤ãƒ³å¤±æ•—ã‚’æ¤œçŸ¥ã—ã¦ã„ã¾ã—ãŸã€‚ ã§ã™ãŒã€ã©ã†ã‚„ã‚‰ã€Œéžå˜åœ¨ãƒ¦ãƒ¼ã‚¶ãƒ¼ã€ã®ãƒã‚°ã‚¤ãƒ³å¤±æ•—ã‚’æ¤œçŸ¥ã§ããªããªã£ã¦ã„ã‚‹ã‚ˆã†ã§ã™ã€‚ã“ã“ï¼‘ã€œï¼’ãƒ¶æœˆã®é–“ã«ã€‚ ã¨ã„ã†ã‚ã‘ã§ã€ç›®çš„â†“ ç›®çš„ IAMãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ãƒã‚°ã‚¤ãƒ³æ™‚ã€æˆåŠŸ/å¤±æ•—ã§ãã‚Œãžã‚Œã©ã®ã‚ˆã†ãªã‚¤ãƒ™ãƒ³ãƒˆãŒç™ºç”Ÿã™ã‚‹ã‹ã‚’ç¢ºèªã™ã‚‹ã€‚ èª¿æŸ»æ–¹æ³• CloudWatch Events ã§ SignIn ã®ã‚¤ãƒ™ãƒ³ãƒˆã‚’æ¤œçŸ¥ã—ã€Lambdaã«æµã—ã¦ãƒã‚°å‡ºåŠ›ã—ã¾ã™ã€‚ â€»ä»¥å‰ã®ã‚¤ãƒ™ãƒ³ãƒˆãƒ‘ã‚¿ãƒ¼ãƒ³ã¨ã®æ¯”è¼ƒã‚‚ã§ãã‚Œã°ã‚ˆã‹ã£ãŸã®ã§ã™ãŒã€ã‚ã‹ã‚Šã‚„ã™ããƒã‚°ã‚’æ®‹ã—ã¦ãªã„ï¼†é¡ã£ã¦èª¿ã¹ã‚‹æ°—åŠ›ã¯ç„¡ã„ã®ã§ã€ã‚„ã‚Šã¾ã›ã‚“ã€‚ CloudWatch Event Rule ã®ã‚¤ãƒ™ãƒ³ãƒˆãƒ‘ã‚¿ãƒ¼ãƒ³
tk-1124 2018/06/14
aws

iam

ã‚ã¨ã§èªã‚€
ãƒªãƒ³ã‚¯
IAMãƒãƒ¼ãƒ«ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³æœŸé–“ãŒ1æ™‚é–“ã‹ã‚‰12æ™‚é–“ã«å»¶é•·å¯èƒ½ã«ãªã‚Šã¾ã—ãŸ | DevelopersIO
è¨å®š IAMãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ã®ã€Œãƒãƒ¼ãƒ«ã€è¨å®šã¨ã—ã¦ã€CLI/API ã‚»ãƒƒã‚·ãƒ§ãƒ³æœŸé–“ã®æŒ‡å®šãŒå¯èƒ½ã«ãªã‚Šã¾ã—ãŸã€‚ æœŸé–“ã¨ã—ã¦ã€1æ™‚é–“(3600ç§’)ã‹ã‚‰ã€æœ€å¤§ã§ã¯12æ™‚é–“(43200ç§’)ã¾ã§ã®æŒ‡å®šå¯èƒ½ã§ã™ã€‚ ç¢ºèªæ‰‹é † åŒæ™‚åˆ»ã«2ã¤ã®ç•°ãªã‚‹ãƒ–ãƒ©ã‚¦ã‚¶(Firefox/Safari)ã‚’åˆ©ç”¨ã—ã¦AWSã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã«IAMãƒã‚°ã‚¤ãƒ³ CLI/API ã‚»ãƒƒã‚·ãƒ§ãƒ³æœŸé–“ 1æ™‚é–“ã¨ã€12æ™‚é–“ã®ãƒãƒ¼ãƒ«ã«ã‚¹ã‚¤ãƒƒãƒã—ã¾ã—ãŸã€‚ CloudTrailãƒã‚°(æŠœç²‹) 1æ™‚é–“è¨å®šãƒãƒ¼ãƒ«(Firefox) "eventTime": "2018-03-29T12:55:07Z", "eventSource": "signin.amazon aws.com", "eventName": "SwitchRole", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59
tk-1124 2018/03/30
ã‚ã¨ã§èªã‚€

aws

iam
ãƒªãƒ³ã‚¯
ãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã§å‚ç…§å¯èƒ½ãªã‚µãƒ¼ãƒ“ã‚¹ã‚’åˆ¶é™ã™ã‚‹ | DevelopersIO
ã“ã‚“ã«ã¡ã¯ã€å‚å·»ã§ã™ã€‚ ä»Šå›žã¯ã€ç‰¹å®šã®IAMãƒ¦ãƒ¼ã‚¶ã«å¯¾ã—ã¦ã€ ãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã‹ã‚‰å‚ç…§ã§ãã‚‹ã‚µãƒ¼ãƒ“ã‚¹ã‚’åˆ¶é™ã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚ ç›®æ¬¡ ã‚«ã‚¹ã‚¿ãƒžãƒ¼ç®¡ç†ãƒãƒªã‚·ãƒ¼ã®ä½œæˆ ãƒãƒªã‚·ãƒ¼ã®å†…å®¹ ãƒãƒªã‚·ãƒ¼ã®ä½œæˆ ãƒãƒªã‚·ãƒ¼ã®é©ç”¨ å‹•ä½œç¢ºèª ãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ« AWS CLI æœ€å¾Œã« ã‚«ã‚¹ã‚¿ãƒžãƒ¼ç®¡ç†ãƒãƒªã‚·ãƒ¼ã®ä½œæˆ æœ¬ã‚¨ãƒ³ãƒˆãƒªã§ã¯ã€ãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã‚ˆã‚Šã‚«ã‚¹ã‚¿ãƒžãƒ¼ç®¡ç†ãƒãƒªã‚·ãƒ¼ã‚’ä½œæˆã—ã¾ã™ã€‚ ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼ã‚’åˆ©ç”¨ã—ã¦åŒæ§˜ã®åˆ¶é™ã‚’è¡Œã†äº‹ã‚‚ã§ãã¾ã™ãŒã€ ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼ã®å ´åˆã€ãƒ—ãƒªãƒ³ã‚·ãƒ‘ãƒ«ã‚¨ãƒ³ãƒ†ã‚£ãƒ†ã‚£(ãƒ¦ãƒ¼ã‚¶ãƒ¼ã€ã‚°ãƒ«ãƒ¼ãƒ—ã€ãƒãƒ¼ãƒ«)ã¨1å¯¾1ã®é–¢ä¿‚ã«ãªã‚Šã€ å†åˆ©ç”¨ã‚’è¡Œã†äº‹ãŒã§ãã¾ã›ã‚“ã€‚ ãƒãƒªã‚·ãƒ¼ã®åˆ†é¡žã«ã¤ã„ã¦ã®è©³ç´°ã¯ã€ä»¥ä¸‹ã®ã‚¨ãƒ³ãƒˆãƒªã‚’ã”ç¢ºèªãã ã•ã„ã€‚ AWS IAMãƒ›ã‚šãƒªã‚·ãƒ¼ã‚’ç†è§£ã™ã‚‹ ãƒãƒªã‚·ãƒ¼ã®å†…å®¹ ã“ã“ã§ã¯ã€EC2ã®ä¸€è¦§è¡¨ç¤ºã®ã¿å¯èƒ½ãªãƒãƒªã‚·ãƒ¼ã‚’ä½œæˆã—ã¾ã™ã€‚ ãƒãƒªã‚·ãƒ¼ã®å†…å®¹ã¯ä»¥ä¸‹ã¨ãªã‚Šã¾ã™ã€‚ {
tk-1124 2018/03/18
iam

ãƒãƒªã‚·ãƒ¼

ç®¡ç†

aws
ãƒªãƒ³ã‚¯
[ãƒ¬ãƒãƒ¼ãƒˆ] AWSä¸»å‚¬ã®IAMæŠ€è¡“ã‚»ãƒŸãƒŠãƒ¼ã«å‚åŠ ã—ã¦ãã¾ã—ãŸ | DevelopersIO
å…ˆæ—¥é–‹å‚¬ã•ã‚Œã¾ã—ãŸã€AWS ä¸»å‚¬ã®æŠ€è¡“ã‚»ãƒŸãƒŠãƒ¼ã«å‚åŠ ã—ã¦ãã¾ã—ãŸã®ã§ãƒ¬ãƒãƒ¼ãƒˆã—ã¾ã™ã€‚ ä»Šå›žã®ã‚»ãƒŸãƒŠãƒ¼ã¯ã€Œã‚¨ãƒ³ã‚¿ãƒ¼ãƒ—ãƒ©ã‚¤ã‚ºã‚µãƒãƒ¼ãƒˆå¥‘ç´„ã‚’çµã‚“ã§ã„ã‚‹ãƒ‘ãƒ¼ãƒˆãƒŠãƒ¼ä¼æ¥é™å®šã®ãƒˆãƒ¬ãƒ¼ãƒ‹ãƒ³ã‚°ã‚»ãƒƒã‚·ãƒ§ãƒ³ã€ã¨ã„ã†ã“ã¨ã§ã€ç‰¹ã«ã‚µãƒãƒ¼ãƒˆã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚’å¯¾è±¡ã¨ã—ã¦ 1/25 ã«é–‹å‚¬ã•ã‚ŒãŸã‚‚ã®ã§ã™ã€‚å¼Šç¤¾ã‹ã‚‰ã¯ã€ã‚ªãƒšãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ãƒãƒ¼ãƒ æ‰€å±žã®ã‚ãŸã—ä»¥å¤–ã« 2åã€ã¾ãŸãƒªãƒ¢ãƒ¼ãƒˆã§ 2åã®ã€è¨ˆ 5åã§å‚åŠ ã—ã¾ã—ãŸã€‚ é™å®šã‚»ãƒƒã‚·ãƒ§ãƒ³ã¨ã„ã†ã“ã¨ã§ã€ãã®å†…å®¹ã‚’è©³ç´°ã«ã¯æ›¸ã‘ãªã„ã®ã§ã™ãŒã€é›°å›²æ°—ã‚’ãŠä¼ãˆã§ãã‚Œã°ã¨æ€ã„ã¾ã™ã€‚ ã‚»ãƒƒã‚·ãƒ§ãƒ³å†…å®¹ ã‚»ãƒƒã‚·ãƒ§ãƒ³ã¯ AWS ã®ã‚ªãƒ•ã‚£ã‚¹ã§é–‹å‚¬ã•ã‚Œã¾ã—ãŸã€‚ ãƒ†ãƒ¼ãƒž : IAM (AWS Identity and Access Management) å†…å®¹ : IAMæŠ€è¡“ã‚»ãƒŸãƒŠãƒ¼ (ã‚¢ãƒ‰ãƒãƒ³ã‚¹ãƒ‰) äº‹å‰ã«å‚åŠ è€…ã‹ã‚‰å¯„ã›ã‚‰ã‚ŒãŸè³ªå•ã«å¯¾ã™ã‚‹ Q&A ã‚±ãƒ¼ã‚¹äº‹ä¾‹ã«ã¤ã„ã¦ å¯¾è±¡ : IAM Black Belt ãƒ¬ãƒ™
tk-1124 2018/02/08
aws

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

iam
ãƒªãƒ³ã‚¯
Ansibleã§AssumeRoleã‚’è¡Œã„botoã«ã‚ˆã‚‹MFAå…¥åŠ›ã‚’å›žé¿ã™ã‚‹ | DevelopersIO
æ¸¡è¾ºã§ã™ã€‚ è¤‡æ•°ã®AWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆã«å¯¾ã—ã€IAMãƒãƒ¼ãƒ«ã‚’ç®¡ç†ã—ã‚ˆã†ã¨ã—ã¦è‰²ã€…ãƒãƒžã‚Šã¾ã—ãŸãƒ»ãƒ»ãƒ»ã€‚ ç®¡ç†æ–¹æ³•ã¨ã—ã¦ã€Ansibleã€Terraformã€CloudFormationã¨æ¤œè¨Žã—ã¾ã—ãŸãŒã€æœ€çµ‚çš„ã«Ansibleã«è½ã¡ç€ãã¾ã—ãŸã€‚ å‰æã¨ã—ã¦æ¬¡ã®ã‚ˆã†ãªåˆ¶ç´„ãŒã‚ã‚Šã¾ã™ã€‚ ãƒ¡ã‚¤ãƒ³ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®ã¿MFAã‚’æœ‰åŠ¹ã«ã—ãŸIAMãƒ¦ãƒ¼ã‚¶ã‚’ä½œæˆã—ã€ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼/ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚ãƒ¼ã¯ä½œæˆã™ã‚‹ ç®¡ç†å¯¾è±¡ã®AWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼/ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚ãƒ¼ã¯ä½œæˆã—ãªã„ è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ãªã©ã§æ§‹æˆç®¡ç†ã‚’è¡Œã† ãªãŠã€æ§‹æˆç®¡ç†ã‚’è¡Œã†ã«ã¯ã€Ansibleä»¥å¤–ã«ã€CloudFormationã‚„Terraformãªã©ãŒé¸æŠžè‚¢ã¨ã—ã¦ã‚ã‚Šã¾ã™ã€‚ iam_role ãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ã¨with_it ems Ansibleã§ã¯ã€AWSé–¢é€£ãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ã‚‚å¤šãæä¾›ã•ã‚Œã¦ã„ã¾ã™ã€‚ ã¯ã˜ã‚ã«ã€ iam_roleãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ã¨ã€ç¹°ã‚Šè¿”ã—å‡¦ç†ã‚’è¡Œã† with_
tk-1124 2018/02/08
ã‚ã¨ã§èªã‚€

aws

iam

ansible

sts
ãƒªãƒ³ã‚¯
IAMã®EC2æ¨©é™ã‚’ã¾ã¨ã‚ã¦ã¿ãŸ - ã‚µãƒ¼ãƒãƒ¼ãƒ¯ãƒ¼ã‚¯ã‚¹ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãƒ–ãƒã‚°
ã¿ãªã•ã‚“ã“ã‚“ã«ã¡ã¯ã€‚ ãƒ†ã‚¯ãƒ‹ã‚«ãƒ«ã‚°ãƒ«ãƒ¼ãƒ—ã®å±±ç”°ã§ã™ã€‚ æœ€è¿‘ã€IAMã§æ¨©é™ã‚’ç®¡ç†/è¨å®šã™ã‚‹æ©Ÿä¼šãŒå¤šã„ã®ã§ã™ãŒã€ãã®ä¸ã§ã‚‚ç‰¹ã«è¨å®šã™ã‚‹æ©Ÿä¼šãŒå¤šã„Â EC2ã®æ¨©é™Â ã‚’ä¸€è¦§ã«ã—ã¦ã¾ã¨ã‚ã¾ã—ãŸã€‚ IAMã§è¨å®šãŒå‡ºæ¥ã‚‹EC2ã®æ¨©é™ã‚’å…¨ã¦ç¶²ç¾…ã—ã¦ãŠã‚Šã¾ã™ã€‚ EC2ã®IAMæ¨©é™ ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã®å†…å®¹ ec2:ActivateLicense ãƒ©ã‚¤ã‚»ãƒ³ã‚¹ã‚’æœ‰åŠ¹åŒ–ã™ã‚‹ ec2:AllocateAddress EIPã‚’å–å¾—ã™ã‚‹ ec2:AssignPrivateIpAddresses ENIã«Secondary Private IPã‚’è¿½åŠ ã™ã‚‹ ec2:AssociateAddress ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹/ENIã«EIPã‚’å‰²ã‚Šå½“ã¦ã‚‹ ec2:AssociateDhcpOptions VPCã«DHCP Option Setã‚’é–¢é€£ä»˜ã‘ã‚‹ ec2:AssociateRouteTable ã‚µãƒ–ãƒãƒƒãƒˆã«å¯¾ã—ã¦RouteTab
tk-1124 2016/01/04
aws

EC2

iam
ãƒªãƒ³ã‚¯
1