I'm @tmknom from the SRE team. These days I can barely contain my excitement about the anime adaptation of JoJo Part 5.

Is everyone using AWS Organizations?

At CrowdWorks we started using it recently, and AWS Organizations is enormously convenient. For something this useful there are surprisingly few published write-ups, and searching does not turn up much. So, even though we have only just started, here is a quick write-up of how we use it. Other companies, please publish more of these!
- AWS Organizations
- Multi-account strategy
- Account management with the Master account
- Centralized audit log management with the Audit account
- Centralized IAM user management with the Custodian account
- Initial setup of each AWS account
- Future work
AWS Organizations

AWS Organizations is a service for managing multiple AWS accounts as a unit. It gives you:

- Creation of new accounts
- Hierarchical grouping of accounts
- Access control over each account's APIs (root user included)
- Consolidated billing

The standout feature is account creation: you can create an AWS account through an API. Until now this meant entering contact details, entering a card number, going through phone verification and so on, which took real effort. Now a command like this creates an account in an instant:

```shell
aws organizations create-account \
  --iam-user-access-to-billing ALLOW \
  --account-name "Giorno Giovanna" \
  --email "[email protected]"
```

I can hardly wait to get into it, but let's set that aside. For the details of AWS Organizations, see the official "AWS Organizations Terminology and Concepts"; I will only borrow the concept diagram from it.

You can probably grasp it from the diagram: AWS accounts can be grouped into units called OUs (Organizational Units), and policies attached to an OU or to an individual AWS account control which APIs that account may call.
Multi-account strategy

Before creating AWS accounts left and right with AWS Organizations, we did an overall design, covering:

- Survey of prior art
- Defining the concept
- Terraform strategy
- VPC IP address space
- Email address management policy
- Responsibilities of each OU (Organizational Unit)
- Responsibilities of the administrative AWS accounts

Of these, the one that is easy to overlook is the VPC IP address space.
Survey of prior art

AWS Organizations makes creating accounts easy, but how to balance governance against convenience is a genuinely hard question, so we leaned heavily on the knowledge of those who went before:

- Architecting Security and Governance Across a Multi-Account Strategy (Japanese edition)
- Techniques and Best Practices for Multi-Account Management on AWS (AWSにおけるマルチアカウント管理の手法とベストプラクティス)
- Account Strategy from Scratch: Everything about Governance and Permission Management When Going Multi-Account (ゼロからのアカウント戦略「マルチアカウントしたときのガバナンスと権限管理の全て」)

The Thomson Reuters case study in particular is essential viewing; do use it as a reference.
Defining the concept

Our concept for multi-account management is "Trust, but verify."

We want to give engineers a free hand! On the other hand, we are a company with real social responsibility, so we also have to keep proper governance in place…!!

So, for AWS accounts, we record every action and build an environment that detects anything bad the moment it happens. It is an unremarkable policy, but unless you write it down the policy drifts and you end up somewhere you did not intend, so we deliberately put it in writing.

Recently CyberAgent published an excellent case study along these lines, and we want to learn everything we can from it.
Terraform strategy

Operating this many AWS accounts by hand is out of the question; naturally everything is code.

On AWS, CloudFormation is also an option, but Terraform lets us write simpler, more modular code, so we manage everything with Terraform. What we agonized over was how much Terraform code to share.

Sharing through Terraform modules

Terraform has modules, which let you express similar resources DRYly. Experience says, though, that for something as complex as AWS infrastructure you very quickly end up with "mostly the same, but I want this one setting to be slightly different!"

You can of course keep patching the module into a general-purpose one that meets every need. Do that, and you end up implementing your own DSL on top of Terraform, with an overwhelming sense of "this is not what I wanted."

Infrastructure template

So we decided not to share a single Terraform module across multiple AWS accounts. Instead, we maintain an "infrastructure template" written in Terraform; each AWS account forks it and manages its own code separately. After the fork, the copy is free to evolve on its own.

Best practices accumulate in the template and knowledge is shared across the company, so every new account starts out strong (a "New Game+", if you like). It is not DRY at all, but we accept that as better than sharing so much that nobody can move. It is the same idea as the "service template" practice described in Building Microservices.
VPC IP address space

"If the AWS accounts are separate, each one can design its VPC address space however it likes." There was a time when I, too, believed that.

It does not work. You may find you can no longer peer VPCs. The official "Invalid VPC peering connection configurations" page states it plainly:

You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.

At CrowdWorks, for example, we are building a data platform centred on Redshift. If a service VPC cannot peer with it, the team ends up running its own NAT servers[1] and VPN servers.

So, reluctantly, we keep an IP address ledger and allocate address space centrally. "What happened to the cloud?" you may ask, but at a minimum we make sure nothing overlaps the address space where the company's shared services live[2].
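To make the ledger concrete, here is an added example (not from the original post) of the check a central allocator would run before handing out a CIDR: it refuses anything that overlaps an existing VPC, and otherwise hands out the next free block from a private pool. The ledger contents, the pool 10.0.0.0/8 and the helper names are assumptions.

```python
"""Check a proposed VPC CIDR against a centrally managed IP address ledger.

Added example, not the author's code: the ledger format and the helper
names are assumptions. A real ledger would live in a shared file or table;
here a few entries are constructed inline.
"""
import ipaddress

# Constructed sample ledger: account name -> VPC CIDRs already issued.
LEDGER = {
    "shared-services": ["10.0.0.0/16"],   # common services every VPC wants to peer with
    "data-platform":   ["10.1.0.0/16"],   # Redshift and friends
    "service-a-prod":  ["10.2.0.0/16"],
    "service-a-dev":   ["10.3.0.0/16"],
}


def overlapping(cidr, ledger=LEDGER):
    """Return [(account, existing_cidr)] whose ranges overlap `cidr`.

    VPC peering is refused between matching or overlapping IPv4 CIDR
    blocks, so any hit here means the new VPC could never peer with that
    account's VPC.
    """
    new = ipaddress.ip_network(cidr, strict=True)
    hits = []
    for account, cidrs in ledger.items():
        for existing in cidrs:
            if new.overlaps(ipaddress.ip_network(existing)):
                hits.append((account, existing))
    return hits


def next_free(prefixlen, pool="10.0.0.0/8", ledger=LEDGER):
    """First /prefixlen block inside `pool` that overlaps nothing in the
    ledger, or None when the pool is exhausted."""
    used = [ipaddress.ip_network(c) for cidrs in ledger.values() for c in cidrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def allocate(account, prefixlen, ledger=LEDGER):
    """Reserve a fresh block for `account` in the ledger and return it."""
    cidr = next_free(prefixlen, ledger=ledger)
    if cidr is None:
        raise RuntimeError("address pool exhausted")
    ledger.setdefault(account, []).append(cidr)
    return cidr


if __name__ == "__main__":
    # A team proposing 10.1.128.0/17 would collide with the data platform VPC.
    print(overlapping("10.1.128.0/17"))
    print(allocate("service-b-prod", 16))
```

Running `overlapping()` on every pull request that adds a VPC is the cheap version of the ledger; keeping it in code alongside the infrastructure template means the check cannot be forgotten.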
Email address management policy

Every AWS account has an email address tied to it at creation. That address receives all notifications from AWS and is used in the root user's password recovery process, so it is important and has to be properly controlled.

At CrowdWorks, the address tied to each AWS account is one managed by the SRE team. We cut an alias per account, such as [email protected], so that we can tell which AWS account a given mail is about. (AWS also requires the root email to be unique per account, so one alias per account is needed anyway.)

In addition, separately from the SRE team's address, the email address of the team that owns the account is registered as an alternate contact.

This way, important notifications reach both the team that owns the account and the SRE team that oversees the whole. At the same time, management of the root user, where an accident would do enormous damage, stays consolidated in the SRE team.
Responsibilities of each OU (Organizational Unit)

Borrowing liberally from the Thomson Reuters case, we defined three OUs:

- service
  - One AWS account per system or business unit
  - Separate accounts per environment, such as production and development
  - Administrative rights and responsibility are delegated to the team in charge of each system
- admin
  - AWS accounts used for administration
  - Managed centrally by the SRE team
- sandbox
  - AWS accounts for experiments
  - Each engineer gets a personal account and an environment in which to experiment freely

The important point is that administrative rights over the accounts in the service OU are handed over wholesale to the team in charge. Giving each team freedom and responsibility is how we aim to grow a more autonomous engineering culture.

The sandbox is still at the planning stage, but the idea is to give every engineer a safe environment of their own to use for skill-building and experiments.
管çç¨AWSã¢ã«ã¦ã³ãã®è²¬å
ä»å¾ãããå°ãå¢ããäºå®ã§ãããç¾å¨ã¯ç®¡çç¨ã®ç¹æ®ãªã¢ã«ã¦ã³ãã3ã¤éç¨ãã¦ãã¾ãã
- Masterã¢ã«ã¦ã³ã
- Auditã¢ã«ã¦ã³ã
- CloudTrailãªã©ã®ç£æ»ãã°ãéä¸ç®¡ç
- åAWSã¢ã«ã¦ã³ãã¯ãAuditã¢ã«ã¦ã³ãã®S3ãã±ããããã°ä¿åå ã«è¨å®
- Custodianã¢ã«ã¦ã³ã
ãªããCustodianã¨ããåèªã¯ã管ç人ã¨ãå®è¡ããçãªãã¥ã¢ã³ã¹ã®åèªã§ããã ã½ã³ã»ãã¤ã¿ã¼ç¤¾ã®äºä¾ããæåãã¾ãããBastionï¼è¸ã¿å°ï¼ã«ãããè¿·ã£ããã§ãããBastionãµã¼ãã¨åºå¥ããã¨ãã«ããããããªãããã ã£ãã®ã§ãä»ã§ä½¿ãããªããããªåèªãæ¡ç¨ãã¦ã¾ãã
Account management with the Master account

The Master account does nothing but manage AWS accounts. "Techniques and Best Practices for Multi-Account Management on AWS" lists best practices for AWS Organizations, quoted here; the Master account is designed on these assumptions:

- Monitor activity in the master account with CloudTrail
- Do not manage resources in the organization's master account
- Manage the organization following the principle of least privilege
- Attach control policies to OUs
- Test control policies in a single AWS account first
- Attach control policies to the organization root only when necessary
- Do not mix "whitelist" and "blacklist" styles in SCPs
- Create new accounts only when there is a need
Organization

In the Master account, the first thing to create is the organization. Following the official "Creating an organization" guide, the AWS Management Console is the quickest way; the AWS CLI and Terraform can create it too.

When creating it you choose between enabling "all features" or "consolidated billing only". We enable "all features" without a second thought; service control policies are only available in that mode.

OU (Organizational Unit)

To create OUs from the console, follow the official "Managing organizational units (OUs)". The AWS CLI works too. As of July 2018, however, Terraform had no resource for OUs[3].

They are easy to change later, so we just created them quickly.
AWS account

AWS accounts get created fairly often, so we use the AWS CLI:

```shell
aws organizations create-account \
  --iam-user-access-to-billing ALLOW \
  --account-name "Giorno Giovanna" \
  --email "[email protected]"
```

Note that create-account is asynchronous: it returns a CreateAccountStatus right away, and the account is only ready once `aws organizations describe-create-account-status` reports the request as SUCCEEDED; that response also carries the new account ID.

Terraform does offer an aws_organizations_account resource, but as its documentation warns, Terraform on its own cannot close an AWS account.

Deleting an aws_organizations_account resource simply removes the account from the organization and makes it standalone. But before an account can become standalone, someone has to accept the customer agreement and enter contact details and a payment method, which is a serious hassle.

For that reason we currently keep AWS accounts outside Terraform.
Service control policies (SCP)

For service control policies, the first decision is between a "blacklist" and a "whitelist" approach. We chose blacklisting and only forbid operations on the resources that matter for governance.

Here is the Terraform definition of an SCP that forbids updating or deleting CloudTrail. Once it is attached, nobody in the member accounts, root user included, can touch the CloudTrail configuration. (SCPs never apply to the master account itself, which is one more reason to keep no resources there.)

```hcl
# SCP: nobody in the targeted accounts may switch off or alter CloudTrail
resource "aws_organizations_policy" "cloudtrail" {
  name    = "deny_cloudtrail_deletion"
  content = <<CONTENT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
CONTENT
}

# Attach it to the service OU; target_id is the OU id shown in the console
resource "aws_organizations_policy_attachment" "service" {
  policy_id = "${aws_organizations_policy.cloudtrail.id}"
  target_id = "ou-abcd-12345678"
}
```
Centralized audit log management with the Audit account

The Audit account is responsible for audit logs. It provides the S3 bucket that aggregates them and a way to search them. For now we only aggregate CloudTrail logs.

CloudTrail aggregation bucket

S3 bucket

The CloudTrail bucket is configured with:

- Versioning enabled
- S3 access log delivery enabled
- Default encryption

Versioning is the important one: should a log ever be tampered with, it can be restored. Each AWS account points its CloudTrail at the bucket defined here.

```hcl
# Bucket that receives S3 server access logs for the CloudTrail bucket
resource "aws_s3_bucket" "s3_log" {
  bucket = "audit-s3-log"
  acl    = "log-delivery-write" # lets the S3 log delivery group write here

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  lifecycle {
    prevent_destroy = true # a stray terraform destroy must not take the audit trail with it
  }
}

# Bucket that every account's CloudTrail delivers to
resource "aws_s3_bucket" "cloudtrail" {
  bucket = "audit-cloudtrail"
  acl    = "private"

  logging {
    target_bucket = "${aws_s3_bucket.s3_log.id}"
    target_prefix = "logs/audit-cloudtrail/"
  }

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  lifecycle {
    prevent_destroy = true
  }
}
```
Bucket policy

To aggregate CloudTrail logs, other AWS accounts must be allowed to write to the bucket; the key is the definition of the s3:PutObject action. The official "Setting bucket policy for multiple accounts" shows one resource entry per AWS account:

```json
"Resource": [
  "arn:aws:s3:::myBucketName/AWSLogs/111111111111/*",
  "arn:aws:s3:::myBucketName/AWSLogs/222222222222/*"
]
```

Under AWS Organizations, though, we create many accounts, and editing this definition every time an account is added is tedious; worse, forget one and its logs are never stored, and an incident there goes untraced. So we let any account's CloudTrail write[4]:

```json
"Resource": "arn:aws:s3:::myBucketName/*"
```

With this, a complete stranger's AWS account could deliver its logs into our bucket, but since no read access is granted we judged this acceptable. CloudTrail always writes under AWSLogs/<account-id>/, so any such objects are easy to spot and to clean up.

```hcl
# Bucket policy for the CloudTrail bucket
resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket = "${aws_s3_bucket.cloudtrail.id}"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.cloudtrail.id}"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${aws_s3_bucket.cloudtrail.id}/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
POLICY
}
```
Athena

The easiest way to search CloudTrail logs is with Athena.

The CloudTrail console offers a one-click setup of an Athena table, but it assumes a single account's trail, so it does not fit this multi-account use case.

Athena database definition

The Athena database is defined in Terraform. There are no real constraints on the name; pick something clear.

```hcl
# Bucket for Athena query results
resource "aws_s3_bucket" "athena" {
  bucket = "audit-athena-query-result"
  acl    = "private"
}

# Database for CloudTrail
resource "aws_athena_database" "cloudtrail" {
  name   = "cloudtrail"
  bucket = "${aws_s3_bucket.athena.bucket}"
}
```

Athena table definition

The table is easiest to create by entering DDL in the Query Editor of the Athena console.

Pointing LOCATION at the AWSLogs directory itself lets you search across every AWS account's logs. That makes every query scan a very large number of objects, though, so in practice you will create a table per account or partition by time[5].

```sql
CREATE EXTERNAL TABLE all_cloudtrail (
  eventVersion STRING,
  userIdentity STRUCT<
    type: STRING,
    principalId: STRING,
    arn: STRING,
    accountId: STRING,
    invokedBy: STRING,
    accessKeyId: STRING,
    userName: STRING,
    sessionContext: STRUCT<
      attributes: STRUCT<
        mfaAuthenticated: STRING,
        creationDate: STRING>,
      sessionIssuer: STRUCT<
        type: STRING,
        principalId: STRING,
        arn: STRING,
        accountId: STRING,
        userName: STRING>>>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestParameters STRING,
  responseElements STRING,
  additionalEventData STRING,
  requestId STRING,
  eventId STRING,
  resources ARRAY<STRUCT<
    arn: STRING,
    accountId: STRING,
    type: STRING>>,
  eventType STRING,
  apiVersion STRING,
  readOnly STRING,
  recipientAccountId STRING,
  serviceEventDetails STRING,
  sharedEventID STRING,
  vpcEndpointId STRING
)
COMMENT 'CloudTrail table for audit-cloudtrail bucket'
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://audit-cloudtrail/AWSLogs/'
TBLPROPERTIES ('classification'='cloudtrail');
```
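Two operational chores, the per-account or per-day partitions mentioned just above and spotting logs from accounts that are not ours (the "stranger's logs" the bucket-policy section accepts), both come down to parsing the object keys CloudTrail writes. Here is an added example (not the author's code) that does both. It assumes the standard key layout AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/… that CloudTrail uses when no prefix is configured, the table and bucket names used in this post, a partitioned variant of the table created with PARTITIONED BY (account STRING, region STRING, dt STRING), and a constructed object listing.

```python
"""Derive Athena partitions and spot foreign accounts from CloudTrail object keys.

Added example, not code from the original post. It assumes the standard key
layout CloudTrail uses when no prefix is configured:
AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
Table and bucket names follow the post (all_cloudtrail, audit-cloudtrail);
the organization's account list and the key listing are constructed.
"""
import re
from collections import namedtuple

KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/[^/]+\.json\.gz$"
)

Partition = namedtuple("Partition", "account region year month day")


def parse_key(key):
    """Partition for a CloudTrail log object key, or None for anything else
    (digest files under CloudTrail-Digest/, unrelated objects)."""
    m = KEY_RE.match(key)
    if not m:
        return None
    return Partition(**m.groupdict())


def partitions(keys):
    """Distinct (account, region, day) partitions present in the key list."""
    return sorted({p for p in map(parse_key, keys) if p is not None})


def add_partition_sql(part, table="all_cloudtrail", bucket="audit-cloudtrail"):
    """ALTER TABLE statement that registers one partition with Athena.

    Needs a table created with PARTITIONED BY (account STRING, region STRING,
    dt STRING); the unpartitioned DDL in the post scans every object per query.
    """
    dt = f"{part.year}-{part.month}-{part.day}"
    location = (f"s3://{bucket}/AWSLogs/{part.account}/CloudTrail/"
                f"{part.region}/{part.year}/{part.month}/{part.day}/")
    return (f"ALTER TABLE {table} ADD IF NOT EXISTS PARTITION "
            f"(account='{part.account}', region='{part.region}', dt='{dt}') "
            f"LOCATION '{location}';")


def foreign_accounts(keys, org_accounts):
    """Account IDs that delivered logs but are not members of the organization.

    The bucket policy lets any account's CloudTrail write under AWSLogs/<id>/,
    so this is the check that turns "acceptable" into "noticed".
    """
    seen = {p.account for p in partitions(keys)}
    return sorted(seen - set(org_accounts))


# Constructed sample listing, in the shape `aws s3api list-objects-v2` returns.
SAMPLE_KEYS = [
    "AWSLogs/111111111111/CloudTrail/ap-northeast-1/2018/07/10/111111111111_CloudTrail_ap-northeast-1_20180710T0005Z_a1.json.gz",
    "AWSLogs/111111111111/CloudTrail/ap-northeast-1/2018/07/10/111111111111_CloudTrail_ap-northeast-1_20180710T0010Z_b2.json.gz",
    "AWSLogs/111111111111/CloudTrail/us-east-1/2018/07/10/111111111111_CloudTrail_us-east-1_20180710T0005Z_c3.json.gz",
    "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2018/07/10/111111111111_CloudTrail-Digest_us-east-1_20180710T000000Z.json.gz",
    "AWSLogs/222222222222/CloudTrail/ap-northeast-1/2018/07/11/222222222222_CloudTrail_ap-northeast-1_20180711T0005Z_d4.json.gz",
    "AWSLogs/333333333333/CloudTrail/eu-west-1/2018/07/11/333333333333_CloudTrail_eu-west-1_20180711T0005Z_e5.json.gz",
]
ORG_ACCOUNTS = ["111111111111", "222222222222"]  # constructed member list

if __name__ == "__main__":
    for p in partitions(SAMPLE_KEYS):
        print(add_partition_sql(p))
    print("unexpected writers:", foreign_accounts(SAMPLE_KEYS, ORG_ACCOUNTS))
```

Run daily (the Lambda from footnote 5 is the natural home), the first function keeps the partitioned table current, and the second is the alarm that the permissive bucket policy otherwise lacks; the real member list comes from `aws organizations list-accounts`.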
Centralized IAM user management with the Custodian account

Sign-in to the AWS Management Console is consolidated in the Custodian account; you switch into each of the other AWS accounts by AssumeRole from Custodian.

With this, each engineer manages a single IAM user, with one password and one MFA device, and it stays manageable as the number of AWS accounts grows. The flip side is that Custodian becomes the most valuable target in the organization, which is why MFA on every user there is not optional.

IAM policies and IAM users

Which IAM users may AssumeRole into which AWS accounts is managed centrally in the Custodian account's policy definitions.

For example, to allow AssumeRole only into account 111111111111, list that account's IAM role ARN as the resource of the sts:AssumeRole action. With the following, the user can switch to admin_role in account 111111111111:

```hcl
statement {
  effect    = "Allow"
  actions   = ["sts:AssumeRole"]
  resources = ["arn:aws:iam::111111111111:role/admin_role"]
}
```

admin_role is covered later; first, the complete Terraform definition for the Custodian account. The IAM statements are trimmed down from the official "Example policies for administering IAM resources".

```hcl
# IAM policy for the group
resource "aws_iam_policy" "group" {
  name   = "${aws_iam_group.group.name}"
  policy = "${data.aws_iam_policy_document.group.json}"
}

data "aws_iam_policy_document" "group" {
  # STS helpers; GetCallerIdentity is handy for confirming which role you hold
  statement {
    effect = "Allow"
    actions = [
      "sts:DecodeAuthorizationMessage",
      "sts:GetCallerIdentity",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
  }

  # The single place that lists which accounts this group may switch into
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    resources = [
      "arn:aws:iam::111111111111:role/admin_role",
    ]
  }

  # Read access to IAM, needed for the console's security-credentials pages
  statement {
    effect = "Allow"
    actions = [
      "iam:Get*",
      "iam:List*",
    ]
    resources = ["*"]
  }

  # Self-service password and access-key management, scoped to the caller's
  # own user. "&{aws:username}" is how aws_iam_policy_document emits the IAM
  # policy variable ${aws:username} without Terraform interpolating it.
  statement {
    effect = "Allow"
    actions = [
      "iam:ChangePassword",
      "iam:*LoginProfile",
      "iam:*AccessKey*",
    ]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]
  }

  # Enrolling an MFA device for oneself
  statement {
    effect = "Allow"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ResyncMFADevice",
      "iam:DeleteVirtualMFADevice",
    ]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]
  }

  # Turning MFA off again requires an MFA-authenticated session
  statement {
    effect = "Allow"
    actions = [
      "iam:DeactivateMFADevice",
    ]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
    ]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

data "aws_caller_identity" "current" {}

# IAM group
resource "aws_iam_group" "group" {
  name = "passione"
}

resource "aws_iam_group_policy_attachment" "group" {
  group      = "${aws_iam_group.group.name}"
  policy_arn = "${aws_iam_policy.group.arn}"
}

# IAM user
resource "aws_iam_user" "bruno_bucciarati" {
  name = "BrunoBucciarati"
}

resource "aws_iam_group_membership" "group" {
  name  = "${aws_iam_group.group.name}"
  group = "${aws_iam_group.group.name}"
  users = [
    "${aws_iam_user.bruno_bucciarati.name}",
  ]
}
```
Initial setup of each AWS account

In each AWS account created under the service OU and elsewhere, two resources are created first:

- The IAM role that is the AssumeRole target
- CloudTrail

It is tedious, but this has to be configured in every AWS account, one by one.

IAM role targeted by AssumeRole

Define the IAM role that Custodian assumes. The key part is the AssumeRolePolicyDocument, the role's trust policy.

First, the principal in the trust policy is the Custodian account's ID. With Custodian ID 999999999999 it looks like this:

```hcl
principals {
  type        = "AWS"
  identifiers = ["arn:aws:iam::999999999999:root"]
}
```

Naming the account's root ARN as principal does not mean the root user: it means any IAM principal in account 999999999999 that its own IAM policy allows to call sts:AssumeRole. That is what makes the sts:AssumeRole statement in the Custodian policy the single control point.

Next, set aws:MultiFactorAuthPresent in a Condition. This forces MFA on the IAM user performing AssumeRole. A user without MFA configured cannot get into any account other than Custodian, which raises the security level considerably.

Note that once this condition is in place, MFA is also demanded when running Terraform. Terraform on its own does not handle MFA, so you AssumeRole beforehand with a tool such as coinbase/assume-role and run Terraform with the resulting credentials.

```hcl
condition {
  test     = "Bool"
  variable = "aws:MultiFactorAuthPresent"
  values   = ["true"]
}
```

Everything other than the trust policy is an ordinary IAM role definition:

```hcl
# IAM role that Custodian users assume
resource "aws_iam_role" "admin" {
  name               = "admin_role"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
}

# Trust policy: only principals from the Custodian account, and only with MFA
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::999999999999:root"]
    }

    condition {
      test     = "Bool" # not BoolIfExists: a session with no MFA information must fail
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

# Permissions the role carries: full administrative access, since the
# owning team is handed the whole account
resource "aws_iam_policy" "admin" {
  name   = "admin_policy"
  policy = "${data.aws_iam_policy_document.admin.json}"
}

data "aws_iam_policy_document" "admin" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = "${aws_iam_role.admin.name}"
  policy_arn = "${aws_iam_policy.admin.arn}"
}
```
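The SCP from the Master account section and the trust policy above both rest on IAM evaluation rules that are easy to get wrong: an explicit Deny in an SCP beats any identity policy, even the admin_role's "*", and a Bool condition on aws:MultiFactorAuthPresent fails when the key is absent, which is exactly the case for a session built from long-lived access keys. The following added example (not from the post, and not AWS's engine, which it only approximates for these two policies) models those rules over the post's own documents. It also shows the limit of a deny list: cloudtrail:PutEventSelectors is not in the SCP, so an admin_role holder could still change what the trail records, which is a reason to revisit the list periodically.

```python
"""Minimal IAM-style evaluator for the post's SCP and trust policy.

Added example, not part of the original post and not AWS's evaluation engine:
it models only what these policies use (Action wildcards, Effect, and a Bool
condition on aws:MultiFactorAuthPresent). Resource ARNs, NotAction,
principals and policy variables are out of scope.
"""
import fnmatch

# The SCP attached to the service OU in the Master account section.
SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
    "Resource": "*",
}]}

# The trust policy on admin_role in each service account (principal omitted).
TRUST = {"Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]}

# What admin_role carries: full access.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and wildcards are * and ?; fnmatch fits.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(cond, context):
    """Only the Bool operator is modelled. A missing key makes Bool false,
    which is why a session created without an MFA token fails the
    aws:MultiFactorAuthPresent check."""
    for key, expected in cond.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def decide(policy, action, context=None):
    """'Deny', 'Allow' or 'NoMatch' for one policy document."""
    context = context or {}
    result = "NoMatch"
    for st in policy["Statement"]:
        if not _action_matches(st.get("Action", []), action):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny wins; stop looking
        result = "Allow"
    return result


def allowed(action, identity_policy, scp=SCP, context=None):
    """Effective decision for a principal in a member account.

    Mirrors IAM's order: an SCP Deny beats everything; otherwise the identity
    policy decides (the default FullAWSAccess SCP is assumed to be attached).
    SCPs do not apply to the master account at all.
    """
    if decide(scp, action, context) == "Deny":
        return False
    return decide(identity_policy, action, context) == "Allow"


def can_assume(trust=TRUST, mfa=False):
    """Does a Custodian principal pass admin_role's trust policy?"""
    ctx = {"aws:MultiFactorAuthPresent": "true"} if mfa else {}
    return decide(trust, "sts:AssumeRole", ctx) == "Allow"


if __name__ == "__main__":
    for act in ["cloudtrail:StopLogging", "cloudtrail:DescribeTrails", "cloudtrail:PutEventSelectors"]:
        print(f"{act:32} with admin_role -> {allowed(act, ADMIN)}")
    print("AssumeRole without MFA:", can_assume(mfa=False))
    print("AssumeRole with MFA   :", can_assume(mfa=True))
```

The same table of outcomes is what `aws iam simulate-principal-policy` would give you against the live account; the point of the local model is that it makes the two rules visible before anything is deployed.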
CloudTrail

Point CloudTrail at the S3 bucket created in the Audit account, and enable the options:

- Enable in all regions
- Capture the logs of global services such as IAM
- Enable log file validation

```hcl
# CloudTrail
resource "aws_cloudtrail" "cloudtrail" {
  name                          = "default-trail"
  enable_logging                = true
  s3_bucket_name                = "audit-cloudtrail" # the bucket in the Audit account
  is_multi_region_trail         = true               # one trail covers every region
  include_global_service_events = true               # IAM, STS and other global services
  enable_log_file_validation    = true               # signed digest files for tamper detection
}
```
Future work

Since CloudTrail logs are being stored, a minimum of tracing is possible, but there is no mechanism that detects a problem and notifies us. Building detection is next.

Services such as the CloudWatch Events event bus and AWS Config aggregators also exist to smooth multi-account management, and we want to put them to good use. Work like this does not contribute to revenue in any obvious way, but it is essential to running the business sustainably, so we will keep improving it.

So, CrowdWorks is hiring aggressive engineers who want to dig into multi-account management; if that sounds interesting, please get in touch.
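As an added example of the detection this post names as its next step (not the author's code), here are three rules over CloudTrail records that follow directly from the controls above: any attempt to touch the trail, including attempts the SCP already denied; any use of root, which is supposed to be rare now that it is consolidated in the SRE team; and a console sign-in without MFA. The record fields are the documented CloudTrail ones; the sample records and the denial message are constructed. In production the same function would run in a Lambda fired by object-created events on the audit-cloudtrail bucket.

```python
"""Detection rules over CloudTrail records (added example, not the post's code).

Field names follow the CloudTrail record format (userIdentity, eventSource,
eventName, errorCode, additionalEventData, responseElements). The sample
records below are constructed, not captured from a real account.
"""
import gzip
import io
import json

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _findings_for(rec):
    """Yield (severity, rule, summary) for one record; nothing when benign."""
    ident = rec.get("userIdentity") or {}
    who = ident.get("arn") or ident.get("type", "unknown")
    where = f"{rec.get('recipientAccountId')}/{rec.get('awsRegion')}"
    name = rec.get("eventName", "")
    err = rec.get("errorCode")

    # 1. Anyone touching the trail. A denied StopLogging is someone probing,
    #    not a non-event, so it is reported together with its error code.
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        outcome = f"denied: {err}" if err else "succeeded"
        yield ("high", "cloudtrail-tampering", f"{who} called {name} in {where} ({outcome})")

    # 2. Root credentials are held by the SRE team only; any use is notable.
    if ident.get("type") == "Root":
        yield ("high", "root-activity",
               f"root {name} from {rec.get('sourceIPAddress')} in {where}")

    # 3. Successful console sign-in without MFA.
    extra = rec.get("additionalEventData") or {}
    resp = rec.get("responseElements") or {}
    if name == "ConsoleLogin" and extra.get("MFAUsed") == "No" and resp.get("ConsoleLogin") == "Success":
        yield ("medium", "console-login-no-mfa",
               f"{who} signed in without MFA from {rec.get('sourceIPAddress')}")


def detect(records):
    """Run every rule over a list of CloudTrail records."""
    return [f for rec in records for f in _findings_for(rec)]


def detect_log_object(data):
    """Accept the raw bytes of one CloudTrail S3 object (gzip-compressed JSON)."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        return detect(json.load(fh)["Records"])


# Constructed sample: three notable events and one benign one.
SAMPLE_RECORDS = [
    {"eventVersion": "1.05", "eventTime": "2018-07-10T01:00:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/admin_role/bruno"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "ap-northeast-1", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "errorMessage": "... with an explicit deny in a service control policy",
     "recipientAccountId": "111111111111"},
    {"eventVersion": "1.05", "eventTime": "2018-07-10T01:05:00Z",
     "userIdentity": {"type": "Root", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "recipientAccountId": "222222222222"},
    {"eventVersion": "1.05", "eventTime": "2018-07-10T01:06:00Z",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999", "userName": "BrunoBucciarati",
                      "arn": "arn:aws:iam::999999999999:user/BrunoBucciarati"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "recipientAccountId": "999999999999"},
    {"eventVersion": "1.05", "eventTime": "2018-07-10T01:07:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/admin_role/bruno"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "awsRegion": "ap-northeast-1", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111111111111"},
]


def sample_object_bytes(records=SAMPLE_RECORDS):
    """Gzip-compressed JSON in the shape CloudTrail writes to S3 (constructed)."""
    return gzip.compress(json.dumps({"Records": records}).encode())


if __name__ == "__main__":
    for sev, rule, msg in detect(SAMPLE_RECORDS):
        print(f"[{sev}] {rule}: {msg}")
```

The same three questions can be asked of the all_cloudtrail table in Athena after the fact; running them on each delivered object is what turns "we can trace it later" into "we hear about it now".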
- [1] Unfortunately the NAT gateway, AWS's fully managed NAT service, does not work across VPC peering.
- [2] As an aside, the AWS Solutions Architect blog quite seriously offers the tip that assigning a range people rarely choose to the shared-services VPC lowers the chance of an overlap, if only a little.
- [3] A pull request is open, so it should become usable soon.
- [4] The principal is restricted to cloudtrail.amazonaws.com, so it is not the case that just anyone can write.
- [5] It is an overseas example, but someone has written a script that creates the partitions daily from Lambda.