Classmethod-developers.io-2016-d4-45min-aws-security
- 25. IAM roles for Amazon EC2
• For an application to access AWS resources, it must make API requests carrying AWS credentials.
• Sample: AWS SDK for Ruby
AWS.config({
  :access_key_id => 'ACCESS_KEY_ID',
  :secret_access_key => 'SECRET_ACCESS_KEY',
  :region => 'us-west-2',
})
• Program using an IAM user: the credentials are held inside the EC2 instance, so their storage and rotation must be considered.
• Program using an IAM role: the permissions granted through the IAM role are temporary, and rotation is automatic.
- 26. IAM roles for Amazon EC2
• By assigning an IAM role to the EC2 instance, you no longer need to keep security credentials locally.
• Program using an IAM role: the permissions granted through the IAM role are temporary, and rotation is automatic.
- 27. IAM roles for Amazon EC2
• Caution
• An IAM role can only be assigned when the EC2 instance is launched.
• It cannot be assigned after launch.
• As long as the role has been assigned, the permissions the role holds can be changed later.
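The credential behaviour behind slides 25 to 27, as an added Ruby example that is not from the talk or the AWS SDK: a minimal provider chain that uses configured static keys when present and otherwise draws temporary credentials from a stub standing in for the instance metadata service, refreshing them automatically before they expire. StaticProvider, InstanceProfileProvider, fake_metadata_fetcher, resolve_credentials and the ASIAEXAMPLE/token values are all constructed here and are not SDK APIs.

```ruby
require 'time'

Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token,
                         :expiration, :source)

# Keys written into configuration (the IAM-user pattern): skipped when absent,
# never rotated when present, hence the storage/rotation burden on the operator.
class StaticProvider
  def initialize(access_key_id, secret_access_key)
    return unless access_key_id && secret_access_key
    @creds = Credentials.new(access_key_id, secret_access_key, nil, nil, :static)
  end
  def credentials(_now)
    @creds
  end
end

# The IAM-role pattern: temporary credentials come from a fetcher standing in
# for the instance metadata service and are re-fetched automatically once
# they are within SKEW seconds of expiry, so a request never races the expiry.
class InstanceProfileProvider
  SKEW = 300
  def initialize(fetcher)
    @fetcher, @creds = fetcher, nil
  end
  def credentials(now)
    if @creds.nil? || @creds.expiration - SKEW <= now
      doc = @fetcher.call(now)
      @creds = Credentials.new(doc[:AccessKeyId], doc[:SecretAccessKey], doc[:Token],
                               Time.iso8601(doc[:Expiration]), :instance_profile)
    end
    @creds
  end
end

# Constructed stub for the metadata endpoint: each call issues a fresh one-hour
# credential set, the way the real service rotates role credentials.
def fake_metadata_fetcher
  counter = 0
  lambda do |now|
    counter += 1
    { AccessKeyId: "ASIAEXAMPLE#{counter}", SecretAccessKey: "secret#{counter}",
      Token: "token#{counter}", Expiration: (now + 3600).utc.iso8601 }
  end
end

# SDK order: explicit static keys win when configured, else the instance role.
def resolve_credentials(providers, now = Time.now)
  providers.lazy.map { |p| p.credentials(now) }.find { |c| !c.nil? }
end
```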
- 42. Differences from the Japanese translation: Security Processes (as of February 14, 2016)
• Changes since last version (Nov 2014):
• Updated compliance programs
• Updated shared security responsibility model
• Updated AWS Account security features
• Reorganized services into categories
• Updated several services with new features: CloudWatch, CloudTrail, CloudFront, EBS, ElastiCache, Redshift, Route 53, S3, Trusted Advisor, and WorkSpaces
• Added Cognito Security
• Added Mobile Analytics Security
• Added WorkDocs Security
- 50. Differences from the Japanese translation: Risk and Compliance (as of February 14, 2016)
• January 2016
• Added GxP Compliance Program
• Twelfth region added (Asia Pacific - Seoul)
• December 2015
• Updates to certifications and third-party attestations summaries
• Added ISO 27017 certification
• Added ISO 27018 certification
• Eleventh region added (China - Beijing)
• November 2015
• Update to CSA v3.0.1
- 60. (Figure: AWS shared responsibility model. Layers: AWS Global Infrastructure (Edge Location, Region, Availability Zone); AWS Foundation Services (Compute, Storage, Database, Networking); Customer Applications & Content (Network Security, Inventory & Config, Access Control, Data Security). Source: https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf)
• The AWS portion is already compliant.
- 61. (Figure: AWS shared responsibility model, AWS Global Infrastructure / AWS Foundation Services / Customer Applications & Content, with the customer layer items Network Security, Inventory & Config, Access Control and Data Security highlighted. Source: https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf)
- 62. (Figure: AWS shared responsibility model, AWS Global Infrastructure / AWS Foundation Services / Customer Applications & Content, with the customer layer items Network Security, Inventory & Config, Access Control and Data Security highlighted. Source: https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf)
• The user only needs to bring the parts AWS does not cover into compliance.
- 67. (Figure: AWS shared responsibility model, AWS Global Infrastructure / AWS Foundation Services / Customer Applications & Content, with the customer layer items Network Security, Inventory & Config, Access Control and Data Security highlighted. Source: https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf)
- 68. (Figure: AWS shared responsibility model, AWS Global Infrastructure / AWS Foundation Services / Customer Applications & Content, with the customer layer items Network Security, Inventory & Config, Access Control and Data Security highlighted. Source: https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf)
• The user only needs to bring the parts AWS does not cover into compliance.