【SAP試験対策】IAMの勉強であやふやな理解だったポイントをしっかり整理する
AWS認定のSolution Architect Professional試験用に、AWS IAMに関連したキーポイントを断片的にまとめました。
「SAPの試験問題って、大学センター試験の国語に似てね?」
UdemyにあるAWS認定のSAP模擬試験を4本こなした結果、問題の傾向として気づいたことです。どう考えても絞りきれない選択肢が2つ3つあるんですよね〜。
私は受験教科の中で国語が一番苦手でだったので、塾の先生から「問題文に書いてあることに沿って、合っているものではなく、間違ってないものを選べ」と、しょっちゅう教えられていたことを思い出しました。SAPの試験でも同じように「問題の要件と関係ない用語が含まれている選択肢をまず消去し、選択肢が2つ残ってしまったら、問題文に書いてあることに沿った、間違っていない選択肢を選ぶ」ことが大事だなと感じています。
さて、「間違っていないかどうか」を判断するためには、サービスに関する正しい知識が必要です。個人的にIAM関連が苦手だったので、理解しておきたいキーポイントを断片的にまとめていきたいと思います。
インスタンスプロファイルとは何か?
インスタンスプロファイルは IAM ロールのコンテナであり、インスタンスの起動時に EC2 インスタンスにロール情報を渡すために使用できます。
EC2インスタンスにIAM Roleを付与した際、EC2インスタンス内で稼働するアプリケーション自体は、IAM Roleではなくインスタンスプロファイルを使用して一時的な認証情報を取得しています。インスタンスプロファイルは、マネジメントコンソールからEC2のロールを作成した場合は自動的に作成されますが、AWS CLIやAWS APIでロールを管理する場合は、ロールとインスタンスプロファイルをそれぞれ別に作成する必要が発生します。
アクセス権の付与について
今回は公式ドキュメントにある以下の5つの観点を取り上げます。(他にも別の観点があるかもしれません)
- 自身が所有している他のAWSアカウントのIAMユーザーに、権限を付与する
- サードパーティが所有しているAWSアカウントへ、権限を付与する
- AWSサービスに、権限を付与する
- 外部で認証されたユーザー(Identity Federation)へ、権限を付与する
- AWS RAMで、AWSリソースを別アカウントに共有する
1. 自身が所有している他のAWSアカウントのIAMユーザーに、権限を付与する
メインのAWSアカウントAで作成したIAM Roleに対して、別のアカウントBをPrincipalとした信頼ポリシー(Trust Policy)を定義し、アカウントBからアカウントAのそのRoleを使用できるようにする方法です。アカウントBでは、アカウントの管理者がアカウント内の開発ユーザーに対して、そのRoleの付与を行います。IAM Roleを中央集権化して管理したい場合に効果的な方針ですね。
2. サードパーティが所有しているAWSアカウントへ、権限を付与する
こちらも「自身が所有している他のAWSアカウントのIAMユーザーに、権限を付与する」と同じような方法で権限を付与しますが、サードパーティのAWSアカウントIDをPricipalにする以外に、外部IDが必要となります。外部IDはサードパーティを一意に決定するシークレット識別子で、以下のように信頼ポリシーのConditionで指定します。
"Principal": {"AWS": "Example Corp's AWS Account ID"},
"Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by Example Corp"}}
- 参照
3. AWSサービスに、権限を付与する(Service Role)
あるAWSサービスが持つ、他のAWSサービスに対する権限のRoleを、Service Roleと呼びます。Service Roleには、Service Role for EC2 instancesとService-linked Roleの2種類あり、前者はまさに先ほど触れたインスタンスプロファイルと関係します。後者はマネージドサービスなどに付与されるRoleで、対応サービスはこちらの表にまとめられています。
- 参照
4. 外部で認証されたユーザー(Identity Federation)へ、権限を付与する
外部で認証されたユーザーに権限を付与する方法は、現時点では以下の4種類あります。これらによって、AWSマネージメントコンソールへIAMユーザなしでアクセスすることもできます。
- Amazon Cognito
- AWS STS AssumeRoleWithWebIdentity API
- AWS STS AssumeRoleWithSAML API
- カスタムIDブローカーアプリケーションを作成する
4.1 Amazon Cognito
モバイルやWebアプリで認証機能は、Amazon Cognitoでスケーラブルに実現できます。GoogleやFacebook、AmazonなどのソーシャルIDプロバイダー以外に、SAMLによるMicrosoft Active DirectoryなどのエンタープライズIDプロバイダーにも対応しています。
4.2 AWS STS AssumeRoleWithWebIdentity API
モバイルやWebアプリで認証機能を実装したい場合は、Amazon Cognitoを使用することを推奨されていますが、AssumeRoleWithWebIdentity APIを呼び出せば一から実装することも可能です。連携するIdPごとにIAM Roleの作成し、AssumeRoleWithWebIdentityAPIを通して一時的な認証情報を取得する流れとなります。
4.3 AWS STS AssumeRoleWithSAML API
SAML2.0を使用した認証機能の作成には、AssumeRoleWithSAML APIを使用します。流れはAssumeRoleWithWebIdentity APIとほぼ同じですね。
4.4 カスタムIDブローカーアプリケーションを作成する
IDストアがSAML2.0と互換性がない場合は、自身でIDブローカーアプリケーションを作成します。AssumeRoleやGetFederationTokenを駆使してSTSと直接やりとりする感じですね。
5. AWS RAMで、AWSリソースを別アカウントに共有する
最後はAWS RAMを用いて、AWSリソースを別アカウントに共有する方法です。基本的に各AWSリソースはアカウントごとに区切られていますが、AWS RAMを用いると複数アカウントから、同一のリソースを制御することができます。AWS Organizationと組み合わせて使用することも可能です。2020/08/13現在の共有可能なAWSリソースは以下の通りです。
- AWS App Mesh
- Amazon Aurora
- AWS CodeBuild
- Amazon EC2
- Amazon EC2 Image Builder
- AWS Glue
- AWS License Manager
- AWS Resource Groups
- Amazon Route 53
- Amazon VPC
-
参照
IAM Roleの関連用語
ロールに関する用語と概念にIAM Roleに関連する用語がずらっと並んでいるので、前述までに触れてなかった用語を中心に整理していこうと思います。
ロール(Role)
ユーザーと認可(ポリシー)が一対一の関係にあるIAM Userと異なり、IAM Roleは一つのポリシーを、複数のユーザー・リソースを適応することができます。「ユーザー・リソース」と書いた通り、ロールは以下の複数の形態で使用できます。
- アタッチするRoleと同じAWSアカウントのIAMユーザー
- アタッチするRoleとは異なるAWSアカウントのIAM ユーザー
- Amazon EC2など、AWSが提供するサービス
- SAML2.0またはOpenID Connectと互換性のある外部IDプロバイダー(IdP)サービスによって認証された外部ユーザー
また、公式ドキュメントから以下の文も引用しておきます。
IAMロールは、リソースベースのポリシーをサポートするアイデンティティかつリソースです。そのため、信頼ポリシーとアイデンティティベースのポリシーのいずれもIAMロールにアタッチする必要があります。 ポリシーとアクセス許可 - AWS Identity and Access Management
こちらが後の「委任」を理解することにおいて重要になってきます。
ロールの連鎖(Role chaining)
あるRoleを使って、AWS CLIやAPI越しに二つ目のRoleを取得して引き受けることを、ロールの連鎖といいます。一つのRoleから、AssumeRole APIで別のRoleを引き受けることができます。
委任(Delegation)
委任では、リソースを所有するアカウント(the trusting account)と、そのリソースにアクセスしたいユーザーを含むアカウント(the trusted account)の2アカウント間の信頼関係を設定します。この2つのアカウントというのは、同一のアカウントを指すこともありますし、異なるアカウントを指すこともあります。同じOrganization配下の別々のアカウントでも、異なるOrganization配下の別々のアカウントでも委任できます。
リソースへのアクセス許可を委任するためには、trusting account内で、アクセス許可ポリシー(permissions policy)と信頼ポリシー(trust policy)をアタッチしたIAM Roleを作成する必要があります。アクセス許可ポリシーは、リソースの対象タスクの実行権限を付与し、信頼ポリシーでは、trusted account内でどのメンバーにRoleの引き受けを許可するかを指定します。
さて、IAMの勉強を進めていれば、IAM Policyのレイヤーに関する集合のベン図を目にすると思います。このアクセス許可ポリシー(permissions policy)はIdentity-Based Policy、信頼ポリシーはResource-Based Policyの分類に入り、同じアカウントでは上図、クロスアカウントでは下図が当てはまります。同じアカウントでは、Identity-Based PolicyとResource-Based Policyのそれぞれで許可されているものが有効(OR条件)、クロスアカウントではIdentity-Based PolicyとResource-Based Policyの両方で許可されているものが有効(AND条件)となります。
ただし、信頼ポリシーではPrincipalのみしかアクセス許可に関する記述ができず、アクセス許可ポリシーではPrincipalを使用することができません。そのため、同一アカウントにせよクロスアカウントにせよ、アクセス許可ポリシーと信頼ポリシーの集合の関係性については、通常のIdentity-Based PolicyとResource-Based Policyの関係性とは例外であり、どちらもAND条件が課せられているようです。多分その意味で、公式ドキュメントの「半分(one-half / the other half)」という表現になっているのかなと思います。
委任に関してはまた、パラメータにexternal IDを指定することで、外部のアカウントとセキュアにRoleを引き渡すことができます。
- 参照
アクセス許可の境界(Permissions boundary)
Permissions boundaryは、先ほどのアクセス許可ポリシー(Permissions Policy)や信頼ポリシーに並び、別レイヤーでアクセス許可を担います。Permissions boundaryではその名の通り、許可して良いアクセス権限を指定して範囲を制限することができます。アクセス許可ポリシーとは異なり、それ自体ではアクセス権限を付与することはできず、アクセス許可ポリシーと合わせて使用します。
IAMでPermissions Policyを設定する画面と、同じ階層から設定できます。
- 参照
プリンシパル(Principal)
Resource-based policiesにおいて、そのリソースにアクセスし、アクションの実行を許可したいAWS内のエンティティ(AWSアカウント、IAM ユーザー、IAM ロールなど)に対して、Principalを指定します。信頼ポリシーでは、Principalにワイルドカード * を使用することができません。
クロスアカウントアクセスのロール(Role for cross-account access)
他のアカウント内の信頼関係にあるPrincipalに対して、リソースへのアクセス権を付与するロールのことです。クロスアカウントアクセスを付与するには、ロールをプロキシ的に扱うこの方法が一番主流ですが、AWSサービスの中にはポリシーをリソースに直接アタッチできるリソースもあります。これをResource-based policiesと呼び、Amazon S3バケットやAmazon SNSトピック、Amazon SQSキューなどがそれに当たります。
職務機能のAWS管理ポリシー(AWS Managed Policies for Job Functions)
職務機能のAWS管理ポリシーとは、IT業界の一般的な職種に合わせた、AWSマネージドのポリシーのことです。要はIAMポリシーのベストプラクティス的なものを、AWSがすでに提供してくれているわけですね。現在は以下の10個のポリシーが用意されています。このポリシーはそのまま使うほか、どうIAMポリシーを書くべきかの参考にもなりそうですね。
- 管理者(AdministratorAccess)
- 料金(Billing)
- データベース管理者(DatabaseAdministrator)
- データサイエンティスト(DataScientist)
- 開発者パワーユーザー(PowerUserAccess)
- ネットワーク管理者(NetworkAdministrator)
- セキュリティ監査人(SecurityAudit)
- サポートユーザー(SupportUser)
- システム管理者(SystemAdministrator)
- 閲覧専用ユーザー(ViewOnlyAccess)
ざっとポリシーのJSONを見た感じ、近年登場したサービスは網羅できていないようですね……。AdministratorAccessやBilling、PowerUserAccessのようなシンプルなポリシーの方が使い勝手が良さそうです。他はポリシーを付与してみて、足りない権限を追加していく形で、日々調節が必要になりそうですね。
管理者(AdministratorAccess)
文字通り、Admin権限的にAWSリソースへフルアクセスできる、最も権限の強いポリシーです。ActionとResourceにワイルドカードしかないですね。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
料金(Billing)
請求情報の確認や支払いの設定、支払いの承認を行うユーザーのためのポリシーです。請求関連のAWSサービスってサイロ化されてしまっているイメージがあるので、このポリシーは使いやすそうでありがたいですね。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aws-portal:*Billing",
"awsbillingconsole:*Billing",
"aws-portal:*Usage",
"awsbillingconsole:*Usage",
"aws-portal:*PaymentMethods",
"awsbillingconsole:*PaymentMethods",
"budgets:ViewBudget",
"budgets:ModifyBudget",
"cur:*",
"purchase-orders:*PurchaseOrders"
],
"Resource": "*"
}
]
}
データベース管理者(DatabaseAdministrator)
データベースのセットアップや設定、メンテナンスを行うユーザーのためのポリシーです。主要DBである、DynamoDBやElastiCache、RDS、Redshiftに対してはフルアクセスが可能で、加えて開発・運用に必要なActionが限定的に許可されています。また、このAWS管理ポリシーは、データベースに関連する一部のIAMロールをAWSサービスへ渡すことができるのも特徴ですね。よく使われるDBサービスがスポットに当てられているので、DocumentDBやAthenaなどを使いたい場合は、別途ポリシーを定義する必要があります。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:DeleteAlarms",
"cloudwatch:Describe*",
"cloudwatch:DisableAlarmActions",
"cloudwatch:EnableAlarmActions",
"cloudwatch:Get*",
"cloudwatch:List*",
"cloudwatch:PutMetricAlarm",
"datapipeline:ActivatePipeline",
"datapipeline:CreatePipeline",
"datapipeline:DeletePipeline",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:PutPipelineDefinition",
"datapipeline:QueryObjects",
"dynamodb:*",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"elasticache:*",
"iam:ListRoles",
"iam:GetRole",
"kms:ListKeys",
"lambda:CreateEventSourceMapping",
"lambda:CreateFunction",
"lambda:DeleteEventSourceMapping",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"lambda:ListEventSourceMappings",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:Create*",
"logs:PutLogEvents",
"logs:PutMetricFilter",
"rds:*",
"redshift:*",
"s3:CreateBucket",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:Get*",
"sns:List*",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject*",
"s3:Get*",
"s3:List*",
"s3:PutAccelerateConfiguration",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:PutReplicationConfiguration",
"s3:PutObject*",
"s3:Replicate*",
"s3:RestoreObject"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/rds-monitoring-role",
"arn:aws:iam::*:role/rdbms-lambda-access",
"arn:aws:iam::*:role/lambda_exec_role",
"arn:aws:iam::*:role/lambda-dynamodb-*",
"arn:aws:iam::*:role/lambda-vpc-execution-role",
"arn:aws:iam::*:role/DataPipelineDefaultRole",
"arn:aws:iam::*:role/DataPipelineDefaultResourceRole"
]
}
]
}
データサイエンティスト(DataScientist)
Hadoopジョブおよびクエリを実行するユーザーのためのポリシーです。ざっと眺めた感じ、EMRやSageMakerを使用するデータサイエンティストに向けたポリシーのようですね。こちらのAWS管理ポリシーでも、データサイエンスに関連する一部のIAMロールをAWSサービスへ渡すことができます。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:*",
"cloudwatch:*",
"cloudformation:CreateStack",
"cloudformation:DescribeStackEvents",
"datapipeline:Describe*",
"datapipeline:ListPipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:QueryObjects",
"dynamodb:*",
"ec2:CancelSpotInstanceRequests",
"ec2:CancelSpotFleetRequests",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySpotFleetRequest",
"ec2:RequestSpotInstances",
"ec2:RequestSpotFleet",
"elasticfilesystem:*",
"elasticmapreduce:*",
"es:*",
"firehose:*",
"fsx:DescribeFileSystems",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListRoles",
"kinesis:*",
"kms:List*",
"lambda:Create*",
"lambda:Delete*",
"lambda:Get*",
"lambda:InvokeFunction",
"lambda:PublishVersion",
"lambda:Update*",
"lambda:List*",
"machinelearning:*",
"sdb:*",
"rds:*",
"sns:ListSubscriptions",
"sns:ListTopics",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"redshift:*",
"s3:CreateBucket",
"sns:CreateTopic",
"sns:Get*",
"sns:List*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:Abort*",
"s3:DeleteObject",
"s3:Get*",
"s3:List*",
"s3:PutAccelerateConfiguration",
"s3:PutBucketCors",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketTagging",
"s3:PutObject",
"s3:Replicate*",
"s3:RestoreObject"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/DataPipelineDefaultRole",
"arn:aws:iam::*:role/DataPipelineDefaultResourceRole",
"arn:aws:iam::*:role/EMR_EC2_DefaultRole",
"arn:aws:iam::*:role/EMR_DefaultRole",
"arn:aws:iam::*:role/kinesis-*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "sagemaker.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"sagemaker:*"
],
"NotResource": [
"arn:aws:sagemaker:*:*:domain/*",
"arn:aws:sagemaker:*:*:user-profile/*",
"arn:aws:sagemaker:*:*:app/*",
"arn:aws:sagemaker:*:*:flow-definition/*"
]
},
{
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:DescribeUserProfile",
"sagemaker:ListUserProfiles",
"sagemaker:*App",
"sagemaker:ListApps"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sagemaker:*FlowDefinition",
"sagemaker:*FlowDefinitions"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"sagemaker:WorkteamType": [
"private-crowd",
"vendor-crowd"
]
}
}
}
]
}
開発者パワーユーザー(PowerUserAccess)
こちらはAdmin権限に並ぶ強権限なポリシーですね。IAMとOrganizationとAccount以外のActionを全て許可する開発者向けのポリシーです。一部、開発ではよく使用されるService-linked Roleの作成やOrganizationsの閲覧などが許可されています。使いやすそうなポリシーです。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization",
"account:ListRegions"
],
"Resource": "*"
}
]
}
ネットワーク管理者(NetworkAdministrator)
ネットワークリソースの設定とメンテナンスを行うユーザーに付与するポリシーです。EC2周りの権限や、DirectConnect、Route53に対するフルアクセスが許可されています。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:Describe*",
"ec2:AcceptVpcEndpointConnections",
"ec2:AllocateAddress",
"ec2:AssignIpv6Addresses",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:AssociateVpcCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway",
"ec2:CreateDefaultSubnet",
"ec2:CreateDefaultVpc",
"ec2:CreateDhcpOptions",
"ec2:CreateEgressOnlyInternetGateway",
"ec2:CreateFlowLogs",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterfacePermission",
"ec2:CreatePlacementGroup",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpcEndpointConnectionNotification",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteEgressOnlyInternetGateway",
"ec2:DeleteFlowLogs",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteNetworkInterfacePermission",
"ec2:DeletePlacementGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpointConnectionNotifications",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteVpnGateway",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeFlowLogs",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeMovingAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribePrefixLists",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroups",
"ec2:DescribeStaleSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointConnectionNotifications",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVpnGateway",
"ec2:DisableVgwRoutePropagation",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateVpcCidrBlock",
"ec2:EnableVgwRoutePropagation",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ModifyVpcEndpointConnectionNotification",
"ec2:ModifyVpcEndpointServiceConfiguration",
"ec2:ModifyVpcEndpointServicePermissions",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:ModifyVpcTenancy",
"ec2:MoveAddressToVpc",
"ec2:RejectVpcEndpointConnections",
"ec2:ReleaseAddress",
"ec2:ReplaceNetworkAclAssociation",
"ec2:ReplaceNetworkAclEntry",
"ec2:ReplaceRoute",
"ec2:ReplaceRouteTableAssociation",
"ec2:ResetNetworkInterfaceAttribute",
"ec2:RestoreAddressToClassic",
"ec2:UnassignIpv6Addresses",
"ec2:UnassignPrivateIpAddresses",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"directconnect:*",
"route53:*",
"route53domains:*",
"cloudfront:ListDistributions",
"elasticloadbalancing:*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:RequestEnvironmentInfo",
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:CreateTopic",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"cloudwatch:GetMetricStatistics",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AcceptVpcPeeringConnection",
"ec2:AttachClassicLinkVpc",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateVpcPeeringConnection",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DeleteVpcPeeringConnection",
"ec2:DetachClassicLinkVpc",
"ec2:DisableVpcClassicLink",
"ec2:EnableVpcClassicLink",
"ec2:GetConsoleScreenshot",
"ec2:RejectVpcPeeringConnection",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketWebsite"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListRoles",
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/flow-logs-*"
},
{
"Effect": "Allow",
"Action": [
"networkmanager:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AcceptTransitGatewayVpcAttachment",
"ec2:AssociateTransitGatewayRouteTable",
"ec2:CreateTransitGateway",
"ec2:CreateTransitGatewayRoute",
"ec2:CreateTransitGatewayRouteTable",
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:DeleteTransitGateway",
"ec2:DeleteTransitGatewayRoute",
"ec2:DeleteTransitGatewayRouteTable",
"ec2:DeleteTransitGatewayVpcAttachment",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DisableTransitGatewayRouteTablePropagation",
"ec2:DisassociateTransitGatewayRouteTable",
"ec2:EnableTransitGatewayRouteTablePropagation",
"ec2:ExportTransitGatewayRoutes",
"ec2:GetTransitGatewayAttachmentPropagations",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:ModifyTransitGatewayVpcAttachment",
"ec2:RejectTransitGatewayVpcAttachment",
"ec2:ReplaceTransitGatewayRoute",
"ec2:SearchTransitGatewayRoutes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": [
"transitgateway.amazonaws.com"
]
}
}
}
]
}
セキュリティ監査人(SecurityAudit)
セキュリティ要件の遵守、アカウントのモニタリングを行うユーザーのためのポリシーです。ほとんどのAWSリソースの閲覧権限が付与されるようですね。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"access-analyzer:GetAnalyzedResource",
"access-analyzer:GetAnalyzer",
"access-analyzer:GetArchiveRule",
"access-analyzer:GetFinding",
"access-analyzer:ListAnalyzedResources",
"access-analyzer:ListAnalyzers",
"access-analyzer:ListArchiveRules",
"access-analyzer:ListFindings",
"access-analyzer:ListTagsForResource",
"acm:Describe*",
"acm:List*",
"application-autoscaling:Describe*",
"appmesh:Describe*",
"appmesh:List*",
"appsync:List*",
"athena:GetWorkGroup",
"athena:List*",
"autoscaling:Describe*",
"batch:DescribeComputeEnvironments",
"batch:DescribeJobDefinitions",
"chime:List*",
"cloud9:Describe*",
"cloud9:ListEnvironments",
"clouddirectory:ListDirectories",
"cloudformation:DescribeStack*",
"cloudformation:GetTemplate",
"cloudformation:ListStack*",
"cloudformation:GetStackPolicy",
"cloudfront:Get*",
"cloudfront:List*",
"cloudhsm:ListHapgs",
"cloudhsm:ListHsms",
"cloudhsm:ListLunaClients",
"cloudsearch:DescribeDomains",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"codebuild:ListProjects",
"codecommit:BatchGetRepositories",
"codecommit:GetBranch",
"codecommit:GetObjectIdentifier",
"codecommit:GetRepository",
"codecommit:List*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"codepipeline:ListPipelines",
"codestar:Describe*",
"codestar:List*",
"cognito-identity:ListIdentityPools",
"cognito-idp:ListUserPools",
"cognito-sync:Describe*",
"cognito-sync:List*",
"comprehend:Describe*",
"comprehend:List*",
"config:BatchGetAggregateResourceConfig",
"config:BatchGetResourceConfig",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"config:List*",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:EvaluateExpression",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ValidatePipelineDefinition",
"datasync:Describe*",
"datasync:List*",
"dax:Describe*",
"dax:ListTags",
"directconnect:Describe*",
"dms:Describe*",
"dms:ListTagsForResource",
"ds:DescribeDirectories",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListBackups",
"dynamodb:ListGlobalTables",
"dynamodb:ListStreams",
"dynamodb:ListTables",
"ec2:Describe*",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecs:Describe*",
"ecs:List*",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticache:Describe*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"es:Describe*",
"es:ListDomainNames",
"events:Describe*",
"events:List*",
"firehose:Describe*",
"firehose:List*",
"fms:ListComplianceStatus",
"fms:ListPolicies",
"fsx:Describe*",
"fsx:List*",
"gamelift:ListBuilds",
"gamelift:ListFleets",
"glacier:DescribeVault",
"glacier:GetVaultAccessPolicy",
"glacier:ListVaults",
"globalaccelerator:Describe*",
"globalaccelerator:List*",
"greengrass:List*",
"guardduty:Get*",
"guardduty:List*",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"inspector:Describe*",
"inspector:Get*",
"inspector:List*",
"inspector:Preview*",
"iot:Describe*",
"iot:GetPolicy",
"iot:GetPolicyVersion",
"iot:List*",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesisanalytics:ListApplications",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:GetAccountSettings",
"lambda:GetFunctionConfiguration",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:List*",
"license-manager:List*",
"lightsail:GetInstances",
"lightsail:GetLoadBalancers",
"logs:Describe*",
"logs:ListTagsLogGroup",
"machinelearning:DescribeMLModels",
"mediaconnect:Describe*",
"mediaconnect:List*",
"mediastore:GetContainerPolicy",
"mediastore:ListContainers",
"opsworks:DescribeStacks",
"opsworks-cm:DescribeServers",
"organizations:List*",
"organizations:Describe*",
"quicksight:Describe*",
"quicksight:List*",
"ram:List*",
"rds:Describe*",
"rds:DownloadDBLogFilePortion",
"rds:ListTagsForResource",
"redshift:Describe*",
"rekognition:Describe*",
"rekognition:List*",
"robomaker:Describe*",
"robomaker:List*",
"route53:Get*",
"route53:List*",
"route53domains:GetDomainDetail",
"route53domains:GetOperationDetail",
"route53domains:ListDomains",
"route53domains:ListOperations",
"route53domains:ListTagsForDomain",
"route53resolver:List*",
"route53resolver:Get*",
"s3:GetAccelerateConfiguration",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionAcl",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"sagemaker:Describe*",
"sagemaker:List*",
"sdb:DomainMetadata",
"sdb:ListDomains",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"secretsmanager:ListSecretVersionIds",
"securityhub:Describe*",
"securityhub:Get*",
"securityhub:List*",
"serverlessrepo:GetApplicationPolicy",
"serverlessrepo:List*",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityPolicies",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"ses:ListVerifiedEmailAddresses",
"shield:Describe*",
"shield:List*",
"snowball:ListClusters",
"snowball:ListJobs",
"sns:GetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueues",
"sqs:ListQueueTags",
"ssm:Describe*",
"ssm:GetAutomationExecution",
"ssm:ListDocuments",
"sso:DescribePermissionsPolicies",
"sso:List*",
"states:ListStateMachines",
"storagegateway:DescribeBandwidthRateLimit",
"storagegateway:DescribeCache",
"storagegateway:DescribeCachediSCSIVolumes",
"storagegateway:DescribeGatewayInformation",
"storagegateway:DescribeMaintenanceStartTime",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSnapshotSchedule",
"storagegateway:DescribeStorediSCSIVolumes",
"storagegateway:DescribeTapeArchives",
"storagegateway:DescribeTapeRecoveryPoints",
"storagegateway:DescribeTapes",
"storagegateway:DescribeUploadBuffer",
"storagegateway:DescribeVTLDevices",
"storagegateway:DescribeWorkingStorage",
"storagegateway:List*",
"tag:GetResources",
"tag:GetTagKeys",
"transfer:Describe*",
"transfer:List*",
"translate:List*",
"trustedadvisor:Describe*",
"waf:ListWebACLs",
"waf-regional:ListWebACLs",
"workspaces:Describe*"
]
},
{
"Effect": "Allow",
"Action": [
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:*::/apis",
"arn:aws:apigateway:*::/apis/*/stages",
"arn:aws:apigateway:*::/apis/*/stages/*",
"arn:aws:apigateway:*::/apis/*/routes",
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/restapis/*/authorizers",
"arn:aws:apigateway:*::/restapis/*/authorizers/*",
"arn:aws:apigateway:*::/restapis/*/documentation/versions",
"arn:aws:apigateway:*::/restapis/*/resources",
"arn:aws:apigateway:*::/restapis/*/resources/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
"arn:aws:apigateway:*::/restapis/*/stages",
"arn:aws:apigateway:*::/restapis/*/stages/*",
"arn:aws:apigateway:*::/vpclinks"
]
}
]
}
サポートユーザー(SupportUser)
AWSサポートへの連絡、サポートケースの作成、既存ケースの状態を確認するユーザーのためのポリシーです。support:*となっていることはもちろん、ケース起票の情報収集のための各種リソースの閲覧権限が付与されている点が特徴的ですね。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"support:*",
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:List*",
"apigateway:GET",
"appstream:Get*",
"autoscaling:Describe*",
"aws-marketplace:ViewSubscriptions",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:EstimateTemplateCost",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents",
"cloudtrail:ListTags",
"cloudtrail:ListPublicKeys",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codecommit:BatchGetRepositories",
"codecommit:Get*",
"codecommit:List*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"codepipeline:AcknowledgeJob",
"codepipeline:AcknowledgeThirdPartyJob",
"codepipeline:ListActionTypes",
"codepipeline:ListPipelines",
"codepipeline:PollForJobs",
"codepipeline:PollForThirdPartyJobs",
"codepipeline:GetPipelineState",
"codepipeline:GetPipeline",
"cognito-identity:List*",
"cognito-identity:LookupDeveloperIdentity",
"cognito-identity:Describe*",
"cognito-idp:Describe*",
"cognito-sync:Describe*",
"cognito-sync:GetBulkPublishDetails",
"cognito-sync:GetCognitoEvents",
"cognito-sync:GetIdentityPoolConfiguration",
"cognito-sync:List*",
"config:DescribeConfigurationRecorders",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigRuleEvaluationStatus",
"config:DescribeConfigRules",
"config:DescribeDeliveryChannels",
"config:DescribeDeliveryChannelStatus",
"config:GetResourceConfigHistory",
"config:ListDiscoveredResources",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ReportTaskProgress",
"datapipeline:ReportTaskRunnerHeartbeat",
"devicefarm:List*",
"devicefarm:Get*",
"directconnect:Describe*",
"discovery:Describe*",
"discovery:ListConfigurations",
"dms:Describe*",
"dms:List*",
"ds:DescribeDirectories",
"ds:DescribeSnapshots",
"ds:GetDirectoryLimits",
"ds:GetSnapshotLimits",
"ds:ListAuthorizedApplications",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:DescribeHosts",
"ec2:describeIdentityIdFormat",
"ec2:DescribeIdFormat",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeNatGateways",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeTags",
"ecr:GetRepositoryPolicy",
"ecr:BatchCheckLayerAvailability",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecs:Describe*",
"ecs:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"elastictranscoder:List*",
"elastictranscoder:ReadJob",
"elasticfilesystem:DescribeFileSystems",
"es:Describe*",
"es:List*",
"es:ESHttpGet",
"es:ESHttpHead",
"events:DescribeRule",
"events:List*",
"events:TestEventPattern",
"firehose:Describe*",
"firehose:List*",
"gamelift:List*",
"gamelift:Describe*",
"glacier:ListVaults",
"glacier:DescribeVault",
"glacier:DescribeJob",
"glacier:Get*",
"glacier:List*",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*",
"importexport:GetStatus",
"importexport:ListJobs",
"inspector:Describe*",
"inspector:List*",
"iot:Describe*",
"iot:Get*",
"iot:List*",
"kinesisanalytics:DescribeApplication",
"kinesisanalytics:DiscoverInputSchema",
"kinesisanalytics:GetApplicationState",
"kinesisanalytics:ListApplications",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:List*",
"lambda:Get*",
"logs:Describe*",
"logs:TestMetricFilter",
"machinelearning:Describe*",
"machinelearning:Get*",
"mobilehub:GetProject",
"mobilehub:List*",
"mobilehub:ValidateProject",
"mobilehub:VerifyServiceRole",
"opsworks:Describe*",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"route53:Get*",
"route53:List*",
"route53domains:CheckDomainAvailability",
"route53domains:GetDomainDetail",
"route53domains:GetOperationDetail",
"route53domains:List*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"servicecatalog:SearchProducts",
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:ListLaunchPaths",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ListRecordHistory",
"servicecatalog:DescribeRecord",
"servicecatalog:ScanProvisionedProducts",
"ses:Get*",
"ses:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"ssm:List*",
"ssm:Describe*",
"storagegateway:Describe*",
"storagegateway:List*",
"swf:Count*",
"swf:Describe*",
"swf:Get*",
"swf:List*",
"waf:Get*",
"waf:List*",
"workspaces:Describe*",
"workdocs:Describe*",
"workmail:Describe*",
"workmail:Get*",
"workspaces:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
システム管理者(SystemAdministrator)
開発・運用リソースのセットアップやメンテナンスを行うユーザー用のポリシーです。名前的に強権限のように見えますが、EC2やLambda、RDSといった、AWSの基本的なサービスの作成・メンテナンスを許可するポリシーなので、PowerUserAccessより権限は弱いです。
{
"Statement": [
{
"Action": [
"acm:Describe*",
"acm:Get*",
"acm:List*",
"acm:Request*",
"acm:Resend*",
"autoscaling:*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListPublicKeys",
"cloudtrail:ListTags",
"cloudtrail:LookupEvents",
"cloudtrail:StartLogging",
"cloudtrail:StopLogging",
"cloudwatch:*",
"codecommit:BatchGetRepositories",
"codecommit:CreateBranch",
"codecommit:CreateRepository",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:GitPush",
"codecommit:List*",
"codecommit:Put*",
"codecommit:Test*",
"codecommit:Update*",
"codedeploy:*",
"codepipeline:*",
"config:*",
"ds:*",
"ec2:Allocate*",
"ec2:AssignPrivateIpAddresses*",
"ec2:Associate*",
"ec2:Allocate*",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVpnGateway",
"ec2:Bundle*",
"ec2:Cancel*",
"ec2:Copy*",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
"ec2:CreateFlowLogs",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateReservedInstancesListing",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSpotDatafeedSubscription",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteFlowLogs",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSpotDatafeedSubscription",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteVpnGateway",
"ec2:DeregisterImage",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVpnGateway",
"ec2:DisableVgwRoutePropagation",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:EnableVgwRoutePropagation",
"ec2:EnableVolumeIO",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:GetConsoleOutput",
"ec2:GetHostReservationPurchasePreview",
"ec2:GetPasswordData",
"ec2:Import*",
"ec2:Modify*",
"ec2:MonitorInstances",
"ec2:MoveAddressToVpc",
"ec2:Purchase*",
"ec2:RegisterImage",
"ec2:Release*",
"ec2:Replace*",
"ec2:ReportInstanceStatus",
"ec2:Request*",
"ec2:Reset*",
"ec2:RestoreAddressToClassic",
"ec2:RunScheduledInstances",
"ec2:UnassignPrivateIpAddresses",
"ec2:UnmonitorInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"elasticloadbalancing:*",
"events:*",
"iam:GetAccount*",
"iam:GetContextKeys*",
"iam:GetCredentialReport",
"iam:ListAccountAliases",
"iam:ListGroups",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListRoles",
"iam:ListSAMLProviders",
"iam:ListServerCertificates",
"iam:Simulate*",
"iam:UpdateServerCertificate",
"iam:UpdateSigningCertificate",
"kinesis:ListStreams",
"kinesis:PutRecord",
"kms:CreateAlias",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:Describe*",
"kms:GenerateRandom",
"kms:Get*",
"kms:List*",
"kms:Encrypt",
"kms:ReEncrypt*",
"lambda:Create*",
"lambda:Delete*",
"lambda:Get*",
"lambda:InvokeFunction",
"lambda:List*",
"lambda:PublishVersion",
"lambda:Update*",
"logs:*",
"rds:Describe*",
"rds:ListTagsForResource",
"route53:*",
"route53domains:*",
"ses:*",
"sns:*",
"sqs:*",
"trustedadvisor:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:AcceptVpcPeeringConnection",
"ec2:AttachClassicLinkVpc",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateVpcPeeringConnection",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkAcl*",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DeleteVpcPeeringConnection",
"ec2:DetachClassicLinkVpc",
"ec2:DetachVolume",
"ec2:DisableVpcClassicLink",
"ec2:EnableVpcClassicLink",
"ec2:GetConsoleScreenshot",
"ec2:RebootInstances",
"ec2:RejectVpcPeeringConnection",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"iam:GetAccessKeyLastUsed",
"iam:GetGroup*",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy*",
"iam:GetRole*",
"iam:GetSAMLProvider",
"iam:GetSSHPublicKey",
"iam:GetServerCertificate",
"iam:GetServiceLastAccessed*",
"iam:GetUser*",
"iam:ListAccessKeys",
"iam:ListAttached*",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles*",
"iam:ListMFADevices",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListSSHPublicKeys",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:Upload*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"iam:GetRole",
"iam:ListRoles",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:role/rds-monitoring-role",
"arn:aws:iam::*:role/ec2-sysadmin-*",
"arn:aws:iam::*:role/ecr-sysadmin-*",
"arn:aws:iam::*:role/lambda-sysadmin-*"
]
}
],
"Version": "2012-10-17"
}
閲覧専用ユーザー(ViewOnlyAccess)
最後は、ほとんどのAWSサービスのリソースに対してList*やDescribe*、Get*、View*、Lookup*を許可するポリシーです。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"acm:ListCertificates",
"athena:List*",
"aws-marketplace:ViewSubscriptions",
"autoscaling:Describe*",
"batch:ListJobs",
"clouddirectory:ListAppliedSchemaArns",
"clouddirectory:ListDevelopmentSchemaArns",
"clouddirectory:ListDirectories",
"clouddirectory:ListPublishedSchemaArns",
"cloudformation:List*",
"cloudformation:DescribeStacks",
"cloudfront:List*",
"cloudhsm:ListAvailableZones",
"cloudhsm:ListLunaClients",
"cloudhsm:ListHapgs",
"cloudhsm:ListHsms",
"cloudsearch:List*",
"cloudsearch:DescribeDomains",
"cloudtrail:DescribeTrails",
"cloudtrail:LookupEvents",
"cloudwatch:List*",
"cloudwatch:Get*",
"codebuild:ListBuilds*",
"codebuild:ListProjects",
"codecommit:List*",
"codedeploy:List*",
"codedeploy:Get*",
"codepipeline:ListPipelines",
"codestar:List*",
"codestar:Verify*",
"cognito-idp:List*",
"cognito-identity:ListIdentities",
"cognito-identity:ListIdentityPools",
"cognito-sync:ListDatasets",
"connect:List*",
"config:List*",
"config:Describe*",
"datapipeline:ListPipelines",
"datapipeline:DescribePipelines",
"datapipeline:GetAccountLimits",
"dax:DescribeClusters",
"dax:DescribeDefaultParameters",
"dax:DescribeEvents",
"dax:DescribeParameterGroups",
"dax:DescribeParameters",
"dax:DescribeSubnetGroups",
"dax:ListTags",
"devicefarm:List*",
"directconnect:Describe*",
"discovery:List*",
"dms:List*",
"ds:DescribeDirectories",
"dynamodb:DescribeBackup",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeGlobalTableSettings",
"dynamodb:DescribeLimits",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListBackups",
"dynamodb:ListGlobalTables",
"dynamodb:ListStreams",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeBundleTasks",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeConversionTasks",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeExportTasks",
"ec2:DescribeFlowLogs",
"ec2:DescribeHost*",
"ec2:DescribeIdentityIdFormat",
"ec2:DescribeIdFormat",
"ec2:DescribeImage*",
"ec2:DescribeImport*",
"ec2:DescribeInstance*",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeMovingAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeNetwork*",
"ec2:DescribePlacementGroups",
"ec2:DescribePrefixLists",
"ec2:DescribeRegions",
"ec2:DescribeReserved*",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshot*",
"ec2:DescribeSpot*",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolume*",
"ec2:DescribeVpc*",
"ec2:DescribeVpnGateways",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecs:List*",
"ecs:Describe*",
"elasticache:Describe*",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:ListAvailableSolutionStacks",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticfilesystem:DescribeFileSystems",
"elasticmapreduce:List*",
"elastictranscoder:List*",
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"firehose:List*",
"firehose:DescribeDeliveryStream",
"gamelift:List*",
"glacier:List*",
"greengrass:List*",
"iam:List*",
"iam:GetAccountSummary",
"iam:GetLoginProfile",
"importexport:ListJobs",
"inspector:List*",
"iot:List*",
"kinesis:ListStreams",
"kinesisanalytics:ListApplications",
"kms:ListKeys",
"lambda:List*",
"lex:GetBotAliases",
"lex:GetBotChannelAssociations",
"lex:GetBots",
"lex:GetBotVersions",
"lex:GetIntents",
"lex:GetIntentVersions",
"lex:GetSlotTypes",
"lex:GetSlotTypeVersions",
"lex:GetUtterancesView",
"lightsail:GetBlueprints",
"lightsail:GetBundles",
"lightsail:GetInstances",
"lightsail:GetInstanceSnapshots",
"lightsail:GetKeyPair",
"lightsail:GetRegions",
"lightsail:GetStaticIps",
"lightsail:IsVpcPeered",
"logs:Describe*",
"machinelearning:Describe*",
"mobilehub:ListAvailableFeatures",
"mobilehub:ListAvailableRegions",
"mobilehub:ListProjects",
"opsworks:Describe*",
"opsworks-cm:Describe*",
"organizations:List*",
"mobiletargeting:GetApplicationSettings",
"mobiletargeting:GetCampaigns",
"mobiletargeting:GetImportJobs",
"mobiletargeting:GetSegments",
"polly:Describe*",
"polly:List*",
"rds:Describe*",
"redshift:DescribeClusters",
"redshift:DescribeEvents",
"redshift:ViewQueriesInConsole",
"route53:List*",
"route53:Get*",
"route53domains:List*",
"route53resolver:Get*",
"route53resolver:List*",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sagemaker:Describe*",
"sagemaker:List*",
"sdb:List*",
"servicecatalog:List*",
"ses:List*",
"shield:List*",
"states:ListActivities",
"states:ListStateMachines",
"sns:List*",
"sqs:ListQueues",
"ssm:ListAssociations",
"ssm:ListDocuments",
"storagegateway:ListGateways",
"storagegateway:ListLocalDisks",
"storagegateway:ListVolumeRecoveryPoints",
"storagegateway:ListVolumes",
"swf:List*",
"trustedadvisor:Describe*",
"waf:List*",
"waf-regional:List*",
"wafv2:List*",
"workdocs:DescribeAvailableDirectories",
"workdocs:DescribeInstances",
"workmail:Describe*",
"workspaces:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
おわりに
かなり長文になってしまいましたが、つまづきやすい箇所は網羅できたかなと思います。にしてもIAMは複雑ですなぁ。
以上、現場よりDA事業本部春田(@haru_ta_kumi2)でした。
