
IAM and CLI

TechRybbit 2024. 1. 11. 16:49

📌 What is IAM?

IAM (Identity & Access Management) is the AWS feature that controls access to AWS services and resources.
 
When an IAM identity accesses a service, the request goes through the AWS API and passes two steps: authentication and authorization.
Authentication: verifying that the caller is who it claims to be, using the account password or access keys.
Authorization: verifying that the policies attached to that identity allow the requested action.

📌 IAM components

  • AWS root account: holds every permission in the account (it cannot be restricted by IAM policies)
  • IAM user: holds a subset of permissions so it can perform specific tasks
  • IAM group: a collection of IAM users; only users can be members of a group
  • IAM policy: a JSON document recording the permissions of an IAM user or IAM group
  • IAM role: grants permissions to an AWS service rather than to an IAM user or group → EC2 Instance Role

📌 IAM characteristics

  • IAM is a global service (no region needs to be selected).
  • An IAM user can belong to multiple user groups.
  • An IAM user does not have to belong to any group.
  • An IAM user group can contain only IAM users (a group cannot contain another group).
  • Grant IAM users only the minimum permissions they need (least privilege).
 

📌 IAM policies

A JSON document that records the permissions of an IAM user or IAM group.
 
  • Group policy: an IAM policy reaches the IAM user through the group the user belongs to
  • Inline policy: an IAM policy attached directly to the IAM user
  • A policy statement is built from Sid, Effect, Principal, Action, Resource and Condition.

IAM policy structure (important)

  • Version
  • Id (optional)
  • Statement (required)
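The Version / Id / Statement layout and the statement elements listed above can be checked mechanically. The Python below is an added example written for this post, not an AWS tool and not code from the original: it lints a policy document for the required elements and flags the pattern that most often breaks the least-privilege rule, an Allow on Action "*" over Resource "*". The three sample policies, the bucket name example-reports, the CIDR 203.0.113.0/24 and the Id value are constructed for the example.

```python
import json

# Values accepted by the IAM policy grammar for the elements this post names.
# (Added, illustrative linter: it covers only the elements discussed above.)
POLICY_VERSIONS = {"2012-10-17", "2008-10-17"}
EFFECTS = {"Allow", "Deny"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list:
    """Return a list of findings; an empty list means every check passed.

    Structural checks follow the Version / Id / Statement layout; the last
    check flags a full-admin statement (Allow, Action "*", Resource "*").
    """
    findings = []
    policy = json.loads(policy_json)

    if policy.get("Version") not in POLICY_VERSIONS:
        findings.append(f"Version: expected one of {sorted(POLICY_VERSIONS)}, "
                        f"got {policy.get('Version')!r}")

    if "Statement" not in policy:
        return findings + ["Statement: required element is missing"]

    # Statement may be a single object or a list of objects.
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]

    for i, stmt in enumerate(statements):
        label = stmt.get("Sid") or f"statement[{i}]"
        unknown = set(stmt) - STATEMENT_KEYS
        if unknown:
            findings.append(f"{label}: unknown element(s) {sorted(unknown)}")
        if stmt.get("Effect") not in EFFECTS:
            findings.append(f"{label}: Effect must be Allow or Deny")
        if not ("Action" in stmt or "NotAction" in stmt):
            findings.append(f"{label}: Action or NotAction is required")
        # Identity-based policies (users, groups, roles) name a Resource;
        # resource-based and role trust policies name a Principal instead.
        has_resource = "Resource" in stmt or "NotResource" in stmt
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if not (has_resource or has_principal):
            findings.append(f"{label}: needs Resource (identity policy) "
                            f"or Principal (resource/trust policy)")

        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append(f"{label}: Allow on Action '*' over Resource '*' "
                            f"is full admin; violates least privilege")
    return findings


# Constructed sample policies (not from the post).
# 1. Least-privilege identity policy: read one bucket, only from one CIDR.
READ_ONE_BUCKET = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-read-reports",
    "Statement": [{
        "Sid": "ReadReportsBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# 2. Trust policy of an EC2 instance role: a Principal, no Resource.
EC2_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"Service": "ec2.amazonaws.com"},
                  "Action": "sts:AssumeRole"},
})

# 3. Syntactically valid but grants everything.
TOO_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
})

# 4. Malformed: wrong Effect casing and no Resource or Principal.
MALFORMED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "allow", "Action": "s3:*"}],
})

if __name__ == "__main__":
    for name, doc in [("READ_ONE_BUCKET", READ_ONE_BUCKET), ("EC2_TRUST", EC2_TRUST),
                      ("TOO_BROAD", TOO_BROAD), ("MALFORMED", MALFORMED)]:
        print(name, lint_policy(doc) or "OK")
```

The trust-policy sample is the shape behind the "EC2 Instance Role" bullet earlier: the role's own policy says what it may do, while this document says who may assume it.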
 

📌 Three ways to access AWS

  • AWS Management Console: protected by password + MFA
  • AWS Command Line Interface (CLI): protected by access keys
  • AWS Software Development Kit (SDK), used from code: protected by access keys
 

📌 IAM security

  • Password policy
  • MFA (Multi-Factor Authentication)
 

📌 IAM security tools

  • IAM Credential Report (account-level)
  • IAM Access Advisor (user-level)

📌 IAM best practices

  • Create one IAM user per person
  • Don't use the root account except for AWS account setup
  • Don't share AWS account credentials
  • Use multi-factor authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for programmatic access (CLI / SDK)
  • Audit the permissions in your account using the IAM Credential Report and IAM Access Advisor
  • Never share IAM users and Access Keys
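The account-level IAM Credential Report from the security-tools section is the input for the audit item in the list above. The Python below is an added example, not an AWS tool and not code from the original post: it reads a credential report CSV and flags the findings the best practices call out (a root account with an active access key, a console password without MFA, access keys past a rotation age or active but never used). The report rows, the user names, the account ID 123456789012 and the 90-day rotation limit are constructed for the example; a real report is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`, and carries more columns than the trimmed sample here.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential report (not from the post), trimmed to the columns the
# checks read. A real report has one row per IAM user plus the "<root_account>"
# row, and uses "N/A" / "not_supported" / "no_information" as placeholders.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2022-01-10T09:00:00+00:00,2023-12-20T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2023-11-15T09:00:00+00:00,2024-01-09T07:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-03-01T09:00:00+00:00,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2023-12-28T09:00:00+00:00,2024-01-10T06:00:00+00:00,true,2023-06-01T09:00:00+00:00,2023-09-01T06:00:00+00:00
"""

# Fixed "now" (the post's own date) so the day counts are reproducible.
TODAY = datetime(2024, 1, 11, 16, 49, tzinfo=timezone.utc)


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp from the report; None for placeholders like N/A."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None


def audit_credential_report(csv_text, now=TODAY, max_key_age_days=90):
    """Map each user that has problems to its list of findings, in report order."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        issues = []
        active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]

        # Root is for account setup only; it should have no long-term keys at all.
        if user == "<root_account>" and active_keys:
            issues.append("root account has an active access key")

        # Console access (password) must be paired with MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password enabled without MFA")

        # Programmatic access keys: rotate on schedule, and drop keys nobody uses.
        for n in active_keys:
            key = f"access_key_{n}"
            age = _age_days(row[f"{key}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                issues.append(f"{key} is {age} days old (limit {max_key_age_days})")
            if _age_days(row[f"{key}_last_used_date"], now) is None:
                issues.append(f"{key} is active but has never been used")

        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Access Advisor is the complement at user level: the credential report says which credentials exist and how they are protected, while Access Advisor shows which services those credentials actually used, which is what the least-privilege trimming needs.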

 

 
 

References

  • AWS textbook
  • [udemy] AWS Certified Solutions Architect Associate 시험합격! (Korean-language course; "Pass the exam!")