diff --git a/iam-workshop/README.md b/iam-workshop/README.md
index f7f601e..f2828cc 100644
--- a/iam-workshop/README.md
+++ b/iam-workshop/README.md
@@ -1,4 +1,87 @@ # [IAM Workshop](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US) ![overview](./img/overview.png) -tf + +## [IAM 사용자 및 사용자 그룹](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-user-and-user-group) + +### [IAM 사용자(User)](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-user-and-user-group/iam-user) + + +![iam-user](./img/iam-user.png) + +![iam-user-plural](./img/iam-user-plural.png) + +### [IAM 사용자 그룹(User Group)](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-user-and-user-group/iam-user-group) + +![iam-user-group](./img/iam-user-group.png) + +![iam-user-group-plural](./img/iam-user-group-plural.png) + +## [IAM 정책(Policy)](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-policies) + +![iam-policies.png](./img/iam-policies.png) + +권한을 제한하는 정책 (Guardrail) + +1. 조직 SCP 정책 (Organization SCPs) +2. 권한 경계 정책 (Permissions boundaries) +3. 세션 정책 (Session policies) + +권한을 부여하는 정책 (Grant) + +1. 자격증명 기반 정책 (Identity-based policies) + 1. AWS 관리형 정책 (AWS Managed policies): AWS에서 제공하는 글로벌 적용 가능 정책 + 2. 고객 관리형 정책 (Customer Managed policies): 고객이 직접 생성하여 고객 계정에서만 사용 가능한 정책 + 3. 인라인 정책 (In-line policies): 단일 사용자 그룹 역할에 직접 추가하는 정책 (재활용 불가) +2. 리소스 기반 정책 (Resource-based policies) +3. 
액세스 제어 리스트 (Access Control Lists, ACLs)
+
+### [자격증명 기반 정책(Identity-based policies)](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-policies/identity-based-policies)
+
+[**사용자 권한 추가 (AWS 관리형 정책)**](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-policies/identity-based-policies#(aws-))
+
+![aws-managed-policies](./img/aws-managed-policies.png)
+
+Super-Pro : AmazonEC2ReadOnlyAccess
+
+![aws-managed-policies-plural](./img/aws-managed-policies-plural.png)
+
+[**인라인 정책 (In-line policies)**](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-policies/identity-based-policies#(in-line-policies))
+
+![inline-policy](./img/inline-policy.png)
+
+![inline-policy-plural](./img/inline-policy-plural.png)
+
+[**권한 경계(Permissions boundaries)**](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-policies/permissions-boundaries)
+
+![permission-boundaries](./img/permission-boundaries.png)
+
+
+![permission-boundaries-plural](./img/permission-boundaries-plural.png)
+
+[**리소스 기반 정책(Resource-based policies)**](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-policies/resource-based-policies)
+
+![resource-based-policies](./img/resource-based-policies.png)
+
+![resource-based-policies-plural](./img/resource-based-policies-plural.png)
+
+## [IAM 역할(Role)](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-roles)
+
+주체(Principals):
+
+- 동일한 AWS 계정의 IAM 사용자
+- 역할과 다른 AWS 계정의 IAM 사용자
+- Amazon Elastic Compute Cloud(Amazon EC2)와 같은 AWS가 제공하는 웹 - 서비스
+- SAML 2.0, OpenID Connect 또는 사용자 지정 구축 자격 증명 브로커와 호환되는 외부 자격 증명 공급자(IdP) 서비스에 의해 인증된 외부 사용자
+
+### [역할 전환(Role Switch)](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-roles/role-switch)
+
+![role-switch](img/role-switch.png)
+
+![role-switch-plural](img/role-switch-plural.png)
+
+### [EC2 인스턴스에 Role 부여](https://catalog.us-east-1.prod.workshops.aws/workshops/dd23d392-bea4-483c-aefd-f62ed73f936d/en-US/iam-roles/ec2-instance-assumes-role)
+
+![ec2-role](img/ec2-role.png)
+
+![ec2-role-plural](img/ec2-role-plural.png)
diff --git a/iam-workshop/img/aws-managed-policies-plural.png b/iam-workshop/img/aws-managed-policies-plural.png
new file mode 100644
index 0000000..65f4be2
Binary files /dev/null and b/iam-workshop/img/aws-managed-policies-plural.png differ
diff --git a/iam-workshop/img/aws-managed-policies.png b/iam-workshop/img/aws-managed-policies.png
new file mode 100644
index 0000000..03f526a
Binary files /dev/null and b/iam-workshop/img/aws-managed-policies.png differ
diff --git a/iam-workshop/img/ec2-role-plural.png b/iam-workshop/img/ec2-role-plural.png
new file mode 100644
index 0000000..54f0e20
Binary files /dev/null and b/iam-workshop/img/ec2-role-plural.png differ
diff --git a/iam-workshop/img/ec2-role.png b/iam-workshop/img/ec2-role.png
new file mode 100644
index 0000000..9b99f57
Binary files /dev/null and b/iam-workshop/img/ec2-role.png differ
diff --git a/iam-workshop/img/iam-policies.png b/iam-workshop/img/iam-policies.png
new file mode 100644
index 0000000..26e263b
Binary files /dev/null and b/iam-workshop/img/iam-policies.png differ
diff --git a/iam-workshop/img/iam-user-group-plural.png b/iam-workshop/img/iam-user-group-plural.png
new file mode 100644
index 0000000..96b259f
Binary files /dev/null and b/iam-workshop/img/iam-user-group-plural.png differ
diff --git a/iam-workshop/img/iam-user-group.png b/iam-workshop/img/iam-user-group.png
new file mode 100644
index 0000000..198f62b
Binary files /dev/null and b/iam-workshop/img/iam-user-group.png differ
diff --git a/iam-workshop/img/iam-user-plural.png b/iam-workshop/img/iam-user-plural.png
new file mode 100644
index 0000000..a72ec57
Binary files /dev/null and b/iam-workshop/img/iam-user-plural.png differ
diff --git a/iam-workshop/img/iam-user.png b/iam-workshop/img/iam-user.png
new file mode 100644
index 0000000..559a1e3
Binary files /dev/null and b/iam-workshop/img/iam-user.png differ
diff --git a/iam-workshop/img/inline-policy-plural.png b/iam-workshop/img/inline-policy-plural.png
new file mode 100644
index 0000000..233d496
Binary files /dev/null and b/iam-workshop/img/inline-policy-plural.png differ
diff --git a/iam-workshop/img/inline-policy.png b/iam-workshop/img/inline-policy.png
new file mode 100644
index 0000000..f2169ee
Binary files /dev/null and b/iam-workshop/img/inline-policy.png differ
diff --git a/iam-workshop/img/permission-boundaries-plural.png b/iam-workshop/img/permission-boundaries-plural.png
new file mode 100644
index 0000000..2015ecf
Binary files /dev/null and b/iam-workshop/img/permission-boundaries-plural.png differ
diff --git a/iam-workshop/img/permission-boundaries.png b/iam-workshop/img/permission-boundaries.png
new file mode 100644
index 0000000..b77f055
Binary files /dev/null and b/iam-workshop/img/permission-boundaries.png differ
diff --git a/iam-workshop/img/resource-based-policies-plural.png b/iam-workshop/img/resource-based-policies-plural.png
new file mode 100644
index 0000000..78959fc
Binary files /dev/null and b/iam-workshop/img/resource-based-policies-plural.png differ
diff --git a/iam-workshop/img/resource-based-policies.png b/iam-workshop/img/resource-based-policies.png
new file mode 100644
index 0000000..5279a90
Binary files /dev/null and b/iam-workshop/img/resource-based-policies.png differ
diff --git a/iam-workshop/img/role-switch-plural.png b/iam-workshop/img/role-switch-plural.png
new file mode 100644
index 0000000..2d0427f
Binary files /dev/null and b/iam-workshop/img/role-switch-plural.png differ
diff --git a/iam-workshop/img/role-switch.png b/iam-workshop/img/role-switch.png
new file mode 100644
index 0000000..ec409c2
Binary files /dev/null and b/iam-workshop/img/role-switch.png differ
diff --git a/iam-workshop/main.tf b/iam-workshop/main.tf
index cc20bbe..ba27609 100644
--- a/iam-workshop/main.tf
+++ b/iam-workshop/main.tf
@@ -5,3 +5,178 @@ terraform {
 aws = "~> 5.24"
 }
 }
+
+data "aws_caller_identity" "current" {}
+
+locals {
+ iam_users = {
+ Dev-Intern = {
+ policy_arns = []
+ permissions_boundary = ""
+ },
+ Dev-Pro = {
+ policy_arns = []
+ permissions_boundary = ""
+ },
+ Super-Intern = {
+ policy_arns = []
+ permissions_boundary = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+ },
+ Super-Pro = {
+ policy_arns = [
+ "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+ ]
+ permissions_boundary = ""
+ }
+ }
+
+ # Group
+ iam_groups = {
+ Dev = {
+ users = ["Dev-Intern", "Dev-Pro"]
+ policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"]
+ },
+ Super = {
+ users = ["Super-Intern", "Super-Pro"]
+ policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+ }
+ }
+
+ s3_bucket_name_prefix = "builders-s3-"
+ s3_bucket_name = "${local.s3_bucket_name_prefix}${var.s3_bucket_name_suffix}"
+
+ inline_policy_name = "builders-inline"
+}
+
+module "iam_user" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-user"
+ version = "~> 5.30"
+
+ for_each = local.iam_users
+ name = each.key
+
+ create_iam_access_key = false
+ create_iam_user_login_profile = true
+ create_user = true
+
+ force_destroy = true
+
+ password_reset_required = false
+
+ policy_arns = each.value.policy_arns
+
+ permissions_boundary = each.value.permissions_boundary
+}
+
+module "iam_group_with_policies" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
+
+ for_each = local.iam_groups
+ name = each.key
+
+ group_users = each.value.users
+
+ custom_group_policy_arns = each.value.policy_arns
+
+ # IAM 사용자 자신과 그룹에 대한 권한을 제외한 대부분 서비스 권한을 제한
+ # https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/submodules/iam-group-with-policies#input_attach_iam_self_management_policy
+ attach_iam_self_management_policy = false
+}
+
+# Caveat: 워크샵처럼 Super-Pro IAM 사용자로서 만들지 않음
+# 워크샵에선 Super-Pro 는 AWS Management Console에서 직접 생성
+# Super-Pro 권한으로 만들려면 Acces key 생성을 활성화하고 alias provider로 생성할 수도 있을 것
+# (하지만 그렇게하면 access key를 만들지 않는 워크샵 내용과 달라짐)
+module "super_pro_ec2_create" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 5.5"
+
+ name = "Super-Pro-EC2-Create"
+
+ instance_type = "t2.micro"
+
+ create_iam_instance_profile = true
+
+ iam_role_name = "builders-s3-read-only"
+ iam_role_policies = {
+ s3_read = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+ }
+}
+
+module "builders_s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "~> 3.15"
+
+ bucket = local.s3_bucket_name
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+
+ attach_policy = true
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "Statement1"
+ Principal = {
+ AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Dev-Intern"
+ }
+ Effect = "Allow"
+ Action = "s3:*"
+ Resource = "${module.builders_s3_bucket.s3_bucket_arn}/*"
+ }
+ ]
+ })
+}
+
+# aws_iam_user_policy 리소스를 사용; 인라인 정책은 모듈이 없다
+resource "aws_iam_user_policy" "builders_inline" {
+ name = local.inline_policy_name
+ user = module.iam_user["Dev-Intern"].iam_user_name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "VisualEditor0"
+ Effect = "Allow"
+ Action = [
+ "s3:ListAllMyBuckets",
+ "s3:ListBucket"
+ ]
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+module "iam_assumable_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "~> 5.30"
+
+ # STSAssumeRole
+ create_custom_role_trust_policy = true
+ custom_role_trust_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AllowAssumeRole"
+ Effect = "Allow"
+ Action = "sts:AssumeRole"
+ Principal = {
+ AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Dev-Pro"
+ }
+ },
+ ]
+ })
+
+ # 위임 받은 Role
+ create_role = true
+ custom_role_policy_arns = [
+ "arn:aws:iam::aws:policy/AdministratorAccess"
+ ]
+ role_name = "builders-role"
+ role_requires_mfa = false
+}
diff --git a/iam-workshop/policy.json b/iam-workshop/policy.json
new file mode 100644
index 0000000..7f80922
--- /dev/null
+++ b/iam-workshop/policy.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAllMyBuckets",
+ "s3:ListBucket"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/iam-workshop/variables.tf b/iam-workshop/variables.tf
new file mode 100644
index 0000000..3816812
--- /dev/null
+++ b/iam-workshop/variables.tf
@@ -0,0 +1,5 @@
+variable "s3_bucket_name_suffix" {
+ type = string
+ default = "flavono123"
+ description = "Your name would be suffix of S3 bucket name"
+}
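Review bot: The `builders_s3_bucket` call switches off all four S3 public-access-block settings (`block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets` = `false`) while the attached bucket policy only grants the account-local `Dev-Intern` user, so nothing in this hunk needs public access; delete those four lines and leave the module defaults, which block public access but do not interfere with an IAM-principal bucket policy. That policy also reads `module.builders_s3_bucket.s3_bucket_arn` from inside the same module call, which Terraform will most likely reject as a dependency cycle — `Resource = "arn:aws:s3:::${local.s3_bucket_name}/*"` expresses the same ARN without the self-reference. In `iam_assumable_role`, `AdministratorAccess` is reachable by `Dev-Pro` through an unconditioned trust policy with `role_requires_mfa = false`; for a role-switch demo that works, but `role_requires_mfa = true` is the safer default for an admin role and only costs an MFA device on the user. `iam_group_with_policies` is the one module call with no `version` while its sibling IAM module calls pin `~> 5.30`; add `version = "~> 5.30"` so a registry release cannot change group wiring on `terraform init -upgrade`.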
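Review bot: policy.json duplicates the statement that main.tf already inlines through `jsonencode` in `aws_iam_user_policy.builders_inline`, and nothing in this commit reads the file, so the two copies will drift. Either drop the file or make the resource load it, `policy = file("${path.module}/policy.json")`, so there is a single source of truth. Separately, `s3:ListBucket` on `"Resource": "*"` lists every bucket in the account; if the intent is only the workshop bucket, `arn:aws:s3:::builders-s3-<suffix>` would scope it (`s3:ListAllMyBuckets` genuinely needs `*`), though the intended scope is not stated in the hunk.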
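Review bot: `s3_bucket_name_suffix` defaults to the author's own handle, `"flavono123"`, so anyone applying this without `-var` will try to create `builders-s3-flavono123`, which fails once that globally unique bucket name exists; since the description says the suffix is the operator's name, remove the `default` so Terraform prompts for it. A `validation` block, e.g. `condition = can(regex("^[a-z0-9-]{1,40}$", var.s3_bucket_name_suffix))`, would also keep the composed name inside S3's lowercase/length rules instead of failing at apply time.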