認可モデルとAWS Policyの整理

認可モデル

• 参考
  • https://dinolai.com/notes/others/authorization-models-acl-dac-mac-rbac-abac.html
  • https://www.imperva.com/learn/data-security/role-based-access-control-rbac/

ACL

• Subject can Action to Object
• イメージ
  • [subject: alice] can [action: create] to [object: article]

Role-Based Access Control

• Subject is a Role which has Permission of Action to Object
• イメージ
  • [role: manager] can [create:article, create:member]
  • [subject: bob] has [role: manager]

Attribute-Based Access Control

• ルールベース（ユーザ属性や環境など）
• Subject who is xxx can Action to Object which is xxx in Environment

AWS

RBAC

• 参考：
  • https://www.slideshare.net/AmazonWebServicesJapan/20150617-aws-blackbeltiam

ABAC

• リソースベースのPolicy
  • IAM Entity（アクセス主体）ではなく、リソースに対してPolicyをアタッチする
  • クロスアカウントのアクセス時に便利
  • https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_roles_compare-resource-policies.html
• tagによるABAC
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html