1
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

AWS認証を社内のActive Direcoryと連携

Last updated at Posted at 2019-07-25

v0.7

ミッション

  • 社内Active DirecoryをAWS VPCと接続し、AWSマルチアカウント間の認証に利用する。
  • 社員の部署移動、退職時に社内AD設定変更のみで権限管理ができる。

社内 Domain Controler

AWS VPC

  • カスタマーゲートウェイ: 社内VPNと接続 AWSから社内サーバのプライベートIPに接続できる。
  • 社内VPN設定などは割愛

AWS Directory Service

  • Type: AD Connector

  • ID: d-xxxxxx

  • Connected directory

    • domain: acme.local
    • NetBIOS name: acme-dc
  • Access URL: acme-dc-aws3.awsapps.com

  • On-premises DNS Address: 192.168.1.2(社内DC)

  • Size: Small

  • Availability zones: ap-northeast-1b, ap-northeast-1c: vpc-xxxxxx

    • Subnets: subnet-xxxxxx1, subnet-xxxxxx2
  • AD Connector IP addresses: 10.0.3.xxx, 10.0.1.xxx

  • Connector account username: aws-ad-connector

  • アクセス: https://acme-dc-aws.awsapps.com/console

  • ADのグループとroleをマッチング

    • Enabled apps & services -> AWS Console Access
  • AWSカウント間のリンク方法は既存roleと同様

  • セッションタイムアウト調整: MAX12時間
    https://docs.aws.amazon.com/ja_jp/directoryservice/latest/admin-guide/ms_ad_management_console_access.html#console_session

    1. In the AWS Directory Service console navigation pane, choose Directories.
    2. On the Directories page, choose your directory ID.
    3. On the Directory details page, select the Application management tab.
    4. Under the AWS apps & services section, choose AWS
    5. Management Console.
    6. In the Manage Access to AWS Resource dialog box, choose Continue.
    7. In the Assign users and groups to IAM roles page, under Set login session length, edit the numbered value, and then choose Save.

IAM Role AWSアカウント間のスイッチロール

  • 各アカウントにて権限指定のロール作成
    • 例1. devadmin: 管理者グループ
    • 例2. devuser: 開発グループ
  • 信頼関係
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{123456789}:role/devadmin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2019-10-23 18.45.19 ap-northeast-1.console.aws.amazon.com afc0edefee91.png

#メモ
だいぶ楽になった・・・

1
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
1
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?