æ¬ããã°ã¯ 2026 幎 6 æ 24 æ¥ã«å
¬éããã AWS Blog â Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs â ã翻蚳ãããã®ã§ãã Amazon Web Services (AWS) 㯠2026 幎 6 æ 16 æ¥ã«ã ãªãœãŒã¹ããŒã¹ããªã·ãŒ ãš ãªãœãŒã¹ã³ã³ãããŒã«ããªã·ãŒ (RCP) ã AWS ãµã€ã³ã€ã³ ã§ãµããŒãããããšãçºè¡šããŸããããªãœãŒã¹ããŒã¹ããªã·ãŒãš RCP ã䜿çšãããšã AWS ãããžã¡ã³ãã³ã³ãœãŒã« ãžã®ãµã€ã³ã€ã³ãš aws login CLI ã»ãã·ã§ã³ãžã®ã¢ã¯ã»ã¹ããæ³å®ãããããã¯ãŒã¯ããªã³ãã¬ãã¹ã®ããŒã¿ã»ã³ã¿ãŒãããã¯ãŒã¯ãããã³ã客æ§ã® Amazon Virtual Private Cloud (Amazon VPC) ããã®ãªã¯ãšã¹ãã«å¶éã§ããŸãã ãµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒãš RCP ã¯ãããã€ãã®ã»ãã¥ãªãã£ç®æšã«å¯Ÿå¿ããŸããå
·äœçã«ã¯ãã³ã³ãœãŒã«ãµã€ã³ã€ã³ãäŒæ¥ãããã¯ãŒã¯ã«å¶éããããšãã³ã³ãœãŒã«ã«ãµã€ã³ã€ã³ã§ããããªã³ã·ãã«ãéå®ããããšããã㊠AWS Organizations ã®çµç¹å
šäœã«ããã£ãŠäžè²«ãã ãããã¯ãŒã¯å¢çå¶åŸ¡ ãé©çšããããšã§ãã ãã®èšäºã§ã¯ãäžè¬çãªãŠãŒã¹ã±ãŒã¹ãåãäžããŸããèŠå¶ã³ã³ãã©ã€ã¢ã³ã¹ã®ããã«ãããéèãµãŒãã¹äŒæ¥ãã³ã³ãœãŒã«ã¢ã¯ã»ã¹ãäŒæ¥ãããã¯ãŒã¯ã«å¶éãããšããã±ãŒã¹ã§ããåäžã¢ã«ãŠã³ãã«å¯ŸããŠãµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒã䜿çšããŠãããå®è£
ããæ¹æ³ã AWS CloudTrail ã§å¶åŸ¡ãæ€èšŒããæ¹æ³ããããŠãããã®ããªã·ãŒã AWS Management Console Private Access ãããåºç¯ãª AWS ããŒã¿å¢çãã¬ãŒã ã¯ãŒã¯ ãšã©ã®ããã«çµ±åããããã説æããŸãã ã³ã³ãœãŒã«ãµã€ã³ã€ã³ã¢ã¯ã»ã¹ãäŒæ¥ãããã¯ãŒã¯ã«å¶éãã ããéèãµãŒãã¹äŒæ¥ãã AWS ãããžã¡ã³ãã³ã³ãœãŒã« ãžã®ãµã€ã³ã€ã³ãäŒæ¥ãããã¯ãŒã¯ããè¡ãããšãæ±ããŠãããšããŸãããã®äŒæ¥ã«ã¯æ¬¡ã®èŠä»¶ããããŸãã ãŠãŒã¶ãŒã¯ãäŒæ¥ VPNããªãã£ã¹ãããã¯ãŒã¯ããŸãã¯ã客æ§ã® VPC ããã®ã¿ã³ã³ãœãŒã«ã«ãµã€ã³ã€ã³ãã å人ãããã¯ãŒã¯ãå
¬è¡ Wi-Fiããã®ä»ã®æ³å®å€ã®å Žæããã®ãµã€ã³ã€ã³è©Šè¡ã¯æåŠããªããã°ãªããªã ããã¯ã¢ãŠããé²ããããæå®ããããªã³ã·ãã«ã¯ã©ã®ãããã¯ãŒã¯ããã§ãã¢ã¯ã»ã¹ãä¿æã§ããããã«ãã ã³ã³ãã©ã€ã¢ã³ã¹ã®èšŒè·¡ãšããŠããã¹ãŠã®ãµã€ã³ã€ã³è©Šè¡ (èš±å¯ããã³æåŠ) ã CloudTrail ã«èšé²ããªããã°ãªããªã 以äžã®ã¹ãããã§ã¯ãåäžã¢ã«ãŠã³ãã§ãããã®èŠä»¶ãé©çšãããªãœãŒã¹ããŒã¹ããªã·ãŒãäœæããæ¹æ³ã玹ä»ããŸãã åææ¡ä»¶ AWS Command Line Interface (AWS CLI) ãææ°ããŒãžã§ã³ã§ã€ã³ã¹ããŒã«ãããèšå®ãããŠããããš ãµã€ã³ã€ã³ã®ãªãœãŒã¹ããªã·ãŒã管çããæš©éãAWS ãããŒãžãããªã·ãŒã® AWSSignInResourcePolicyManagement ãã¢ã¿ããããããåããªã³ã·ãã«ã«æ¬¡ã®ã¢ã¯ã·ã§ã³ãžã®æš©éãä»äžããŸãã ãªãœãŒã¹èš±å¯ã¹ããŒãã¡ã³ãã®ç®¡ç: signin:PutResourcePermissionStatement , signin:DeleteResourcePermissionStatement , signin:ListResourcePermissionStatements , signin:GetResourcePolicy. ã³ã³ãœãŒã«èªå¯ã®ç®¡ç: signin:PutConsoleAuthorizationConfiguration , signin:GetConsoleAuthorizationConfiguration , signin:DeleteConsoleAuthorizationConfiguration ç¹å®ã®äŒæ¥ãããã¯ãŒã¯: IP CIDR ç¯å²ãŸã㯠VPC ID é€å€ããæå®ããªã³ã·ãã«ã® Amazon ãªãœãŒã¹ããŒã (ARN)ãããã«ããããããã¯ãŒã¯æ¡ä»¶ãå€ãã£ãŠãã¢ã¯ã»ã¹ãä¿æã§ããŸã 泚: AWS ãµã€ã³ã€ã³ã¢ã¯ã·ã§ã³ã®å®å
šãªãªã¹ãã«ã€ããŠã¯ããµãŒãã¹èªå¯ãªãã¡ã¬ã³ã¹ã® AWS Signin ã®ã¢ã¯ã·ã§ã³ããªãœãŒã¹ãããã³æ¡ä»¶ã㌠ãåç
§ããŠãã ããã ã¹ããã 1: ãªãœãŒã¹èš±å¯ã¹ããŒãã¡ã³ããäœæãã ã»ãšãã©ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒã§ã¯ãäœæè
ãããªã·ãŒããã¥ã¡ã³ãå
šäœ (JSON ã¹ããŒãã¡ã³ã) ãå
¥åããå¿
èŠããããŸãããµã€ã³ã€ã³ã®ãªãœãŒã¹èš±å¯ã¹ããŒãã¡ã³ãã¯ç°ãªããŸãããã©ã¡ãŒã¿ãæå®ãããšãAWS ãµã€ã³ã€ã³ãããªã·ãŒãçæããŸãã æ¬¡ã®ã³ãã³ãã§ã¯ãäŒæ¥ IP ç¯å²ãVPCãé€å€ããªã³ã·ãã«ããã©ã¡ãŒã¿ãšããŠæå®ããŸããAWS ãµã€ã³ã€ã³ã¯ãããã®ãã©ã¡ãŒã¿ã䜿çšããŠãã³ã³ãœãŒã«ãµã€ã³ã€ã³ããããã®ãããã¯ãŒã¯ã«å¶éãã€ã€ãé€å€ããªã³ã·ãã«ãã©ã®ãããã¯ãŒã¯ããã§ããµã€ã³ã€ã³ã§ããããã«ããããªã·ãŒãçæããŸããã客æ§ãå¶åŸ¡ããã®ã¯ãã©ã¡ãŒã¿ã®å€ã§ãããããªã·ãŒã®æ§é ã§ã¯ãããŸãããçæãããããªã·ãŒã¯ã get-resource-policy ã³ãã³ãã§ãã€ã§ã確èªã§ããŸãã æ³š: ãªãœãŒã¹èš±å¯ã¹ããŒãã¡ã³ãã¯ãã¹ããã 2 ã§ã³ã³ãœãŒã«èªå¯ãæå¹ã«ãããŸã§å¹æãçºæ®ããŸããããã®ããã广ãçºçããåã«å®å
šãªããªã·ãŒã確èªã§ããŸãããªããæžãèŸŒã¿æäœã¯ us-east-1 ã察象ã«ããå¿
èŠããããŸãã ãªãœãŒã¹èš±å¯ã¹ããŒãã¡ã³ããäœæããã«ã¯ãæ¬¡ã®æé ãå®è¡ããŸãã 1. ã¿ãŒããã«ãéããææ°ã® AWS CLI ãã€ã³ã¹ããŒã«ãããŠããããšã確èªããŸãã 2. 次ã®ã³ãã³ããå®è¡ãããã¬ãŒã¹ãã«ããŒå€ <my-vpc> ã <my-vpc-region> ã <my-corporate-cidr> ã <excluded-IAM-principal-arn> ããã客æ§ã®å
·äœçãªèšå®ã«çœ®ãæããŸãã aws signin put-resource-permission-statement \ --source-vpc <my-vpc> \ --requested-region <my-vpc-region> \ --source-ip <my-corporate-cidr> \ --excluded-principal <excluded-IAM-principal-arn> \ --region us-east-1 3. åºåã« statementId ãããããšã確èªããŠãã³ãã³ããæåãããæ€èšŒããŸãã åºåäŸ: { "statementId":"b2HfHli9qCF1P4eGNll13CrZtusXlcPxxVBqz2aYLjlAcWtWQHP6Hg0" } 4. get-resource-policy ã³ãã³ããå®è¡ããŠãå®å
šãªãªãœãŒã¹ããŒã¹ããªã·ãŒã確èªããŸãã aws signin get-resource-policy åºåäŸ: { "signinResourceBasedPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "DENY", "Principal": {"AWS": "*"}, "Action": ["signin:Authenticate"], "Resource": "*", "Condition": { "ArnNotEquals": {"signin:PrincipalArn": ["<excluded-IAM-principal-arn>"]}, "NotIpAddress": {"aws:SourceIp": ["<my-corporate-cidr>"]}, "StringEquals": {"aws:ResourceAccount": ["<account-id>"]}, "StringNotEquals": {"aws:SourceVpc": ["<my-vpc>"]} } }, { "Effect": "DENY", "Principal": {"AWS": "*"}, "Action": ["signin:CreateOAuth2Token", "signin:AuthorizeOAuth2Access"], "Resource": "*", "Condition": { "ArnNotEquals": {"aws:PrincipalArn": ["<excluded-IAM-principal-arn>"]}, "NotIpAddress": {"aws:SourceIp": ["<my-corporate-cidr>"]}, "StringEquals": {"aws:ResourceAccount": ["<account-id>"]}, "StringNotEquals": {"aws:SourceVpc": ["<my-vpc>"]} } }, { "Effect": "DENY", "Principal": {"AWS": "*"}, "Action": ["signin:Authenticate"], "Resource": "*", "Condition": { "ArnNotEquals": {"signin:PrincipalArn": ["<excluded-IAM-principal-arn>"]}, "StringEquals": {"aws:SourceVpc": ["<my-vpc>"]}, "StringNotEquals": {"aws:RequestedRegion": ["<my-vpc-region>"]} } }, { "Effect": "DENY", "Principal": {"AWS": "*"}, "Action": ["signin:CreateOAuth2Token", "signin:AuthorizeOAuth2Access"], "Resource": "*", "Condition": { "ArnNotEquals": {"aws:PrincipalArn": ["<excluded-IAM-principal-arn>"]}, "StringEquals": {"aws:SourceVpc": ["<my-vpc>"]}, "StringNotEquals": {"aws:RequestedRegion": ["<my-vpc-region>"]} } } ] } } çæãããããªã·ãŒã«ã¯ 4 ã€ã®ã¹ããŒãã¡ã³ããå«ãŸãã2 ã€ã®ãã¢ã«ã°ã«ãŒãåãããŠããŸããæåã®ãã¢ã¯ãããã¯ãŒã¯ãœãŒã¹ã«ãã£ãŠã¢ã¯ã»ã¹ãå¶éããäŒæ¥ IP ç¯å² (<my-corporate-cidr>) ãŸã㯠VPC (<my-vpc>) ã®å€éšãããªã¯ãšã¹ããè¡ãããªã³ã·ãã«ãæåŠããŸãã2 çªç®ã®ãã¢ã¯ãVPC ãã¿ãŒã²ããã«ã§ãã AWS ãªãŒãžã§ã³ãå¶éãã <my-vpc> ããçºä¿¡ããããªã¯ãšã¹ããã <my-vpc-region> ã«åãããããã®ã§ãªãéãæåŠããŸãããã®ãªãŒãžã§ã³ãžã®ãã€ã³ãã£ã³ã°ãå¿
èŠãªã®ã¯ãVPC ID ãåäžãªãŒãžã§ã³å
ã§ã®ã¿äžæã§ããããã§ãã AWS ãµã€ã³ã€ã³ã¯ãããã®ããªã·ãŒã 2 ã€ã®ãã§ãŒãºãã€ãŸãèªèšŒåãšèªèšŒåŸã§è©äŸ¡ããŸããèªèšŒåŸã®è©äŸ¡ã¯ãã³ã³ãœãŒã«ã»ãã·ã§ã³ãæ°ããèªèšŒæ
å ±ããªã¯ãšã¹ããããã³ã«ç¹°ãè¿ãããŸããåãã¢ã®äžã§ã1 ã€ã®ã¹ããŒãã¡ã³ãã¯èªèšŒåãã§ãŒãºãã«ããŒãããã 1 ã€ã¯èªèšŒåŸãã§ãŒãºãã«ããŒããŸãã èªèšŒåã®ã¹ããŒãã¡ã³ã㯠signin:Authenticate ã¢ã¯ã·ã§ã³ãè©äŸ¡ããŸãããã®ãã§ãŒãºã§ã¯ããªã³ã·ãã«ããŸã èªèšŒãããŠããªããããã¹ããŒãã¡ã³ã㯠signin:PrincipalArn æ¡ä»¶ããŒã䜿çšããŠé€å€ããªã³ã·ãã«ãå
é€ããŸãããã®ããŒã¯ãã¹ãŠã®ããªã³ã·ãã«ã¿ã€ã (ã«ãŒããŠãŒã¶ãŒã AWS Identity and Access Management (IAM) ãŠãŒã¶ãŒããã§ãã¬ãŒã·ã§ã³ãŠãŒã¶ãŒãããŒã«) ããµããŒãããŸãã èªèšŒåŸã®ã¹ããŒãã¡ã³ã㯠signin:AuthorizeOAuth2Access ããã³ signin:CreateOAuth2Token ã¢ã¯ã·ã§ã³ãè©äŸ¡ããŸããAWS ãµã€ã³ã€ã³ã¯ãã³ã³ãœãŒã«ã»ãã·ã§ã³ã確ç«ããããŒã¯ã³ãçºè¡ããèªèšŒåŸã«ããããã®ã¢ã¯ã·ã§ã³ãè©äŸ¡ããŸãããããã®ã¢ã¯ã·ã§ã³ã¯ signin:PrincipalArn ããŒããµããŒãããŸããã代ããã«ãèªèšŒæžã¿ã®ããªã³ã·ãã«ã«è§£æ±ºããã aws:PrincipalArn ã䜿çšããŸãã aws:ResourceAccount ã®å€ã¯åä¿¡åŽã®ã¢ã«ãŠã³ã ID ã§ããAWS ãµã€ã³ã€ã³ãåŒã³åºãå
ã®èªèšŒæ
å ±ããèªåçã«ååŸãããããã客æ§ãèªåã§èšå®ããå¿
èŠã¯ãããŸããããµããŒããããã¢ã¯ã·ã§ã³ãšæ¡ä»¶ããŒã®å®å
šãªãªã¹ã (åãã§ãŒãºãšåããªã³ã·ãã«ã¿ã€ãã«ã©ã®ããŒãé©çšãããããå«ã) ã«ã€ããŠã¯ã Controlling console access with resource-based policies and resource control policies ããã³ AWS Sign-In condition keys reference ãåç
§ããŠãã ããã ã¹ããã 2: ã¢ã«ãŠã³ãã®ãµã€ã³ã€ã³ããªã·ãŒé©çšãæå¹ã«ãã ãã®ã¹ãããã§ã¯ãã¹ããã 1 ã§äœæããããªã·ãŒã®é©çšãæå¹ã«ããŸãããã®ã¹ããããå®è¡ãããŸã§ãã¹ããã 1 ã§äœæãããªãœãŒã¹èš±å¯ã¹ããŒãã¡ã³ãã¯å¹æãçºæ®ããŸããã 5. 次ã®ã³ãã³ãã䜿çšããŠããµã€ã³ã€ã³ããªã·ãŒã®é©çšãæå¹ã«ããŸãã aws signin put-console-authorization-configuration \ --target-id <account-id> \ --region us-east-1 6. åºåã« "consoleAuthorizationEnabled": true ãããããšã確èªããŠãã³ãã³ããæåãããæ€èšŒããŸãã åºåäŸ: { "Output": { "consoleAuthorizationEnabled": true, "scope": "ACCOUNT", "targetId": "<account-id>" } } 7. 以äžã®ããã« get-console-authorization-configuration ã³ãã³ããå®è¡ããŠãèšå®ãæ€èšŒããããšãã§ããŸãã aws signin get-console-authorization-configuration \ --target-id <account-id> \ --region us-east-1 8. é©çšãç¡å¹ã«ãããåå¥ã®ã¹ããŒãã¡ã³ããåé€ãããããã«ã¯ã delete-console-authorization-configuration ãŸã㯠delete-resource-permission-statement ã䜿çšããŸãã詳现ã«ã€ããŠã¯ã AWS ãµã€ã³ã€ã³ ãŠãŒã¶ãŒã¬ã€ã ã® Controlling console access with resource-based policies and resource control policies ãåç
§ããŠãã ããã å®è£
ã®æ€èšŒ é©çšãæå¹ã«ãªã£ãã®ã§ããµã€ã³ã€ã³è©Šè¡ã¯ãªãœãŒã¹ããŒã¹ããªã·ãŒã«ç
§ãããŠè©äŸ¡ãããŸããããŸããŸãªãããã¯ãŒã¯æ¡ä»¶ãããµã€ã³ã€ã³ããã¹ãããŠãåäœãæ€èšŒããŸãããã ã·ããªãª 1: äŒæ¥ãããã¯ãŒã¯ããã®èš±å¯ããããµã€ã³ã€ã³ èš±å¯ãããäŒæ¥ IP ç¯å²ãŸã㯠VPC ãããµã€ã³ã€ã³ããããªã³ã·ãã«ã¯ãæ£åžžã«ãµã€ã³ã€ã³ã§ããŸãã CloudTrail ã€ãã³ã ã«ã¯ ConsoleLogin:Success ã衚瀺ãããŸãã ã³ã³ãœãŒã«ãµã€ã³ã€ã³æåæã® CloudTrail ã€ãã³ã詳现ã®äŸ: { "userIdentity": { "type": "AssumedRole", "principalId": "AROAEXAMPLEID:Dev1", "arn": "arn:aws:sts::123456789123:assumed-role/Developer/Dev1", "accountId": "123456789123" }, "eventTime": "2026-06-09T19:20:38Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.100", "responseElements": { "ConsoleLogin": "Success" }, "eventID": "dd004e78-6447-4f56-8d2d-a795da66f598", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789123", "eventCategory": "Management" } ã·ããªãª 2: æ³å®å€ã®ãããã¯ãŒã¯ããã®æåŠããããµã€ã³ã€ã³ èš±å¯ããã IP ã¢ãã¬ã¹ç¯å²ããŸãã¯ãœãŒã¹ VPC ã«ã¢ã¿ããããã VPC ãšã³ããã€ã³ã以å€ã®ãããã¯ãŒã¯ãããµã€ã³ã€ã³ããããªã³ã·ãã«ã¯ãããã¯ãããŸããCloudTrail ã€ãã³ãã«ã¯ ConsoleLogin: Failure ã衚瀺ãããæåŠã®åå ãšãªã£ãããªã·ãŒãç¹å®ãããšã©ãŒã¡ãã»ãŒãžãå«ãŸããŸãã ã³ã³ãœãŒã«ãµã€ã³ã€ã³å€±ææã® CloudTrail ã€ãã³ã詳现ã®äŸ: { "userIdentity": { "type": "IAMUser", "accountId": "123456789123", "accessKeyId": "", "userName": "Dev1" }, "eventTime": "2026-06-09T19:20:38Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.76", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36", "errorCode": "AccessDenied", "errorMessage": "Authorization denied because of a resource-based policy", "requestParameters": null, "responseElements": { "ConsoleLogin": "Failure" }, "eventID": "d88a7543-ae89-4186-b1b6-d3116413f2ee", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "123456789123", "eventCategory": "Management" } ãšã©ãŒã¡ãã»ãŒãžãã£ãŒã«ãã«ã¯ãæåŠã®åå ãšãªã£ãããªã·ãŒã¿ã€ãã衚瀺ãããŸãã "Authorization denied because of a resource-based policy" (ãªãœãŒã¹ããŒã¹ããªã·ãŒã«ããèªå¯ãæåŠãããŸãã)ã RCP ã«ããå€§èŠæš¡å±é äžèšã®ã¹ãããã§ã¯ããµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒãåäžã¢ã«ãŠã³ãã«é©çšããŸãã倿°ã®ã¢ã«ãŠã³ãã管çããçµç¹ã«ãšã£ãŠã¯ãRCP ãããåªããæ¹æ³ã§ããRCP 㯠AWS Organizations ã®çµç¹ãOUããŸãã¯ã¢ã«ãŠã³ãã¬ãã«ã§ã¢ã¿ããã§ãã察象ç¯å²å
ã®ãã¹ãŠã®ã¢ã«ãŠã³ãã«èªåçã«é©çšãããŸããRCP ã®äŸã«ã€ããŠã¯ã ãã¡ã ãåç
§ããŠãã ããã RCP ã«ãã£ãŠã³ã³ãœãŒã«ãžã®ãµã€ã³ã€ã³ãæåŠãããå Žåããšã©ãŒã¡ãã»ãŒãžãã£ãŒã«ãã«ã¯æåŠã "Authorization denied because of a resource control policy" (ãªãœãŒã¹ã³ã³ãããŒã«ããªã·ãŒã«ããèªå¯ãæåŠãããŸãã) ãšè¡šç€ºãããŸãã Console Private Access ãšããŒã¿å¢çã«ããæ¡åŒµ äœæãããµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒã¯ãã©ã®ãããã¯ãŒã¯ãã客æ§ã®ã¢ã«ãŠã³ãã®ãµã€ã³ã€ã³ãããŒã«å°éã§ããããå¶åŸ¡ããŸãã AWS Management Console Private Access ã¯è£å®çãªå¶åŸ¡ã远å ããŸããå
·äœçã«ã¯ãã客æ§ã®ãããã¯ãŒã¯å
ãããã³ã³ãœãŒã«ã¢ã¯ã»ã¹ãæ¢ç¥ã® AWS ã¢ã«ãŠã³ãã®ã»ããã«éå®ããæ³å®å€ã® AWS ã¢ã«ãŠã³ããžã®ãµã€ã³ã€ã³ãé²ããŸãã ãããã®æ©èœãçµã¿åãããããšã§ãã³ã³ãœãŒã«ã¢ã¯ã»ã¹ã®ããŒã¿å¢çã®åœ¢æã«åœ¹ç«ã¡ãŸãã ãããã¯ãŒã¯å¢ç: ãµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒãš RCP ã¯ãã³ã³ãœãŒã«ãµã€ã³ã€ã³ãæ³å®ãããããã¯ãŒã¯ (äŒæ¥ IP ç¯å²ãVPC) ã«å¶éããŸã ã¢ã€ãã³ãã£ãã£å¢ç: ãµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒãš RCP ã¯ãä¿¡é Œã§ããã¢ã€ãã³ãã£ãã£ã®ã¿ãã³ã³ãœãŒã«ã«ãµã€ã³ã€ã³ã§ããããšãä¿èšŒããŸããã³ã³ãœãŒã« VPC ãšã³ããã€ã³ãããªã·ãŒãšãµã€ã³ã€ã³ VPC ãšã³ããã€ã³ãããªã·ãŒã¯ãä¿¡é Œã§ããã¢ã€ãã³ãã£ãã£ã®ã¿ãã客æ§ã® VPC ããã³ã³ãœãŒã«ã䜿çšã§ããããšãä¿èšŒããŸã ãªãœãŒã¹å¢ç: ãµã€ã³ã€ã³ VPC ãšã³ããã€ã³ãããªã·ãŒãšã³ã³ãœãŒã« VPC ãšã³ããã€ã³ãããªã·ãŒã¯ãã客æ§ã®ãããã¯ãŒã¯ããã©ã® AWS ã¢ã«ãŠã³ãã«å°éã§ããããå¶éããŸã ãã®èšäºã®å¶åŸ¡ã¯ã³ã³ãœãŒã«ã¢ã¯ã»ã¹ã«çŠç¹ãåœãŠãŠããŸãããããã®å¢çãä»ã® AWS ãµãŒãã¹ãããåºç¯ãªå®è£
ã·ããªãªã«æ¡åŒµããã«ã¯ã Data perimeter policy examples ãªããžããªãš Data Perimeters Blog Post Series ãåç
§ããŠãã ããã ãŸãšã ãµã€ã³ã€ã³ã®ãªãœãŒã¹ããŒã¹ããªã·ãŒãš RCP ã䜿çšããããšã§ãAWS ãããžã¡ã³ãã³ã³ãœãŒã«ãžã®ã¢ã¯ã»ã¹ãæ³å®ãããããã¯ãŒã¯ã«å¶éã§ããŸãããããã®å¶åŸ¡ã¯ããã¹ãŠã® AWS åçšãªãŒãžã§ã³ã§è¿œå æéãªãã§å©çšã§ããŸãã 䜿ãå§ããã«ã¯ã AWS ãµã€ã³ã€ã³ ãŠãŒã¶ãŒã¬ã€ã ãåç
§ããŠãã ãããçµç¹å
šäœã§ã®é©çšã«ã€ããŠã¯ãAWS Organizations ãŠãŒã¶ãŒã¬ã€ãã® Resource control policies ãåç
§ããŠãã ããã Swara Gandhi Swara Gandhi ã¯ãAWS Identity Solutions ããŒã ã®ã·ãã¢ãœãªã¥ãŒã·ã§ã³ã¢ãŒããã¯ãã§ããå®å
šã§ã¹ã±ãŒã©ãã«ãªãšã³ãããŒãšã³ãã®ã¢ã€ãã³ãã£ãã£ãœãªã¥ãŒã·ã§ã³ã®æ§ç¯ã«åãçµãã§ããŸããã¢ã€ãã³ãã£ãã£ãã»ãã¥ãªãã£ãã¯ã©ãŠãã«é¢ããããããããšã«æ
ç±ã泚ãã§ããŸãã Rishi Tripathy Rishi ã¯ãAWS Identity and Access Management (IAM) ããŒã ã®ããªã³ã·ãã«ãããã¯ããããŒãžã£ãŒã§ããäŒæ¥ãå€§èŠæš¡ã« AWS ç°å¢ãä¿è·ããã®ã«åœ¹ç«ã€ã¢ã¯ã»ã¹å¶åŸ¡ã¡ã«ããºã ã«çŠç¹ãåœãŠãŠããŸããå°å
¥ãç°¡åã§èª€èšå®ãã«ããã»ãã¥ãªãã£ããªããã£ãã®æ§ç¯ã«æ
ç±ã泚ãã§ããŸãã æ¬ããã°ã¯ Security Solutions Architect ã® äžå³¶ ç« å ã翻蚳ããŸããã