{"id":2382,"date":"2025-03-24T08:47:32","date_gmt":"2025-03-23T23:47:32","guid":{"rendered":"https:\/\/dexall.co.jp\/articles\/?p=2382"},"modified":"2025-03-24T08:47:55","modified_gmt":"2025-03-23T23:47:55","slug":"%e3%80%90%e4%bf%9d%e5%ad%98%e7%89%88%e3%80%91aws-cli%e3%81%a7mfa%e8%aa%8d%e8%a8%bc%e3%82%92%e5%b0%8e%e5%85%a5%e3%81%99%e3%82%8b%e6%96%b9%e6%b3%95%e3%81%a8%e8%87%aa%e5%8b%95%e5%8c%96%e3%83%86%e3%82%af","status":"publish","type":"post","link":"https:\/\/dexall.co.jp\/articles\/?p=2382","title":{"rendered":"\u3010\u4fdd\u5b58\u7248\u3011AWS CLI\u3067MFA\u8a8d\u8a3c\u3092\u5c0e\u5165\u3059\u308b\u65b9\u6cd5\u3068\u81ea\u52d5\u5316\u30c6\u30af\u30cb\u30c3\u30af\u5b8c\u5168\u30ac\u30a4\u30c92024"},"content":{"rendered":"\n<div class=\"toc\"><br \/>\n<b>Warning<\/b>:  Undefined array key \"is_admin\" in <b>\/home\/xs392991\/dexall.co.jp\/public_html\/articles\/wp-content\/themes\/sango-theme\/library\/gutenberg\/dist\/classes\/Toc.php<\/b> on line <b>116<\/b><br \/>\n<br \/>\n<b>Warning<\/b>:  Undefined array key \"is_category_top\" in <b>\/home\/xs392991\/dexall.co.jp\/public_html\/articles\/wp-content\/themes\/sango-theme\/library\/gutenberg\/dist\/classes\/Toc.php<\/b> on line <b>121<\/b><br \/>\n<br \/>\n<b>Warning<\/b>:  Undefined array key \"is_top\" in <b>\/home\/xs392991\/dexall.co.jp\/public_html\/articles\/wp-content\/themes\/sango-theme\/library\/gutenberg\/dist\/classes\/Toc.php<\/b> on line <b>128<\/b><br \/>\n    <div id=\"toc_container\" class=\"sgb-toc--bullets js-smooth-scroll\" data-dialog-title=\"\u76ee\u6b21\">\n      <p class=\"toc_title\">\u76ee\u6b21 <\/p>\n      <ul class=\"toc_list\">  <li class=\"first\">    <a href=\"#i-0\">AWS CLI\u3067\u306eMFA\u8a8d\u8a3c\u304c\u5fc5\u8981\u306a\u7406\u7531<\/a>    <ul class=\"menu_level_1\">      <li class=\"first\">        <a 
href=\"#i-1\">\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u306e80%\u304c\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u95a2\u9023\u3068\u3044\u3046\u4e8b\u5b9f<\/a>      <\/li>      <li class=\"last\">        <a href=\"#i-2\">MFA\u5c0e\u5165\u3067\u5f97\u3089\u308c\u308b3\u3064\u306e\u91cd\u8981\u306a\u30e1\u30ea\u30c3\u30c8<\/a>      <\/li>    <\/ul>  <\/li>  <li>    <a href=\"#i-3\">AWS CLI\u3067\u306eMFA\u8a8d\u8a3c\u8a2d\u5b9a\u624b\u9806<\/a>    <ul class=\"menu_level_1\">      <li class=\"first\">        <a href=\"#i-4\">IAM\u30e6\u30fc\u30b6\u30fc\u3078\u306eMFA\u30c7\u30d0\u30a4\u30b9\u306e\u767b\u9332\u65b9\u6cd5<\/a>      <\/li>      <li>        <a href=\"#i-5\">aws configure\u7d4c\u7531\u3067\u306eMFA\u8a2d\u5b9a\u65b9\u6cd5<\/a>      <\/li>      <li class=\"last\">        <a href=\"#i-6\">\u74b0\u5883\u5909\u6570\u3092\u4f7f\u7528\u3057\u305fMFA\u30c8\u30fc\u30af\u30f3\u7ba1\u7406\u30c6\u30af\u30cb\u30c3\u30af<\/a>      <\/li>    <\/ul>  <\/li>  <li>    <a href=\"#i-7\">AWS CLI MFA\u904b\u7528\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9<\/a>    <ul class=\"menu_level_1\">      <li class=\"first\">        <a href=\"#i-8\">\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u3092\u4f7f\u7528\u3057\u305f\u52b9\u7387\u7684\u306aMFA\u8a8d\u8a3c<\/a>      <\/li>      <li>        <a href=\"#i-9\">\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u5207\u308a\u66ff\u3048\u306b\u3088\u308b\u67d4\u8edf\u306aMFA\u7ba1\u7406<\/a>      <\/li>      <li class=\"last\">        <a href=\"#i-10\">\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3088\u308bMFA\u8a8d\u8a3c\u306e\u81ea\u52d5\u5316<\/a>      <\/li>    <\/ul>  <\/li>  <li>    <a href=\"#i-11\">AWS CLI MFA\u306e\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0<\/a>    <ul class=\"menu_level_1\">      <li class=\"first\">        <a href=\"#i-12\">\u3088\u304f\u3042\u308b\u8a8d\u8a3c\u30a8\u30e9\u30fc\u3068\u305d\u306e\u89e3\u6c7a\u65b9\u6cd5<\/a>      <\/li>      
<li>        <a href=\"#i-13\">MFA\u30c8\u30fc\u30af\u30f3\u6709\u52b9\u671f\u9650\u5207\u308c\u306e\u5bfe\u51e6\u6cd5<\/a>      <\/li>      <li class=\"last\">        <a href=\"#i-14\">CI\/CD\u74b0\u5883\u3067\u306eMFA\u904b\u7528\u30ce\u30a6\u30cf\u30a6<\/a>      <\/li>    <\/ul>  <\/li>  <li class=\"last\">    <a href=\"#i-15\">AWS CLI MFA\u306e\u5fdc\u7528\u7684\u306a\u4f7f\u3044\u65b9<\/a>    <ul class=\"menu_level_1\">      <li class=\"first\">        <a href=\"#i-16\">\u8907\u6570AWS\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u306eMFA\u8a8d\u8a3c\u7ba1\u7406<\/a>      <\/li>      <li>        <a href=\"#i-17\">AWS SDK\u3068MFA\u8a8d\u8a3c\u306e\u9023\u643a\u65b9\u6cd5<\/a>      <\/li>      <li class=\"last\">        <a href=\"#i-18\">\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u67fb\u306b\u5bfe\u5fdc\u3057\u305fMFA\u30ed\u30b0\u7ba1\u7406<\/a>      <\/li>    <\/ul>  <\/li><\/ul>\n      <a href=\"#\" class=\"sgb-toc-button js-toc-button\" rel=\"nofollow\" data-open-dialog=\"true\"><i class=\"fa fa-list\"><\/i><span class=\"sgb-toc-button__text\">\u76ee\u6b21\u3078<\/span><\/a>\n    <\/div><\/div><h2 class=\"wp-block-heading\" id=\"i-0\">AWS CLI\u3067\u306eMFA\u8a8d\u8a3c\u304c\u5fc5\u8981\u306a\u7406\u7531<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-1\">\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u306e80%\u304c\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u95a2\u9023\u3068\u3044\u3046\u4e8b\u5b9f<\/h3>\n\n\n\n<p>AWS\u74b0\u5883\u306b\u304a\u3051\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u306e\u5b9f\u306b80%\u4ee5\u4e0a\u304c\u3001\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u306e\u6f0f\u6d29\u3084\u4e0d\u9069\u5207\u306a\u7ba1\u7406\u306b\u8d77\u56e0\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u6570\u5b57\u306f\u3001AWS Security Hub 
\u306e\u7d71\u8a08\u30c7\u30fc\u30bf\u304c\u793a\u3059\u885d\u6483\u7684\u306a\u4e8b\u5b9f\u3067\u3059\u3002<\/p>\n\n\n\n<p>\u7279\u306b\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u72b6\u6cc1\u3067\u3001\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u306f\u5371\u967a\u306b\u3055\u3089\u3055\u308c\u3084\u3059\u304f\u306a\u3063\u3066\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GitHub\u306a\u3069\u306e\u30d1\u30d6\u30ea\u30c3\u30af\u30ea\u30dd\u30b8\u30c8\u30ea\u3078\u306e\u8aa4\u30b3\u30df\u30c3\u30c8<\/li>\n\n\n\n<li>\u958b\u767a\u74b0\u5883\u3067\u306e\u5e73\u6587\u3067\u306e\u4fdd\u5b58<\/li>\n\n\n\n<li>\u9000\u8077\u8005\u306e\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u306e\u672a\u5931\u52b9<\/li>\n\n\n\n<li>\u5171\u6709\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u306e\u7ba1\u7406\u4e0d\u5099<\/li>\n<\/ul>\n\n\n\n<p>\u5b9f\u969b\u306e\u4e8b\u4f8b\u3068\u3057\u3066\u30012024\u5e74\u521d\u982d\u306b\u306f\u5927\u624b\u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u4f01\u696d\u3067AWS CLI\u306e\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u304c\u6d41\u51fa\u3057\u3001\u6570\u6642\u9593\u3067\u6570\u767e\u4e07\u5186\u76f8\u5f53\u306e\u4e0d\u6b63\u5229\u7528\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u4e8b\u4ef6\u3067\u306f\u3001MFA\u8a8d\u8a3c\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308c\u3070\u9632\u3052\u305f\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-2\">MFA\u5c0e\u5165\u3067\u5f97\u3089\u308c\u308b3\u3064\u306e\u91cd\u8981\u306a\u30e1\u30ea\u30c3\u30c8<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u6f0f\u6d29\u6642\u306e\u8ffd\u52a0\u9632\u5fa1\u5c64<\/strong><\/li>\n<\/ol>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u304c\u6f0f\u6d29\u3057\u3066\u3082\u3001MFA\u30c8\u30fc\u30af\u30f3\u304c\u306a\u3044\u9650\u308a\u4f7f\u7528\u4e0d\u53ef\u80fd<\/li>\n\n\n\n<li>\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u306e\u691c\u77e5\u307e\u3067\u306e\u6642\u9593\u7684\u4f59\u88d5\u3092\u78ba\u4fdd<\/li>\n\n\n\n<li>\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u767a\u751f\u6642\u306e\u88ab\u5bb3\u3092\u6700\u5c0f\u9650\u306b\u6291\u5236<\/li>\n<\/ul>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u8981\u4ef6\u3078\u306e\u9069\u5408<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SOC2\u3084ISO27001\u306a\u3069\u306e\u8a8d\u8a3c\u53d6\u5f97\u8981\u4ef6\u3092\u30af\u30ea\u30a2<\/li>\n\n\n\n<li>\u91d1\u878d\u6a5f\u95a2\u3084\u30d8\u30eb\u30b9\u30b1\u30a2\u696d\u754c\u306e\u53b3\u683c\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u57fa\u6e96\u306b\u5bfe\u5fdc<\/li>\n\n\n\n<li>\u76e3\u67fb\u6642\u306e\u8a3c\u8de1\u3068\u3057\u3066\u6d3b\u7528\u53ef\u80fd<\/li>\n<\/ul>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u7d44\u7e54\u5168\u4f53\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ec\u30d9\u30eb\u5411\u4e0a<\/strong><\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u306e\u7d71\u4e00\u7684\u306a\u9069\u7528\u304c\u53ef\u80fd<\/li>\n\n\n\n<li>\u30a2\u30af\u30bb\u30b9\u7ba1\u7406\u306e\u53ef\u8996\u5316\u3068\u76e3\u8996\u306e\u52b9\u7387\u5316<\/li>\n\n\n\n<li>\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u30ec\u30b9\u30dd\u30f3\u30b9\u306e\u8fc5\u901f\u5316<\/li>\n<\/ul>\n\n\n\n<p>AWS 
CLI\u3067\u306eMFA\u8a8d\u8a3c\u306f\u3001\u5358\u306a\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u65bd\u7b56\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u4ee5\u4e0b\u306e\u89b3\u70b9\u304b\u3089\u3082\u3001\u73fe\u4ee3\u306e\u30af\u30e9\u30a6\u30c9\u904b\u7528\u306b\u304a\u3044\u3066\u5fc5\u9808\u306e\u8981\u7d20\u3068\u306a\u3063\u3066\u3044\u307e\u3059\uff1a<\/p>\n\n\n<div id=\"id-ac76d24a-49c2-4ae9-85f7-a0d36cfc14cc\">\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u89b3\u70b9<\/th><th>MFA\u5c0e\u5165\u524d<\/th><th>MFA\u5c0e\u5165\u5f8c<\/th><\/tr><\/thead><tbody><tr><td>\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ec\u30d9\u30eb<\/td><td>\u5358\u4e00\u8981\u7d20\u8a8d\u8a3c\u306e\u307f<\/td><td>\u8907\u6570\u8981\u7d20\u306b\u3088\u308b\u591a\u5c64\u9632\u5fa1<\/td><\/tr><tr><td>\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9<\/td><td>\u57fa\u672c\u8981\u4ef6\u306e\u307f\u5bfe\u5fdc<\/td><td>\u9ad8\u5ea6\u306a\u8981\u4ef6\u306b\u3082\u5bfe\u5fdc\u53ef\u80fd<\/td><\/tr><tr><td>\u904b\u7528\u8ca0\u8377<\/td><td>\u500b\u5225\u5bfe\u5fdc\u304c\u5fc5\u8981<\/td><td>\u7d71\u4e00\u7684\u306a\u7ba1\u7406\u304c\u53ef\u80fd<\/td><\/tr><tr><td>\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u5bfe\u5fdc<\/td><td>\u4e8b\u5f8c\u5bfe\u5fdc\u4e2d\u5fc3<\/td><td>\u4e88\u9632\u3068\u65e9\u671f\u767a\u898b\u304c\u53ef\u80fd<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n<p>\u3053\u306e\u3088\u3046\u306b\u3001AWS CLI\u3067\u306eMFA\u8a8d\u8a3c\u5c0e\u5165\u306f\u3001\u73fe\u4ee3\u306e\u30af\u30e9\u30a6\u30c9\u74b0\u5883\u306b\u304a\u3044\u3066\u4e0d\u53ef\u6b20\u306a\u9078\u629e\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u6b21\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u5177\u4f53\u7684\u306a\u8a2d\u5b9a\u624b\u9806\u306b\u3064\u3044\u3066\u89e3\u8aac\u3057\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"i-3\">AWS CLI\u3067\u306eMFA\u8a8d\u8a3c\u8a2d\u5b9a\u624b\u9806<\/h2>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"i-4\">IAM\u30e6\u30fc\u30b6\u30fc\u3078\u306eMFA\u30c7\u30d0\u30a4\u30b9\u306e\u767b\u9332\u65b9\u6cd5<\/h3>\n\n\n\n<p>AWS CLI\u3067MFA\u8a8d\u8a3c\u3092\u4f7f\u7528\u3059\u308b\u305f\u3081\u306e\u7b2c\u4e00\u6b69\u306f\u3001IAM\u30e6\u30fc\u30b6\u30fc\u3078\u306eMFA\u30c7\u30d0\u30a4\u30b9\u306e\u767b\u9332\u3067\u3059\u3002\u4ee5\u4e0b\u306e\u624b\u9806\u3067\u8a2d\u5b9a\u3092\u884c\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>MFA\u30c7\u30d0\u30a4\u30b9\u306e\u4f5c\u6210<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u4eee\u60f3MFA\u30c7\u30d0\u30a4\u30b9\u3092\u4f5c\u6210\naws iam create-virtual-mfa-device \\\n    --virtual-mfa-device-name MyMFADevice \\\n    --outfile QRCode.png \\\n    --bootstrap-method QRCodePNG<\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>MFA\u30c7\u30d0\u30a4\u30b9\u306eIAM\u30e6\u30fc\u30b6\u30fc\u3078\u306e\u95a2\u9023\u4ed8\u3051<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Google Authenticator\u306a\u3069\u306eMFA\u30a2\u30d7\u30ea\u3067\u8868\u793a\u3055\u308c\u305f\u9023\u7d9a\u3059\u308b2\u3064\u306e\u8a8d\u8a3c\u30b3\u30fc\u30c9\u3092\u4f7f\u7528\naws iam enable-mfa-device \\\n    --user-name your-username \\\n    --serial-number arn:aws:iam::123456789012:mfa\/MyMFADevice \\\n    --authentication-code1 123456 \\\n    --authentication-code2 
789012<\/pre>\n\n\n\n<p>\u3053\u306e\u64cd\u4f5c\u306b\u3088\u308a\u3001QR\u30b3\u30fc\u30c9\u304c\u751f\u6210\u3055\u308c\u3001\u30b9\u30de\u30fc\u30c8\u30d5\u30a9\u30f3\u306eGoogle Authenticator\u306a\u3069\u306eMFA\u30a2\u30d7\u30ea\u3067\u8aad\u307f\u53d6\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n<p>なお、<code>--outfile<\/code> で書き出した <code>QRCode.png<\/code> にはTOTPのシークレット（シード）がそのまま含まれています。アプリへの登録が完了したら必ず削除し（<code>rm QRCode.png<\/code>）、共有ドライブやリポジトリに置かないでください。<code>create-virtual-mfa-device<\/code> だけ実行して <code>enable-mfa-device<\/code> を行わなかった場合は未割り当ての仮想MFAデバイスが残るので、<code>aws iam delete-virtual-mfa-device<\/code> で削除しておきます。<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-5\">aws configure\u7d4c\u7531\u3067\u306eMFA\u8a2d\u5b9a\u65b9\u6cd5<\/h3>\n\n\n\n<p>MFA\u30c7\u30d0\u30a4\u30b9\u3092\u767b\u9332\u3057\u305f\u5f8c\u3001AWS CLI\u306e\u8a2d\u5b9a\u3092\u884c\u3044\u307e\u3059\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u57fa\u672c\u7684\u306a\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u8a2d\u5b9a<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u901a\u5e38\u306e\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u8a2d\u5b9a\naws configure\nAWS Access Key ID [None]: AKIAXXXXXXXXXXXXXXXX\nAWS Secret Access Key [None]: your-secret-key\nDefault region name [None]: ap-northeast-1\nDefault output format [None]: json<\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>MFA\u7528\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306e\u4f5c\u6210<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># ~\/.aws\/config\u30d5\u30a1\u30a4\u30eb\u306b\u4ee5\u4e0b\u3092\u8ffd\u52a0\n[profile mfa]\nsource_profile = default\nmfa_serial = arn:aws:iam::123456789012:mfa\/MyMFADevice<\/pre>\n\n\n\n<p>注意: AWS CLI が <code>mfa_serial<\/code> を参照するのは、<code>role_arn<\/code> を指定したロール引き受け（AssumeRole）のときだけです。上の例のように <code>role_arn<\/code> がないプロファイルでは MFA コードは要求されません（このプロファイル自体に認証情報の設定もないため、通常は認証情報が見つからないエラーになります）。IAM ユーザー自身の操作を MFA で保護したい場合は、次節の <code>sts get-session-token<\/code> で一時認証情報を取得するか、<code>role_arn<\/code> を追加してロール経由の構成に切り替えてください。<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"i-6\">\u74b0\u5883\u5909\u6570\u3092\u4f7f\u7528\u3057\u305fMFA\u30c8\u30fc\u30af\u30f3\u7ba1\u7406\u30c6\u30af\u30cb\u30c3\u30af<\/h3>\n\n\n\n<p>MFA\u30c8\u30fc\u30af\u30f3\u3092\u52b9\u7387\u7684\u306b\u7ba1\u7406\u3059\u308b\u305f\u3081\u3001\u74b0\u5883\u5909\u6570\u3092\u6d3b\u7528\u3057\u307e\u3059\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u306e\u53d6\u5f97<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># MFA\u30c8\u30fc\u30af\u30f3\u3092\u4f7f\u7528\u3057\u3066\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\naws sts get-session-token \\\n    --serial-number arn:aws:iam::123456789012:mfa\/MyMFADevice \\\n    --token-code 123456<\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>\u74b0\u5883\u5909\u6570\u306e\u8a2d\u5b9a<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u53d6\u5f97\u3057\u305f\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u3092\u74b0\u5883\u5909\u6570\u306b\u8a2d\u5b9a\nexport AWS_ACCESS_KEY_ID=\"ASIAXXXXXXXXXXXXXXXX\"\nexport AWS_SECRET_ACCESS_KEY=\"temporary-secret-key\"\nexport AWS_SESSION_TOKEN=\"temporary-session-token\"<\/pre>\n\n\n\n<p>\u3053\u308c\u3089\u306e\u8a2d\u5b9a\u3092<code>.bashrc<\/code>\u3084<code>.zshrc<\/code>\u306b\u8ffd\u52a0\u3059\u308b\u3053\u3068\u3067\u3001\u74b0\u5883\u5909\u6570\u306e\u6c38\u7d9a\u5316\u3082\u53ef\u80fd\u3067\u3059\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" 
data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># MFA\u8a8d\u8a3c\u7528\u306e\u95a2\u6570\u3092\u5b9a\u7fa9\nfunction aws-mfa() {\n    if [ $# -ne 1 ]; then\n        echo \"Usage: aws-mfa &lt;MFA-TOKEN&gt;\"\n        return 1\n    fi\n\n    # \u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u306e\u53d6\u5f97\u3068\u74b0\u5883\u5909\u6570\u306e\u8a2d\u5b9a\u3092\u81ea\u52d5\u5316\n    local token_output=$(aws sts get-session-token \\\n        --serial-number arn:aws:iam::123456789012:mfa\/MyMFADevice \\\n        --token-code $1)\n\n    export AWS_ACCESS_KEY_ID=$(echo $token_output | jq -r .Credentials.AccessKeyId)\n    export AWS_SECRET_ACCESS_KEY=$(echo $token_output | jq -r .Credentials.SecretAccessKey)\n    export AWS_SESSION_TOKEN=$(echo $token_output | jq -r .Credentials.SessionToken)\n\n    echo \"MFA\u8a8d\u8a3c\u304c\u5b8c\u4e86\u3057\u307e\u3057\u305f\u3002\u30bb\u30c3\u30b7\u30e7\u30f3\u306f12\u6642\u9593\u6709\u52b9\u3067\u3059\u3002\"\n}<\/pre>\n\n\n\n<p>\u8a2d\u5b9a\u6642\u306e\u6ce8\u610f\u70b9\uff1a<\/p>\n\n\n<div id=\"id-0403b691-b756-463c-bd29-e9b94f036c39\">\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u9805\u76ee<\/th><th>\u78ba\u8a8d\u30dd\u30a4\u30f3\u30c8<\/th><th>\u5bfe\u51e6\u65b9\u6cd5<\/th><\/tr><\/thead><tbody><tr><td>MFA\u30c7\u30d0\u30a4\u30b9ARN<\/td><td>\u6b63\u78ba\u306a\u30a2\u30ab\u30a6\u30f3\u30c8ID\u3068\u30c7\u30d0\u30a4\u30b9\u540d<\/td><td>AWS Console 
\u3067\u78ba\u8a8d<\/td><\/tr><tr><td>\u30a2\u30af\u30bb\u30b9\u6a29\u9650<\/td><td>\u5fc5\u8981\u6700\u5c0f\u9650\u306e\u6a29\u9650\u8a2d\u5b9a<\/td><td>IAM\u30dd\u30ea\u30b7\u30fc\u3092\u898b\u76f4\u3057<\/td><\/tr><tr><td>\u30c8\u30fc\u30af\u30f3\u6709\u52b9\u671f\u9650<\/td><td>\u30c7\u30d5\u30a9\u30eb\u30c812\u6642\u9593<\/td><td>\u5fc5\u8981\u306b\u5fdc\u3058\u3066\u8abf\u6574<\/td><\/tr><tr><td>\u74b0\u5883\u5909\u6570\u306e\u7af6\u5408<\/td><td>\u4ed6\u306eAWS\u8a2d\u5b9a\u3068\u306e\u5e72\u6e09<\/td><td>\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u5206\u96e2<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n<p>ここまでの手順はクライアント側の設定であり、これだけでは AWS CLI が MFA を「要求」するようにはなりません。MFA を必須にするのは IAM 側のポリシーです。IAM ユーザー（またはグループ）のポリシーに、<code>aws:MultiFactorAuthPresent<\/code> が真でないリクエストを拒否する Deny 文（例: <code>\"Condition\": {\"BoolIfExists\": {\"aws:MultiFactorAuthPresent\": \"false\"}}<\/code>）を付けて初めて、MFA なしの長期アクセスキーでは操作できなくなり、<code>get-session-token<\/code> やロール引き受けで得た MFA 付きの一時認証情報だけが通るようになります。このとき、MFA デバイスの登録や <code>sts:GetSessionToken<\/code> 自体まで拒否してしまわないよう、Deny 文は <code>NotAction<\/code> でそれらを除外しておきます。次のセクションでは、この設定を基にした効率的な運用方法について解説します。<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"i-7\">AWS CLI MFA\u904b\u7528\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-8\">\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u3092\u4f7f\u7528\u3057\u305f\u52b9\u7387\u7684\u306aMFA\u8a8d\u8a3c<\/h3>\n\n\n\n<p>\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u3092\u6d3b\u7528\u3059\u308b\u3053\u3068\u3067\u3001MFA\u8a8d\u8a3c\u306e\u983b\u5ea6\u3092\u9069\u5207\u306b\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3057\u306a\u304c\u3089\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3092\u7dad\u6301\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n<p><strong>1. 
\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u53d6\u5f97\u306e\u81ea\u52d5\u5316\u30b9\u30af\u30ea\u30d7\u30c8<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\nimport boto3\nimport json\nimport os\nimport argparse\nfrom datetime import datetime, timezone\n\ndef get_session_token(mfa_token, device_arn):\n    \"\"\"\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3057\u3001\u74b0\u5883\u5909\u6570\u7528\u306e\u5f62\u5f0f\u3067\u51fa\u529b\"\"\"\n    try:\n        sts_client = boto3.client('sts')\n        response = sts_client.get_session_token(\n            SerialNumber=device_arn,\n            TokenCode=mfa_token,\n            DurationSeconds=43200  # 12\u6642\u9593\n        )\n\n        # \u8a8d\u8a3c\u60c5\u5831\u3092\u74b0\u5883\u5909\u6570\u5f62\u5f0f\u3067\u51fa\u529b\n        creds = response['Credentials']\n        print(f\"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}\")\n        print(f\"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}\")\n        print(f\"export AWS_SESSION_TOKEN={creds['SessionToken']}\")\n        print(f\"# Token expires at: {creds['Expiration']}\")\n\n    except Exception as e:\n        print(f\"Error: {str(e)}\", file=sys.stderr)\n        sys.exit(1)\n\nif __name__ == \"__main__\":\n    parser = argparse.ArgumentParser(description='AWS MFA\u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u53d6\u5f97')\n    parser.add_argument('token', help='MFA\u30c8\u30fc\u30af\u30f3\u30b3\u30fc\u30c9')\n    parser.add_argument('--device', help='MFA\u30c7\u30d0\u30a4\u30b9ARN',\n                      default=os.getenv('AWS_MFA_DEVICE_ARN'))\n    args = parser.parse_args()\n\n    get_session_token(args.token, 
args.device)<\/pre>\n\n\n\n<p><strong>\u4f7f\u7528\u65b9\u6cd5\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5b9f\u884c\u3057\u3066\u30b7\u30a7\u30eb\u306b\u74b0\u5883\u5909\u6570\u3092\u8a2d\u5b9a\n$ eval $(.\/get_session_token.py 123456)<\/pre>\n\n\n\n<p>上記スクリプトは <code>sys.stderr<\/code> と <code>sys.exit<\/code> を使っているため、冒頭に <code>import sys<\/code> を追加してください（このままでは例外処理の中で <code>NameError<\/code> になります）。また <code>eval<\/code> はスクリプトの標準出力をそのままシェルで実行するので、標準出力を <code>tee<\/code> やログファイルにリダイレクトしないこと、エラーメッセージは標準エラー出力に出すという前提を崩さないことに注意してください。<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-9\">\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u5207\u308a\u66ff\u3048\u306b\u3088\u308b\u67d4\u8edf\u306aMFA\u7ba1\u7406<\/h3>\n\n\n\n<p>\u8907\u6570\u306e\u74b0\u5883\u3084\u6a29\u9650\u30ec\u30d9\u30eb\u3092\u4f7f\u3044\u5206\u3051\u308b\u5834\u5408\u3001AWS\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u6d3b\u7528\u3057\u305f\u7ba1\u7406\u304c\u52b9\u679c\u7684\u3067\u3059\u3002<\/p>\n\n\n\n<p><strong>1. \u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u8a2d\u5b9a\u4f8b<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># ~\/.aws\/config\n[profile dev-mfa]\nsource_profile = default\nmfa_serial = arn:aws:iam::123456789012:mfa\/DevMFADevice\nregion = ap-northeast-1\n\n[profile prod-mfa]\nsource_profile = default\nmfa_serial = arn:aws:iam::123456789012:mfa\/ProdMFADevice\nregion = ap-northeast-1\nrole_arn = arn:aws:iam::987654321098:role\/ProductionAccess<\/pre>\n\n\n\n<p><code>prod-mfa<\/code> のように <code>role_arn<\/code> があるプロファイルでは、CLI がロール引き受け時に MFA コードの入力を求めます（ロールの信頼ポリシー側でも <code>aws:MultiFactorAuthPresent<\/code> を条件にしておくと、MFA なしの引き受けを拒否できます）。一方 <code>dev-mfa<\/code> には <code>role_arn<\/code> がないため <code>mfa_serial<\/code> は参照されず、MFA は要求されません。開発環境も保護したい場合は、開発用ロールを用意して <code>role_arn<\/code> を追加するか、前節の <code>get-session-token<\/code> 方式を使ってください。<\/p>\n\n\n\n<p><strong>2. 
\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u5207\u308a\u66ff\u3048\u7528\u306e\u30b7\u30a7\u30eb\u95a2\u6570<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># ~\/.bashrc \u307e\u305f\u306f ~\/.zshrc \u306b\u8ffd\u52a0\nfunction aws-profile() {\n    if [ $# -ne 1 ]; then\n        echo \"Current AWS_PROFILE: $AWS_PROFILE\"\n        aws configure list-profiles\n        return 0\n    }\n\n    export AWS_PROFILE=$1\n    echo \"Switched to AWS Profile: $AWS_PROFILE\"\n\n    # \u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u304cMFA\u3092\u5fc5\u8981\u3068\u3059\u308b\u5834\u5408\u306e\u8b66\u544a\n    if aws configure get mfa_serial --profile $1 &gt; \/dev\/null 2&gt;&amp;1; then\n        echo \"\u6ce8\u610f: \u3053\u306e\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u306fMFA\u8a8d\u8a3c\u304c\u5fc5\u8981\u3067\u3059\"\n    fi\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-10\">\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3088\u308bMFA\u8a8d\u8a3c\u306e\u81ea\u52d5\u5316<\/h3>\n\n\n\n<p>\u65e5\u5e38\u7684\u306a\u904b\u7528\u3092\u52b9\u7387\u5316\u3059\u308b\u305f\u3081\u306e\u81ea\u52d5\u5316\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5b9f\u88c5\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<p><strong>1. 
MFA\u8a8d\u8a3c\u7d71\u5408\u30b9\u30af\u30ea\u30d7\u30c8<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\n\n# MFA\u8a8d\u8a3c\u306e\u72b6\u614b\u7ba1\u7406\nMFA_STATUS_FILE=\"$HOME\/.aws\/mfa_status\"\nMFA_TOKEN_CACHE=\"$HOME\/.aws\/token_cache\"\n\ncheck_mfa_expiry() {\n    if [ -f \"$MFA_STATUS_FILE\" ]; then\n        expiry=$(cat \"$MFA_STATUS_FILE\")\n        current=$(date +%s)\n        if [ $current -lt $expiry ]; then\n            return 0  # \u6709\u52b9\n        fi\n    fi\n    return 1  # \u671f\u9650\u5207\u308c\u307e\u305f\u306f\u672a\u8a8d\u8a3c\n}\n\nrefresh_mfa_token() {\n    local token_code=$1\n    local mfa_arn=$(aws configure get mfa_serial)\n\n    # \u30bb\u30c3\u30b7\u30e7\u30f3\u30c8\u30fc\u30af\u30f3\u306e\u53d6\u5f97\n    aws sts get-session-token \\\n        --serial-number $mfa_arn \\\n        --token-code $token_code \\\n        --duration-seconds 43200 &gt; \"$MFA_TOKEN_CACHE\"\n\n    # \u6709\u52b9\u671f\u9650\u306e\u4fdd\u5b58\n    expiry=$(date -d \"+12 hours\" +%s)\n    echo $expiry &gt; \"$MFA_STATUS_FILE\"\n\n    # \u74b0\u5883\u5909\u6570\u306e\u8a2d\u5b9a\n    export AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId \"$MFA_TOKEN_CACHE\")\n    export AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey \"$MFA_TOKEN_CACHE\")\n    export AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken \"$MFA_TOKEN_CACHE\")\n}<\/pre>\n\n\n\n<p>このスクリプトには運用上の注意点が 3 つあります。第一に、<code>$MFA_TOKEN_CACHE<\/code> にはシークレットアクセスキーとセッショントークンが平文で書き出されるため、リダイレクトの前に <code>umask 077<\/code> を設定するか、直後に <code>chmod 600 \"$MFA_TOKEN_CACHE\" \"$MFA_STATUS_FILE\"<\/code> を実行して他ユーザーから読めないようにしてください。第二に、<code>get-session-token<\/code> の終了ステータスを確認せずに有効期限を書き込んでいるため、呼び出しが失敗しても古いキャッシュが「有効」と記録されてしまいます。リダイレクト行の末尾に <code>|| return 1<\/code> を付けてください。第三に、<code>date -d \"+12 hours\"<\/code> は GNU date 固有の書式で macOS では動作しません。有効期限はレスポンスの <code>.Credentials.Expiration<\/code> から取得する方が正確です。<\/p>\n\n\n\n<p>\u52b9\u7387\u7684\u306aMFA\u904b\u7528\u306e\u305f\u3081\u306e\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9\u4e00\u89a7\uff1a<\/p>\n\n\n<div id=\"id-bba7c9a1-768d-4718-9db7-820832366598\">\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>\u30ab\u30c6\u30b4\u30ea<\/th><th>\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9<\/th><th>\u5b9f\u88c5\u65b9\u6cd5<\/th><\/tr><\/thead><tbody><tr><td>\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3<\/td><td>\u30c8\u30fc\u30af\u30f3\u306e\u6709\u52b9\u671f\u9650\u7ba1\u7406<\/td><td>\u30b9\u30c6\u30fc\u30bf\u30b9\u30d5\u30a1\u30a4\u30eb\u3067\u306e\u8ffd\u8de1<\/td><\/tr><tr><td>\u5229\u4fbf\u6027<\/td><td>\u81ea\u52d5\u66f4\u65b0\u306e\u5b9f\u88c5<\/td><td>\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3088\u308b\u5b9a\u671f\u78ba\u8a8d<\/td><\/tr><tr><td>\u76e3\u67fb\u5bfe\u5fdc<\/td><td>\u8a8d\u8a3c\u30ed\u30b0\u306e\u4fdd\u6301<\/td><td>CloudWatch\u30ed\u30b0\u3078\u306e\u51fa\u529b<\/td><\/tr><tr><td>\u6a29\u9650\u7ba1\u7406<\/td><td>\u6700\u5c0f\u6a29\u9650\u306e\u539f\u5247<\/td><td>IAM\u30dd\u30ea\u30b7\u30fc\u306e\u7d30\u5206\u5316<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n<p>\u3053\u308c\u3089\u306e\u5b9f\u88c5\u306b\u3088\u308a\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3092\u7dad\u6301\u3057\u306a\u304c\u3089\u3001\u958b\u767a\u8005\u306e\u751f\u7523\u6027\u3092\u6700\u5927\u5316\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u6b21\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u3053\u308c\u3089\u306e\u8a2d\u5b9a\u306b\u95a2\u9023\u3059\u308b\u4e00\u822c\u7684\u306a\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0\u306b\u3064\u3044\u3066\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"i-11\">AWS CLI MFA\u306e\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-12\">\u3088\u304f\u3042\u308b\u8a8d\u8a3c\u30a8\u30e9\u30fc\u3068\u305d\u306e\u89e3\u6c7a\u65b9\u6cd5<\/h3>\n\n\n\n<p>AWS 
CLI\u4f7f\u7528\u6642\u306eMFA\u95a2\u9023\u30a8\u30e9\u30fc\u306b\u306f\u7279\u5fb4\u7684\u306a\u30d1\u30bf\u30fc\u30f3\u304c\u3042\u308a\u307e\u3059\u3002\u4ee5\u4e0b\u306b\u4e3b\u8981\u306a\u30a8\u30e9\u30fc\u3068\u305d\u306e\u89e3\u6c7a\u65b9\u6cd5\u3092\u793a\u3057\u307e\u3059\uff1a<\/p>\n\n\n\n<p><strong>1. InvalidClientTokenId \u30a8\u30e9\u30fc<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: \nThe security token included in the request is invalid<\/pre>\n\n\n\n<p>\u89e3\u6c7a\u624b\u9806\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u306e\u6709\u52b9\u6027\u78ba\u8a8d<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u30a2\u30af\u30bb\u30b9\u30ad\u30fc\u306e\u4e00\u89a7\u8868\u793a\naws iam list-access-keys --user-name your-username<\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>\u74b0\u5883\u5909\u6570\u306e\u78ba\u8a8d<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u73fe\u5728\u306e\u8a8d\u8a3c\u60c5\u5831\u3092\u78ba\u8a8d\naws configure list<\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>\u30c8\u30fc\u30af\u30f3\u306e\u30af\u30ea\u30a2<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">unset AWS_SESSION_TOKEN\nunset AWS_ACCESS_KEY_ID\nunset AWS_SECRET_ACCESS_KEY<\/pre>\n\n\n\n<p><strong>2. AccessDenied \u30a8\u30e9\u30fc<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">An error occurred (AccessDenied) when calling the GetSessionToken operation: \nMultiFactorAuthentication failed with invalid MFA one time pass code.<\/pre>\n\n\n\n<p>\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0\u30c1\u30a7\u30c3\u30af\u30ea\u30b9\u30c8\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MFA\u30c8\u30fc\u30af\u30f3\u306e\u6709\u52b9\u671f\u9650\u78ba\u8a8d<\/li>\n\n\n\n<li>\u30c7\u30d0\u30a4\u30b9\u306e\u6642\u523b\u540c\u671f\u72b6\u614b\u78ba\u8a8d<\/li>\n\n\n\n<li>IAM\u30e6\u30fc\u30b6\u30fc\u306eMFA\u8a2d\u5b9a\u78ba\u8a8d<\/li>\n<\/ul>\n\n\n\n<p>\u89e3\u6c7a\u306e\u305f\u3081\u306e\u30c7\u30d0\u30c3\u30b0\u30b9\u30af\u30ea\u30d7\u30c8\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\nimport boto3\nimport json\nfrom botocore.exceptions import ClientError\n\ndef debug_mfa_setup():\n    \"\"\"MFA\u8a2d\u5b9a\u306e\u30c7\u30d0\u30c3\u30b0\u60c5\u5831\u3092\u53ce\u96c6\"\"\"\n    try:\n        iam = boto3.client('iam')\n\n        # IAM\u30e6\u30fc\u30b6\u30fc\u60c5\u5831\u306e\u53d6\u5f97\n        user = iam.get_user()\n        username = user['User']['UserName']\n\n        # MFA\u30c7\u30d0\u30a4\u30b9\u306e\u78ba\u8a8d\n        mfa_devices = iam.list_mfa_devices(UserName=username)\n\n        
print(\"=== MFA Debug Information ===\")\n        print(f\"User: {username}\")\n        print(f\"MFA Devices: {json.dumps(mfa_devices, indent=2)}\")\n\n        # \u30a2\u30af\u30bb\u30b9\u6a29\u9650\u306e\u78ba\u8a8d\n        try:\n            iam.get_account_summary()\n            print(\"IAM\u6a29\u9650: OK\")\n        except ClientError as e:\n            print(f\"IAM\u6a29\u9650\u30a8\u30e9\u30fc: {e}\")\n\n    except Exception as e:\n        print(f\"\u30c7\u30d0\u30c3\u30b0\u4e2d\u306b\u30a8\u30e9\u30fc\u304c\u767a\u751f: {str(e)}\")\n\nif __name__ == \"__main__\":\n    debug_mfa_setup()<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-13\">MFA\u30c8\u30fc\u30af\u30f3\u6709\u52b9\u671f\u9650\u5207\u308c\u306e\u5bfe\u51e6\u6cd5<\/h3>\n\n\n\n<p>\u30c8\u30fc\u30af\u30f3\u6709\u52b9\u671f\u9650\u5207\u308c\u306f\u6700\u3082\u4e00\u822c\u7684\u306a\u554f\u984c\u306e\u4e00\u3064\u3067\u3059\u3002\u4ee5\u4e0b\u306e\u5bfe\u51e6\u65b9\u6cd5\u3092\u5b9f\u88c5\u3059\u308b\u3053\u3068\u3067\u3001\u30b9\u30e0\u30fc\u30ba\u306a\u904b\u7528\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u6709\u52b9\u671f\u9650\u76e3\u8996\u30b9\u30af\u30ea\u30d7\u30c8<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\n\n# \u30c8\u30fc\u30af\u30f3\u6709\u52b9\u671f\u9650\u76e3\u8996\ncheck_token_expiry() {\n    local token_file=\"$HOME\/.aws\/token_expiry\"\n\n    if [ ! 
-f \"$token_file\" ]; then\n        echo \"\u30c8\u30fc\u30af\u30f3\u60c5\u5831\u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093\"\n        return 1\n    }\n\n    local expiry=$(cat \"$token_file\")\n    local current=$(date +%s)\n    local remaining=$((expiry - current))\n\n    if [ $remaining -le 0 ]; then\n        echo \"\u30c8\u30fc\u30af\u30f3\u306f\u671f\u9650\u5207\u308c\u3067\u3059\"\n        return 1\n    else\n        echo \"\u6b8b\u308a\u6709\u52b9\u6642\u9593: $(($remaining \/ 60))\u5206\"\n\n        # 1\u6642\u9593\u3092\u5207\u3063\u305f\u5834\u5408\u306f\u8b66\u544a\n        if [ $remaining -le 3600 ]; then\n            echo \"\u8b66\u544a: \u30c8\u30fc\u30af\u30f3\u306e\u6709\u52b9\u671f\u9650\u304c\u8fd1\u3065\u3044\u3066\u3044\u307e\u3059\"\n        fi\n    fi\n}<\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>\u81ea\u52d5\u66f4\u65b0\u306e\u5b9f\u88c5<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import boto3\nimport time\nfrom datetime import datetime, timedelta\n\ndef auto_refresh_token(mfa_serial, get_token_callback):\n    \"\"\"\u30c8\u30fc\u30af\u30f3\u306e\u81ea\u52d5\u66f4\u65b0\u3092\u884c\u3046\"\"\"\n    while True:\n        try:\n            # \u73fe\u5728\u306e\u30c8\u30fc\u30af\u30f3\u60c5\u5831\u3092\u53d6\u5f97\n            sts = boto3.client('sts')\n            credentials = sts.get_caller_identity()\n\n            # \u30c8\u30fc\u30af\u30f3\u306e\u6709\u52b9\u671f\u9650\u3092\u78ba\u8a8d\n            token_expiry = datetime.now() + timedelta(hours=11)\n\n            # \u6709\u52b9\u671f\u9650\u304c1\u6642\u9593\u4ee5\u5185\u306e\u5834\u5408\u306f\u66f4\u65b0\n            if token_expiry - datetime.now() &lt;= timedelta(hours=1):\n                token = get_token_callback()  # 
MFA\u30c8\u30fc\u30af\u30f3\u306e\u53d6\u5f97\n                refresh_session_token(mfa_serial, token)\n\n            time.sleep(300)  # 5\u5206\u9593\u9694\u3067\u30c1\u30a7\u30c3\u30af\n\n        except Exception as e:\n            print(f\"\u30c8\u30fc\u30af\u30f3\u66f4\u65b0\u4e2d\u306b\u30a8\u30e9\u30fc\u304c\u767a\u751f: {str(e)}\")\n            time.sleep(60)  # \u30a8\u30e9\u30fc\u6642\u306f1\u5206\u5f85\u6a5f<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-14\">CI\/CD\u74b0\u5883\u3067\u306eMFA\u904b\u7528\u30ce\u30a6\u30cf\u30a6<\/h3>\n\n\n\n<p>CI\/CD\u74b0\u5883\u3067\u306eMFA\u904b\u7528\u306b\u306f\u7279\u5225\u306a\u8003\u616e\u304c\u5fc5\u8981\u3067\u3059\uff1a<\/p>\n\n\n<div id=\"id-3770eb74-4d32-4ca6-a782-55b6df007f96\">\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u8ab2\u984c<\/th><th>\u89e3\u6c7a\u65b9\u6cd5<\/th><th>\u5b9f\u88c5\u4f8b<\/th><\/tr><\/thead><tbody><tr><td>\u81ea\u52d5\u5316\u3068\u306e\u4e21\u7acb<\/td><td>\u9577\u671f\u30c8\u30fc\u30af\u30f3\u306e\u4f7f\u7528<\/td><td>assume-role\u4f7f\u7528<\/td><\/tr><tr><td>\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u7dad\u6301<\/td><td>\u6a29\u9650\u306e\u6700\u5c0f\u5316<\/td><td>\u5c02\u7528IAM\u30ed\u30fc\u30eb\u4f5c\u6210<\/td><\/tr><tr><td>\u30c8\u30fc\u30af\u30f3\u7ba1\u7406<\/td><td>\u30b7\u30fc\u30af\u30ec\u30c3\u30c8\u7ba1\u7406<\/td><td>AWS Secrets Manager\u5229\u7528<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n<p>CI\/CD\u74b0\u5883\u3067\u306e\u5b9f\u88c5\u4f8b\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># GitHub Actions workflow\u4f8b\nname: AWS Deployment with MFA\non:\n  push:\n    branches: [ main ]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v2\n\n      - name: Configure AWS 
Credentials\n        uses: aws-actions\/configure-aws-credentials@v1\n        with:\n          role-to-assume: arn:aws:iam::123456789012:role\/DeploymentRole\n          aws-region: ap-northeast-1\n\n      # \u30c7\u30d7\u30ed\u30a4\u30e1\u30f3\u30c8\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u5b9f\u884c\n      - name: Deploy\n        run: |\n          # assume-role\u3092\u4f7f\u7528\u3057\u305f\u8a8d\u8a3c\n          CREDENTIALS=$(aws sts assume-role \\\n            --role-arn ${{ secrets.DEPLOYMENT_ROLE_ARN }} \\\n            --role-session-name GithubActionsDeployment)\n\n          # \u8a8d\u8a3c\u60c5\u5831\u306e\u8a2d\u5b9a\n          export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r .Credentials.AccessKeyId)\n          export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r .Credentials.SecretAccessKey)\n          export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r .Credentials.SessionToken)<\/pre>\n\n\n\n<p>\u3053\u308c\u3089\u306e\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c6\u30a3\u30f3\u30b0\u624b\u6cd5\u3068\u904b\u7528\u30ce\u30a6\u30cf\u30a6\u3092\u6d3b\u7528\u3059\u308b\u3053\u3068\u3067\u3001MFA\u8a8d\u8a3c\u306b\u95a2\u3059\u308b\u554f\u984c\u3092\u52b9\u7387\u7684\u306b\u89e3\u6c7a\u3067\u304d\u307e\u3059\u3002\u6b21\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u3088\u308a\u9ad8\u5ea6\u306aMFA\u904b\u7528\u30c6\u30af\u30cb\u30c3\u30af\u306b\u3064\u3044\u3066\u89e3\u8aac\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"i-15\">AWS CLI MFA\u306e\u5fdc\u7528\u7684\u306a\u4f7f\u3044\u65b9<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"i-16\">\u8907\u6570AWS\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u306eMFA\u8a8d\u8a3c\u7ba1\u7406<\/h3>\n\n\n\n<p>\u5927\u898f\u6a21\u306a\u7d44\u7e54\u3067\u306f\u3001\u8907\u6570\u306eAWS\u30a2\u30ab\u30a6\u30f3\u30c8\u3092\u6a2a\u65ad\u7684\u306b\u7ba1\u7406\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u4ee5\u4e0b\u306b\u3001\u52b9\u7387\u7684\u306a\u7ba1\u7406\u65b9\u6cd5\u3092\u793a\u3057\u307e\u3059\uff1a<\/p>\n\n\n\n<p><strong>1. \u30af\u30ed\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u30ed\u30fc\u30eb\u627f\u8a8d\u306e\u81ea\u52d5\u5316<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\nimport boto3\nimport json\nimport argparse\nfrom concurrent.futures import ThreadPoolExecutor\n\nclass CrossAccountMFAManager:\n    def __init__(self, source_profile):\n        self.source_session = boto3.Session(profile_name=source_profile)\n        self.assumed_roles = {}\n\n    def assume_role_with_mfa(self, account_id, role_name, mfa_token):\n        \"\"\"\n        MFA\u8a8d\u8a3c\u4ed8\u304d\u3067\u30af\u30ed\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u306e\u30ed\u30fc\u30eb\u3092\u5f15\u304d\u53d7\u3051\u308b\n        \"\"\"\n        try:\n            sts = self.source_session.client('sts')\n            role_arn = f'arn:aws:iam::{account_id}:role\/{role_name}'\n            mfa_serial = self.source_session.client('iam').list_mfa_devices()['MFADevices'][0]['SerialNumber']\n\n            response = sts.assume_role(\n                RoleArn=role_arn,\n                RoleSessionName=f'CrossAccount-{account_id}',\n                SerialNumber=mfa_serial,\n                TokenCode=mfa_token,\n                DurationSeconds=3600\n            )\n\n            self.assumed_roles[account_id] = response['Credentials']\n            return True\n\n 
       except Exception as e:\n            print(f\"Error assuming role in account {account_id}: {str(e)}\")\n            return False\n\n    def execute_across_accounts(self, command_func):\n        \"\"\"\n        \u5168\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u7279\u5b9a\u306e\u64cd\u4f5c\u3092\u5b9f\u884c\n        \"\"\"\n        results = {}\n        for account_id, credentials in self.assumed_roles.items():\n            session = boto3.Session(\n                aws_access_key_id=credentials['AccessKeyId'],\n                aws_secret_access_key=credentials['SecretAccessKey'],\n                aws_session_token=credentials['SessionToken']\n            )\n            results[account_id] = command_func(session)\n        return results<\/pre>\n\n\n\n<p>\u4f7f\u7528\u4f8b\uff1a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u30de\u30cd\u30fc\u30b8\u30e3\u30fc\u306e\u521d\u671f\u5316\nmanager = CrossAccountMFAManager('source-profile')\n\n# \u8907\u6570\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u306e\u30ed\u30fc\u30eb\u627f\u8a8d\naccounts = ['111111111111', '222222222222', '333333333333']\nmfa_token = input('Enter MFA token: ')\n\nfor account in accounts:\n    manager.assume_role_with_mfa(account, 'CrossAccountAdminRole', mfa_token)\n\n# \u5168\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u306e\u64cd\u4f5c\u5b9f\u884c\ndef check_security_groups(session):\n    ec2 = session.client('ec2')\n    return ec2.describe_security_groups()\n\nresults = manager.execute_across_accounts(check_security_groups)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-17\">AWS SDK\u3068MFA\u8a8d\u8a3c\u306e\u9023\u643a\u65b9\u6cd5<\/h3>\n\n\n\n<p>\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304b\u3089AWS 
SDK\u3092\u4f7f\u7528\u3059\u308b\u969b\u306eMFA\u8a8d\u8a3c\u306e\u5b9f\u88c5\u65b9\u6cd5\u3067\u3059\uff1a<\/p>\n\n\n\n<p><strong>1. \u30ab\u30b9\u30bf\u30e0\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u306e\u5b9f\u88c5<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from botocore.credentials import CredentialProvider\nfrom botocore.exceptions import CredentialRetrievalError\nimport json\nimport os\n\nclass MFACredentialProvider(CredentialProvider):\n    def __init__(self, mfa_serial, token_provider):\n        self._mfa_serial = mfa_serial\n        self._token_provider = token_provider\n\n    def load(self):\n        try:\n            # \u30ad\u30e3\u30c3\u30b7\u30e5\u3055\u308c\u305f\u30c8\u30fc\u30af\u30f3\u306e\u78ba\u8a8d\n            cached_creds = self._load_cached_credentials()\n            if cached_creds and not self._is_expired(cached_creds):\n                return cached_creds\n\n            # \u65b0\u898f\u30c8\u30fc\u30af\u30f3\u306e\u53d6\u5f97\n            mfa_token = self._token_provider()\n            sts = boto3.client('sts')\n\n            response = sts.get_session_token(\n                SerialNumber=self._mfa_serial,\n                TokenCode=mfa_token\n            )\n\n            # \u8a8d\u8a3c\u60c5\u5831\u306e\u30ad\u30e3\u30c3\u30b7\u30e5\n            self._cache_credentials(response['Credentials'])\n            return response['Credentials']\n\n        except Exception as e:\n            raise CredentialRetrievalError(provider=self.METHOD,\n                                         error_msg=str(e))\n\n    def _load_cached_credentials(self):\n        cache_file = os.path.expanduser('~\/.aws\/mfa_cache.json')\n        if os.path.exists(cache_file):\n            with open(cache_file, 'r') as f:\n 
               return json.load(f)\n        return None<\/pre>\n\n\n\n<p><strong>2. SDK\u3067\u306e\u4f7f\u7528\u4f8b<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># \u30ab\u30b9\u30bf\u30e0\u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u306e\u8a2d\u5b9a\ndef token_provider():\n    \"\"\"MFA\u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3059\u308b\u95a2\u6570\"\"\"\n    return input('Enter MFA token: ')\n\nsession = boto3.Session(\n    credential_provider=MFACredentialProvider(\n        mfa_serial='arn:aws:iam::123456789012:mfa\/MyMFADevice',\n        token_provider=token_provider\n    )\n)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-18\">\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u67fb\u306b\u5bfe\u5fdc\u3057\u305fMFA\u30ed\u30b0\u7ba1\u7406<\/h3>\n\n\n\n<p>\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u67fb\u3084\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u8981\u4ef6\u306b\u5bfe\u5fdc\u3059\u308b\u305f\u3081\u306e\u30ed\u30b0\u7ba1\u7406\u30b7\u30b9\u30c6\u30e0\u306e\u5b9f\u88c5\uff1a<\/p>\n\n\n\n<p><strong>1. 
\u5305\u62ec\u7684\u306aMFA\u76e3\u67fb\u30ed\u30b0\u30b7\u30b9\u30c6\u30e0<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import boto3\nimport logging\nfrom datetime import datetime, timezone\nimport json\n\nclass MFAActivityAuditor:\n    def __init__(self, log_group_name):\n        self.logs = boto3.client('logs')\n        self.log_group_name = log_group_name\n        self.setup_logging()\n\n    def setup_logging(self):\n        \"\"\"CloudWatchLogs\u306e\u8a2d\u5b9a\"\"\"\n        try:\n            self.logs.create_log_group(logGroupName=self.log_group_name)\n        except self.logs.exceptions.ResourceAlreadyExistsException:\n            pass\n\n        self.log_stream_name = datetime.now().strftime('%Y\/%m\/%d\/mfa-audit')\n        try:\n            self.logs.create_log_stream(\n                logGroupName=self.log_group_name,\n                logStreamName=self.log_stream_name\n            )\n        except self.logs.exceptions.ResourceAlreadyExistsException:\n            pass\n\n    def log_mfa_activity(self, user_arn, action, status, details=None):\n        \"\"\"MFA\u95a2\u9023\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u30ed\u30b0\u8a18\u9332\"\"\"\n        timestamp = int(datetime.now().timestamp() * 1000)\n\n        log_event = {\n            'timestamp': timestamp,\n            'user_arn': user_arn,\n            'action': action,\n            'status': status,\n            'source_ip': self._get_client_ip(),\n            'details': details or {}\n        }\n\n        self.logs.put_log_events(\n            logGroupName=self.log_group_name,\n            logStreamName=self.log_stream_name,\n            logEvents=[{\n                'timestamp': timestamp,\n                'message': json.dumps(log_event)\n            }]\n        
)<\/pre>\n\n\n\n<p>\u76e3\u67fb\u8981\u4ef6\u306b\u5bfe\u5fdc\u3059\u308b\u305f\u3081\u306e\u30ed\u30b0\u5206\u6790\u30af\u30a8\u30ea\u4f8b\uff1a<\/p>\n\n\n<div id=\"id-14a8c0ed-74a9-4a69-8ef4-c35e22aa6b07\">\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u76e3\u67fb\u76ee\u7684<\/th><th>CloudWatch Logs Insights \u30af\u30a8\u30ea<\/th><\/tr><\/thead><tbody><tr><td>MFA\u5931\u6557\u306e\u691c\u51fa<\/td><td><code>fields @timestamp, user_arn, source_ip | filter status = \"failed\"<\/code><\/td><\/tr><tr><td>\u30a2\u30af\u30bb\u30b9\u30d1\u30bf\u30fc\u30f3\u5206\u6790<\/td><td><code>stats count(*) by user_arn, action | sort count(*) desc<\/code><\/td><\/tr><tr><td>\u7570\u5e38\u691c\u77e5<\/td><td><code>filter @message like \"failed\" | stats count(*) as failures by user_arn, bin(30m)<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n<p><strong>2. \u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u30ec\u30dd\u30fc\u30c8\u751f\u6210<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">def generate_mfa_compliance_report(start_time, end_time):\n    \"\"\"MFA\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u30ec\u30dd\u30fc\u30c8\u306e\u751f\u6210\"\"\"\n    query = f\"\"\"\n    fields @timestamp, @message\n    | filter @timestamp between {start_time} and {end_time}\n    | parse @message \"user_arn\" as user_arn\n    | stats\n        count(*) as total_attempts,\n        count_if(status='success') as successful_attempts,\n        count_if(status='failed') as failed_attempts\n        by user_arn\n    | sort by total_attempts desc\n    \"\"\"\n\n    response = logs.start_query(\n        logGroupName=log_group_name,\n        startTime=start_time,\n        endTime=end_time,\n        queryString=query\n    )\n\n    # 
\u30af\u30a8\u30ea\u7d50\u679c\u306e\u53d6\u5f97\u3068\u89e3\u6790\n    query_results = wait_for_query_completion(response['queryId'])\n\n    return format_compliance_report(query_results)<\/pre>\n\n\n\n<p>\u3053\u308c\u3089\u306e\u5fdc\u7528\u7684\u306a\u5b9f\u88c5\u306b\u3088\u308a\u3001\u30a8\u30f3\u30bf\u30fc\u30d7\u30e9\u30a4\u30ba\u30ec\u30d9\u30eb\u3067\u306eAWS CLI MFA\u904b\u7528\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3001\u76e3\u67fb\u5bfe\u5fdc\u3001\u904b\u7528\u52b9\u7387\u5316\u306e\u5168\u3066\u3092\u6e80\u305f\u3059\u7dcf\u5408\u7684\u306a\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u3068\u3057\u3066\u6d3b\u7528\u3067\u304d\u307e\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Warning: Undefined array key &#8220;is_admin&#8221; in \/home\/xs392991\/dexall.co.jp\/public_html\/articles\/wp-content\/themes\/ &#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":{"0":"post-2382","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-aws","7":"nothumb"},"_links":{"self":[{"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=\/wp\/v2\/posts\/2382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2382"}],"version-history":[{"count":2,"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=\/wp\/v2\/posts\/2382\/revisions"}],"predecessor-version":[{"id":2384,"href":"https:
\/\/dexall.co.jp\/articles\/index.php?rest_route=\/wp\/v2\/posts\/2382\/revisions\/2384"}],"wp:attachment":[{"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dexall.co.jp\/articles\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}