Structuring Accounts For A Common Job Execution Framework

ACM.433 Revisiting the catch-22 of deployments from the root account

Teri Radichel
Published in Cloud Security
7 min read · Jan 18, 2024


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post, I created a common job execution container for running batch jobs.

As I started working on the next script, I hit this problem. The job execution role needs to access the SSM parameters, so they need to be in the same account where the role was created.

Then I decided the parameters needed to be in the same account as the EC2 execution role so it could pull the list of parameters and secrets, etc. But I forgot about my prior dilemma and was trying to use a role from a different account to execute the job.

In the end, the easiest solution (and least complexity to prevent security misconfigurations…
