Analyzing IAM Roles and Policies for MFA to Run AWS Batch | by Teri Radichel | Cloud Security | Oct, 2023

ACM.329 Converting my Lambda roles over to AWS Batch Roles and other roles and policies required to run AWS Batch

Teri Radichel
Cloud Security

Part of my series on Automating Cybersecurity Metrics. Lambda. Batch Job Security. IAM. Container Security. Deploying a Static Website. The Code.


In the last post, I rebuilt the container I was using for Lambda so it runs in AWS Batch. Instead of relying on the Lambda Runtime Emulator locally, I can simply run the container. I also simplified my code structure a bit so that everything comes from a jobs folder.

In this post I’m going to analyze the roles and policies I need to run AWS Batch, because there’s quite a lot of ground to cover. I’ll create them in an upcoming post. I’m going to look at converting the role and user I created for Lambda, creating a new secret for my batch job, and reusing my GitSecrets secret to access GitHub.

In addition, we need to understand the permissions the AWS Batch service has in our account — and I’m not too keen on some of the things in the default service-linked role policy.

I’m going to try to reuse the same concept of leveraging MFA for a batch job that I was using with Lambda. That means I need the following:

  • The batch job execution role required by AWS Batch.
  • A user with credentials that can assume a role only with MFA.
  • The assumed role that can leverage GitHub secrets.
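As an added illustration of the second and third items (this is not code from the post; the author builds these resources in later posts), here is a CloudFormation fragment for a role that the batch job’s IAM user can assume only after authenticating with MFA, and whose sole permission is reading the GitHub secret. The user name, role name, policy name and secret ARN are placeholders.

```yaml
# Added example, not from the post: a role assumable only with MFA that can read one secret.
# BatchUserName, the role name and GitSecretArn are placeholders to replace with real values.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  BatchUserName:
    Type: String
    Default: batch-job-user            # placeholder: the user whose credentials start the job
  GitSecretArn:
    Type: String
    Default: arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:GitSecrets-PLACEHOLDER
Resources:
  BatchJobMfaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: batch-job-mfa-role     # placeholder name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            # Only this one user may assume the role, not the whole account
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${BatchUserName}
            Action: sts:AssumeRole
            Condition:
              # Bool (not BoolIfExists) in an Allow statement: a missing MFA key is
              # treated as false, so a non-MFA AssumeRole call is refused
              Bool:
                aws:MultiFactorAuthPresent: "true"
              # Also require the MFA authentication to be less than an hour old (seconds)
              NumericLessThan:
                aws:MultiFactorAuthAge: "3600"
      Policies:
        - PolicyName: read-git-secret  # placeholder name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: read one specific secret, nothing else
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref GitSecretArn
```

The user still needs a separate identity policy allowing `sts:AssumeRole` on this role’s ARN; the trust policy above only controls who the role accepts, and under what MFA conditions.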

AWS Batch requires additional, separate roles, and which ones you need depends on how you use AWS Batch.

You can get an overview of the roles and policies needed for AWS Batch here:

Deciding which compute environment to use for AWS…
