Structuring Accounts For A Common Job Execution Framework | by Teri Radichel | Cloud Security | Jan, 2024

ACM.433 Revisiting the catch-22 of deployments from the root account

Teri Radichel
Cloud Security


āš™ļø Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Application Security | Abstraction



In the last post I created a common job execution container for running batch jobs.

As I started working on the next script I hit this problem: the job execution role needs to access the SSM parameters, so the parameters need to be in the same account where the role was created.

Then I decided the parameters needed to be in the same account as the EC2 execution role so it could pull the list of parameters and secrets, etc. But I forgot about my prior dilemma and was trying to use a role from a different account to execute the job.

In the end, the easiest solution (and the one with the least complexity, which leaves the least room for security misconfigurations or issues) is to ensure that the EC2 instance, EC2 instance role, parameters, secrets, and job execution role are all in the same account.

That led me to think about which accounts I wanted that job execution framework to exist in.

Components of our Job Execution Framework

Based on the last post, here are the components we need to deploy resources using the job execution framework I'm creating.

  • An EC2 instance
  • An EC2 instance role
  • Job configuration SSM Parameters
  • A user that can run jobs with an MFA device
  • Secrets with credentials associated with the user
  • A role that can execute a job

So I will need to deploy the above in any account where I want to run jobs.
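The "everything in one account" rule above is easy to state and easy to violate by accident, which is exactly what happened with the role from the other account. The following Python is an added example, not code from the post or from the author's repository: it parses the ARNs of the six components, refuses to continue if they span more than one account, and then emits two IAM policy documents pinned to that single account: a trust policy that lets only the job-runner user assume the execution role with MFA present, and a permissions policy that limits the role to the job configuration parameters and secrets under one path. The account IDs, the `/jobs/` parameter path, the `jobs/` secret prefix, and the `JobRunner`, `JobInstanceRole` and `JobExecutionRole` names are placeholders chosen for this example.

```python
"""Same-account check and scoped policies for a job execution role.

Added example (not the post author's code): the framework components must live
in one AWS account. This script parses component ARNs, rejects a mix of
accounts, and emits IAM policy documents scoped to that single account.
All names below (/jobs/ parameter path, jobs/ secret prefix, JobRunner user,
JobInstanceRole, JobExecutionRole) are placeholders chosen for the example.
"""
import json


def parse_arn(arn: str) -> dict:
    """Split an ARN into its fields. The resource part may itself contain
    colons (Secrets Manager ARNs do), so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, partition, service, region, account, resource = parts
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}


def check_same_account(arns: list) -> str:
    """Return the single account ID shared by all ARNs, or raise listing the
    components that live elsewhere (the cross-account mistake from the post)."""
    accounts = {}
    for arn in arns:
        accounts.setdefault(parse_arn(arn)["account"], []).append(arn)
    if len(accounts) != 1:
        raise ValueError("components span multiple accounts: "
                         + json.dumps(accounts, indent=2))
    return next(iter(accounts))


def job_role_trust_policy(account: str, user_name: str) -> dict:
    """Only the job-runner user in this account may assume the role, and only
    when MFA was used for the session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def job_role_permissions(account: str, region: str,
                         parameter_path: str, secret_prefix: str) -> dict:
    """Read-only access to job configuration parameters and secrets, pinned to
    one account, one region and one path so the role cannot reach other jobs'
    configuration. An SSM parameter named /jobs/x has the ARN suffix
    parameter/jobs/x, so the path is appended directly after 'parameter'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadJobParameters",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters",
                           "ssm:GetParametersByPath"],
                "Resource": f"arn:aws:ssm:{region}:{account}:parameter{parameter_path}*",
            },
            {
                "Sid": "ReadJobSecrets",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:{secret_prefix}*",
            },
        ],
    }


# Constructed sample ARNs for the six components (placeholder account and IDs).
SAME_ACCOUNT = [
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0",
    "arn:aws:iam::111111111111:role/JobInstanceRole",
    "arn:aws:ssm:us-east-1:111111111111:parameter/jobs/example/config",
    "arn:aws:iam::111111111111:user/JobRunner",
    "arn:aws:secretsmanager:us-east-1:111111111111:secret:jobs/example/creds-AbCdEf",
    "arn:aws:iam::111111111111:role/JobExecutionRole",
]

# The mistake described in the post: the execution role came from another account.
MIXED_ACCOUNTS = SAME_ACCOUNT[:-1] + ["arn:aws:iam::222222222222:role/JobExecutionRole"]


def main() -> None:
    account = check_same_account(SAME_ACCOUNT)
    print(json.dumps(job_role_trust_policy(account, "JobRunner"), indent=2))
    print(json.dumps(job_role_permissions(account, "us-east-1", "/jobs/", "jobs/"), indent=2))
    try:
        check_same_account(MIXED_ACCOUNTS)
    except ValueError as err:
        print("rejected:", err)


if __name__ == "__main__":
    main()
```

Running the script prints the two policy documents for the placeholder account and then the rejection for the mixed list. The point of generating the policies from the validated account ID rather than hand-editing them is that the same number appears in every `Resource` and `Principal` field, so a role accidentally created in the wrong account simply cannot be named by the trust policy.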
