Using SSM Parameters to Define Jobs A User Can Run in an AWS Account | by Teri Radichel | Cloud Security | Jan, 2024

ACM.431 A naming convention to provide a list of jobs a user can execute to deploy resources in an AWS account

Teri Radichel
Cloud Security


⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.



In the last post I was thinking through the architecture for parameter management.

I want to set up a way to use AWS SSM Parameters for deployments and am going to test out some options.

The idea is that I want to separate the data plane (the description of what to deploy) from the control plane (the application that deploys the resource).

You already get this with CloudFormation to some degree: you specify what to deploy in a template and CloudFormation deploys it, but you have no control over the deployment engine itself.

However, there’s a lot of complexity and many possible misconfigurations in CloudFormation templates. I always tell clients that, to avoid security misconfigurations, they should come up with a set of approved templates that people in the organization can use to quickly deploy new things in a compliant manner without an arduous approval process.

If they want to create something different they can; it just has to go through proper review and testing. Resources that are already configured in an approved manner, by contrast, can be spun up quickly.

So that’s what I’m doing here. I have a container that deploys some core resources in an approved manner based on a configuration a user provides.

The person providing the configuration may not be well versed in all the details of security, and that is handled for them. If they wanted to deploy something different, they could propose a new configuration to add to the deployment engine.
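As an added example (not the post's code and not the series' deployment container), here is a Python sketch of the split described above: the data plane is a set of SSM parameters that describe the jobs a user may run, and the control plane is an engine that only knows how to deploy a fixed set of approved job types. The naming convention `/jobs/<username>/<jobname>`, the parameter contents, and the job types `vpc` and `s3_bucket` are all assumptions. The parameter store is a constructed in-memory dict standing in for SSM so the example runs offline; a real engine would fetch the same data with `boto3`'s `get_parameters_by_path`.

```python
import ipaddress
import json
import re

# Constructed stand-in for the SSM Parameter Store so the example runs offline.
# A real engine would fetch this with boto3:
#   ssm.get_parameters_by_path(Path=prefix, Recursive=True, WithDecryption=True)
# Assumed naming convention (an assumption, not from the post):
#   /jobs/<username>/<jobname>  ->  JSON describing one job the user may run
FAKE_PARAMETER_STORE = {
    "/jobs/alice/vpc-dev": json.dumps({"job": "vpc", "cidr": "10.1.0.0/16"}),
    "/jobs/alice/bucket-logs": json.dumps({"job": "s3_bucket", "name": "alice-logs"}),
    "/jobs/bob/vpc-test": json.dumps({"job": "vpc", "cidr": "10.2.0.0/16"}),
    # A job type the engine does not implement: it must be refused, not run.
    "/jobs/bob/wide-open": json.dumps({"job": "security_group", "ingress": "0.0.0.0/0"}),
}

# Names are restricted so a caller cannot smuggle "/" or ".." into the path
# and read or run another user's job definitions.
NAME_RE = re.compile(r"^[a-z0-9-]{1,40}$")


def get_parameters_by_path(store, prefix):
    """Mimic ssm.get_parameters_by_path: every parameter whose name starts with prefix."""
    return {name: value for name, value in store.items() if name.startswith(prefix)}


def list_jobs(store, username):
    """Data plane lookup: the job names defined under /jobs/<username>/."""
    if not NAME_RE.match(username):
        raise ValueError("invalid username")
    prefix = "/jobs/%s/" % username
    return sorted(name[len(prefix):] for name in get_parameters_by_path(store, prefix))


# Control plane: the only job types the engine knows how to deploy. Each one
# validates its own inputs and returns what it would create. No AWS calls are
# made here; a real handler would drive CloudFormation or the SDK.
def deploy_vpc(cfg):
    network = ipaddress.ip_network(cfg["cidr"], strict=True)
    if not network.is_private:
        raise ValueError("VPC CIDR must be a private range")
    return {"resource": "vpc", "cidr": str(network)}


def deploy_s3_bucket(cfg):
    name = cfg["name"]
    if not re.match(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", name):
        raise ValueError("invalid bucket name")
    # The approved template always blocks public access; the user cannot opt out.
    return {"resource": "s3_bucket", "name": name, "block_public_access": True}


APPROVED_JOBS = {"vpc": deploy_vpc, "s3_bucket": deploy_s3_bucket}


def run_job(store, username, jobname):
    """Run one job for one user, failing closed on anything outside the convention."""
    if not NAME_RE.match(username) or not NAME_RE.match(jobname):
        raise ValueError("invalid username or job name")
    key = "/jobs/%s/%s" % (username, jobname)
    if key not in store:
        raise PermissionError("job %r is not defined for user %r" % (jobname, username))
    cfg = json.loads(store[key])
    handler = APPROVED_JOBS.get(cfg.get("job"))
    if handler is None:
        raise PermissionError("job type %r is not an approved job" % cfg.get("job"))
    return handler(cfg)


if __name__ == "__main__":
    print(list_jobs(FAKE_PARAMETER_STORE, "alice"))
    print(run_job(FAKE_PARAMETER_STORE, "alice", "vpc-dev"))
```

The point of the design is that the user only ever supplies data: the engine decides what an approved VPC or bucket looks like, a parameter that names a job type the engine does not implement is refused rather than passed through to CloudFormation, and names outside the convention are rejected before they are turned into a parameter path, so one user cannot list or run another user's jobs.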
