ACM.329 Converting my Lambda roles to AWS Batch roles and other roles and policies required to run AWS Batch
Part of my series on Automating Cybersecurity Metrics. Lambda. Batch job security. IAM. Container security. Deploying a static website. The Code.
In the last article, I rebuilt the container I had been using for Lambda so that it runs in AWS Batch. Instead of running the Lambda runtime emulator locally, I can now just run the container. I also simplified the structure of my code a bit so that everything runs from one jobs folder.
In this article, I will analyze the roles and policies I need to run AWS Batch, because there are quite a few of them. I will create them in a future article. I'm going to consider converting the role and user I created for Lambda, creating a new secret for my batch job, and reusing my GitHub secret to access GitHub.
Additionally, we need to understand what permissions the AWS Batch service itself has in our account, and I'm not too keen on some elements of the default service-linked role policy.
I'm going to try to reuse the same MFA-gated design for a batch job that I used with Lambda. This means I need the following:
- The job execution role required by AWS Batch.
- A user with credentials who can assume a role only when MFA is present.
- The assumed role, which is the only thing allowed to read the GitHub secret.
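The three policy documents that design needs, plus a small check a practitioner would run before creating them, as an added example (this is not code from the original article). The account ID, user name, role names and secret ARN are placeholders; the execution-role trust principal `ecs-tasks.amazonaws.com` is what AWS Batch uses for jobs that run on ECS or Fargate.

```python
"""Added example, not from the original article.

Builds the IAM policy documents for an MFA-gated AWS Batch job:
  1. trust policy for the assumed role (user may assume it only with MFA)
  2. permissions policy for that role (read exactly one secret)
  3. trust policy for the AWS Batch job execution role
and two checks that catch the common mistakes: a trust policy that forgot
the MFA condition, and a permissions policy with a wildcard resource.
All identifiers below are placeholders (assumptions).
"""
import json

ACCOUNT_ID = "123456789012"                                   # placeholder
BATCH_JOB_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/batch-job-user"   # assumed name
GITHUB_SECRET_ARN = (                                         # placeholder ARN
    f"arn:aws:secretsmanager:us-east-1:{ACCOUNT_ID}:secret:GitHubSecret-AbCdEf"
)


def mfa_trust_policy(principal_arn, max_age_seconds=3600):
    """Trust policy for the role the batch-job user assumes.

    sts:AssumeRole is allowed only when the caller authenticated with MFA
    and that MFA authentication is younger than max_age_seconds."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_age_seconds)},
            },
        }],
    }


def secret_read_policy(secret_arn):
    """Permissions policy attached to the assumed role: read one secret only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": secret_arn,
        }],
    }


def batch_execution_trust_policy():
    """Trust policy for the AWS Batch job execution role. The role is assumed by
    the ECS task infrastructure, not by any IAM user, so no MFA condition applies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def requires_mfa(trust_policy):
    """True only if the policy lets at least one IAM principal assume the role
    and every such Allow statement carries aws:MultiFactorAuthPresent == true."""
    found = False
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "AWS" not in stmt.get("Principal", {}):
            continue  # service principals cannot present MFA; skip them
        found = True
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            return False
    return found


def wildcard_resources(policy):
    """Return the Allow statements whose Resource contains a bare '*'."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if "*" in res:
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    trust = mfa_trust_policy(BATCH_JOB_USER_ARN)
    perms = secret_read_policy(GITHUB_SECRET_ARN)
    print(json.dumps(trust, indent=2))
    print("MFA required:", requires_mfa(trust))
    print("Wildcard resources:", wildcard_resources(perms))
```

The two check functions are the part worth keeping around: run `requires_mfa` over any trust policy you are about to attach to a role a human assumes, and `wildcard_resources` over the permissions policy, before calling `create-role` or `put-role-policy`.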
AWS Batch requires additional, distinct roles and they vary depending on how you use AWS Batch.
You can get an overview of the roles and policies needed for AWS Batch here: