In that case, Pulumi permissions are too broad IMHO for what it has to do; an enterprise should adhere to least privilege. Likewise, as I wrote in another comment, the egress security groups are unclear to me (why is any traffic at all needed?) and the image consumed should be pinned to a digest. Or better yet, it should be coming from a private enterprise registry, ideally with an attestation that can be verified at runtime.
I am not sure ECS Fargate makes sense vs. an EC2 instance to run the workload. This setup alone will cost about $30/month assuming half a vCPU per replica with Fargate, plus about $12 for the memory (1 GB/task). 2x t2.micro could be run for ~$20 without even considering reservation discounts, etc. Obviously the gap will become even larger at scale, which I suppose might be very interesting for an enterprise.
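The two concrete asks in the comment above, digest-pinned images from a private registry and egress that is not wide open, can be checked mechanically before a task definition ships. The block below is an added example, not code from the thread or from the project being reviewed: it audits a hand-written ECS task definition and a set of security-group egress rules. The registry hostname `registry.corp.example`, the rule dictionary shape, the `10.0.0.0/16` range and the sample inputs are all constructed for the example. One caveat a reviewer should keep in mind: a Fargate task that pulls from a registry still needs some egress (HTTPS to the registry, or to VPC interface endpoints for it), so the check flags unrestricted rules rather than any egress at all.

```python
# Added example: static checks for image pinning, registry origin and egress
# rules. Not the project's code; registry host and sample data are constructed.
import re

ALLOWED_REGISTRY = "registry.corp.example"  # assumed private enterprise registry
# name[:tag]@sha256:<64 hex digits>; a tag alone is mutable, a digest is not
DIGEST_RE = re.compile(r"^[^@]+@sha256:[0-9a-f]{64}$")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def registry_of(image: str) -> str:
    """Registry host of an image reference, following the Docker convention:
    a single-component name is implicitly docker.io; otherwise the first
    path component is a host only if it contains '.' or ':' or is 'localhost'."""
    name = image.split("@", 1)[0]
    parts = name.split("/")
    if len(parts) == 1:
        return "docker.io"
    first = parts[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def image_findings(image: str) -> list[str]:
    """Findings for one image reference: unpinned, or from the wrong registry."""
    findings = []
    if not DIGEST_RE.match(image):
        findings.append(f"{image}: not pinned to a digest (tags are mutable)")
    reg = registry_of(image)
    if reg != ALLOWED_REGISTRY:
        findings.append(f"{image}: pulled from {reg}, not {ALLOWED_REGISTRY}")
    return findings


def egress_findings(rules: list[dict]) -> list[str]:
    """Flag egress rules that allow every protocol or reach the whole internet.
    The rule shape mirrors a security-group rule but is constructed here."""
    findings = []
    for i, r in enumerate(rules):
        all_proto = str(r.get("protocol")) == "-1"
        open_cidr = OPEN_CIDRS & set(r.get("cidr_blocks", []))
        if all_proto or open_cidr:
            findings.append(
                f"egress rule {i}: protocol={r.get('protocol')} "
                f"ports={r.get('from_port')}-{r.get('to_port')} "
                f"cidrs={sorted(r.get('cidr_blocks', []))} is unrestricted"
            )
    return findings


def audit_task(task_def: dict, egress_rules: list[dict]) -> list[str]:
    """All findings for a task definition plus the egress rules of its SG."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        findings += image_findings(c["image"])
    findings += egress_findings(egress_rules)
    return findings


# Constructed sample: one mutable public image, one pinned enterprise image,
# and an allow-everything egress rule.
SAMPLE_TASK = {
    "family": "web",
    "containerDefinitions": [
        {"name": "app", "image": "nginx:1.25"},
        {"name": "sidecar",
         "image": f"{ALLOWED_REGISTRY}/team/sidecar@sha256:{'a' * 64}"},
    ],
}
SAMPLE_EGRESS = [
    {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"]},
]
# Egress narrowed to HTTPS towards an assumed VPC range (e.g. interface
# endpoints for the registry); passes the check.
NARROW_EGRESS = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/16"]},
]

if __name__ == "__main__":
    for f in audit_task(SAMPLE_TASK, SAMPLE_EGRESS):
        print("FAIL:", f)
    print("narrow egress findings:", egress_findings(NARROW_EGRESS))
```

Run against the sample it reports three findings (the unpinned `nginx` image, its docker.io origin, and the open egress rule) and none for the narrowed rule; the same functions can be pointed at the JSON a Pulumi or Terraform plan produces before it is applied.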
aurelian@lemmy.ml 1 week ago
If you want it to stand out, don't automate the compute and networking that's so standardized these days that anyone can do it. Automate those IAM permissions.
I know that when hiring, nothing gets me more excited about a candidate than them understanding how to securely bootstrap an environment.
joegarciar3a3294@lemmy.world 1 week ago
It is actually possible to add non-root IAM accounts using your root IAM account. However, in order to do that, you first have to create an access key for your root user, which is not recommended by AWS.
The method is to manually create a non-root user, add an initial IAM permission to modify the IAM resources, and automate the additional IAM permission aggregation via a script in gitlab-ci.yml.
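The step the comment leaves open is what that "initial IAM permission to modify the IAM resources" should look like so that the CI job cannot simply grant itself more. The block below is an added example, not code from the thread or from any commenter: it generates the inline policy for the hand-created bootstrap user using the permissions-boundary delegation pattern (the user may create and extend IAM principals, but only ones that carry a fixed boundary policy it is forbidden to edit), and lints any policy for IAM grants that lack that condition. The account id `123456789012`, the `/ci/` path and the boundary policy name are constructed; the contents of the boundary policy itself depend on what the deployment needs and are not shown.

```python
# Added example: bootstrap IAM policy with permissions-boundary delegation,
# plus a linter for unbounded IAM grants. Account id, path and ARNs are
# constructed; not the commenter's script.
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed account id
PATH = "/ci/"             # every principal CI creates lives under this path
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/ci-permissions-boundary"

# IAM actions that grant or extend permissions; each Allow for these must be
# conditioned on iam:PermissionsBoundary or it is an escalation path.
GRANTING = {
    "iam:CreateUser", "iam:CreateRole",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy",
}


def bootstrap_policy(account: str = ACCOUNT, path: str = PATH,
                     boundary: str = BOUNDARY_ARN) -> dict:
    """Inline policy for the first non-root user: IAM only, scoped to `path`,
    and only for principals that carry `boundary`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadIam", "Effect": "Allow",
             "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
            {"Sid": "ManageBoundedPrincipals", "Effect": "Allow",
             "Action": sorted(GRANTING) + ["iam:PutUserPermissionsBoundary",
                                           "iam:PutRolePermissionsBoundary"],
             "Resource": [f"arn:aws:iam::{account}:user{path}*",
                          f"arn:aws:iam::{account}:role{path}*"],
             "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary}}},
            {"Sid": "ManageScopedPolicies", "Effect": "Allow",
             "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion",
                        "iam:DeletePolicyVersion", "iam:DeletePolicy"],
             "Resource": f"arn:aws:iam::{account}:policy{path}*"},
            # The boundary must stay fixed: deny editing or deleting it ...
            {"Sid": "ProtectBoundary", "Effect": "Deny",
             "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                        "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
             "Resource": boundary},
            # ... and deny stripping it off any principal.
            {"Sid": "NoBoundaryRemoval", "Effect": "Deny",
             "Action": ["iam:DeleteUserPermissionsBoundary",
                        "iam:DeleteRolePermissionsBoundary"],
             "Resource": "*"},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def unbounded_grants(policy: dict) -> list[str]:
    """Sids of Allow statements that can grant permissions without requiring a
    boundary. Wildcards ('*', 'iam:*', 'iam:Create*') are matched against
    GRANTING so a lazy 'iam:*' is caught as well."""
    bad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        patterns = _as_list(st.get("Action", []))
        grants = any(fnmatch.fnmatchcase(a, p) for a in GRANTING for p in patterns)
        cond = st.get("Condition", {}).get("StringEquals", {})
        if grants and "iam:PermissionsBoundary" not in cond:
            bad.append(st.get("Sid", "<no sid>"))
    return bad


# What a quick bootstrap often ends up with: blanket IAM rights for the CI user.
LAZY_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Sid": "AllIam", "Effect": "Allow",
                              "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(bootstrap_policy(), indent=2))
    print("bootstrap unbounded:", unbounded_grants(bootstrap_policy()))
    print("lazy unbounded:", unbounded_grants(LAZY_POLICY))
```

The generated document is what the manually created user would receive with `aws iam put-user-policy`; everything the CI script later creates under `/ci/` must be created with `--permissions-boundary` set to the boundary ARN or the `StringEquals` condition rejects the call. The linter is the check to run on any policy the pipeline itself proposes: `LAZY_POLICY` is flagged, the bootstrap policy is not.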