Track permission changes to AWS IAM deployment user separately.

[adunkman]

We currently have the permissions for the user used in deployment managed through code in this repository.

This means:

• A manual step is required to run this script as an administrator.
• There is a race condition on merging pull requests. When a pull request is merged with a change to these permissions, a deploy is started which will fail. An administrator then needs to update permissions for that user, and then the build needs to be restarted.

From a security perspective, this also means:

• Permission changes are included in large pull requests, which means they may not receive the added scrutiny that changes to permissions should likely undergo.

A fix for this would be to track this user and its permissions in a separate location. We may want to rely on infrastructure which is court-wide to manage these permissions. This would:

• Require this dependency to be specifically stated ("this pull request depends on permissions introduced in X")
• Would separate these changes from larger application changes, giving them the added scrutiny as mentioned above
• Allow them to be run automatically, if desired.

The downside to this approach would be that EF-CMS would need to reference another place to determine how to set up its deployment steps. I think this downside is worth the benefits above.

[adunkman]

https://github.com/18F/aws-admin is a reference.