Ensure IAM instance roles are used for AWS resource access from instances
Applications running on EC2 instances frequently access additional AWS services and must be granted permissions to make API calls. The recommended approach for granting EC2-based applications AWS permissions is with an IAM role for EC2 because this eliminates the need to distribute and rotate long-term credentials on EC2 instances. When creating IAM roles, associate least-privilege IAM policies that restrict access to the specific API calls the application requires.
Risk Level: Low
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.IAM.54
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
Instance should not have profileArn isEmpty()
REMEDIATION
From Portal
Steps 1 is to create new rule
- Navigate to the AWS console IAM dashboard.
- In the navigation pane, select Roles, Create new role.
- Under 'Select the service that will use this role' select EC2, then 'Next:Permissions.'
- On the Attach permissions policies page, select an AWS managed policy that grants your instance access to the resources that they need, then 'Next:Tags.'
- Add tags (optional), the select 'Next:Review.'
- On the Create role and Review page, type a name for the role and Select Create role.
Note: Following steps are used to attach or replace IAM role for Ec2 instances:
- Navigate to the AWS console EC2 dashboard.
- Select Running Instances.
- Select the instance you want to modify.
- Click on security tab and ensure instance role is added there. Attach/Replace IAM Role in case needed.
- On the Attach/Replace IAM Role page, under the IAM role pull down menu, select the role created in the IAM steps above.
References
Amazon EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Compliance Frameworks
- AWS CIS Foundations v. 1.1.0
- AWS CIS Foundations v. 1.2.0
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago