Ensure AWS EC2 Instances use IAM Roles to control access

Applications running on EC2 instances frequently access additional AWS services and must be granted permissions to make API calls. The recommended approach for granting EC2-based applications AWS permissions is with an IAM role for EC2 because this eliminates the need to distribute and rotate long-term credentials on EC2 instances. When creating IAM roles, associate least-privilege IAM policies that restrict access to the specific API calls the application requires.

Risk Level: Low
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.CFT.IAM.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

AWS_EC2_Instance should have IamInstanceProfile

REMEDIATION

From CFT
Set AWS::EC2::Instance IamInstanceProfile property
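The following is an added example, not part of the CloudGuard rule page or Check Point's own tooling. It embeds a constructed CloudFormation template (JSON form) containing a least-privilege IAM role, an instance profile, one compliant instance and one non-compliant instance, then implements the GSL logic above (every AWS::EC2::Instance should carry IamInstanceProfile) as a checker and applies the remediation by setting the property. All logical IDs, the bucket name and the AMI ID are placeholders chosen for the example.

```python
import json

# Constructed CloudFormation template (JSON syntax). Resource names, the bucket
# ARN and the AMI ID are assumptions made for this example only.
TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AppRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": "ec2.amazonaws.com"},
                         "Action": "sts:AssumeRole"}]
        },
        "Policies": [{
          "PolicyName": "ReadOneBucket",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}]
          }
        }]
      }
    },
    "AppInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {"Roles": [{"Ref": "AppRole"}]}
    },
    "GoodInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-00000000000000000",
                     "InstanceType": "t3.micro",
                     "IamInstanceProfile": {"Ref": "AppInstanceProfile"}}
    },
    "BadInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-00000000000000000",
                     "InstanceType": "t3.micro"}
    }
  }
}
'''


def load_template() -> dict:
    """Parse the constructed template into a plain dict."""
    return json.loads(TEMPLATE_JSON)


def find_noncompliant_instances(template: dict) -> list:
    """Logical IDs of AWS::EC2::Instance resources that lack IamInstanceProfile.

    This is the rule 'AWS_EC2_Instance should have IamInstanceProfile': a missing
    key, a null value or an empty value all count as non-compliant.
    """
    bad = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        props = resource.get("Properties") or {}
        if not props.get("IamInstanceProfile"):
            bad.append(logical_id)
    return bad


def dangling_profile_refs(template: dict) -> list:
    """Logical IDs of instances whose IamInstanceProfile is a Ref to something
    that is not an AWS::IAM::InstanceProfile in this template (would fail at
    deploy time, and is worth catching in the same review)."""
    resources = template.get("Resources", {})
    dangling = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        profile = (resource.get("Properties") or {}).get("IamInstanceProfile")
        if isinstance(profile, dict) and "Ref" in profile:
            target = resources.get(profile["Ref"], {})
            if target.get("Type") != "AWS::IAM::InstanceProfile":
                dangling.append(logical_id)
    return dangling


def remediate(template: dict, profile_logical_id: str) -> dict:
    """Return a copy of the template in which every non-compliant instance has
    IamInstanceProfile set to a Ref of the given instance profile (the CFT
    remediation on this page). The input template is not modified."""
    fixed = json.loads(json.dumps(template))
    for logical_id in find_noncompliant_instances(fixed):
        props = fixed["Resources"][logical_id].setdefault("Properties", {})
        props["IamInstanceProfile"] = {"Ref": profile_logical_id}
    return fixed


if __name__ == "__main__":
    tpl = load_template()
    print("non-compliant:", find_noncompliant_instances(tpl))
    print("dangling refs:", dangling_profile_refs(tpl))
    print("after fix:", find_noncompliant_instances(remediate(tpl, "AppInstanceProfile")))
```

Ref on an AWS::IAM::InstanceProfile resource resolves to the profile name, which is what the IamInstanceProfile property of AWS::EC2::Instance expects, so the remediated template deploys with the role attached and no long-term credentials on the instance. The role's inline policy is deliberately scoped to a single action on a single bucket, matching the least-privilege guidance above.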

References

  1. https://aws.amazon.com/premiumsupport/knowledge-center/assign-iam-role-ec2-instance/

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CloudFormation ruleset