Profile Applicability: Level 2


Description:

AWS access means calling the AWS APIs in order to use AWS resources or manage resources in an AWS account. An application that runs on an EC2 instance must include AWS credentials in its API requests. EC2 instances should obtain those credentials from an IAM role attached through an instance profile rather than from IAM user access keys stored on the instance. IAM roles are designed to let applications on instances make API requests securely, with short-lived credentials that AWS issues and rotates.


Rationale:

AWS IAM roles reduce the risks that come with distributing and rotating long-term credentials. An IAM user access key stored on an instance can be copied and reused from anywhere on the internet; if it is compromised, it grants access to the account until someone notices and revokes it.

A role also supplies security credentials to the application automatically. The application is granted exactly the permissions for the actions and resources defined in the role's policies, and the credentials it receives are temporary: they expire and are replaced without any action by the application or its operators.


Impact:

By passing role information to an EC2 instance, you limit the risk of access key exposure and make it harder for an attacker who compromises the instance to extract durable credentials. Use an IAM role to manage temporary credentials for the application that runs on an EC2 instance. When you use a role, you do not have to distribute long-term credentials (such as a user name and password or access keys) to the instance.

Role credentials are temporary and rotated automatically, so you do not have to manage them and you remove the long-term risk of a leaked static key.

IAM roles can also be used to delegate access to users, applications, or services that do not normally have access to your AWS resources.


Default Value:

  1. By default, no IAM role is assigned to any instance.

  2. By default, no policy is attached to a newly created role.


Audit:

Perform the following to determine whether an IAM role is configured and associated with each EC2 instance:

Via AWS Console

  1. Log in to the AWS Console with Admin access and go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. Under the Instances section, click Instances in the left navigation pane.
  3. Select the EC2 instance that you want to audit.
  4. Select the Description tab (Details tab in the newer console) in the bottom panel of the dashboard.

    Check the IAM role attribute value. If the attribute is empty, the selected instance has no IAM role associated with it. Any instance whose applications make AWS API requests should have an IAM role attached.

  5. Repeat steps 3 and 4 for every other EC2 instance.
  6. Change the AWS region from the navigation bar and repeat the audit for every other region.


Via CLI:

Step 1: Run the command below to list all EC2 instances currently available in the selected region:

aws ec2 describe-instances --region <region> --output table --query 'Reservations[*].Instances[*].InstanceId'

Step 2: For each instance ID returned in Step 1, run the command below to display the instance's IAM instance profile. An empty result means no IAM role is attached to that instance:

aws ec2 describe-instances --region <region> --instance-ids <instance_id> --query 'Reservations[*].Instances[*].IamInstanceProfile'

Step 3: Repeat the above commands for every other region in use.
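The two CLI steps above are tedious across many instances and regions. The following helper is an added example, not part of the original benchmark text: it reads the JSON that `aws ec2 describe-instances --output json` produces and reports every instance whose IamInstanceProfile attribute is missing. The embedded sample is constructed for offline use; the instance IDs and account number in it are not real.

```python
"""Audit helper: list EC2 instances that have no IAM instance profile.

Reads the JSON produced by `aws ec2 describe-instances --output json`
and reports instances whose IamInstanceProfile attribute is absent.
Run it offline against the constructed sample below, or pipe real output in:

    aws ec2 describe-instances --region us-east-1 --output json | python3 audit_roles.py
"""
import json
import sys

# Constructed sample of describe-instances output (not real account data):
# one instance with a profile, two without, and one terminated instance.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/AppRole-Instance-Profile",
                 "Id": "AIPAEXAMPLE"}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"}},
            {"InstanceId": "i-0ddd444", "State": {"Name": "terminated"}},
        ]},
    ]
})


def instances_without_role(describe_output: str, skip_terminated: bool = True) -> list:
    """Return the IDs of instances that lack an IamInstanceProfile.

    Terminated instances linger in describe-instances output for a while
    and cannot be remediated, so they are skipped by default.
    """
    data = json.loads(describe_output)
    missing = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if skip_terminated and state == "terminated":
                continue
            if not inst.get("IamInstanceProfile", {}).get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


def main() -> None:
    # Use piped CLI output when present, otherwise the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    missing = instances_without_role(raw)
    for instance_id in missing:
        print(f"FAIL {instance_id}: no IAM instance profile attached")
    if not missing:
        print("PASS: every instance has an IAM instance profile")


if __name__ == "__main__":
    main()
```

Run it once per region, the same way the CLI steps above are repeated per region; describe-instances does not include the region in its output, so the region is whatever `--region` was passed to the CLI.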


Remediation:

Pre-Requisite:

  1. Log in to the AWS console as an admin or other authorized user.

  2. An IAM role can be attached at launch or to an existing instance (running or stopped), either from the console or with the associate-iam-instance-profile CLI command. Replacing the instance is not required.

  3. The role must be wrapped in an instance profile before EC2 can pass it to an instance; the console creates the instance profile for you, the CLI steps below create it explicitly.

  4. The implementation steps below are only applicable when no suitable IAM role exists yet. If one does, skip to the step that attaches it.

Implementation Steps:

To Create the role perform the following steps

Step 1: Open the IAM console at https://console.aws.amazon.com/iam/.

Step 2: Click on Roles in the left navigation pane.

Step 3: Create a new role, select the EC2 use case (the trusted entity must be the EC2 service), and click the Next: Permissions button.

Step 4: Select the policies the application actually requires, following least privilege, and click the Next: Tags button.

Step 5: Enter the role name in the Role name box and click the Create role button.

Step 6: In the EC2 console, select the existing instance, choose Actions > Security > Modify IAM role, select the newly created role, and click Update IAM role.

Step 7: Confirm that the IAM role attribute of the instance now shows the role. The application picks up the role credentials through the instance metadata service without a restart of the instance.

Note: Older guidance describes launching a replacement instance with the role selected, stopping both instances, swapping the old root volume onto the new instance, and booting it. That workaround predates support for attaching a role to an existing instance and is no longer necessary.


Via CLI Command:

Step 1: Open the AWS CLI and call the create-role command to create the IAM role, <new_role>, using the trust policy in new_role-Trust-Policy.json. The trust policy must allow only the EC2 service principal (ec2.amazonaws.com) to assume the role.

aws iam create-role --role-name <new_role> --assume-role-policy-document file://new_role-Trust-Policy.json

Step 2: Call the attach-role-policy command to grant the role permission to access resources in your account. AmazonS3ReadOnlyAccess is shown as an example; attach only the policies the application needs.

aws iam attach-role-policy --role-name <new_role> --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Step 3: Call the create-instance-profile command, followed by the add-role-to-instance-profile command, to create the IAM instance profile <new_role>-Instance-Profile. The instance profile is what allows EC2 to pass the IAM role <new_role> to an instance. To learn more, see Using Instance Profiles.

aws iam create-instance-profile --instance-profile-name <new_role>-Instance-Profile

aws iam add-role-to-instance-profile --role-name <new_role> --instance-profile-name <new_role>-Instance-Profile

Now attach the IAM role to the existing EC2 instance.

Step 4: Call the associate-iam-instance-profile command to attach the instance profile <new_role>-Instance-Profile, and with it the role <new_role>, to the EC2 instance <instance_id>.

aws ec2 associate-iam-instance-profile --instance-id <instance_id> --iam-instance-profile Name=<new_role>-Instance-Profile


Step 5: Verify that the IAM role is now attached to the instance by calling the describe-iam-instance-profile-associations command. The association state should be "associated".

aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=<instance_id>

Now update your application to use the IAM role: the AWS SDKs and CLI pick up role credentials from the instance metadata service automatically once no static keys are configured in environment variables or credential files. Remove the long-term access keys from the instance, then deactivate and delete them in IAM so they cannot be used from anywhere else.
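Step 1 above references a trust policy file without showing its contents. The following is an added example, not part of the original benchmark text: it contains the trust policy that new_role-Trust-Policy.json should hold for an EC2 instance role, and a checker that confirms a trust policy only lets the EC2 service assume the role. The overly broad policy in the block is constructed to show what the checker rejects; a role whose trust policy has a wildcard principal can be assumed by any AWS principal, not just your instances.

```python
"""Trust policy for an EC2 instance role, plus a sanity check.

The `aws iam create-role` step needs a trust policy document. This is the
document new_role-Trust-Policy.json should contain: it allows only the EC2
service to assume the role, so the role's credentials are handed to instances
carrying the matching instance profile and to nothing else.
"""
import json

# Trust policy: the EC2 service principal may call sts:AssumeRole, nobody else.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed bad example (not from the benchmark): a wildcard AWS principal lets
# any principal in any AWS account assume the role.
OVERLY_BROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_is_ec2_only(policy: dict) -> bool:
    """True if every Allow statement grants sts:AssumeRole solely to ec2.amazonaws.com."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":                      # anonymous / wildcard principal
            return False
        if not isinstance(principal, dict):
            return False
        if set(principal) != {"Service"}:          # AWS account, user or federated principals
            return False
        if set(_as_list(principal["Service"])) != {"ec2.amazonaws.com"}:
            return False
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions <= {"sts:assumerole"}:      # e.g. sts:* would be too broad
            return False
    return True


def write_trust_policy(path: str = "new_role-Trust-Policy.json") -> str:
    """Write the trust policy for `aws iam create-role --assume-role-policy-document file://<path>`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(EC2_TRUST_POLICY, fh, indent=2)
    return path


if __name__ == "__main__":
    print(write_trust_policy())
```

To audit an existing role rather than create one, feed the output of `aws iam get-role --role-name <new_role> --query 'Role.AssumeRolePolicyDocument'` to trust_policy_is_ec2_only after parsing it as JSON.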


Backout Plan:

  1. Attaching a role to an existing instance does not change its IP addresses or storage, so the role can be removed again with disassociate-iam-instance-profile if the application misbehaves. Before deleting or replacing any instance, take a snapshot or AMI backup of it.

  2. If you choose to rebuild the instance and your environment depends on a dynamically assigned PRIVATE IP address, create an AMI from the existing instance, terminate the old one, and manually assign the previous private IP address when launching from the AMI.

  3. If you choose to rebuild and your environment depends on a dynamically assigned PUBLIC IP address, there is no way to retain that address. Dependencies on dynamically assigned public IP addresses are bad practice; if possible, rebuild the instance with an Elastic IP address and make the investment to remediate the affected systems while assigning the role.


References:

  1. Using an IAM role to grant permissions to applications running on Amazon EC2 instances - AWS Identity and Access Management 

  2. IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud 

  3. IAM roles - AWS Identity and Access Management 

  4. https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/


CIS Controls:


19 Incident Response and Management 

  • Incident Response and Management