Profile Applicability

  • Level 1

Description:

IAM roles for EC2, attached to an instance through an instance profile, let the instance obtain temporary credentials from the instance metadata service (IMDS) and use them to call AWS services such as S3 and DynamoDB without any long-lived access key being placed on the instance. The credentials are short-lived and rotated by AWS automatically, so anything an attacker manages to copy off the instance stops working on its own. They are still readable by any process on the instance (and, through SSRF, by anything that can make the instance issue HTTP requests), so instance roles should be paired with IMDSv2 (HttpTokens set to required) and with a role policy scoped to what the workload actually needs.

This removes the need to store access key IDs and secret access keys on the instance, in its user data, or in application configuration. Using instance roles for all AWS API access from EC2 is a baseline control against accidental credential exposure and against the long-lived, rarely rotated keys that hard-coded credentials become.

Rationale:

Using IAM instance roles to manage EC2 access to AWS resources provides:

  • Security: Prevents the need to hard-code AWS credentials into EC2 instances, reducing the risk of credential exposure.

  • Simplicity: Simplifies access management by using IAM roles instead of managing access keys and secret keys manually.

  • Temporary credentials: the credentials served through the instance metadata service are short-lived and rotated by AWS before they expire, so a leaked set has a bounded lifetime.

  • Compliance: Helps meet regulatory and security standards by ensuring that credentials are not stored in EC2 instances and are managed securely.

Without instance roles, long-lived access keys end up hard-coded in code, configuration files or user data, where they are easily leaked, rarely rotated, and difficult to revoke without breaking the workload.

Impact:

Failure to use IAM instance roles for resource access can result in:

  • Exposed credentials: hard-coded AWS access keys may be exposed in application code, configuration files, or instance user data (which any process on the instance can read from the metadata service).

  • Increased security risks: Storing access keys directly on EC2 instances increases the attack surface and the potential for unauthorized access to AWS resources.

  • Non-compliance: Failing to use instance roles may violate security best practices and regulatory compliance requirements.

By using IAM instance roles, organizations can give EC2 workloads access to AWS resources without long-lived secrets and, provided each role's policy is scoped to the workload's needs, in line with the principle of least privilege.

Default Value:

By default, EC2 instances are launched without an IAM role (instance profile), so calls to AWS APIs from the instance fail with missing credentials unless an instance profile is explicitly attached or keys are supplied some other way.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • ec2:DescribeInstances and ec2:DescribeIamInstanceProfileAssociations (to audit)

    • ec2:AssociateIamInstanceProfile, ec2:ReplaceIamInstanceProfileAssociation and ec2:DisassociateIamInstanceProfile (to remediate and back out)

    • iam:ListRoles and iam:ListInstanceProfiles

    • iam:AttachRolePolicy (only if the role's permissions must be changed)

    • iam:PassRole on the role being assigned

  • An IAM role whose trust policy allows ec2.amazonaws.com to assume it, wrapped in an instance profile. The console creates the instance profile automatically when a role is created for EC2; when the role is created with the CLI, the instance profile must be created and the role added to it as separate steps.

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the EC2 Console.

  2. For each EC2 instance, select it in the Instances list and check the IAM Role field under Instance details.

  3. Ensure that every instance has an IAM role assigned and that the role's policies grant only the permissions the workload needs to reach its AWS resources.

  4. If no role is assigned or an inappropriate role is assigned, modify the instance settings to assign the correct IAM role.

Using AWS CLI:

To list the instance profile attached to an instance (the result is empty when no role is attached):

aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].IamInstanceProfile" --output table

To show only the ARN of the attached instance profile (arn:aws:iam::<account-id>:instance-profile/<name>; this is the profile's ARN, not the role's, and the role inside the profile usually but not necessarily has the same name):

aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].IamInstanceProfile.Arn" --output table
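The queries above check one instance at a time. The script below is an added example, not part of this benchmark or of any AWS tooling: it takes the full output of aws ec2 describe-instances --output json (run without --instance-ids so it covers every instance in the region) and reports each non-terminated instance that has no instance profile. It goes one step beyond the test plan by also reporting whether IMDSv2 is enforced (MetadataOptions.HttpTokens equal to required), since that is what stops a role's credentials from being read through an SSRF hole. The embedded sample response, its instance IDs, account number, association and profile names are constructed for illustration.

```python
"""Audit EC2 instances for a missing IAM instance profile (added example).

Produce the input with:
    aws ec2 describe-instances --output json > instances.json
    python3 ec2_role_audit.py instances.json
With no argument the script audits the constructed SAMPLE below.
"""
import json
import sys

# Constructed describe-instances output: two running instances and one
# terminated instance.  IDs, account number and profile name are made up.
SAMPLE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001",
             "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/web-app-profile",
                 "Id": "AIPAEXAMPLEID00001"},
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0a1b2c3d4e5f60002",
             "State": {"Name": "running"},
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60003",
             "State": {"Name": "terminated"}},
        ]},
    ]
}


def profile_name_from_arn(arn):
    """Name of an instance profile from its ARN
    (arn:aws:iam::<account>:instance-profile/<path>/<name>), or None."""
    if not arn:
        return None
    return arn.rsplit("/", 1)[-1]


def audit_instances(describe_output, skip_terminated=True):
    """Return one finding per instance.

    A finding records the attached instance profile name (None when nothing
    is attached) and whether IMDSv2 is enforced.  Terminated instances are
    skipped by default because their metadata no longer matters.
    """
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if skip_terminated and state == "terminated":
                continue
            profile_arn = (inst.get("IamInstanceProfile") or {}).get("Arn")
            http_tokens = inst.get("MetadataOptions", {}).get("HttpTokens")
            findings.append({
                "instance_id": inst["InstanceId"],
                "state": state,
                "instance_profile": profile_name_from_arn(profile_arn),
                "imdsv2_required": http_tokens == "required",
            })
    return findings


def instances_without_profile(findings):
    """Instance IDs that fail this check (no instance profile attached)."""
    return [f["instance_id"] for f in findings if f["instance_profile"] is None]


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    findings = audit_instances(data)
    for f in findings:
        print("{instance_id:22} {state!s:10} profile={instance_profile!s:30} "
              "imdsv2={imdsv2_required}".format(**f))
    failing = instances_without_profile(findings)
    if failing:
        print("FAIL: no instance profile on", ", ".join(failing))
        return 1
    print("PASS: every non-terminated instance has an instance profile")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero whenever a running or stopped instance lacks a profile, so the script can sit in a scheduled job or CI check. An instance that passes this check but shows imdsv2=False still leaves the role's credentials one SSRF away from an attacker.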


Implementation Plan:

Using AWS Console:

  1. Assign an IAM role to an EC2 instance:

    • Go to the EC2 Console.

    • Select the EC2 instance you wish to modify.

    • Under Actions, select Security, then Modify IAM Role.

    • Choose an appropriate IAM role from the drop-down menu and click Update IAM role.

  2. Verify the role assignment:

    • Ensure that the IAM role is listed under Instance details in the EC2 instance settings.

Using AWS CLI:

  1. Assign an IAM role to an EC2 instance by attaching its instance profile. The value is the instance profile name, which usually matches the role name but need not:

aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name=<instance-profile-name>

     The call fails with an IncorrectState error if a profile is already attached; replace-iam-instance-profile-association, which takes the existing association ID instead of the instance ID, swaps the profile in place.

  2. Verify that the expected instance profile is now attached:

aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].IamInstanceProfile.Arn" --output table

Backout Plan:

Using AWS Console:

  1. If assigning the IAM role causes issues with resource access:

    • Go to the EC2 Console.

    • Select the EC2 instance and remove the IAM role by selecting Actions, then Security, and Modify IAM Role.

    • Choose None and save the changes.

  2. Review the IAM role's permissions if access to specific resources is denied, and adjust permissions accordingly.

Using AWS CLI:

  1. Remove the IAM role from the EC2 instance. Disassociation is keyed by the association ID, not the instance ID, so look it up first:

aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=<instance-id> --query "IamInstanceProfileAssociations[?State=='associated'].AssociationId" --output text

aws ec2 disassociate-iam-instance-profile --association-id <association-id>

  2. The association change takes effect without stopping the instance, and the AWS SDKs refresh credentials from the metadata service on their own. Only if the workload caches credentials and cannot refresh them is a process restart, or as a last resort a stop and start of the instance, needed:

aws ec2 stop-instances --instance-ids <instance-id>

aws ec2 start-instances --instance-ids <instance-id>

  3. Reassign the correct IAM role (by instance profile name) once the issue is resolved:

aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name=<instance-profile-name>
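Both the Implementation Plan and the Backout Plan above trip over the same two details of the EC2 API: associate-iam-instance-profile refuses an instance that already has a profile, and disassociate-iam-instance-profile wants an association ID rather than an instance ID. The script below is an added example, not part of this benchmark or of AWS tooling: it reads the JSON from aws ec2 describe-iam-instance-profile-associations for one instance and prints the single aws command that is correct for the current state (associate, replace, disassociate, or nothing). It does not call AWS itself. The embedded sample, its association IDs, instance IDs, account number and profile names are constructed for illustration.

```python
"""Plan an instance-profile change or removal for one EC2 instance (added example).

Produce the input with:
    aws ec2 describe-iam-instance-profile-associations \
        --filters Name=instance-id,Values=<instance-id> --output json > assoc.json
Then:
    python3 plan_profile_change.py assoc.json <instance-id> <instance-profile-name>
    python3 plan_profile_change.py assoc.json <instance-id> --remove
"""
import json
import shlex
import sys

# Association states in which the profile still counts as attached.
ACTIVE_STATES = {"associating", "associated"}

# Constructed describe-iam-instance-profile-associations output: one live
# association and one stale record.  All identifiers are made up.
SAMPLE = {
    "IamInstanceProfileAssociations": [
        {"AssociationId": "iip-assoc-0123456789abcdef0",
         "InstanceId": "i-0a1b2c3d4e5f60001",
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::123456789012:instance-profile/web-app-profile",
             "Id": "AIPAEXAMPLEID00001"},
         "State": "associated"},
        {"AssociationId": "iip-assoc-0fedcba9876543210",
         "InstanceId": "i-0a1b2c3d4e5f60002",
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::123456789012:instance-profile/old-profile",
             "Id": "AIPAEXAMPLEID00002"},
         "State": "disassociated"},
    ]
}


def profile_name_from_arn(arn):
    """Instance profile name from arn:aws:iam::<account>:instance-profile/<name>."""
    return arn.rsplit("/", 1)[-1]


def current_association(describe_output, instance_id):
    """The live association for instance_id, or None.  Records in the
    'disassociated' state are history, not an attached profile."""
    for assoc in describe_output.get("IamInstanceProfileAssociations", []):
        if assoc.get("InstanceId") == instance_id and assoc.get("State") in ACTIVE_STATES:
            return assoc
    return None


def plan_change(describe_output, instance_id, desired_profile):
    """Return (action, argv) that attaches desired_profile.

    'associate' when nothing is attached, 'replace' (keyed by association ID)
    when a different profile is attached, 'noop' when it is already in place.
    """
    assoc = current_association(describe_output, instance_id)
    if assoc is None:
        return "associate", ["aws", "ec2", "associate-iam-instance-profile",
                             "--instance-id", instance_id,
                             "--iam-instance-profile", "Name=" + desired_profile]
    if profile_name_from_arn(assoc["IamInstanceProfile"]["Arn"]) == desired_profile:
        return "noop", []
    return "replace", ["aws", "ec2", "replace-iam-instance-profile-association",
                       "--association-id", assoc["AssociationId"],
                       "--iam-instance-profile", "Name=" + desired_profile]


def plan_removal(describe_output, instance_id):
    """Return (action, argv) for the backout: disassociate by association ID."""
    assoc = current_association(describe_output, instance_id)
    if assoc is None:
        return "noop", []
    return "disassociate", ["aws", "ec2", "disassociate-iam-instance-profile",
                            "--association-id", assoc["AssociationId"]]


def main(argv):
    if len(argv) < 4:
        print(__doc__)
        return 2
    with open(argv[1]) as fh:
        data = json.load(fh)
    instance_id = argv[2]
    if argv[3] == "--remove":
        action, cmd = plan_removal(data, instance_id)
    else:
        action, cmd = plan_change(data, instance_id, argv[3])
    print(action + ":", shlex.join(cmd) if cmd else "(nothing to do)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the decision separate from the call makes the change reviewable before anything is executed, and the printed command can be pasted straight into a change ticket.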

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  CIS v8                4.9          Perform Continuous Security Monitoring and Incident Detection
  CIS v7                6.3          Monitor Security Configurations for Compliance
  CIS v7                5.2          Securely Manage and Monitor Cloud Accounts and Services