Profile Applicability:
 • Level 2

Description:

IAM roles for EC2 instances allow instances to securely access AWS resources and perform actions on behalf of the user. Proper configuration of IAM roles is essential to ensure that EC2 instances have the minimum required permissions and adhere to the principle of least privilege. This ensures that only authorized actions can be performed by instances and that sensitive resources remain protected.

Rationale:

By using IAM roles with EC2 instances, you provide a secure method for instances to authenticate with AWS services without embedding credentials on the instance. Properly configured roles enforce least privilege and ensure that EC2 instances only have the permissions necessary to perform their intended tasks. This reduces the attack surface by limiting access to only necessary resources and actions.

Impact:

Pros:

  • Secure, temporary credentials are automatically managed by AWS for EC2 instances

  • Enables secure access to AWS services without embedding keys in instances

  • Follows the principle of least privilege, improving security posture

  • Simplifies management of instance permissions

Cons:

  • Misconfigured IAM roles can inadvertently grant excessive permissions, increasing the risk of security breaches

  • May introduce complexity in managing IAM roles across a large number of EC2 instances

Default Value:

By default, EC2 instances do not have any IAM roles attached. Roles must be explicitly attached during instance creation or afterward.

Pre-requisites:

  • IAM permissions to create and assign IAM roles

  • Understanding of the EC2 instance's needs and the services it will access

  • Defined IAM roles and policies for EC2 instance use

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EC2 > Instances

  3. Verify that all EC2 instances are assigned the appropriate IAM roles

  4. Check that IAM roles are configured with the least privilege principle, only allowing necessary permissions for the instance’s function

  5. Ensure that there are no hardcoded credentials or excessive permissions attached to the EC2 instances

Using AWS CLI:

Describe the EC2 instance to check its IAM role:

aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[*].Instances[*].IamInstanceProfile"

Describe the IAM role attached to the instance:

aws iam get-role --role-name <role-name>

Verify the managed policies attached to the IAM role (inline policies are not included here and are listed separately by list-role-policies):

aws iam list-attached-role-policies --role-name <role-name>
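The CLI steps above produce JSON that still has to be judged by hand. The following Python script is an added example, not part of the control text or any AWS tooling: it takes saved output shaped like describe-instances, get-role (the AssumeRolePolicyDocument) and the role's policy documents, and flags instances with no instance profile, trust policies that let anything other than the EC2 service assume the role, and Allow statements or managed policies that grant wildcard access. All sample data, account IDs, ARNs and policy names below are constructed placeholders.

```python
"""Offline audit of EC2 instance-role configuration from saved AWS CLI output."""
import json

# Constructed sample (placeholder account ID and ARNs) shaped like the output of
# `aws ec2 describe-instances`.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::111122223333:instance-profile/EC2S3AccessRole",
             "Id": "AIPAEXAMPLEID0001"}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2"},  # launched without any role
    ]}]
}

# Constructed trust policy (AssumeRolePolicyDocument from `aws iam get-role`)
# that is too broad: any AWS principal may assume the role, not only EC2.
BROAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

# Constructed permission policies: one that grants everything, one scoped to a bucket.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:ListBucket"],
                                "Resource": ["arn:aws:s3:::example-bucket",
                                             "arn:aws:s3:::example-bucket/*"]}]}

# AWS managed policies that hand an instance near-admin rights.
OVERLY_BROAD_MANAGED = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}


def _as_list(value):
    """IAM allows a string or a list for Action, Resource and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def instances_without_profile(describe_output):
    """Instance IDs with no instance profile attached (test plan step 3)."""
    return [inst["InstanceId"]
            for res in describe_output.get("Reservations", [])
            for inst in res.get("Instances", [])
            if not inst.get("IamInstanceProfile")]


def trust_policy_findings(trust_doc):
    """Statements that let anything other than the EC2 service assume the role."""
    findings = []
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        for kind, who in (principal or {}).items():
            for name in _as_list(who):
                if kind != "Service" or name != "ec2.amazonaws.com":
                    findings.append(f"trust policy allows {kind}={name}")
    return findings


def policy_findings(policy_doc):
    """Allow statements granting wildcard actions on all resources (step 4)."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("Allow statement uses NotAction/NotResource; review manually")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"wildcard actions {actions} on all resources")
    return findings


def audit_role(role_name, trust_doc, attached_policy_arns, policy_docs):
    """Combine the checks for one role; policy_docs maps policy name -> document."""
    findings = [f"{role_name}: {f}" for f in trust_policy_findings(trust_doc)]
    for arn in attached_policy_arns:
        if arn in OVERLY_BROAD_MANAGED:
            findings.append(f"{role_name}: attached broad managed policy {arn}")
    for name, doc in policy_docs.items():
        findings += [f"{role_name}: {name}: {f}" for f in policy_findings(doc)]
    return findings


if __name__ == "__main__":
    report = {
        "instances_without_role": instances_without_profile(DESCRIBE_INSTANCES),
        "EC2S3AccessRole": audit_role(
            "EC2S3AccessRole", BROAD_TRUST,
            ["arn:aws:iam::aws:policy/AdministratorAccess"],
            {"inline-all": BROAD_POLICY, "s3-scoped": SCOPED_POLICY}),
    }
    print(json.dumps(report, indent=2))
```

To use it against a real account, save the output of the three CLI commands above (plus get-role-policy for any inline policies) to JSON files and pass the parsed dictionaries to the functions; an empty findings list for a role means its trust policy names only ec2.amazonaws.com and none of its statements grant wildcard actions on every resource. A NotAction or NotResource statement is reported rather than judged, since its effective scope depends on what it excludes.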

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EC2 > Instances

  3. Select Launch Instance or choose an existing instance

  4. In the Configure Instance Details section, locate IAM role and select the appropriate IAM role for the instance

    • Ensure the IAM role has only the necessary permissions required by the instance

  5. Complete the rest of the instance configuration and launch the instance

  6. For an existing instance, select the instance, click Actions > Security > Modify IAM Role, and attach the appropriate role

Using AWS CLI:

Create an IAM role that EC2 instances can assume (in this example the role will be granted read-only access to S3):

aws iam create-role --role-name EC2S3AccessRole --assume-role-policy-document file://trust-policy.json

The trust-policy.json file should include the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach policies to the IAM role (e.g., S3 access policy):

aws iam attach-role-policy --role-name EC2S3AccessRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Launch the EC2 instance with the attached IAM role. EC2 attaches a role through an instance profile, and create-role does not create one, so create the profile and add the role to it before referencing it in run-instances:

aws iam create-instance-profile --instance-profile-name EC2S3AccessRole
aws iam add-role-to-instance-profile --instance-profile-name EC2S3AccessRole --role-name EC2S3AccessRole

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type <instance-type> \
  --iam-instance-profile Name=EC2S3AccessRole

For an existing EC2 instance, associate an IAM role:

aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name=EC2S3AccessRole

Backout Plan:

Using AWS Console:

  1. Navigate to EC2 > Instances

  2. Select the EC2 instance and stop it

  3. Detach the IAM role from the instance by clicking Actions > Security > Modify IAM Role

  4. Select None to detach the IAM role

  5. Restart the instance

Using AWS CLI:

Detach the IAM role from the EC2 instance:

aws ec2 disassociate-iam-instance-profile --instance-id <instance-id>

If necessary, delete the IAM role. The call fails while the role still has attached policies or belongs to an instance profile, so run detach-role-policy and remove-role-from-instance-profile first:

aws iam delete-role --role-name EC2S3AccessRole

References: