Profile Applicability:
Level 1
Description:
This control ensures that internet-facing Amazon EC2 instances (those with a public IPv4 address or placed in a public subnet) are not directly associated with Instance Profiles (IAM Roles) unless absolutely necessary. Instance Profiles supply AWS credentials to EC2 instances through the instance metadata service, and those credentials can be misused if the instance is exposed to the internet, potentially leading to credential theft or privilege escalation.
Rationale:
An internet-facing EC2 instance with an attached Instance Profile increases the risk of credential compromise through attacks such as server-side request forgery (SSRF) or exploitation of misconfigured web applications. Once an attacker can reach the instance metadata service, they can retrieve the role's temporary AWS credentials and use them against other AWS services. Regularly auditing and restricting instance profiles to private or internal instances keeps credentials protected and aligns with best practices for least privilege and defense in depth under frameworks such as CIS, SOC 2, and ISO 27001.
Impact:
Positive Impact: Strengthens overall AWS security by preventing public exposure of IAM credentials and minimizing risks of lateral movement or privilege misuse.
Negative Impact: Applications on internet-facing instances that legitimately need temporary credentials must use secure access mechanisms or scoped-down IAM roles.
Default Value:
By default, EC2 instances can be launched with or without an Instance Profile. There is no automatic restriction preventing public instances from having roles attached.
Pre-Requisite:
IAM permissions required: ec2:DescribeInstances, ec2:DescribeIamInstanceProfileAssociations, and iam:ListInstanceProfiles.
Understanding of network design (VPC, public/private subnet classification).
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Instances.
Review each instance to identify:
Instances with a Public IPv4 address (indicating internet exposure).
Instances that have an IAM role listed under the IAM role column.
For each internet-facing instance, verify if it truly requires the assigned Instance Profile.
If an unnecessary or overly privileged role is attached, the instance is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to EC2 → Instances.
Select the identified internet-facing instance.
Under the Description tab, note the IAM role currently attached.
Evaluate whether the instance requires AWS credentials.
If not required, detach the Instance Profile:
Choose Actions → Security → Modify IAM role → Detach IAM role.
If required, replace the attached role with one having least privilege permissions limited to essential services only.
Review the instance’s security group and network interface settings to ensure it is not unintentionally exposed via open inbound ports.
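The following script is an added example for both the Test Plan and the Implementation Plan above; it is not part of the benchmark. It applies the audit logic offline to JSON in the shape returned by `aws ec2 describe-instances`, `aws ec2 describe-route-tables` and `aws ec2 describe-iam-instance-profile-associations` (the permissions listed under Pre-Requisite), flags instances that have an Instance Profile and are either assigned a public IPv4 address or sit in a subnet whose route table has a default route to an internet gateway, and then emits the `aws ec2 disassociate-iam-instance-profile` command for each finding so an operator can review and run it after confirming the role is not required. All instance IDs, subnet IDs, ARNs and association IDs in the sample data are constructed for illustration.

```python
"""Audit internet-facing EC2 instances for attached Instance Profiles.

Added example (not benchmark code). Feed it the saved output of the three
`aws ec2 describe-*` calls named in the lead-in; the constructed samples
below stand in for those responses so the script runs offline.
"""
import json
from typing import Dict, List

# Constructed sample of `aws ec2 describe-instances` output (ids, IPs and ARNs are made up).
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "VpcId": "vpc-01", "SubnetId": "subnet-pub1",
     "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-admin"}},
    {"InstanceId": "i-0bbb222", "VpcId": "vpc-01", "SubnetId": "subnet-priv1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/worker"}},
    {"InstanceId": "i-0ccc333", "VpcId": "vpc-01", "SubnetId": "subnet-pub1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch"}},
    {"InstanceId": "i-0ddd444", "VpcId": "vpc-01", "SubnetId": "subnet-pub1",
     "PublicIpAddress": "203.0.113.11"},
]}]}

# Constructed `aws ec2 describe-route-tables` output: a private main table and a
# public table (default route to an internet gateway) associated with subnet-pub1.
DESCRIBE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-01",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-01",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-pub1"}]},
]}

# Constructed `aws ec2 describe-iam-instance-profile-associations` output.
DESCRIBE_ASSOCIATIONS = {"IamInstanceProfileAssociations": [
    {"AssociationId": "iip-assoc-aaa", "InstanceId": "i-0aaa111", "State": "associated"},
    {"AssociationId": "iip-assoc-bbb", "InstanceId": "i-0bbb222", "State": "associated"},
    {"AssociationId": "iip-assoc-ccc", "InstanceId": "i-0ccc333", "State": "associated"},
]}


def routes_to_internet(table: dict) -> bool:
    """True if the route table has a 0.0.0.0/0 route whose target is an internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in table.get("Routes", []))


def is_public_subnet(subnet_id: str, vpc_id: str, route_tables_resp: dict) -> bool:
    """Resolve the subnet's route table (explicit association, else the VPC main table)."""
    tables = route_tables_resp.get("RouteTables", [])
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", [])):
            return routes_to_internet(t)
    for t in tables:
        if t.get("VpcId") == vpc_id and any(a.get("Main") for a in t.get("Associations", [])):
            return routes_to_internet(t)
    return False


def find_noncompliant(instances_resp: dict, route_tables_resp: dict) -> List[dict]:
    """Instances with an Instance Profile that are reachable from the internet."""
    findings = []
    for reservation in instances_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            profile_arn = inst.get("IamInstanceProfile", {}).get("Arn")
            if not profile_arn:
                continue  # no credentials to expose
            exposure = []
            if inst.get("PublicIpAddress"):
                exposure.append("public IP " + inst["PublicIpAddress"])
            if is_public_subnet(inst.get("SubnetId", ""), inst.get("VpcId", ""), route_tables_resp):
                exposure.append("public subnet " + inst.get("SubnetId", ""))
            if exposure:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "InstanceProfileArn": profile_arn,
                                 "Exposure": exposure})
    return findings


def remediation_commands(findings: List[dict], associations_resp: dict) -> List[str]:
    """One `disassociate-iam-instance-profile` command per finding, for operator review."""
    assoc_by_instance: Dict[str, str] = {
        a["InstanceId"]: a["AssociationId"]
        for a in associations_resp.get("IamInstanceProfileAssociations", [])
        if a.get("State") == "associated"}
    return [f"aws ec2 disassociate-iam-instance-profile --association-id "
            f"{assoc_by_instance[f['InstanceId']]}  # {f['InstanceId']}"
            for f in findings if f["InstanceId"] in assoc_by_instance]


if __name__ == "__main__":
    results = find_noncompliant(DESCRIBE_INSTANCES, DESCRIBE_ROUTE_TABLES)
    print(json.dumps(results, indent=2))
    print("\n".join(remediation_commands(results, DESCRIBE_ASSOCIATIONS)))
```

The script treats "public subnet" the way the control's Pre-Requisite note implies (route table with a default route to an internet gateway), which catches instances that have no public IPv4 address today but will get one on launch or via an attached Elastic IP. The emitted commands are deliberately not executed: per the Implementation Plan, each role must first be evaluated and either detached or replaced with a least-privilege role.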
Backout Plan:
Using AWS Console:
If application functionality is impacted after detaching the IAM role, reattach the role with limited permissions temporarily.
Review and reconfigure the application to use secure IAM access patterns (e.g., through AWS Systems Manager Session Manager, PrivateLink, or Service-Linked Roles) before permanently restricting role access.