
Rule: Running EC2 Instances Should Not Use Key Pairs

This rule ensures EC2 instances do not use key pairs for better security measures.

Rule: Running EC2 Instances should not use key pairs
Framework: AWS Foundational Security Best Practices
Severity: High

Rule Description:

The rule states that running EC2 instances should not use key pairs. This is in line with AWS Foundational Security Best Practices, which recommend against using key pairs for EC2 instances. Key pairs are used for SSH authentication to securely access EC2 instances. However, using key pairs can introduce potential security risks if not properly managed or when multiple users require access to the instances.

Remediation:

To remediate this issue and comply with the best practices, you should follow the steps below:

Step 1: Create an IAM Role

  1. Open the AWS Management Console and navigate to the IAM service.
  2. Click on "Roles" in the left-hand sidebar.
  3. Click on "Create role" to begin creating a new role.
  4. Select the service that will use this role. In this case, select "EC2" as the service.
  5. Click on "Next: Permissions" to proceed.
  6. Attach the appropriate policies for your EC2 instances based on your requirements.
  7. Click on "Next: Tags" to proceed (optional).
  8. Add any relevant tags to the role (if needed).
  9. Click on "Next: Review" to continue.
  10. Provide a name and description for the role.
  11. Click on "Create role" to generate the new IAM role.

Step 2: Assign IAM Role to EC2 Instance

  1. Open the EC2 service in the AWS Management Console.
  2. Select the EC2 instance that should use the IAM role.
  3. Right-click on the instance and choose "Instance Settings" > "Attach/Replace IAM Role".
  4. Select the appropriate IAM role you created in Step 1.
  5. Click on "Apply" to assign the IAM role to the EC2 instance.

Step 3: Verify IAM Role Assignment

  1. SSH into the EC2 instance using an existing key pair or another appropriate method.
  2. Execute the command below to verify the IAM role assignment:

     curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

If the response is empty or returns an error, the IAM role has been successfully assigned.
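As an added example (not Cloud Defense's rule engine and not code from this page), the following Python function performs the check the rule describes over the output of `aws ec2 describe-instances` or boto3's `describe_instances()`: it lists running instances that still carry a key pair and records whether an IAM instance profile is attached, so you can see which instances the Step 1 and Step 2 remediation has not yet reached. The sample reservations, instance IDs and account ID below are constructed placeholders.

```python
"""Flag running EC2 instances that were launched with a key pair.

Constructed example: the input has the same shape as the `Reservations` list
returned by `aws ec2 describe-instances` / boto3 `ec2.describe_instances()`.
"""
from typing import Dict, List

# Constructed sample output; instance IDs and the account ID are placeholders.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
         "KeyName": "legacy-admin-key",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"}},
        {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "State": {"Name": "running"},
         "KeyName": "legacy-admin-key"},
        {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"}},
        {"InstanceId": "i-0aaaaaaaaaaaaaaa4", "State": {"Name": "stopped"},
         "KeyName": "legacy-admin-key"},
    ]},
]


def find_key_pair_instances(reservations: List[Dict]) -> List[Dict]:
    """Return one finding per running instance that has a KeyName set.

    Each finding notes whether an IAM instance profile is attached, since the
    remediation replaces key-pair access with an IAM role. Non-running
    instances are skipped because the rule covers running ones only.
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            key_name = inst.get("KeyName")
            if not key_name:
                continue  # compliant: no key pair on this instance
            findings.append({
                "InstanceId": inst["InstanceId"],
                "KeyName": key_name,
                "HasInstanceProfile": "IamInstanceProfile" in inst,
            })
    return findings


if __name__ == "__main__":
    for f in find_key_pair_instances(SAMPLE_RESERVATIONS):
        status = "role attached" if f["HasInstanceProfile"] else "NO instance profile"
        print(f"{f['InstanceId']}: key pair '{f['KeyName']}' ({status})")
```

Against a live account, replace SAMPLE_RESERVATIONS with the `Reservations` list from `boto3.client("ec2").describe_instances()`, following pagination so no instances are missed.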

Troubleshooting Steps (If Key Pair is Used):

If investigation reveals that EC2 instances are still using key pairs instead of IAM roles, follow the steps below to troubleshoot:

  1. Check the EC2 instance launch configuration and verify that no key pair is selected or assigned.
  2. Ensure that the instance is not running in a VPC with a default security group that allows SSH access via key pairs.
  3. If there is a specific security group assigned to the instance, review the inbound rules and ensure that SSH access is not open using a key pair.
  4. If the instance is launched by AWS Elastic Beanstalk, ensure that the environment configuration has not specified a key pair for SSH access.
  5. If the issue persists, consider reviewing any instance lifecycle hooks or Auto Scaling Group launch configuration settings that may be overriding the desired configuration.

Note:

Before making any changes to the EC2 instances, ensure that you have appropriate backups in place and test the new configuration thoroughly to avoid any disruption to your applications or services.
