Ensure IAM Instance Roles Rule
This rule ensures IAM instance roles are used for AWS resource access from instances.
| Rule | Ensure IAM instance roles are used for AWS resource access from instances |
| Framework | cis_v130 |
| Severity | ✔ High |
Ensure IAM Instance Roles are Used for AWS Resource Access from Instances (CIS_v1.3.0)
Using IAM instance roles for AWS resource access from instances ensures that you are following the principle of least privilege and not using individual user credentials or hard-coded keys on EC2 instances, which can be a security risk. This is aligned with the recommendation from the Center for Internet Security (CIS) AWS Foundations Benchmark.
Understanding IAM Instance Roles
IAM instance roles are a secure and efficient way to grant EC2 instances the necessary permissions to access other AWS resources. Instance roles are attached to the EC2 instances and contain policies that define the permissions.
Benefits of Using Instance Roles
- Security: Instance roles use temporary credentials that are automatically rotated by AWS.
- Management: Easier to manage permissions for multiple instances.
- Auditing: Better integration with AWS CloudTrail for auditing resource access.
Troubleshooting Steps
If an instance role is not working as expected, follow these troubleshooting steps:
- 1.Verify the role is attached to the instance.
- 2.Check the instance role's permissions policies.
- 3.Make sure no explicit deny policies are blocking access.
- 4.Confirm the instance's metadata is accessible.
- 5.Use AWS CLI or AWS Management Console to test the role's access.
Necessary AWS CLI Commands
To audit and remediate non-compliance with this rule, use the following AWS CLI commands:
List EC2 Instances Without an IAM Role
aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,IAMRole:IamInstanceProfile}' --output text
Attach an IAM Role to an Instance
- 1.Create an instance profile if it doesn't exist:
aws iam create-instance-profile --instance-profile-name my-instance-profile
- 1.Add the appropriate role to the instance profile:
aws iam add-role-to-instance-profile --instance-profile-name my-instance-profile --role-name my-iam-role
- 1.Attach the instance profile to the EC2 instance:
aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=my-instance-profile
Updating an IAM Policy
If the instance role does not have the right permissions, update the policy:
aws iam put-role-policy --role-name my-iam-role --policy-name my-policy-name --policy-document file://my-policy.json
Step by Step Guide for Remediation
- 1.Identify EC2 instances without IAM roles: Use the AWS CLI command provided to list all instances and identify those without roles.
- 2.Create an IAM Role and Policy: If necessary, create a new IAM role and policy that includes the permissions required for your instances to access specific AWS resources.
- 3.Attach the IAM Role to Instances: Use the AWS CLI commands listed above to attach the newly created IAM role to your EC2 instances.
- 4.Test the IAM Role: Ensure the role is working correctly by accessing the required AWS resources from the instance.
- 5.Review and Audit: Regularly audit IAM roles and attached policies to ensure they continue to meet the necessary permissions without over-provisioning.
By following this detailed description, you will bolster your cloud security posture, adhere to the CIS AWS Foundations Benchmark, and avoid common security issues related to hard-coded or statically assigned credentials. Implementing these best practices will contribute positively to your SEO by showing your organization's commitment to security and compliance.