
Rule: Ensure IAM Instance Roles for AWS Resource Access

This rule ensures IAM instance roles are used for accessing AWS resources.

Rule: Ensure IAM instance roles are used for AWS resource access from instances
Framework: cis_v140
Severity: Medium

Ensure IAM Instance Roles Are Used for AWS Resource Access from Instances (CIS_V1.4.0)

Overview

IAM instance roles offer a secure and scalable way to manage the credentials that applications and systems on EC2 instances need to access AWS resources. By using IAM roles for EC2 instances, you can avoid the need to manage static AWS credentials on the instances.

Instance roles are preferred over static credentials because they are assigned to the EC2 instance and provide temporary credentials that expire and are rotated automatically. This removes the exposure of long-lived fixed credentials that could be copied and reused if compromised.

Rule Details

  • Description: Instances should use IAM roles to allow applications to access other AWS services without storing credentials within the EC2 instances.
  • Rationale: Roles provide an identity to applications that run on your instances to make AWS requests. Roles supply temporary permissions that applications can use when they make calls to other AWS resources.

Remediation Steps

Creating IAM Roles for EC2

  1. Navigate to the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click on "Roles" then "Create role".
  3. Choose the service that will use this role (EC2), and click "Next: Permissions".
  4. Attach appropriate policies for the service to interact with other AWS services, then click "Next: Tags".
  5. (Optional) Add any tags you wish to establish, and click "Next: Review".
  6. Provide a role name and description. Click "Create role".

Attaching IAM Role to EC2 Instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, click on "Instances".
  3. Select the instance you want to attach the role to. Then select the "Actions" button, choose "Security", then "Modify IAM Role".
  4. In the "IAM role" drop-down, select the role you created and click "Update IAM role".

Troubleshooting

If your applications on EC2 instances are unable to access AWS resources after you've assigned an IAM role, check the following:

  • Role Permissions: Confirm the IAM role has the required permissions for the services it needs to access.
  • Instance Profile: Make sure the IAM role is attached to an instance profile and associated with the EC2 instance.
  • Policy Trust Relationships: Verify the role's trust relationships allow the EC2 service to assume the role.

Necessary CLI Commands

To create an instance profile and role with the AWS CLI, you can use the following commands:

Create a Role

aws iam create-role --role-name my-role --assume-role-policy-document file://my-policy.json

Attach a Policy to the Role

aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create an Instance Profile

aws iam create-instance-profile --instance-profile-name my-instance-profile

Add the Role to the Instance Profile

aws iam add-role-to-instance-profile --instance-profile-name my-instance-profile --role-name my-role

Attach the Instance Profile to an EC2 Instance

aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=my-instance-profile
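The create-role command above reads the role's trust policy from my-policy.json, and the troubleshooting list says to verify that this policy lets the EC2 service assume the role. The following added Python example (not part of the original page or the Cloud Defense product) shows what that document should contain and runs an offline check over constructed sample documents: it flags a role that EC2 cannot assume and a role that any principal could assume.

```python
import json

EC2_SERVICE = "ec2.amazonaws.com"

def _statements(trust_policy: str) -> list:
    """AWS allows "Statement" to be a single object or a list; normalise to a list."""
    stmts = json.loads(trust_policy).get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def _as_list(value) -> list:
    """Action and Principal.* values may be a string or a list; normalise to a list."""
    return [] if value is None else ([value] if isinstance(value, str) else list(value))

def ec2_can_assume(trust_policy: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to the EC2 service principal."""
    for stmt in _statements(trust_policy):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and EC2_SERVICE in _as_list(principal.get("Service")):
            return True
    return False

def has_wildcard_principal(trust_policy: str) -> bool:
    """True if an Allow statement lets any principal ("*") assume the role."""
    for stmt in _statements(trust_policy):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and (
            principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        ):
            return True
    return False

# Constructed sample documents (not taken from the page). EC2_TRUST_POLICY is the
# content my-policy.json needs for the create-role command above.
EC2_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]})
# Trusts only Lambda: an instance with this role never receives credentials.
LAMBDA_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}})
# Overly broad: any AWS principal may assume the role.
OPEN_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]})
```

A wildcard principal is reported separately rather than accepted as "EC2 can assume", since a trust policy open to everyone fails the least-privilege expectation in the conclusion below.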

Conclusion

By following these steps, your application on EC2 instances should be able to securely access other AWS resources using IAM roles instead of static credentials. Ensure that the roles have the minimal necessary permissions following the principle of least privilege, reducing the security risk to your AWS environment.
