This rule checks that EC2 instances access AWS resources through IAM instance roles rather than static credentials stored on the instance.
Rule | Ensure IAM instance roles are used for AWS resource access from instances |
Framework | cis_v140 |
Severity | Medium |
Ensure IAM Instance Roles Are Used for AWS Resource Access from Instances (CIS_V1.4.0)
Overview
IAM instance roles offer a secure and scalable way to manage the credentials that applications and systems on EC2 instances need to access AWS resources. By using IAM roles for EC2 instances, you can avoid the need to manage static AWS credentials on the instances.
Instance roles are preferred over static credentials because the role is bound to the EC2 instance and the credentials it yields are temporary: they expire and are rotated automatically, so there is no long-lived access key on the instance to leak. The temporary credentials are still readable from the instance metadata service by any process on the instance, so keep the role's permissions minimal and require IMDSv2 (HttpTokens=required) to make them harder to steal through SSRF.
Rule Details
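The page does not spell out how to audit this rule. As an added example that is not part of the CIS page, the boto3 code below reports instances that have no IAM instance profile attached, which is the observable signal that a workload on them must be using some other credential. The describe_instances data is constructed inline; the region name and the sample instance IDs and account number are assumptions.

```python
"""Added example (not part of the CIS page): audit EC2 instances that have no
IAM instance profile attached. The describe_instances data below is constructed
for the example; the live path at the bottom needs boto3 and credentials."""

# Constructed sample in the shape of ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0a11111111111111a", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"}},
        {"InstanceId": "i-0b22222222222222b", "State": {"Name": "running"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0c33333333333333c", "State": {"Name": "stopped"}},
        {"InstanceId": "i-0d44444444444444d", "State": {"Name": "terminated"}},
    ]},
]


def instances_without_profile(reservations, include_stopped=False):
    """Return the IDs of instances with no IamInstanceProfile.

    Terminated instances are always ignored. Only running instances are
    reported by default, because those are the ones that can make API calls
    right now; include_stopped=True also reports stopped/pending instances so
    they get fixed before they next start."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if state == "terminated":
                continue
            if state != "running" and not include_stopped:
                continue
            # A missing or empty IamInstanceProfile means no role is attached.
            if not inst.get("IamInstanceProfile"):
                findings.append(inst["InstanceId"])
    return findings


def audit_region(region_name):
    """Live check for one region: paginate describe_instances and filter.
    Requires boto3 and AWS credentials; not exercised by the offline sample."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return instances_without_profile(reservations, include_stopped=True)


if __name__ == "__main__":
    print(instances_without_profile(SAMPLE_RESERVATIONS))  # ['i-0b22222222222222b']
```

Two caveats when reading the output: an instance that does have a profile can still carry static keys in a config file or environment variable, which only host-level inspection (for example of ~/.aws/credentials) will reveal, and the presence of a profile says nothing about whether the attached role is least-privilege. Run audit_region across every enabled region, since instances in a region you do not normally use are the ones most often missed.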
Remediation Steps
Creating IAM Roles for EC2
Attaching IAM Role to EC2 Instance
Troubleshooting
If your applications on EC2 instances are unable to access AWS resources after you've assigned an IAM role, check the following:
Necessary CLI Commands
To create an instance profile and role with the AWS CLI, you can use the following commands:
Create a Role (my-policy.json here is the role's trust policy, not its permissions policy; it must allow the ec2.amazonaws.com service principal to call sts:AssumeRole, otherwise the instance cannot obtain credentials)
aws iam create-role --role-name my-role --assume-role-policy-document file://my-policy.json
Attach a Policy to the Role
aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Create an Instance Profile
aws iam create-instance-profile --instance-profile-name my-instance-profile
Add the Role to the Instance Profile
aws iam add-role-to-instance-profile --instance-profile-name my-instance-profile --role-name my-role
Attach the Instance Profile to an EC2 Instance (if the instance already has a profile associated, use replace-iam-instance-profile-association instead)
aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=my-instance-profile
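The same five steps as one boto3 routine, added here as an example and not taken from the CIS page. It supplies the EC2 trust policy the commands above leave unspecified, is safe to re-run against objects that already exist, and retries the final association because IAM is eventually consistent and EC2 can reject a just-created profile name for a few seconds. The role, profile and policy names and the instance ID are the page's placeholders; the retry count, the profile-name default and the region are my assumptions.

```python
"""Added example (not from the CIS page): the five CLI steps above as one boto3 routine.

Assumptions (mine, not the page's): boto3 clients are passed in, the instance
profile is named after the role, and the permissions policy is an existing ARN.
"""
import json
import time


def ec2_trust_policy():
    """Trust policy for the --assume-role-policy-document argument: only the
    EC2 service principal may assume the role. This is the document the page
    refers to as my-policy.json; it is not the permissions policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def attach_instance_role(iam, ec2, instance_id, role_name, policy_arn,
                         profile_name=None, attempts=6, sleep=time.sleep):
    """Create the role and instance profile if missing, bind them, and associate
    the profile with the instance. Idempotent for existing objects. Returns the
    association response from EC2."""
    profile_name = profile_name or role_name

    # 1. Create the role with the EC2 trust policy.
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()),
        )
    except iam.exceptions.EntityAlreadyExistsException:
        pass

    # 2. Attach the (least-privilege) permissions policy; attaching twice is a no-op.
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)

    # 3. Create the instance profile.
    try:
        iam.create_instance_profile(InstanceProfileName=profile_name)
    except iam.exceptions.EntityAlreadyExistsException:
        pass

    # 4. Add the role to the profile (a profile holds at most one role).
    profile = iam.get_instance_profile(InstanceProfileName=profile_name)
    if not any(r["RoleName"] == role_name for r in profile["InstanceProfile"]["Roles"]):
        iam.add_role_to_instance_profile(InstanceProfileName=profile_name,
                                         RoleName=role_name)

    # 5. Associate the profile. IAM is eventually consistent, so EC2 may reject a
    #    freshly created profile name with InvalidParameterValue; retry with backoff.
    for attempt in range(attempts):
        try:
            return ec2.associate_iam_instance_profile(
                IamInstanceProfile={"Name": profile_name}, InstanceId=instance_id)
        except ec2.exceptions.ClientError as err:
            code = err.response["Error"]["Code"]
            if code != "InvalidParameterValue" or attempt == attempts - 1:
                raise
            sleep(2 ** attempt)


def main(instance_id, role_name, policy_arn, region):
    """Live usage; requires boto3 and AWS credentials."""
    import boto3
    iam = boto3.client("iam")
    ec2 = boto3.client("ec2", region_name=region)
    resp = attach_instance_role(iam, ec2, instance_id, role_name, policy_arn)
    print(resp["IamInstanceProfileAssociation"]["State"])


if __name__ == "__main__":
    main("i-1234567890abcdef0", "my-role",
         "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "us-east-1")
```

Only InvalidParameterValue is retried; any other error, such as the IncorrectState returned when the instance already has a profile associated, is raised immediately so that the caller decides whether to call replace_iam_instance_profile_association instead of silently looping. Once the association is in place, remove any static access keys the application was using from the instance and deactivate them in IAM, since leaving them in place defeats the point of the change.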
Conclusion
By following these steps, applications on your EC2 instances can access other AWS resources through IAM roles instead of static credentials. Grant each role only the permissions it needs, following the principle of least privilege, so that a compromised instance exposes as little of your AWS environment as possible.