This rule ensures that all EC2 instances have an IAM profile attached for secure access control.
| Rule | EC2 instances should have IAM profile attached |
| --- | --- |
| Framework | NIST 800-171 Revision 2 |
| Severity | Medium |
Rule Description
EC2 instances should have an IAM (Identity and Access Management) instance profile attached, in line with the security guidelines of NIST (National Institute of Standards and Technology) 800-171 Revision 2. An instance profile lets the instance obtain temporary credentials for its IAM role instead of relying on long-lived access keys stored on the host, so the correct access controls are enforced and the risk of unauthorized access to sensitive data and resources is minimized.
Troubleshooting Steps
If an EC2 instance does not have an IAM profile attached, follow these troubleshooting steps to remediate the issue:
1. Identify the EC2 instance(s) without an IAM profile.
2. Verify IAM permissions.
3. Create an IAM role and instance profile.
4. Attach the IAM profile to the EC2 instance(s).
5. Verify the IAM profile attachment.
Necessary Commands
If you prefer to use the AWS CLI, these are the commands for creating an IAM role and instance profile and attaching it to an EC2 instance (the trust-policy.json file must allow the EC2 service to assume the role):
aws iam create-role --role-name <role_name> --assume-role-policy-document file://trust-policy.json --description "<role_description>"
aws iam attach-role-policy --role-name <role_name> --policy-arn <policy_arn>
Repeat this step for each required policy.
aws iam create-instance-profile --instance-profile-name <profile_name>
aws iam add-role-to-instance-profile --instance-profile-name <profile_name> --role-name <role_name>
IAM is eventually consistent, so a newly created profile may take a few seconds to become usable by the next command.
aws ec2 associate-iam-instance-profile --instance-id <instance_id> --iam-instance-profile Name=<profile_name>
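The identification step above gives no command, so here is an added example (not part of the original rule page) that evaluates a DescribeInstances response for instances lacking an instance profile, together with the trust policy document the create-role command expects; the sample response, instance IDs and account number are constructed placeholders.

```python
"""Offline check for the "EC2 instances should have IAM profile attached" rule.
Added example, not from the rule page. It evaluates the structure returned by
ec2:DescribeInstances (e.g. boto3.client("ec2").describe_instances()); the
sample below is constructed, and instance IDs and account number are placeholders.
"""
import json

# Constructed sample in the shape of a DescribeInstances response.
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example00000001", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/example"}},
        {"InstanceId": "i-0example00000002", "State": {"Name": "running"}},
        {"InstanceId": "i-0example00000003", "State": {"Name": "terminated"}},
    ]}]
}


def find_instances_without_profile(response, ignore_states=("terminated",)):
    """Return IDs of instances that have no IAM instance profile attached.
    The IamInstanceProfile key is absent when nothing is attached, so this is a
    presence test. Terminated instances are skipped by default (not remediable).
    """
    missing = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") in ignore_states:
                continue
            if not inst.get("IamInstanceProfile", {}).get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


def ec2_trust_policy():
    """Contents for the trust-policy.json used by the create-role command:
    it lets only the EC2 service assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    # With live credentials, feed each page from
    # boto3.client("ec2").get_paginator("describe_instances").paginate() instead.
    print("Non-compliant:", find_instances_without_profile(SAMPLE_RESPONSE))
    print(json.dumps(ec2_trust_policy(), indent=2))
```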
Step-by-Step Guide for Remediation
Follow each step below to remediate the EC2 instances that don't have an IAM profile attached, based on the given policy:
1. Log in to the AWS Management Console and navigate to the EC2 Dashboard.
2. Identify the EC2 instance(s) without an IAM profile.
3. Make sure you have the necessary IAM permissions to attach an IAM profile to EC2 instances.
4. Go to the IAM Dashboard and create an IAM role for EC2 instances. Assign the appropriate policies based on the NIST 800-171 Revision 2 requirements.
5. Once the IAM role is created, go back to the EC2 Dashboard and select the instances without an IAM profile.
6. Click on "Actions", then "Instance Settings", and choose "Attach/Replace IAM Role".
7. Select the newly created IAM role from the drop-down menu and click "Apply".
8. Verify that the IAM profile has been successfully attached by refreshing the EC2 instance details.
By following these steps, you will ensure that all EC2 instances have an IAM profile attached, meeting the requirements outlined by NIST 800-171 Revision 2.