
Rule: EC2 Instances Should Have IAM Profile Attached

This rule ensures that all EC2 instances have an IAM profile attached for secure access control.

Rule: EC2 instances should have IAM profile attached
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

EC2 instances should have an IAM (Identity and Access Management) instance profile attached, in line with the access-control requirements of NIST (National Institute of Standards and Technology) 800-171 Revision 2. An instance profile lets the workload obtain short-lived, automatically rotated credentials for the attached role through the instance metadata service, so operators have no reason to bake long-lived access keys into AMIs, user data or configuration files, which is the usual alternative and a frequent source of credential leaks. The policy is important to ensure the correct access controls are in place, minimizing the risk of unauthorized access to sensitive data and resources. Note that the rule only checks presence: a profile whose role is over-privileged still violates least privilege, so scope the role to what the instance actually needs.

Troubleshooting Steps

If an EC2 instance does not have an IAM profile attached, follow these troubleshooting steps to remediate the issue:

  1. Identify the EC2 instance(s) without an IAM profile:

    • Navigate to the EC2 Dashboard in the AWS Management Console.
    • Select "Instances" from the left-hand menu.
    • The console has no filter for "no profile": open each instance's Details tab and check the "IAM Role" field, or add the IAM role column to the instance list and look for empty values.
  2. Verify IAM permissions:

    • Ensure you have the necessary IAM permissions to attach an IAM profile to EC2 instances.
    • Required permissions: "ec2:AssociateIamInstanceProfile" on the instance (plus "ec2:ReplaceIamInstanceProfileAssociation" when swapping an existing profile) and "iam:PassRole" on the role being attached. Creating the role and profile additionally needs "iam:CreateRole", "iam:AttachRolePolicy", "iam:CreateInstanceProfile" and "iam:AddRoleToInstanceProfile".
    • Scope "iam:PassRole" to specific role ARNs: whoever can pass a privileged role to an instance they control can read that role's credentials from the instance, so an unscoped PassRole is a privilege-escalation path.
  3. Create an IAM role and profile (when EC2 is chosen as the trusted service, the console creates an instance profile with the same name automatically):

    • Go to the IAM Dashboard in the AWS Management Console.
    • Navigate to "Roles" and click on "Create role".
    • Select the service that will use the role ("EC2") and click "Next: Permissions".
    • Attach only the policies the workload needs; NIST 800-171 Revision 2 requires least privilege (3.1.5), so an over-broad role attached to every instance is itself a finding.
    • Click "Next: Tags" to add any necessary tags (optional), then "Next: Review".
    • Provide a meaningful name for the role, review the details and click "Create role".
  4. Attach the IAM profile to EC2 instance(s):

    • Go back to the EC2 Dashboard and select the instance(s) without an IAM profile.
    • Click on "Actions", choose "Security", then "Modify IAM role" (older console: "Instance Settings", then "Attach/Replace IAM Role").
    • Select the newly created IAM role from the drop-down menu and apply the change. The instance does not need to be stopped.
  5. Verify the IAM profile attachment:

    • Refresh the EC2 instance details and verify that the "IAM Role" field now shows the role.
    • From inside the instance, the role's temporary credentials should be listed at the instance metadata path /latest/meta-data/iam/security-credentials/; if they are not, the association has not taken effect yet.

Necessary Codes

If you prefer to use the AWS CLI, here are the necessary commands for creating an IAM profile and attaching it to an EC2 instance. Unlike the console, the CLI does not create the instance profile for you, so steps 3 and 4 are required:

  1. Create an IAM role, where trust-policy.json is a trust policy that allows the EC2 service principal (ec2.amazonaws.com) to call sts:AssumeRole:
aws iam create-role --role-name <role_name> --assume-role-policy-document file://trust-policy.json --description "<role_description>"
  2. Attach policies to the IAM role:
aws iam attach-role-policy --role-name <role_name> --policy-arn <policy_arn>

Repeat this step for each required policy.

  3. Create an IAM instance profile and add the IAM role to it:
aws iam create-instance-profile --instance-profile-name <profile_name>
aws iam add-role-to-instance-profile --instance-profile-name <profile_name> --role-name <role_name>
  4. Attach the IAM profile to EC2 instance(s):
aws ec2 associate-iam-instance-profile --instance-id <instance_id> --iam-instance-profile Name=<profile_name>

This call fails if the instance already has a profile; use "aws ec2 replace-iam-instance-profile-association" with the existing association ID instead. A newly created profile can also take a few seconds to become visible to EC2, so retry if the call rejects the profile name as invalid right after creation.
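The troubleshooting steps and the CLI commands above, combined into one re-runnable script: it finds the instances without a profile, creates the role and instance profile once, attaches the profile and reports the association state. This is an added example, not Cloud Defense's or AWS's own code. The role name ec2-baseline-role, the profile name ec2-baseline-profile, the AmazonSSMManagedInstanceCore policy as the starting permission set and the file name remediate.sh are assumptions; the trust policy shown is the content trust-policy.json needs.

```shell
#!/bin/sh
# Added example (not Cloud Defense's own code): the page's remediation procedure
# as a re-runnable script built from the AWS CLI commands above. Role, profile
# and policy names below are assumptions; change them to fit your account.
set -eu

ROLE_NAME="${ROLE_NAME:-ec2-baseline-role}"            # assumed role name
PROFILE_NAME="${PROFILE_NAME:-ec2-baseline-profile}"   # assumed profile name
# Assumed least-privilege starting point (lets the instance register with SSM only).
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore}"

# Trust policy the page's trust-policy.json must contain: only the EC2 service
# principal may assume the role.
make_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Detection filter. Input lines are "InstanceId<TAB>ProfileArn" as produced by
# `aws ... --output text`, which prints None when IamInstanceProfile is absent.
# Output: the instance ids with no profile, one per line.
filter_missing_profile() {
  awk -F "$(printf '\t')" '$2 == "None" { print $1 }'
}

# Live detection over every running or stopped instance in the current region.
list_instances_without_profile() {
  aws ec2 describe-instances \
    --filters Name=instance-state-name,Values=running,stopped \
    --query 'Reservations[].Instances[].[InstanceId,IamInstanceProfile.Arn]' \
    --output text | filter_missing_profile
}

# Create the role and the instance profile once; safe to run repeatedly.
ensure_profile() {
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(make_trust_policy)" \
      --description "Baseline role for EC2 instances (NIST 800-171 Rev 2)" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  if ! aws iam get-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null 2>&1; then
    aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
    sleep 10   # IAM is eventually consistent; EC2 may reject a profile created seconds ago
  fi
}

# Attach the profile to one instance, then report the association state.
# associate-iam-instance-profile fails if the instance already has a profile;
# that case needs replace-iam-instance-profile-association and is not handled here.
attach_profile() {
  instance_id="$1"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile "Name=$PROFILE_NAME" >/dev/null
  aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=$instance_id" \
    --query 'IamInstanceProfileAssociations[0].State' --output text
}

main() {
  ensure_profile
  list_instances_without_profile | while read -r id; do
    echo "$id: $(attach_profile "$id")"
  done
}

# Only touch the account when invoked as: sh remediate.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Source the file and call list_instances_without_profile to see the findings without changing anything; pass --run to remediate. The script attaches one shared baseline role to every unremediated instance, which satisfies this rule but not least privilege: workloads that need more than SSM access should get their own role rather than additional policies on the shared one.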

Step-by-Step Guide for Remediation

Follow each step below to remediate the EC2 instances that don't have an IAM profile attached, based on the given policy:

  1. Log in to the AWS Management Console and navigate to the EC2 Dashboard.

  2. Identify the EC2 instance(s) without an IAM profile.

  3. Make sure you have the necessary IAM permissions to attach an IAM profile to EC2 instances (iam:PassRole on the role and ec2:AssociateIamInstanceProfile on the instance).

  4. Go to the IAM Dashboard and create an IAM role for EC2 instances. Assign only the policies the workload needs, in line with the least-privilege requirement of NIST 800-171 Revision 2.

  5. Once the IAM role is created, go back to the EC2 Dashboard and select the instances without an IAM profile.

  6. Click on "Actions", then "Security", and choose "Modify IAM role" (older console: "Instance Settings", then "Attach/Replace IAM Role").

  7. Select the newly created IAM role from the drop-down menu and apply the change.

  8. Verify that the IAM profile has been successfully attached by refreshing the EC2 instance details.

By following these steps, you will ensure that all EC2 instances have an IAM profile attached, meeting the requirements outlined by NIST 800-171 Revision 2.
