Control: 1.18 Ensure IAM instance roles are used for AWS resource access from instances
Description
AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.
AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.
Additionally, if credentials are encoded into compiled applications or other hard to change mechanisms, then they are even more unlikely to be properly rotated due to service disruption risks. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization owning the credentials.
Remediation
From Console:
- Sign in to the AWS Management Console and navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
- In the left navigation panel, choose
Instances
. - Select the EC2 instance you want to modify.
- Click
Actions
. - Click
Security
. - Click
Modify IAM role
. - Click
Create new IAM role
if a new IAM role is required. - Select the IAM role you want to attach to your instance in the
IAM role
dropdown. - Click
Update IAM role
. - Repeat steps 3 to 9 for each EC2 instance in your AWS account that requires an IAM role to be attached.
From Command Line:
- Run the
describe-instances
command to list all EC2 instance IDs, available in the selected AWS region:
aws ec2 describe-instances --region <region-name> --query 'Reservations[*].Instances[*].InstanceId'
- Run the
associate-iam-instance-profile
command to attach an instance profile (which is attached to an IAM role) to the EC2 instance:
aws ec2 associate-iam-instance-profile --region <region-name> --instance-id <Instance-ID> --iam-instance-profile Name="Instance-Profile-Name"
- Run the
describe-instances
command again for the recently modified EC2 instance. The command output should return the instance profile ARN and ID:
aws ec2 describe-instances --region <region-name> --instance-id <Instance-ID> --query 'Reservations[*].Instances[*].IamInstanceProfile'
- Repeat steps 1 to 3 for each EC2 instance in your AWS account that requires an IAM role to be attached.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v200_1_18
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v200_1_18 --share
SQL
This control uses a named query:
manual_control