Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 2.17 Ensure IAM instance roles are used for AWS resource access from instances

Description

AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.

Remediation

From Console:

  1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the left navigation panel, choose Instances.
  3. Select the EC2 instance you want to modify.
  4. Click Actions.
  5. Click Security.
  6. Click Modify IAM role.
  7. Click Create new IAM role if a new IAM role is required.
  8. Select the IAM role you want to attach to your instance in the IAM role dropdown.
  9. Click Update IAM role.
  10. Repeat steps 3 to 9 for each EC2 instance in your AWS account that requires an IAM role to be attached.

From Command Line:

  1. Run the describe-instances command to list all EC2 instance IDs in the selected AWS region:
aws ec2 describe-instances --region <region-name> --query 'Reservations[*].Instances[*].InstanceId'
  1. Run the associate-iam-instance-profile command to attach an instance profile (which is attached to an IAM role) to the EC2 instance:
aws ec2 associate-iam-instance-profile --region <region-name> --instance-id <Instance-ID> --iam-instance-profile Name="Instance-Profile-Name"
  1. Run the describe-instances command again for the recently modified EC2 instance. The command output should return the instance profile ARN and ID:
aws ec2 describe-instances --region <region-name> --instance-id <Instance-ID> --query 'Reservations[*].Instances[*].IamInstanceProfile'
  1. Repeat steps 2 and 3 for each EC2 instance in your AWS account that requires an IAM role to be attached.

Default Value:

By default, EC2 instances are launched without an IAM role attached. Applications running on the instance must use embedded credentials or manually assigned access keys unless an instance role is explicitly configured.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_17 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when iam_instance_profile_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when iam_instance_profile_arn is not null then title || ' uses IAM role for access.'
    else title || ' does not use IAM role for access.'
  end as reason
  
  , region, account_id
from
  aws_ec2_instance;

Tags

category = Compliance
cis = true
cis_item_id = 2.17
cis_level = 2
cis_section_id = 2
cis_type = automated
cis_version = v6.0.0
plugin = aws
service = AWS/IAM