turbot/steampipe-mod-aws-compliance

Control: Ensure IAM instance roles are used for AWS resource access from instances

Description

AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ec2_instance_using_iam_instance_role

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ec2_instance_using_iam_instance_role --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when iam_instance_profile_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when iam_instance_profile_arn is not null then title || ' uses IAM role for access.'
    else title || ' does not use IAM role for access.'
  end as reason
  , region, account_id
from
  aws_ec2_instance;
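To see what the control's status and reason expressions produce, here is an added example (not part of the mod) that evaluates the same logic against a constructed stand-in for the aws_ec2_instance table. It runs on any PostgreSQL instance, which is also what Steampipe exposes its tables through; the CTE name aws_ec2_instance_sample, the instance ids, ARNs and account ids are all placeholders invented for the example.

```sql
-- Added example, not the mod's own query: the control logic evaluated
-- over constructed rows that mimic the columns aws_ec2_instance exposes.
-- All ARNs, instance ids and account ids below are invented placeholders.
with aws_ec2_instance_sample (arn, title, iam_instance_profile_arn, region, account_id) as (
  values
    -- instance with an instance profile attached: expected status 'ok'
    ('arn:aws:ec2:us-east-1:111111111111:instance/i-0aaaaaaaaaaaaaaaa', 'i-0aaaaaaaaaaaaaaaa',
     'arn:aws:iam::111111111111:instance-profile/app-role', 'us-east-1', '111111111111'),
    -- instance with no instance profile: expected status 'alarm'
    ('arn:aws:ec2:us-east-1:111111111111:instance/i-0bbbbbbbbbbbbbbbb', 'i-0bbbbbbbbbbbbbbbb',
     null, 'us-east-1', '111111111111'),
    -- second account, also without a profile: expected status 'alarm'
    ('arn:aws:ec2:eu-west-1:222222222222:instance/i-0cccccccccccccccc', 'i-0cccccccccccccccc',
     null, 'eu-west-1', '222222222222')
),
evaluated as (
  -- identical to the control's named query, with the sample CTE in place of the real table
  select
    arn as resource,
    case
      when iam_instance_profile_arn is not null then 'ok'
      else 'alarm'
    end as status,
    case
      when iam_instance_profile_arn is not null then title || ' uses IAM role for access.'
      else title || ' does not use IAM role for access.'
    end as reason,
    region,
    account_id
  from
    aws_ec2_instance_sample
)
-- findings as the control would report them, alarms listed first
select
  resource,
  status,
  reason,
  region,
  account_id
from
  evaluated
order by
  status,   -- 'alarm' sorts before 'ok'
  resource;
```

Replacing the sample CTE with the real aws_ec2_instance table reproduces the control. Note that the check is presence-only: an instance is reported 'ok' as soon as any instance profile ARN is attached, so the permissions granted by the profile's role are reviewed separately.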

Tags