
πŸ“ AWS EC2 Instance IAM role is not attached 🟒

  • Contextual name: πŸ“ Instance IAM role is not attached 🟒
  • ID: /ce/ca/aws/ec2/instance-iam-role
  • Located in: πŸ“ AWS EC2

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-6c93750d1

Logic

Description

AWS access from within AWS instances can be done either by embedding AWS access keys in the AWS API calls themselves or by assigning the instance a role that carries a permissions policy granting the required access. "AWS access" means calling AWS APIs in order to use AWS resources or manage resources in the AWS account.

Rationale

AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If long-lived credentials are compromised, they can be used from outside the AWS account they grant access to. In contrast, to leverage role permissions an attacker would need to gain and maintain access to a specific instance in order to use the privileges associated with it.

Additionally, if credentials are encoded into compiled applications or other hard-to-change mechanisms, they are even less likely to be rotated properly, because rotation risks service disruption. As time goes on, credentials that cannot be rotated are increasingly likely to be known by individuals who no longer work for the organization that owns them.

Remediation

From Console

  1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the left navigation panel, choose Instances.
  3. Select the EC2 instance you want to modify.
  4. Click Actions.
  5. Click Security.
  6. Click Modify IAM role.
  7. Click Create new IAM role if a new IAM role is required.
  8. Select the IAM role you want to attach to your instance in the IAM role dropdown.
  9. Click Update IAM role.
  10. Repeat steps 3 to 9 for each EC2 instance in your AWS account that requires an IAM role to be attached.

From Command Line

  1. Run the describe-instances command to list all EC2 instance IDs available in the selected AWS region:

     aws ec2 describe-instances --region <region-name> --query 'Reservations[*].Instances[*].InstanceId'

  2. Run the associate-iam-instance-profile command to attach an instance profile (which is bound to an IAM role) to the EC2 instance:

     aws ec2 associate-iam-instance-profile --region <region-name> --instance-id <Instance-ID> --iam-instance-profile Name="Instance-Profile-Name"
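The two command-line steps above, scripted as an added example (not Cloudaware's or AWS's own code): paginate describe-instances, pick out the instances that have no instance profile, and associate one with each. The sample pages are constructed, `PROFILE_NAME` is a placeholder, and boto3 with suitable credentials is assumed only for the live path under `__main__`.

```python
"""Added example, not Cloudaware's or AWS's code: audit EC2 instances for a
missing IAM instance profile and attach one, the same steps as the CLI above.
PROFILE_NAME is a placeholder; the sample pages are constructed; boto3 and
credentials are assumed only for the live path under __main__."""
from typing import Callable, Iterable

PROFILE_NAME = "Instance-Profile-Name"  # placeholder, as in the CLI step

# Constructed describe-instances pages: one compliant instance, one missing a
# profile, and one terminated instance that cannot be remediated.
SAMPLE_PAGES = [
    {"Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"}},
        {"InstanceId": "i-0bbb222", "State": {"Name": "stopped"}}]}]},
    {"Reservations": [{"Instances": [
        {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"}}]}]},
]


def instances_without_profile(pages: Iterable[dict]) -> list[str]:
    """Return IDs of non-terminated instances that have no IamInstanceProfile."""
    missing = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                if inst.get("State", {}).get("Name") == "terminated":
                    continue  # a profile cannot be attached to a terminated instance
                if not inst.get("IamInstanceProfile"):
                    missing.append(inst["InstanceId"])
    return missing


def attach_profile(associate: Callable[..., dict], instance_ids: list[str],
                   profile_name: str) -> dict[str, str]:
    """Attach the profile to each finding; `associate` is boto3's
    ec2.associate_iam_instance_profile (or a test double). Returns id -> association id."""
    associations = {}
    for iid in instance_ids:
        resp = associate(IamInstanceProfile={"Name": profile_name}, InstanceId=iid)
        associations[iid] = resp["IamInstanceProfileAssociation"]["AssociationId"]
    return associations


if __name__ == "__main__":
    import boto3  # live run only; needs ec2:DescribeInstances, ec2:AssociateIamInstanceProfile, iam:PassRole
    ec2 = boto3.client("ec2")
    pages = ec2.get_paginator("describe_instances").paginate()
    print(attach_profile(ec2.associate_iam_instance_profile,
                         instances_without_profile(pages), PROFILE_NAME))
```

Run against the live client it only touches instances that are not terminated and have no profile; instances that already have one are left untouched, so the script is safe to re-run.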


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software.33
💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.88
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3436
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;55
💼 APRA CPG 234 → 💼 b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of ‘least privilege’ and aims to reduce the number of attack vectors that can be used to compromise information security;33
💼 APRA CPG 234 → 💼 h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security;33
💼 CIS AWS v1.2.0 → 💼 1.19 Ensure IAM instance roles are used for AWS resource access from instances11
💼 CIS AWS v1.3.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances11
💼 CIS AWS v1.4.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances11
💼 CIS AWS v1.5.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Manual)11
💼 CIS AWS v2.0.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Automated)11
💼 CIS AWS v3.0.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Automated)11
💼 CIS AWS v4.0.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1
💼 CIS AWS v4.0.1 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1
💼 CIS AWS v5.0.0 → 💼 1.17 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1
💼 Cloudaware Framework → 💼 Secure Access43
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)67
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)3747
💼 FedRAMP High Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)44
💼 FedRAMP High Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)22
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)61420
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)47
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)120
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)7
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)47
💼 FedRAMP Moderate Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)4
💼 FedRAMP Moderate Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)2
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)420
💼 ISO/IEC 27001:2013 → 💼 A.9.2.2 User access provisioning44
💼 ISO/IEC 27001:2022 → 💼 5.3 Segregation of duties22
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control1416
💼 ISO/IEC 27001:2022 → 💼 5.18 Access rights46
💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights77
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction1011
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1922
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions48
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1922
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions8
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated22
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(1) Least Privilege _ Authorize Access to Security Functions22
💼 NIST SP 800-53 Revision 5 → 💼 AU-9(4) Protection of Audit Information _ Access by Subset of Privileged Users22