🛡️ AWS EC2 Instance IAM role is not attached🟢

✉️ dec-x-6c93750d1

Description

AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.

Rationale

AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account they give access to. In contrast, in order to leverage role permissions an attacker would need to gain and maintain access to a specific instance to use the privileges associated with it.

Additionally, if credentials are encoded into compiled applications or other hard-to-change mechanisms, they are even less likely to be properly rotated because of the risk of service disruption. As time goes on, credentials that cannot be rotated are more likely to be known by an increasing number of individuals who no longer work for the organization that owns them.

Remediation

From Console

  1. Sign in to the AWS Management Console and navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the left navigation panel, choose Instances.
  3. Select the EC2 instance you want to modify.
  4. Click Actions.
  5. Click Security.
  6. Click Modify IAM role.
  7. Click Create new IAM role if a new IAM role is required.
  8. Select the IAM role you want to attach to your instance in the IAM role dropdown.
  9. Click Update IAM role.
  10. Repeat steps 3 to 9 for each EC2 instance in your AWS account that requires an IAM role to be attached.

From Command Line

  1. Run the describe-instances command to list all EC2 instance IDs available in the selected AWS region:

     aws ec2 describe-instances --region <region-name> --query 'Reservations[*].Instances[*].InstanceId'

  2. Run the associate-iam-instance-profile command to attach an instance profile (which is attached to an IAM role) to the EC2 instance:

     aws ec2 associate-iam-instance-profile --region <region-name> --instance-id <Instance-ID> --iam-instance-profile Name="Instance-Profile-Name"
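The command-line steps above list every instance and then attach a profile one at a time. The following Python is an added example, not code from the original page or from the rule's own logic engine: it evaluates the check this rule expresses (instance has no IamInstanceProfile) over the JSON shape that `aws ec2 describe-instances` returns and emits the matching `associate-iam-instance-profile` commands for review. The response is a constructed sample embedded inline so the script runs offline; the instance IDs, account ID, profile name and region are placeholders, and in practice the dict would come from `aws ec2 describe-instances --output json` or boto3's `describe_instances()`.

```python
"""Detect EC2 instances with no IAM instance profile and plan remediation.

Added example. The input mirrors the Reservations -> Instances structure of
`aws ec2 describe-instances`; the data below is constructed, not real.
"""
from __future__ import annotations

import json

# Constructed sample response. Instance IDs, account ID and ARNs are placeholders.
#   ...001 running, has a profile          -> compliant
#   ...002 running, no profile             -> finding
#   ...003 stopped, no profile             -> finding (profile can still be attached)
#   ...004 terminated, no profile          -> ignored (cannot be remediated)
SAMPLE_DESCRIBE_INSTANCES: dict = json.loads(r"""
{
  "Reservations": [
    {
      "ReservationId": "r-0example000000001",
      "Instances": [
        {
          "InstanceId": "i-0example000000001",
          "State": {"Code": 16, "Name": "running"},
          "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/app-server-profile",
            "Id": "AIPAEXAMPLEID000001"
          },
          "Tags": [{"Key": "Name", "Value": "app-server-1"}]
        },
        {
          "InstanceId": "i-0example000000002",
          "State": {"Code": 16, "Name": "running"},
          "Tags": [{"Key": "Name", "Value": "batch-worker-1"}]
        }
      ]
    },
    {
      "ReservationId": "r-0example000000002",
      "Instances": [
        {"InstanceId": "i-0example000000003", "State": {"Code": 80, "Name": "stopped"}},
        {"InstanceId": "i-0example000000004", "State": {"Code": 48, "Name": "terminated"}}
      ]
    }
  ]
}
""")

# Only instances in these states are evaluated; terminated/shutting-down ones
# cannot receive a profile and are noise in a compliance report.
REMEDIABLE_STATES = ("pending", "running", "stopping", "stopped")


def name_tag(instance: dict) -> str:
    """Return the value of the Name tag, or an empty string if absent."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def instances_without_role(response: dict) -> list[dict]:
    """Return one finding per live instance that has no IamInstanceProfile.

    This is the condition behind the rule: the describe-instances record for a
    compliant instance carries an IamInstanceProfile object; a non-compliant
    one has no such key at all.
    """
    findings = []
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            state = instance.get("State", {}).get("Name", "")
            if state not in REMEDIABLE_STATES:
                continue
            if "IamInstanceProfile" in instance:
                continue
            findings.append({
                "InstanceId": instance["InstanceId"],
                "State": state,
                "Name": name_tag(instance),
            })
    return findings


def remediation_commands(findings: list[dict], region: str, profile_name: str) -> list[str]:
    """Build the associate-iam-instance-profile command for each finding.

    The commands are returned, not executed: which profile (and therefore
    which role and permissions) an instance should receive is a decision per
    workload, so the output is meant to be reviewed before it is run.
    """
    return [
        f"aws ec2 associate-iam-instance-profile --region {region} "
        f"--instance-id {f['InstanceId']} --iam-instance-profile Name={profile_name}"
        for f in findings
    ]


if __name__ == "__main__":
    found = instances_without_role(SAMPLE_DESCRIBE_INSTANCES)
    for f in found:
        print(f"NON-COMPLIANT {f['InstanceId']} ({f['State']}) name={f['Name']!r}")
    for cmd in remediation_commands(found, region="us-east-1", profile_name="Instance-Profile-Name"):
        print(cmd)
```

Note that attaching a profile satisfies this rule but says nothing about the permissions inside the role; the role's policy should still be scoped to what the workload on that instance actually needs.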


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software.33no data
💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.88no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537no data
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;55no data
💼 APRA CPG 234 → 💼 b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of ‘least privilege’ and aims to reduce the number of attack vectors that can be used to compromise information security;33no data
💼 APRA CPG 234 → 💼 h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security;33no data
💼 AWS Well-Architected → 💼 COST02-BP04 Implement groups and roles3no data
💼 CIS AWS v1.2.0 → 💼 1.19 Ensure IAM instance roles are used for AWS resource access from instances11no data
💼 CIS AWS v1.3.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances11no data
💼 CIS AWS v1.4.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances11no data
💼 CIS AWS v1.5.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Manual)11no data
💼 CIS AWS v2.0.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Automated)11no data
💼 CIS AWS v3.0.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances - Level 2 (Automated)11no data
💼 CIS AWS v4.0.0 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1no data
💼 CIS AWS v4.0.1 → 💼 1.18 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1no data
💼 CIS AWS v5.0.0 → 💼 1.17 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1no data
💼 CIS AWS v6.0.0 → 💼 2.17 Ensure IAM instance roles are used for AWS resource access from instances (Automated)1no data
💼 Cloudaware Framework → 💼 Secure Access57no data
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)67no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)3768no data
💼 FedRAMP High Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)44no data
💼 FedRAMP High Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)22no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)61432no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)68no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)132no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)7no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)68no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)4no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)2no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)432no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.2 User access provisioning44no data
💼 ISO/IEC 27001:2022 → 💼 5.3 Segregation of duties22no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control1431no data
💼 ISO/IEC 27001:2022 → 💼 5.18 Access rights46no data
💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights710no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction1024no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions413no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization42no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions13no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated53no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(1) Least Privilege | Authorize Access to Security Functions22no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users22no data
💼 SOC 2 → 💼 CC6.3-3 Uses Access Control Structures14no data