AWS EC2 Public Instance with Over-Permissive IAM Role
Description:
Amazon EC2 instances can be associated with AWS Identity and Access Management (IAM) roles so that applications or services running on the instance can make authorized API requests without long-term access keys being stored on the host. The role's temporary credentials are served to the instance through the instance metadata service, so anyone who gains code execution on the instance, or an SSRF primitive against it, can retrieve and use them. When a publicly accessible EC2 instance has a role with overly permissive access (for example, "Action": "*" on "Resource": "*"), the compromise of that single instance gives the attacker the full reach of the role across the account rather than just the host itself.
Remediation:
1. Review and Restrict IAM Role Policies:
AWS Management Console:
- Navigate to the IAM Dashboard.
- In the navigation pane, select Roles.
- Click on the IAM role attached to the public EC2 instance.
- Under the Permissions tab, review the associated policies.
- Check for overly broad permissions such as "Action": "*", "Resource": "*", or NotAction/NotResource in an Allow statement, and adjust as necessary.
- Replace such policies with ones that follow the principle of least privilege: only the API actions the application actually calls, scoped to the specific resource ARNs it needs.
AWS CLI:
To list roles and their inline policies:
aws iam list-roles
aws iam list-role-policies --role-name [ROLE_NAME]
aws iam get-role-policy --role-name [ROLE_NAME] --policy-name [POLICY_NAME]
Note that list-role-policies returns only inline policies. Managed policies attached to the role are listed separately, and their document is read from the default policy version:
aws iam list-attached-role-policies --role-name [ROLE_NAME]
aws iam get-policy-version --policy-arn [POLICY_ARN] --version-id [VERSION_ID]
(The [VERSION_ID] is the DefaultVersionId reported by aws iam get-policy --policy-arn [POLICY_ARN].)
To replace an inline policy, write the least-privilege document to a file and use aws iam put-role-policy:
aws iam put-role-policy --role-name [ROLE_NAME] --policy-name [POLICY_NAME] --policy-document file://policy.json
To remove an over-permissive managed policy, use aws iam detach-role-policy --role-name [ROLE_NAME] --policy-arn [POLICY_ARN].
Terraform:
Ensure that the Terraform configuration for the IAM role attached to the EC2 instance is not overly permissive. Replace wildcard permissions ("*") with specific actions and resource ARNs:
resource "aws_iam_role_policy" "restrictive_policy" {
  name = "restrictive_policy"
  role = aws_iam_role.example.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = [
          "s3:ListBucket"
        ],
        Effect   = "Allow",
        Resource = "arn:aws:s3:::specific-bucket-name"
      }
      // ... other specific permissions ...
    ]
  })
}
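To make the review step repeatable rather than a manual read of each policy, the following script (an added example, not part of the original page or of any AWS tool) scans a policy document for the over-permissive patterns described above. It accepts either a bare policy document, the JSON that aws iam get-role-policy prints (which wraps the document in a PolicyDocument field), or the JSON that aws iam get-policy-version prints (PolicyVersion.Document). The two sample policies embedded below are constructed for illustration; the role and policy names in them are hypothetical.

```python
import json
import sys


def _as_list(value):
    """Action/Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _extract_document(payload):
    """Accept a bare policy document or the wrappers printed by the AWS CLI:
    `aws iam get-role-policy`   -> {"PolicyDocument": {...}}
    `aws iam get-policy-version` -> {"PolicyVersion": {"Document": {...}}}
    """
    if "PolicyDocument" in payload:
        return payload["PolicyDocument"]
    if "PolicyVersion" in payload:
        return payload["PolicyVersion"]["Document"]
    return payload


def find_broad_statements(payload):
    """Return findings for Allow statements that are broader than least privilege.

    severity "high":   Action "*" or "service:*" on Resource "*", or an Allow that
                       uses NotAction/NotResource (grants everything not listed).
    severity "review": a service wildcard on a scoped resource, or specific actions
                       on Resource "*" with no Condition. Some Describe/List APIs
                       genuinely require Resource "*", so these are flagged for a
                       human rather than failed outright.
    """
    doc = _extract_document(payload)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as a bare object
        statements = [statements]

    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        all_resources = "*" in resources

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"sid": sid, "severity": "high",
                             "reason": "NotAction/NotResource in an Allow grants everything not listed"})
        elif wildcard_actions and all_resources:
            findings.append({"sid": sid, "severity": "high",
                             "reason": "wildcard action(s) %s on Resource *" % ", ".join(wildcard_actions)})
        elif wildcard_actions:
            findings.append({"sid": sid, "severity": "review",
                             "reason": "service wildcard %s on a scoped resource" % ", ".join(wildcard_actions)})
        elif all_resources and "Condition" not in stmt:
            findings.append({"sid": sid, "severity": "review",
                             "reason": "Resource * with no Condition; confirm these actions cannot be scoped"})
    return findings


# Constructed sample: what `aws iam get-role-policy` prints for an inline policy
# that grants the instance role every API on every resource (hypothetical names).
OVERLY_PERMISSIVE = {
    "RoleName": "public-web-role",
    "PolicyName": "allow-everything",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}

# Constructed sample: the scoped policy from the Terraform block above, as a bare document.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::specific-bucket-name"}
    ],
}


if __name__ == "__main__":
    # Usage: aws iam get-role-policy --role-name R --policy-name P | python3 check_policy.py
    # With no piped input, the constructed OVERLY_PERMISSIVE sample is checked instead.
    payload = json.load(sys.stdin) if not sys.stdin.isatty() else OVERLY_PERMISSIVE
    for finding in find_broad_statements(payload):
        print("%-7s %s: %s" % (finding["severity"].upper(), finding["sid"], finding["reason"]))
```

Run it over every inline and attached policy of the role; a role with any "high" finding should be scoped down before the instance stays exposed, and "review" findings are the candidates for tightening with resource ARNs or a Condition block.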
Recommendation:
Always follow the principle of least privilege when granting IAM role permissions, especially for EC2 instances exposed to the public internet: grant only the actions the workload calls, on only the resources it touches. Regularly review IAM roles and their associated permissions (both inline and attached managed policies), ensuring that public-facing resources do not have overly broad permissions; IAM's last-accessed information and IAM Access Analyzer policy checks help identify unused permissions to remove. Consider leveraging AWS Config to monitor for non-compliant resources continuously, for example with the managed rule iam-policy-no-statements-with-admin-access. Because the role credentials are exposed through the instance metadata service, also require IMDSv2 (HttpTokens set to required) on public instances so that a plain SSRF cannot retrieve them.