AWS EC2 with Over-Permissive IAM Role and IMDSv1 Enabled
Description:
AWS EC2 instances can have associated IAM roles that grant the instance permissions to call other AWS services. Over-permissive IAM roles pose a security risk because they grant broader access than the workload needs, and any compromise of the instance inherits that access. The Instance Metadata Service (IMDS) exposes data about an EC2 instance, including the temporary credentials of its attached role, and version 1 (IMDSv1) of this service has a well-known weakness: it answers any plain HTTP GET from the instance with no session authentication, so an application on the instance that is vulnerable to Server Side Request Forgery (SSRF) can be made to fetch those credentials on an attacker's behalf.
Remediation:
1. Restrict IAM Role Permissions:
Limit the permissions granted to EC2 instances to only what's necessary for their operation.
AWS Management Console:
- Navigate to the IAM Dashboard.
- Click on Roles and select the over-permissive role associated with your EC2 instance.
- Under the Permissions tab, modify the attached policies to remove unnecessary permissions or attach more restrictive policies.
AWS CLI:
Detach the over-permissive policy and attach a more restrictive one:
aws iam detach-role-policy --role-name [ROLE_NAME] --policy-arn [OVER_PERMISSIVE_POLICY_ARN]
aws iam attach-role-policy --role-name [ROLE_NAME] --policy-arn [RESTRICTIVE_POLICY_ARN]
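Before detaching a policy, it helps to know which statements make a role over-permissive. The following script is an added example (not part of the original page or an AWS tool) that scans an IAM policy document in JSON form and flags Allow statements using wildcard actions, service-wide wildcards, NotAction, or a wildcard resource. The sample policy is constructed for the example; a real policy document can be retrieved with `aws iam get-policy-version` and passed to `find_over_permissive` instead.

```python
"""Flag over-permissive statements in an IAM policy document (added example)."""
import json
from typing import Any

# Constructed sample policy for this example; the wildcard Allow statements are
# the kind step 1 says to remove from an EC2 instance role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllS3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "NotActionTrap", "Effect": "Allow", "NotAction": "iam:*",
         "Resource": "*"},
        {"Sid": "ExplicitDeny", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value: Any) -> list:
    """IAM allows a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_over_permissive(policy_json: str) -> list[dict]:
    """Return findings for Allow statements that are broader than least privilege."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        # Deny statements only narrow access; they are never over-permissive.
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        if "*" in actions:
            reasons.append("Action '*' grants every API call")
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                reasons.append(f"service-wide wildcard actions: {', '.join(wide)}")
        if "NotAction" in stmt:
            reasons.append("NotAction allows everything except the listed actions")
        action_wild = bool(reasons)
        resource_wild = "*" in resources
        if resource_wild:
            reasons.append("Resource '*' applies to every resource in the account")
        if action_wild or resource_wild:
            findings.append({
                "sid": sid,
                "severity": "high" if (action_wild and resource_wild) else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_over_permissive(SAMPLE_POLICY):
        print(f"[{f['severity'].upper()}] {f['sid']}: " + "; ".join(f["reasons"]))
```

The check is a first-pass triage, not a full authorization analysis: a statement with scoped actions and a scoped resource can still be broader than necessary, and condition keys can narrow a wildcard that this script reports. Use its output to decide which policy to detach and what the replacement policy should contain.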
2. Enable IMDSv2 on EC2 Instances:
IMDSv2 requires session authentication: a client must first obtain a short-lived token with an HTTP PUT request and present it on every subsequent metadata request, which a typical SSRF payload cannot do, making it more secure than IMDSv1.
AWS Management Console:
- Navigate to the EC2 Dashboard.
- Select the instance and click on Actions.
- Navigate to Instance Settings > Edit Metadata.
- Set Metadata Version to "V2" and require tokens.
AWS CLI:
Modify the EC2 instance attribute:
aws ec2 modify-instance-metadata-options --instance-id [INSTANCE_ID] --http-endpoint enabled --http-tokens required
Terraform:
Ensure EC2 instances are launched with IMDSv2 enabled:
resource "aws_instance" "example" {
  # ... other configurations ...
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
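To find the instances that still need step 2 applied, the following added example (not part of the original page or an AWS tool) reads the JSON shape produced by `aws ec2 describe-instances --output json`, reports every instance whose metadata endpoint is enabled but does not require tokens, and generates the `modify-instance-metadata-options` command for each one. The instance records and IDs are constructed for the example.

```python
"""Audit EC2 instances for IMDSv1 and emit the remediation command (added example)."""
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# Instance IDs are placeholders, not real instances.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "disabled"}},
        ]}
    ]
})


def find_imdsv1_instances(describe_json: str) -> list[str]:
    """Return IDs of instances that still answer unauthenticated (IMDSv1) requests."""
    data = json.loads(describe_json)
    flagged = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # An instance with the metadata endpoint disabled exposes neither
            # IMDS version, so it is not an IMDSv1 finding.
            if opts.get("HttpEndpoint") == "disabled":
                continue
            # Anything other than "required" (i.e. "optional") still serves IMDSv1.
            if opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def remediation_commands(instance_ids: list[str]) -> list[str]:
    """Build the CLI command from step 2 for each flagged instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-endpoint enabled --http-tokens required"
        for iid in instance_ids
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)):
        print(cmd)
```

Run it against real output by piping `aws ec2 describe-instances --output json` into `find_imdsv1_instances`. Before enforcing tokens fleet-wide, confirm that the software on each instance (SDKs, agents, containers) already uses IMDSv2; workloads in containers that legitimately need IMDS may also need a hop limit greater than 1, which the page's command leaves at its current value.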
Recommendation:
Always adhere to the principle of least privilege when configuring IAM roles for EC2 instances. Ensure that EC2 instances have only the permissions they need to function. Furthermore, always use IMDSv2 for EC2 instances to prevent potential SSRF attacks. Regularly review and update configurations to maintain security best practices.