Ensure AWS EC2 Instances Use IAM Roles

Description:

IAM roles for EC2 instances allow applications running on the instance to securely make API requests without managing security credentials. When an EC2 instance has an IAM role associated, temporary credentials are automatically provided to the instance, eliminating the need to store AWS access keys on the instance. This practice enhances security by ensuring that AWS credentials are not exposed and are rotated automatically.


Remediation:

1. Create an IAM Role:

AWS Management Console:
  • Navigate to the IAM Dashboard.
  • In the navigation pane, choose Roles, then click Create role.
  • Choose EC2 as the AWS service that will use the role and click Next: Permissions.
  • Attach the necessary policies to the role.
  • Review the permissions and click Next: Tags. Add any desired tags.
  • Name the role, provide a description, and click Create role.
AWS CLI:

Create a role and attach a policy:

aws iam create-role --role-name EC2Role --assume-role-policy-document file://TrustPolicy.json
aws iam attach-role-policy --role-name EC2Role --policy-arn arn:aws:iam::aws:policy/[POLICY_NAME]

Here, TrustPolicy.json contains the trust relationship for EC2 and [POLICY_NAME] should be replaced with the name of the policy you wish to attach.

2. Associate the IAM Role with EC2 Instance:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • Select the instance to which you want to attach the IAM role.
  • Click Actions > Instance Settings > Attach/Replace IAM Role.
  • From the drop-down, select the IAM role you created and click Apply.
AWS CLI:

You can't directly associate an IAM role to an already running EC2 instance using the AWS CLI. You'd need to create a new instance or use an instance profile. However, when launching a new EC2 instance, you can specify the IAM role:

aws ec2 run-instances --image-id [AMI_ID] --instance-type [INSTANCE_TYPE] --iam-instance-profile Name=EC2Role

Replace [AMI_ID] and [INSTANCE_TYPE] with the relevant values.

Terraform:

To launch an EC2 instance with an IAM role using Terraform:

resource "aws_iam_instance_profile" "example" {
  name = "example-profile"
  role = aws_iam_role.ec2_role.name
}

resource "aws_iam_role" "ec2_role" {
  name = "EC2Role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Effect = "Allow",
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

resource "aws_instance" "example" {
  # ... other configurations ...

  iam_instance_profile = aws_iam_instance_profile.example.name
}

Recommendation:

Always use IAM roles for EC2 instances instead of storing AWS access keys directly on the instance. This ensures that your AWS credentials are automatically rotated and securely provided to the applications running on the instance. Regularly review and prune permissions associated with IAM roles to adhere to the principle of least privilege.