Public AWS EC2 with Over-Permissive IAM Role

Description:

AWS EC2 instances can be granted permissions to AWS services and resources through IAM roles. If a publicly accessible EC2 instance is assigned an overly permissive IAM role, it introduces a significant risk: anyone who compromises the instance inherits the role's permissions and can use them to gain unauthorized access to sensitive AWS resources. Overly broad permissions, especially statements without resource constraints or action restrictions, can expose a wide range of AWS services to attack.


Remediation:

1. Refine IAM Role Policies:

AWS Management Console:
  • Navigate to the IAM Dashboard.
  • In the navigation pane, select Roles.
  • Identify and click on the IAM role linked to the public EC2 instance.
  • Under the Permissions tab, review the attached policies.
  • Modify permissions that are too broad, especially statements with "Resource": "*" and overly inclusive "Action" arrays.

AWS CLI:

To list roles and their associated policies:

aws iam list-roles
aws iam list-role-policies --role-name [ROLE_NAME]
aws iam get-role-policy --role-name [ROLE_NAME] --policy-name [POLICY_NAME]

To adjust or replace an inline permissions policy, use aws iam put-role-policy. Note that aws iam update-assume-role-policy changes the role's trust policy (which principals may assume the role), not the permissions the role grants.

2. Audit and Review:

Regularly conduct audits of IAM roles and their attached permissions. Tools such as AWS Config, AWS Security Hub, or third-party security solutions can aid in this.
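The following script is an added example, not part of the original page, that automates the review described in steps 1 and 2: it scans IAM policy documents (the "PolicyDocument" field returned by aws iam get-role-policy, or any policy JSON) and reports Allow statements with wildcard actions, wildcard resources, or NotAction/NotResource. The two sample policy documents are constructed for the example; the function names are this example's own.

```python
"""Flag over-permissive statements in IAM policy documents (added example).

Works on the policy document shape returned by `aws iam get-role-policy`
(the "PolicyDocument" field) or `aws iam get-policy-version`.
"""
import json

# Constructed sample policy documents for demonstration.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        # A Deny statement only narrows access, so it is never flagged.
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

REFINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::specific-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::specific-bucket/*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def statement_findings(stmt):
    """Return the reasons a single statement is over-permissive (empty if it is fine)."""
    if stmt.get("Effect") != "Allow":
        return []
    findings = []
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    if "*" in actions:
        findings.append("Action allows every API call ('*')")
    service_wildcards = [a for a in actions if a.endswith(":*")]
    if service_wildcards:
        findings.append("service-wide action wildcard: " + ", ".join(service_wildcards))
    if "*" in resources:
        findings.append("Resource is '*' (no resource constraint)")
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append("Allow with NotAction/NotResource grants everything not listed")
    return findings


def analyze_policy(policy_doc):
    """Return [(statement_label, reason), ...] for every over-permissive statement."""
    results = []
    for index, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        label = stmt.get("Sid", f"Statement[{index}]")
        for reason in statement_findings(stmt):
            results.append((label, reason))
    return results


def analyze_cli_output(raw_json):
    """Analyze the raw stdout of `aws iam get-role-policy` (its PolicyDocument field)."""
    doc = json.loads(raw_json)["PolicyDocument"]
    if isinstance(doc, str):  # some tooling leaves the document as a JSON string
        doc = json.loads(doc)
    return analyze_policy(doc)


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("refined", REFINED_POLICY)):
        findings = analyze_policy(doc)
        print(f"{name}: {len(findings)} finding(s)")
        for label, reason in findings:
            print(f"  {label}: {reason}")
```

To run it against a live role, pipe the CLI output in, for example aws iam get-role-policy --role-name [ROLE_NAME] --policy-name [POLICY_NAME] into analyze_cli_output. Managed policies attached to the role (listed with aws iam list-attached-role-policies and fetched with aws iam get-policy-version) have the same document shape and can be passed to analyze_policy directly. The script reports findings, it does not change any policy; the fix is still the put-role-policy step above.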

Terraform:

In your Terraform configurations, ensure you adhere to the principle of least privilege when defining IAM roles:

resource "aws_iam_role_policy" "example" {
  # ... other configurations ...

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action   = ["s3:ListBucket"],
        Effect   = "Allow",
        Resource = "arn:aws:s3:::specific-bucket"
      }
      # ... Other refined permissions ...
    ]
  })
}

Recommendation:

Always apply the principle of least privilege when determining IAM role permissions. For EC2 instances that are exposed to the public, take extra care not to assign expansive permissions, since a compromise of the instance is also a compromise of the role. Review and adjust IAM permissions frequently so that they are no broader than the workload requires, and use AWS native tools or third-party solutions for auditing and monitoring.