Public AWS EC2 with Over-Permissive IAM Role and IMDSv1 Enabled

Description:

AWS EC2 instances often communicate with other AWS services, which requires assigning IAM roles to grant necessary permissions. If a publicly accessible EC2 instance has an overly permissive IAM role, it poses a significant risk. Unauthorized actors might exploit this instance to access AWS resources. Additionally, if Instance Metadata Service version 1 (IMDSv1) is enabled, there is a potential for "server-side request forgery" attacks, where attackers could extract instance metadata, including IAM credentials.

Remediation:

1. Refine IAM Role Policies:

AWS Management Console:
  • Navigate to the IAM Dashboard.
  • In the navigation pane, select Roles.
  • Click on the IAM role linked to the public EC2 instance.
  • Under the Permissions tab, scrutinize the attached policies.
  • Adjust overly broad permissions, especially those like "Resource": "*".
AWS CLI:

To list roles and their associated policies:

aws iam list-roles
aws iam list-role-policies --role-name [ROLE_NAME]
aws iam get-role-policy --role-name [ROLE_NAME] --policy-name [POLICY_NAME]

To modify or replace policies, utilize aws iam put-role-policy.

2. Upgrade to IMDSv2:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • Select the desired instance.
  • Under the Actions dropdown, choose Instance Settings.
  • Click Edit Metadata.
  • Set Metadata version to V2.
AWS CLI:

To modify the metadata options for an EC2 instance:

aws ec2 modify-instance-metadata-options --instance-id [INSTANCE_ID] --http-tokens required
Terraform:

Ensure the Terraform configuration for the EC2 instance specifies the use of IMDSv2:

resource "aws_instance" "example" {
  # ... other configuration ...

  metadata_options {
    http_tokens = "required"
  }
}

Recommendation:

Always follow the principle of least privilege when granting IAM role permissions. For EC2 instances, especially those exposed to the public, avoid assigning overly broad permissions. Transition to IMDSv2 to prevent unauthorized metadata access and potential server-side request forgery attacks. Regular audits using AWS Config or similar tools can help maintain optimal security postures.

Updated 5 months ago