EC2 IAM Roles Should Be Used
More Info:
IAM Roles/Instance profiles should be used instead of IAM Access Keys to appropriately grant access permissions to any application that perform AWS API requests running on your EC2 instances.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NIST
Remediation
Using Console
To remediate the misconfiguration “EC2 IAM Roles Should Be Used” for AWS using the AWS console, please follow the below steps:
- Login to your AWS Management Console.
- Navigate to the EC2 dashboard.
- Select the EC2 instance for which you want to remediate the misconfiguration.
- Click on the “Actions” dropdown menu and select “Instance Settings” and then click on “Attach/Replace IAM Role”.
- In the “Attach/Replace IAM Role” window, select the IAM role that you want to attach to the EC2 instance.
- Click on the “Apply” button to attach the selected IAM role to the EC2 instance.
By following the above steps, you have successfully remediated the misconfiguration “EC2 IAM Roles Should Be Used” for AWS. Now the EC2 instance is associated with an IAM role, which provides temporary security credentials to applications that run on the instance. This helps to improve the security of your AWS infrastructure by reducing the risk of unauthorized access to resources.
Using CLI
To remediate the issue of not using EC2 IAM roles in AWS using AWS CLI, follow the below steps:
-
Create an IAM role with the required permissions that the EC2 instance needs. You can create this role using the AWS CLI command “aws iam create-role”.
-
Attach the required policies to the IAM role. You can attach policies using the AWS CLI command “aws iam attach-role-policy”.
-
Launch an EC2 instance and specify the IAM role created in step 1. You can do this using the AWS CLI command “aws ec2 run-instances” with the parameter “—iam-instance-profile”.
-
Verify that the IAM role is being used by the EC2 instance by logging into the instance and running the command “curl http://169.254.169.254/latest/meta-data/iam/info”. This command should return the IAM role ARN.
-
Once verified, you can remove any access keys that were previously used by the EC2 instance. You can do this using the AWS CLI command “aws ec2 delete-key-pair”.
By following these steps, you can remediate the issue of not using EC2 IAM roles in AWS using AWS CLI.
Using Python
To remediate the misconfiguration of not using EC2 IAM roles in AWS, we can use the following steps using Python:
- First, we need to create an IAM role that has the necessary permissions for our EC2 instances. We can do this using the boto3 library in Python. Here’s an example:
import boto3
iam = boto3.client('iam')
response = iam.create_role(
RoleName='EC2-Role',
AssumeRolePolicyDocument={
'Version': '2012-10-17',
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'Service': 'ec2.amazonaws.com'
},
'Action': 'sts:AssumeRole'
}
]
}
)
# Attach necessary policies to the role
iam.attach_role_policy(
RoleName='EC2-Role',
PolicyArn='arn:aws:iam::aws:policy/AmazonS3FullAccess'
)
- Once the IAM role is created, we can assign it to our EC2 instances. We can do this by launching new instances with the
--iam-instance-profileparameter or by modifying existing instances with themodify_instance_attributemethod in theboto3library.
import boto3
ec2 = boto3.client('ec2')
# Launch new instances with IAM role
response = ec2.run_instances(
ImageId='ami-0c55b159cbfafe1f0',
InstanceType='t2.micro',
MinCount=1,
MaxCount=1,
IamInstanceProfile={
'Arn': 'arn:aws:iam::123456789012:instance-profile/EC2-Role'
}
)
# Modify existing instances with IAM role
response = ec2.modify_instance_attribute(
InstanceId='i-0123456789abcdef0',
IamInstanceProfile={
'Arn': 'arn:aws:iam::123456789012:instance-profile/EC2-Role'
}
)
By following these steps, we can remediate the misconfiguration of not using EC2 IAM roles in AWS using Python.