Amazon EC2

App-Tier/Web-Tier EC2 Instance IAM Role Without Policy

This plugin ensures that IAM roles attached to App-Tier or Web-Tier EC2 instances have IAM policies attached.

Risk Level: Medium

Description

This plugin ensures that IAM roles attached to App-Tier or Web-Tier EC2 instances have IAM policies attached. To access AWS services, the IAM role attached to an EC2 instance must carry policies granting the required permissions; a role with no policies grants nothing.

Configuration Parameters

Tier Tag Keys: This parameter specifies comma-separated tag keys that identify App-Tier and Web-Tier EC2 instances. An issue is generated when an instance carrying one of the specified tags has the vulnerability.

By default, the value is empty, so the plugin does not generate any alerts until tag keys are configured.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to manage the underlying hardware. Security groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic; the AWS documentation on security groups covers them in detail.

Impact

Without an IAM role attached to the instance, an application running on it can only reach AWS services by using long-term access keys, and such keys are prone to exposure. IAM roles remove the need to distribute long-term credentials and help protect your instances against unauthorized access. The IAM role should carry policies that grant exactly the permissions the EC2 instance needs to access other AWS services.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Choose Instances under the Instances section in the left navigation pane.
  4. From the list of instances, choose one by clicking on its Instance ID.
  5. Open the Tags tab. If the instance carries one of the configured tier tags, continue with the following steps.
  6. Check the IAM Role field. Click on the role name to open it in the IAM console.
  7. In the Permissions tab, check whether any policies are attached. If no policies are attached, the vulnerability exists.
  8. Repeat these steps for all the instances you want to investigate.
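The check in steps 5 through 7, as an added example that is not the plugin's own code: it runs over constructed data shaped like the EC2 DescribeInstances and IAM ListAttachedRolePolicies/ListRolePolicies responses, counts both managed and inline policies (what the Permissions tab shows), honours the empty-parameter default, and also reports tier instances with no role at all, the state the Impact section describes.

```python
TIER_TAG_KEYS = ["app-tier", "web-tier"]  # the plugin's Tier Tag Keys parameter; [] means no alerts

# Constructed sample shaped like EC2 DescribeInstances output (not a real account).
INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Name", "Value": "bastion"}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/bastion-profile"}},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "web-tier", "Value": "true"}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"}},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "app-tier", "Value": "true"}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-profile"}},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "app-tier", "Value": "true"}]},  # no profile at all
]
# Constructed sample: instance profile name -> role name (as IAM GetInstanceProfile reports),
# and role name -> (managed policy ARNs, inline policy names) as ListAttachedRolePolicies /
# ListRolePolicies would report them.
PROFILE_ROLES = {"bastion-profile": "bastion-role", "web-profile": "web-role", "app-profile": "app-role"}
ROLE_POLICIES = {
    "bastion-role": ([], []),                                               # untagged instance: ignored
    "web-role": (["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"], []),   # has a policy: compliant
    "app-role": ([], []),                                                   # tier role with no policy
}


def has_tier_tag(instance, tier_tag_keys):
    """True if the instance carries any of the configured tier tag keys."""
    keys = {t["Key"] for t in instance.get("Tags", [])}
    return any(k in keys for k in tier_tag_keys)


def find_tier_roles_without_policies(instances, profile_roles, role_policies, tier_tag_keys):
    """Return {instance_id: reason} for tier-tagged instances whose role grants nothing."""
    findings = {}
    if not tier_tag_keys:  # plugin default: empty parameter, so nothing is checked
        return findings
    for inst in instances:
        if not has_tier_tag(inst, tier_tag_keys):
            continue
        profile = inst.get("IamInstanceProfile")
        if not profile:  # beyond the plugin's own check: no role means access keys are in use
            findings[inst["InstanceId"]] = "no IAM role attached"
            continue
        profile_name = profile["Arn"].rsplit("/", 1)[-1]
        role = profile_roles.get(profile_name)
        managed, inline = role_policies.get(role, ([], []))
        if not managed and not inline:
            findings[inst["InstanceId"]] = f"role {role} has no attached or inline policies"
    return findings
```

In a live account the same function can be fed the results of boto3's describe_instances, get_instance_profile, list_attached_role_policies and list_role_policies calls.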

Steps for Remediation

Attach the required IAM policies to the IAM roles used by the affected EC2 instances.

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Choose Instances under the Instances section in the left navigation pane.
  4. From the list of instances, choose the vulnerable instance by clicking on its Instance ID.
  5. Check the IAM Role field. Click on the role name to open it in the IAM console.
  6. In the Permissions tab, click on Attach Policies.
  7. Select the checkbox next to each policy you wish to attach, then click on Attach policy to save the changes.
  8. Repeat these steps for all the vulnerable instances.