Ensure that your app-tier Auto Scaling Group (ASG) launch configurations are using IAM roles to delegate access to the applications running within your ASGs, applications that usually don't have access to AWS resources. This conformity rule assumes that all AWS resources launched within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
The applications running on your EC2 instances need authentication credentials to sign their API requests in order to access AWS services. An IAM role attached to an instance that was launched inside an app-tier Auto Scaling Group (ASG) can provide the necessary credentials for this type of access. The required IAM role can be attached to the EC2 instances within an ASG using a launch configuration, which is basically a template that an AWS Auto Scaling Group utilizes to launch EC2 instances. Ensure that your app-tier ASG launch configuration template specifies an IAM role within its configuration so that all EC2 instances can be associated with a role during the launch process.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if your app-tier ASG are using launch configuration templates that reference IAM roles, perform the following actions:
Remediation / Resolution
To attach an IAM role to the EC2 instances launched within your app-tier ASG, you must re-create their launch configuration and configure it with a reference to a new IAM role. To create the required IAM role/instance profile and set up a new launch configuration template, perform the following:
- AWS Documentation
- Using IAM Roles
- Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
- Using Instance Profiles
- Permissions for the IAM Role Assigned to AWS Config
- Auto Scaling Groups
- Launch Configurations
- Creating a Launch Configuration
- CIS Amazon Web Services Foundations
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
IAM Roles for App-Tier ASG Launch Configurations
Risk level: Medium