Ensure that your web-tier Auto Scaling Group (ASG) launch configurations are using IAM roles to delegate access to the web applications running within your ASGs, applications that don't normally have access to AWS resources. This conformity rule assumes that all AWS resources provisioned for your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
The web applications installed on your EC2 instances need authentication credentials to sign their API requests in order to access AWS services. An IAM role (also known as instance profile) attached to an instance that was launched inside a web-tier Auto Scaling Group (ASG) can provide the necessary credentials for this type of access. The required IAM role can be attached to the EC2 instances within an ASG through a launch configuration, which is a template that an Auto Scaling Group uses to launch web-tier EC2 instances. Make sure that your web-tier ASG launch configuration specifies an IAM role within its template configuration so that all EC2 instances can be associated with a role/instance profile during the launch process.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if your web-tier ASG are using launch configurations with IAM roles attached, perform the following actions:
Remediation / Resolution
To assign an IAM role/instance profile to the EC2 instances launched within your web-tier ASG, you must re-create the ASG launch configuration and configure it with a reference to a new IAM role. To create the required IAM role and set up a new launch configuration template, perform the following actions:
- AWS Documentation
- Using IAM Roles
- Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
- Using Instance Profiles
- Permissions for the IAM Role Assigned to AWS Config
- Auto Scaling Groups
- Launch Configurations
- Creating a Launch Configuration
- CIS Amazon Web Services Foundations
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
IAM Roles for Web-Tier ASG Launch Configurations
Risk level: Medium