Ensure that your web-tier Auto Scaling Group (ASG) launch configurations are using IAM roles to delegate access to the web applications running within your ASGs, applications that don't normally have access to AWS resources. This conformity rule assumes that all AWS resources provisioned for your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
The web applications installed on your EC2 instances need authentication credentials to sign their API requests in order to access AWS services. An IAM role (also known as instance profile) attached to an instance that was launched inside a web-tier Auto Scaling Group (ASG) can provide the necessary credentials for this type of access. The required IAM role can be attached to the EC2 instances within an ASG through a launch configuration, which is a template that an Auto Scaling Group uses to launch web-tier EC2 instances. Make sure that your web-tier ASG launch configuration specifies an IAM role within its template configuration so that all EC2 instances can be associated with a role/instance profile during the launch process.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if your web-tier ASG are using launch configurations with IAM roles attached, perform the following actions:
To assign an IAM role/instance profile to the EC2 instances launched within your web-tier ASG, you must re-create the ASG launch configuration and configure it with a reference to a new IAM role. To create the required IAM role and set up a new launch configuration template, perform the following actions: