Use IAM roles (attached through instance profiles) instead of IAM access keys to grant permissions to any application running on your EC2 instances that performs AWS API requests. With IAM roles you avoid distributing long-term credentials to instances and protect your instances against unauthorized access.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using IAM roles rather than IAM access keys to sign AWS API requests has multiple benefits. For example, once enabled, you or your administrators no longer have to manage credentials, because the credentials provided by an IAM role are temporary and rotated automatically behind the scenes. You can use a single role for multiple EC2 instances within your stack, manage its access policies in one place, and let changes propagate automatically to all instances. Also, you can easily restrict which role an IAM user can assign to an EC2 instance during the launch process, so the user cannot use the launch step to gain elevated (overly permissive) privileges.
To determine if your EC2 instances are using IAM roles to sign AWS API requests, perform the following:
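One way to run this check over `aws ec2 describe-instances --output json` output, added here as an example and not part of the Cloud Conformity rule or its tooling; it assumes the JSON shape the CLI returns (`Reservations[].Instances[].IamInstanceProfile.Arn`) and uses a constructed sample when no file is given:

```python
"""Audit EC2 instances for a missing IAM instance profile (added example)."""
import json
import sys

# Constructed sample shaped like `aws ec2 describe-instances --output json`.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/app-role"}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"}},
        ]},
    ]
}


def instances_without_role(describe_output,
                           skip_states=("terminated", "shutting-down")):
    """Return IDs of instances that have no IAM instance profile attached.

    Instances in skip_states are ignored: a terminated instance cannot be
    re-launched with a role and would only add noise to the finding list.
    """
    missing = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") in skip_states:
                continue
            profile = inst.get("IamInstanceProfile") or {}
            if not profile.get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


def main(argv):
    """Usage: python3 audit_instance_roles.py [describe-instances.json]"""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_INSTANCES
    missing = instances_without_role(data)
    for instance_id in missing:
        print(f"{instance_id}: no IAM role attached, uses access keys or none")
    return 1 if missing else 0  # non-zero exit signals a finding


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feed it real data with `aws ec2 describe-instances --output json > instances.json` followed by `python3 audit_instance_roles.py instances.json`; a non-zero exit status marks at least one non-compliant instance.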
To assign IAM roles to your running EC2 instances, you must re-launch those instances: create images (AMIs) of the instances, then launch new instances from those images with the desired roles attached. To implement IAM role based access for existing instances, perform the following: