Web-Tier EC2 Instance Using IAM Roles

Risk level: Medium (should be achieved)

Rule ID: EC2-069

Ensure that your web-tier EC2 instances are using IAM roles to grant any necessary permissions to the web applications running on these instances as the applications can assume the role applied to their instances. This conformity rule assumes that all AWS resources (including EC2 instances) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

The Center of Internet Security AWS Foundations Benchmark
APRA
MAS

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Web applications that run on EC2 instances need credentials in order to access other AWS services. An IAM role attached to a web-tier instance provides these authentication credentials in a secure way. Multiple benefits are gained when your web-tier applications are using IAM roles to sign their API requests with AWS credentials. For example, you don't have to manage credentials anymore as the authentication details provided by the IAM roles are temporary and rotated automatically behind the scenes. You can also use a single role for multiple EC2 instances within your web tier, manage the role policies in one place and allow these to propagate automatically to all associated instances. And you can easily restrict which role an IAM user can assign to a web-tier EC2 instance during the launch process in order to stop the user from trying to gain elevated privileges.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if your web-tier EC2 instances are using IAM roles to sign Amazon API requests, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier EC2 Instance Using IAM Roles conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the EC2 instances tagged for the web tier. If no results are returned, there are no instances tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more instances, continue the audit with the next step.

06 Select the web-tier EC2 instance that you want to examine.

07 Select the Description tab from the dashboard bottom panel.

08 In the left column, check the IAM role attribute value. If the attribute has no value assigned, there are no IAM roles associated with the selected web-tier EC2 instance.

09 Repeat steps no. 4 – 8 to check other web-tier EC2 instances, provisioned in the selected region, for associated IAM roles.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

02 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 instances currently available in the selected region:

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234567890abcabc  |
|  i-01234567890aabbcc  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the EC2 instance that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

aws ec2 describe-tags
	--region us-east-1
	--filters "Name=resource-id,Values=i-01234567890abcabc"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified instance is not tagged, therefore the audit process for the selected resource ends here:
```
[]
```
If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified EC2 instance does not belong to your web tier, therefore the audit process for the selected resource ends here:
```
[
    {
        "Value": "Env",
        "Key": "Development"
    }
]
```
If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS EC2 instance is tagged as a web-tier resource, therefore the audit process continues with the next step:
```
[
    {
        "Key": "<web_tier_tag>",
        "Value": "<web_tier_tag_value>"
    }
]
```

06 Run describe-instances command (OSX/Linux/UNIX) using the ID of the web-tier instance that you want to examine as identifier and custom filtering to determine whether the selected EC2 instance is associated with any IAM roles:

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-01234567890abcabc
	--query 'Reservations[*].Instances[*].IamInstanceProfile[]'

07 The command output should return the metadata (unique ID and ARN) for the IAM role(s) associated with the selected web-tier instance (if applicable):

[]

If the command output returns an empty array (i.e. []), as shown in the example above, there are no IAM roles associated with the selected web-tier EC2 instance, therefore the web applications installed on the instance cannot use dynamic authentication credentials to sign their API requests.

08 Repeat step no. 6 and 7 to verify other web-tier EC2 instances, created within the selected region, for associated IAM roles.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To assign IAM roles to your running web-tier instances, you must re-launch those instances with the desired roles attached. To create the required IAM roles (also known as instance profiles) and attach them to your web-tier EC2 instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click Create role button from the dashboard top menu to create a new IAM role (EC2 instance profile).

05 On Select type of trusted entity panel, select AWS service category and choose EC2 from Choose the service that will use this role list. Click Next: Permissions to continue.

06 On Permissions panel, perform one of the following actions (follow the principle of least privilege when you attach an access policy):

To attach well-defined managed policies (e.g. "AmazonEC2FullAccess"), select one or more policies from the list, then click Next: Review button to continue the setup process.
To attach custom (inline) policies, click Create policy button and run the setup wizard to create a new inline IAM policy, based on your requirements. Once the custom policy is created and selected, click Next: Review button to continue the process.

07 On Review panel, provide a unique name and a description for your new role, then click Create role to finish the IAM role setup.

08 To continue the remediation process, create an Amazon Machine Image (AMI) from your running web-tier instance. To instantiate the necessary AMI, perform the following actions:

Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
In the navigation panel, under INSTANCES, click Instances.
Select the web-tier instance that requires IAM roles for AWS API access (see Audit section part I to identify the right EC2 resource).
Click the Actions dropdown button from the dashboard top menu, select Image and click Create Image.
Inside Create Image dialog box, provide the following information:
- In the Image Name box, enter a name for the new AMI.
- In the Image description box, provide a description that reflects the usage of the EC2 instance selected.
- Leave No reboot option unchecked so that AWS can guarantee the file system integrity for the new AMI.
Click Create Image to submit the request to create the image. Click Close to return to the EC2 dashboard. The AMI build may take few minutes. Once the process is complete, the image status should change from pending to available.

09 Once the AMI is ready, use it to re-launch the selected web-tier instance and attach the IAM role created earlier. To launch the EC2 instance, perform the following:

Click the Launch Instance button from the EC2 dashboard top menu to initiate the process.
On Choose an Amazon Machine Image (AMI) page, choose My AMIs tab then select the AMI created at step no. 8.
On Choose an Instance Type page, select the same instance type used by the source instance, then click Next: Configure Instance Details button.
On Configure Instance Details page, select the newly created role from the IAM role dropdown list and configure any other options available on the page based on your requirements. Click Next: Add Storage and go through the next pages until you reach the Configure Security Group page, without changing any configuration settings.
On Configure Security Groups, choose Select an existing security group and select the security group attached to the source instance. Click the Review and Launch button, review your web-tier instance configuration details and click Launch.
In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source EC2 instance. Check I acknowledge that I have access to the selected private key file option then click Launch Instances.
Click View Instances to return to the Instances page. The new instance will have the same data and configuration (except the new attached role) as the source EC2 instance.

10 Once you have verified and tested the new web-tier instance, you can transfer the Elastic IP (EIP) from the source EC2 instance to the new instance (if applicable). If the source instance does not have an EIP attached, you will have to update the domain DNS record(s) or any other web application references to switch to the new IP. To transfer the EIP, perform the following actions:

In the navigation panel, under NETWORK & SECURITY, select Elastic IPs.
Select the EIP address attached to the source web-tier instance, click on the Actions dropdown button, then select Disassociate Address.
In the Disassociate Address dialog box, review the details then click Yes, Disassociate.
Select the same address, disassociated in the previous step, click the Actions dropdown button then select Associate Address.
In the Associate Address dialog box, select the new web-tier instance created at step no. 9 from the Instance dropdown list and then click Associate to attach the EIP.

11 Now you can terminate the source EC2 instance in order to stop incurring charges for the resource. To shut down the instance, perform the following:

In the navigation panel, under INSTANCES, select Instances.
Select the web-tier EC2 instance that you want to terminate.
Click the Actions dropdown button from the dashboard top menu, select Instance State and click Terminate.
In the Terminate Instances confirmation box, review the instance details then click Yes, Terminate.

12 Repeat steps no. 8 – 11 to assign IAM roles to other web-tier EC2 instances provisioned in the selected region.

13 Change the AWS region from the navigation bar and repeat steps no. 8 – 12 for other regions.

Using AWS CLI

01 Create the necessary trust relationship (Trusted Entities) policy for the required IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-role-trust-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the AWS IAM role using the trust relationship policy defined at the previous step:

aws iam create-role
	--role-name cc-web-tier-role
	--assume-role-policy-document file://cc-iam-role-trust-policy.json

03 The command output should return the new IAM role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "RoleId": "AAAABBBBCCCCDDDDEEEE",
        "CreateDate": "2019-03-10T16:31:22.252Z",
        "RoleName": "cc-web-tier-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-web-tier-role"
    }
}

04 To define the IAM role permissions, based on the policy type used by the role, perform one of the following set of commands (take into account the principle of least privilege when you define or attach an access policy):

To attach managed IAM policies:
- Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified IAM managed policy to the newly created role (the command does not produce an output):
```
aws iam attach-role-policy
	--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
	--role-name cc-web-tier-role
```

For define and attach inline IAM policies:

To define the inline policy for the IAM role, paste your own custom policy into a new JSON-based policy document named "cc-iam-role-inline-access-policy.json". The following example, provides full access to Amazon EC2 resources (ver. 1):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        }
    ]
}

Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the new IAM role (the command does not produce an output):
```
aws iam put-role-policy
	--role-name cc-web-tier-role
	--policy-name iam-role-custom-policy
	--policy-document file://cc-iam-role-inline-access-policy.json
```

05 Create the required IAM instance profile. An instance profile is a container for the IAM role that is attached to the EC2 instance during the launch process. Run create-instance-profile command (OSX/Linux/UNIX) to create the new AWS IAM instance profile:

aws iam create-instance-profile
	--region us-east-1
	--instance-profile-name cc-web-tier-instance-profile

06 The command output should return the newly created instance profile metadata:

{
    "InstanceProfile": {
        "InstanceProfileId": "AAAABBBBCCCCDDDDEEEE",
        "Roles": [],
        "CreateDate": "2018-03-10T15:45:54.600Z",
        "InstanceProfileName": "cc-web-tier-instance-profile",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-web-tier-instance-profile"
    }
}

07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the IAM instance profile created at step no. 5 (the command does not return an output):

aws iam add-role-to-instance-profile
	--role-name cc-web-tier-role
	--instance-profile-name cc-web-tier-instance-profile

08 Now that the web-tier IAM role is ready for use, run create-image command (OSX/Linux/UNIX) to create an image from the source web-tier EC2 instance (see Audit section part II to identify the right resource). Include --no-reboot command parameter to guarantee the file system integrity for your new AMI:

aws ec2 create-image
	--region us-east-1
	--instance-id i-01234567890abcabc
	--name "AMI for web-tier instance without IAM role(s) attached"
	--description "Web Stack AMI ver. 2.1"
	--no-reboot

09 The command output should return the ID of the new Amazon Machine Image (AMI):

{
    "ImageId": "ami-abcd1234"
}

10 Execute run-instances command (OSX/Linux/UNIX) to launch a new web-tier EC2 instance from the image created at the previous steps. The following command example re-creates a web-tier instance using an AWS AMI with the ID ami-abcd1234 and the IAM instance profile that contains the web-tier IAM role created earlier:

aws ec2 run-instances
	--region us-east-1
	--iam-instance-profile Name=cc-web-tier-instance-profile
	--image-id ami-abcd1234
	--count 1
	--instance-type m3.large
	--key-name cc-ssh-key
	--security-groups cc-web-stack-sg

11 The command output should return the new web-tier instance configuration metadata:

{

    {
            "OwnerId": "123456789012",
            "Instances": [

                    ...

                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "IamInstanceProfile": {
                        "Id": "AAAABBBBCCCCDDDDEEEE",
                        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-web-tier-instance-profile"
                    },
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",

                    ...

                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

12 Create the required IAM instance profile. An instance profile is a container for the IAM role that is attached to the EC2 instance during the launch process. Run create-instance-profile command (OSX/Linux/UNIX) to create the new AWS IAM instance profile:

aws iam create-instance-profile
	--region us-east-1
	--instance-profile-name cc-web-tier-instance-profile

13 Transfer the Elastic IP from the source EC2 instance to the new web-tier instance in order to reference the new resource. To transfer the Elastic IP, perform the following commands:

Run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source EC2 instance:
```
aws ec2 disassociate-address
	--association-id eipassoc-1234abcd
```
Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new web-tier instance:
```
aws ec2 associate-address
	--instance-id i-01234567890aaabbb
	--allocation-id eipalloc-1234abcd
```

14 Once you have verified that your new web-tier EC2 instance is working as expected, you can safely terminate the source instance to stop incurring charges for it. To shut down the source EC2 instance run terminate-instances command (OSX/Linux/UNIX) using the instance ID as identifier:

aws ec2 terminate-instances
	--instance-ids i-01234567890abcabc

15 The command output should return the shutdown request metadata:

{
    "TerminatingInstances": [
        {
            "InstanceId": "i-01234567890abcabc",
            "CurrentState": {
                "Code": 32,
                "Name": "shutting-down"
            },
            "PreviousState": {
                "Code": 16,
                "Name": "running"
            }
        }
    ]
}

16 Repeat steps no. 5 – 15 to assign IAM roles to other web-tier EC2 instances provisioned in the selected region.

17 Change the AWS region by updating the --region command parameter value and repeat steps no. 5 – 15 for other regions.

Publication date Mar 14, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Web-Tier EC2 Instance Using IAM Roles

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules