Ensure that your web-tier EC2 instances use IAM roles to grant the web applications running on them any permissions they need; the applications obtain those permissions by assuming the role attached to their instance. This conformity rule assumes that all AWS resources (including EC2 instances) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Web applications that run on EC2 instances need credentials in order to access other AWS services. An IAM role attached to a web-tier instance provides these credentials in a secure way. Using IAM roles to sign your web-tier applications' API requests with AWS credentials brings several benefits. For example, you no longer have to manage credentials yourself, because the credentials an IAM role provides are temporary and rotated automatically behind the scenes. You can also use a single role for multiple EC2 instances within your web tier, manage the role's policies in one place, and let the changes propagate automatically to all associated instances. And you can easily restrict which role an IAM user may assign to a web-tier EC2 instance at launch, which stops the user from gaining elevated privileges through the instance.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if your web-tier EC2 instances are using IAM roles to sign Amazon API requests, perform the following actions:
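The check below is an added example, not Cloud Conformity's own code: it walks an EC2 DescribeInstances response, keeps the instances carrying the configured web-tier tag, and reports those with no IAM instance profile attached. It runs offline against a constructed sample response (the instance IDs, account number and profile ARN are made up), and the `audit_live` helper applies the same logic to a live region through boto3. The tag key and value are placeholders for the ones configured in the rule settings.

```python
"""Audit: list web-tier EC2 instances that have no IAM instance profile attached.

Added example (not Cloud Conformity's code). It works on the JSON structure
returned by EC2 DescribeInstances, so it can be fed a saved
`aws ec2 describe-instances` output or a live boto3 response.
"""
import json
from typing import Dict, List

# Placeholders for the tag configured in the rule settings (assumptions).
WEB_TIER_TAG = "web_tier_tag"
WEB_TIER_TAG_VALUE = "web_tier_tag_value"


def _tags(instance: Dict) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def is_web_tier(instance: Dict, tag: str = WEB_TIER_TAG,
                value: str = WEB_TIER_TAG_VALUE) -> bool:
    return _tags(instance).get(tag) == value


def has_instance_profile(instance: Dict) -> bool:
    # DescribeInstances omits the IamInstanceProfile key entirely when no
    # profile is attached, so treat a missing key or missing Arn as "no role".
    profile = instance.get("IamInstanceProfile") or {}
    return bool(profile.get("Arn"))


def find_noncompliant(describe_response: Dict, tag: str = WEB_TIER_TAG,
                      value: str = WEB_TIER_TAG_VALUE) -> List[str]:
    """Return IDs of non-terminated web-tier instances that lack an IAM role."""
    result = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # terminated instances linger in the API; ignore them
            if is_web_tier(inst, tag, value) and not has_instance_profile(inst):
                result.append(inst["InstanceId"])
    return result


# Constructed sample response (IDs, account number and ARN are made up).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111web", "State": {"Name": "running"},
             "Tags": [{"Key": WEB_TIER_TAG, "Value": WEB_TIER_TAG_VALUE}],
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::123456789012:instance-profile/WebTierRole",
                 "Id": "AIPAEXAMPLE1"}},
            {"InstanceId": "i-0bbb222web", "State": {"Name": "running"},
             "Tags": [{"Key": WEB_TIER_TAG, "Value": WEB_TIER_TAG_VALUE}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333db", "State": {"Name": "running"},
             "Tags": [{"Key": "tier", "Value": "database"}]},
            {"InstanceId": "i-0ddd444web", "State": {"Name": "terminated"},
             "Tags": [{"Key": WEB_TIER_TAG, "Value": WEB_TIER_TAG_VALUE}]},
        ]},
    ]
}


def audit_live(region: str, tag: str = WEB_TIER_TAG,
               value: str = WEB_TIER_TAG_VALUE) -> List[str]:
    """Same check against a live account; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample runs without boto3
    ec2 = boto3.client("ec2", region_name=region)
    found = []
    # Server-side tag filter keeps the result set to the web tier only.
    for page in ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": f"tag:{tag}", "Values": [value]}]):
        found.extend(find_noncompliant(page, tag, value))
    return found


if __name__ == "__main__":
    print(json.dumps({"noncompliant": find_noncompliant(SAMPLE_RESPONSE)}, indent=2))
```

In the sample, only `i-0bbb222web` is reported: it carries the web-tier tag and has no profile, while the database instance is out of scope and the terminated instance is skipped.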
To assign IAM roles to your running web-tier instances, you must re-launch those instances with the desired roles attached. To create the required IAM roles (together with the instance profiles that attach them to instances) and attach them to your web-tier EC2 instances, perform the following:
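The remediation flow described above, as an added example that is not Cloud Conformity's code: build a trust policy that lets only the EC2 service assume the role, create the role and attach its permissions, wrap it in an instance profile, and launch a tagged web-tier instance with that profile. The role name, the managed policy used as a stand-in for the application's real permissions, and the AMI and subnet IDs are assumptions. The clients are injected, so the `__main__` block runs a dry run offline that records the call sequence; passing `boto3.client("iam")` and `boto3.client("ec2")` instead performs the real calls.

```python
"""Remediation: create a web-tier role and instance profile, then launch an
instance with the profile attached. Added example, not Cloud Conformity's
code. Role/profile name, policy ARN, AMI and subnet IDs are assumptions.
"""
import json
from typing import Any, Dict, List, Tuple


def ec2_trust_policy() -> Dict[str, Any]:
    """Trust policy: only the EC2 service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def create_web_tier_profile(iam, role_name: str, managed_policy_arns: List[str]) -> str:
    """Create the role, attach its permissions and wrap it in an instance profile.

    Returns the instance profile name (kept equal to the role name).
    """
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()),
        Description="Web-tier EC2 role",
    )
    for arn in managed_policy_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


def launch_web_tier_instance(ec2, profile_name: str, image_id: str, instance_type: str,
                             subnet_id: str, tag: str, value: str) -> str:
    """Launch one instance with the profile attached and the web-tier tag applied."""
    resp = ec2.run_instances(
        ImageId=image_id, InstanceType=instance_type, SubnetId=subnet_id,
        MinCount=1, MaxCount=1,
        IamInstanceProfile={"Name": profile_name},
        TagSpecifications=[{"ResourceType": "instance",
                            "Tags": [{"Key": tag, "Value": value}]}],
    )
    return resp["Instances"][0]["InstanceId"]


class DryRunClient:
    """Records API calls instead of sending them, so the flow can be reviewed offline."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, name: str):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "run_instances":  # constructed response
                return {"Instances": [{"InstanceId": "i-0dryrun00000000000"}]}
            return {}
        return call


def remediate(iam, ec2, tag: str = "web_tier_tag", value: str = "web_tier_tag_value") -> str:
    """Run the whole flow and return the new instance ID."""
    profile = create_web_tier_profile(
        iam, "WebTierRole",  # assumed name
        ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],  # stand-in permission set
    )
    return launch_web_tier_instance(ec2, profile, "ami-EXAMPLE", "t3.micro",
                                    "subnet-EXAMPLE", tag, value)


def dry_run_call_sequence() -> List[str]:
    """Names of the API calls the remediation issues, in order."""
    iam, ec2 = DryRunClient(), DryRunClient()
    remediate(iam, ec2)
    return [name for name, _ in iam.calls + ec2.calls]


if __name__ == "__main__":
    print("\n".join(dry_run_call_sequence()))
```

IAM is eventually consistent, so when running this for real, allow the new instance profile to propagate before the `run_instances` call (boto3 exposes an `instance_profile_exists` waiter on the IAM client for that purpose).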