End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life on “July 31st, 2026”. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

EC2 Instance Using IAM Roles

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-021

Use IAM roles (i.e., instance profiles) instead of IAM access keys to grant the appropriate access permissions to any application running on your Amazon EC2 instances that performs AWS API requests. With IAM roles you avoid distributing long-term credentials to instances and protect your EC2 instances against unauthorized access.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using IAM roles instead of IAM access keys to sign AWS API requests has multiple benefits. Once a role is enabled and configured, you or your administrators no longer have to manage credentials, because the credentials provided by the IAM role are temporary and rotated automatically behind the scenes. You can use a single role for multiple Amazon EC2 instances within your stack, manage its access policies in one place, and let policy changes propagate automatically to all instances. You can also restrict which role an IAM user can assign to an EC2 instance during the launch process, in order to stop the user from gaining elevated access (i.e., overly permissive privileges) through a role that is broader than the one intended for the instance.
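The last point above, restricting which role a user can hand to an EC2 instance, is enforced through the iam:PassRole permission on the user's own identity policy. The following identity policy statement is an added example (not from the Conformity page): it allows the user to pass only the cc-ec2-manager role, and only to the EC2 service, so the user cannot launch an instance with a more privileged role. It assumes the account ID 123456789012 used elsewhere on this page, and that the user's permissions to run instances or associate instance profiles (ec2:RunInstances, ec2:AssociateIamInstanceProfile) are granted in separate statements without any broader iam:PassRole grant.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyTheInstanceRoleToEC2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/cc-ec2-manager",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
```

Because IAM denies by default, a user whose policies contain only this iam:PassRole statement (and no wildcard such as "Resource": "*") cannot attach any other role to an instance, even one they are otherwise allowed to launch.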


Audit

To determine if your Amazon EC2 instances are using IAM roles to sign AWS API requests, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console split panel to access the instance configuration information.

06 In the Instance summary section, check the IAM Role configuration attribute value. If the IAM Role attribute does not have a value, the selected Amazon EC2 instance is not associated with an IAM role (instance profile).

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS cloud region.

08 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom output filters to list the IDs of the Amazon EC2 instances provisioned in the selected AWS cloud region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom output filters to determine whether the selected EC2 instance is configured with an IAM role (instance profile):

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd \
	--query 'Reservations[*].Instances[*].IamInstanceProfile.Arn[]'

04 The command output should return the Amazon Resource Name (ARN) of the instance profile (IAM role) associated with the selected instance:

[]

If the describe-instances command output returns an empty array (i.e., []), as shown in the example above, the selected Amazon EC2 instance is not associated with an IAM role (instance profile).

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
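The two describe-instances queries above check one instance at a time. The following script is an added example (not code from the Conformity page) that applies the same EC2-021 test to the whole JSON document that aws ec2 describe-instances --output json prints, one document per region, and lists every instance without an IamInstanceProfile. The sample documents, instance IDs and ARNs embedded below are constructed; skipping terminated instances is this example's own choice, since an instance profile can no longer be associated with them.

```python
"""Audit Amazon EC2 instances for a missing IAM role (instance profile).

Consumes the JSON printed by `aws ec2 describe-instances --output json`
(one document per region) and reports instances with no IamInstanceProfile,
which is the condition rule EC2-021 flags.
"""
import json
import sys

# Constructed sample of describe-instances output for two regions.
# Only the fields the check needs are present; IDs and ARNs are placeholders.
SAMPLE_OUTPUT = {
    "us-east-1": json.dumps({
        "Reservations": [
            {"Instances": [
                {"InstanceId": "i-01234abcd1234abcd",
                 "State": {"Name": "running"},
                 "IamInstanceProfile": {
                     "Arn": "arn:aws:iam::123456789012:instance-profile/cc-ec2-instance-profile",
                     "Id": "ABCDABCDABCDABCDABCDA"}},
                {"InstanceId": "i-0abcdabcdabcdabcd",
                 "State": {"Name": "running"}},
            ]},
            {"Instances": [
                {"InstanceId": "i-0abcd1234abcd1234",
                 "State": {"Name": "terminated"}},
            ]},
        ]
    }),
    "eu-west-1": json.dumps({"Reservations": []}),
}


def find_instances_without_role(describe_output, skip_terminated=True):
    """Return the IDs of instances in one describe-instances document that lack an instance profile.

    `describe_output` may be the raw JSON text or the already-parsed dict.
    Terminated instances are skipped by default (assumption of this example):
    they cannot sign API requests and cannot receive an association anymore.
    """
    if isinstance(describe_output, str):
        describe_output = json.loads(describe_output)
    missing = []
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            state = instance.get("State", {}).get("Name")
            if skip_terminated and state == "terminated":
                continue
            # The key is absent entirely when no profile is attached, so an
            # empty dict stands in for it before looking up the ARN.
            profile = instance.get("IamInstanceProfile") or {}
            if not profile.get("Arn"):
                missing.append(instance["InstanceId"])
    return missing


def audit_regions(outputs_by_region):
    """Run the check per region; returns {region: [non-compliant IDs]} for regions with findings only."""
    findings = {}
    for region, document in outputs_by_region.items():
        missing = find_instances_without_role(document)
        if missing:
            findings[region] = missing
    return findings


if __name__ == "__main__":
    # Real usage: aws ec2 describe-instances --region us-east-1 --output json | python3 audit.py us-east-1
    if len(sys.argv) > 1:
        data = {sys.argv[1]: sys.stdin.read()}
    else:
        data = SAMPLE_OUTPUT
    for region, ids in audit_regions(data).items():
        for instance_id in ids:
            print(f"{region}\t{instance_id}\tno IAM role (instance profile) attached")
```

Run it once per region by changing the --region value of the piped describe-instances call, exactly as step 06 describes; the script itself has no AWS dependency, so it can also be run against saved evidence files during a review.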

Remediation / Resolution

To attach IAM roles to your existing Amazon EC2 instances, you must configure your EC2 instances with instance profiles. To implement secure, role-based access for your Amazon EC2 instances, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Amazon EC2 Instance with IAM role",
	"Resources": {
		"IAMRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "cc-ec2-manager",
				"Description": "IAM role to provide full access to Amazon EC2",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"ec2.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
				],
				"Path": "/"
			}
		},
		"EC2InstanceProfile": {
			"Type": "AWS::IAM::InstanceProfile",
			"Properties": {
				"InstanceProfileName": "EC2ManagerRole",
				"Path": "/",
				"Roles": [
					{
						"Ref": "IAMRole"
					}
				]
			}
		},
		"AWSEC2Instance": {
			"Type": "AWS::EC2::Instance",
			"Properties": {
				"ImageId": "ami-0abcd1234abcd1234",
				"InstanceType": "t3.micro",
				"KeyName": "ssh-key",
				"SubnetId": "subnet-abcd1234",
				"SecurityGroupIds": [
					"sg-01234abcd1234abcd"
				],
				"IamInstanceProfile": {
					"Ref": "EC2InstanceProfile"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon EC2 Instance with IAM role
Resources:
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cc-ec2-manager
      Description: IAM role to provide full access to Amazon EC2
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
      Path: "/"
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: EC2ManagerRole
      Path: "/"
      Roles:
        - Ref: IAMRole
  AWSEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName: ssh-key
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - sg-01234abcd1234abcd
      IamInstanceProfile:
        Ref: EC2InstanceProfile

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_role" "instance-role" {
	name = "iam-role"
	path = "/"
	managed_policy_arns = [ "arn:aws:iam::aws:policy/AmazonEC2FullAccess" ]

	assume_role_policy = <<EOF
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": "sts:AssumeRole",
			"Principal": {
				"Service": "ec2.amazonaws.com"
			},
			"Effect": "Allow"
		}
	]
}
EOF
}

resource "aws_iam_instance_profile" "instance-profile" {
	name = "ec2-instance-profile"
	role = aws_iam_role.instance-role.name
}

resource "aws_instance" "aws-ec2-instance" {
	ami                    = "ami-0abcd1234abcd1234"
	instance_type          = "t3.micro"
	key_name               = "ssh-key"
	subnet_id              = "subnet-abcd1234"
	vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]
	iam_instance_profile   = aws_iam_instance_profile.instance-profile.name
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Roles.

04 Choose Create role from top-right menu and perform the following actions to create the IAM role that allows your EC2 instance to call AWS services on your behalf:

  1. For Step 1 Select trusted entity:
    1. For Trusted entity type, choose AWS service.
    2. For Use case, select EC2 from the Service or use case dropdown list, and choose EC2 - Allows EC2 instances to call AWS services on your behalf option.
    3. Choose Next to continue the setup process.
  2. For Step 2 Add permissions:
    1. For Permissions policies, select the customer-managed and/or AWS-managed policies that you want to attach to your new IAM role. Use the Search box to locate your permissions policies.
    2. (Optional) For Set permissions boundary - optional, set a permissions boundary to control the maximum permissions that the new IAM role can have.
    3. Choose Next to continue the setup.
  3. For Step 3 Name, review, and create:
    1. For Role details, provide a unique name and a short description (optional) for your new IAM role.
    2. For Step 1: Select trusted entities, review the trust policy created for your role.
    3. For Step 2: Add permissions, review the permissions policies attached to your role.
    4. (Optional) For Step 3: Add tags, use the Add new tag button to create and apply tags to your IAM role. Tags can be used to organize, track, or control access for your AWS resources.
    5. Choose Create role to create your new IAM role (instance profile).

05 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

06 In the left navigation panel, under Instances, choose Instances.

07 Select the Amazon EC2 instance that you want to configure.

08 Choose Actions, select Security, and choose Modify IAM role.

09 Select the name of the IAM role created in step no. 4 from the IAM role dropdown list and choose Update IAM role to attach the selected role (instance profile) to your Amazon EC2 instance.

10 Repeat steps no. 2 – 9 for each Amazon EC2 instance that you want to configure, available within the current AWS cloud region.

11 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Define the trust relationship policy for your new IAM role. Paste the following policy document to a JSON file named cc-iam-role-trust-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "ec2.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

02 Run create-role command (OSX/Linux/UNIX) to create the IAM role that allows your Amazon EC2 instance to call AWS services on your behalf using the trust relationship policy defined in the previous step:

aws iam create-role \
	--role-name cc-ec2-manager \
	--assume-role-policy-document file://cc-iam-role-trust-policy.json

03 The command output should return the information available for the new IAM role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Principal": {
						"Service": "ec2.amazonaws.com"
					}
				}
			]
		},
		"RoleId": "AAAABBBBCCCCDDDDEEEE",
		"CreateDate": "2025-06-29T10:00:00Z",
		"RoleName": "cc-ec2-manager",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/cc-ec2-manager"
	}
}

04 Run attach-role-policy command (OSX/Linux/UNIX) to attach an AWS-managed policy to the newly created IAM role. Use the --policy-arn command parameter to specify the ARN of the AWS-managed policy that you want to attach to your IAM role. In the following example, the "AmazonEC2FullAccess" managed policy provides full access to Amazon EC2 via AWS Management Console (the command does not produce an output):

aws iam attach-role-policy \
	--role-name cc-ec2-manager \
	--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

05 Now it's time to create the instance profile. An instance profile acts as a container for the IAM role, which is then attached to your EC2 instance during launch or configuration. Run create-instance-profile command (OSX/Linux/UNIX) to create your new instance profile:

aws iam create-instance-profile \
	--region us-east-1 \
	--instance-profile-name cc-ec2-instance-profile

06 The command output should return the information for the new instance profile:

{
	"InstanceProfile": {
		"InstanceProfileId": "ABCDABCDABCDABCDABCDA",
		"Roles": [],
		"CreateDate": "2025-06-29T11:00:00.000Z",
		"InstanceProfileName": "cc-ec2-instance-profile",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:instance-profile/cc-ec2-instance-profile"
	}
}

07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created in step no. 2 with the instance profile created in step no. 5 (the command does not produce an output):

aws iam add-role-to-instance-profile \
	--role-name cc-ec2-manager \
	--instance-profile-name cc-ec2-instance-profile

08 Run associate-iam-instance-profile command (OSX/Linux/UNIX) to attach the specified IAM role (instance profile) to your Amazon EC2 instance. Use the --iam-instance-profile command parameter to specify the name of the instance profile created in step no. 5:

aws ec2 associate-iam-instance-profile \
	--region us-east-1 \
	--instance-id i-01234abcd1234abcd \
	--iam-instance-profile Name=cc-ec2-instance-profile

09 The command output should return the configuration information resulting from the instance profile association:

{
	"IamInstanceProfileAssociation": {
		"AssociationId": "iip-assoc-0abcd1234abcd1234",
		"InstanceId": "i-01234abcd1234abcd",
		"IamInstanceProfile": {
			"Arn": "arn:aws:iam::123456789012:instance-profile/cc-ec2-instance-profile",
			"Id": "ABCDABCDABCDABCDABCDA"
		},
		"State": "associating"
	}
}

10 Repeat steps no. 1 – 9 for each Amazon EC2 instance that you want to configure, available in the selected AWS cloud region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
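The trust relationship policy written in step no. 1 decides who may assume the instance role, so it is worth checking before it is passed to create-role in step no. 2. The script below is an added example (not code from the Conformity page): it reads the policy file and reports deviations from the shape a minimal EC2 instance-role trust policy should have (the expected shape, namely a single Allow of sts:AssumeRole for the ec2.amazonaws.com service principal and nothing else, is this example's own assumption). The two policy documents embedded in it are constructed; the second shows a wildcard principal that would let any AWS account assume the role.

```python
"""Sanity-check an EC2 instance-role trust policy before `aws iam create-role`."""
import json
import sys

EXPECTED_SERVICE = "ec2.amazonaws.com"

# Constructed copy of the trust policy used on this page (cc-iam-role-trust-policy.json).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: an over-broad trust policy. Any AWS account could assume this
# role, so the permissions attached to it would no longer be limited to your instances.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }],
})


def _as_list(value):
    """IAM accepts a scalar or an array for Action, Service and AWS; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(document, expected_service=EXPECTED_SERVICE):
    """Return a list of findings; an empty list means the policy matches the expected shape."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append("no Statement present")
    for idx, stmt in enumerate(statements):
        where = f"Statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: Effect is not Allow")
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions:
            findings.append(f"{where}: sts:AssumeRole missing from Action")
        extra = [a for a in actions if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"{where}: unexpected actions {extra}")
        principal = stmt.get("Principal")
        # A bare "*" or "AWS": "*" trusts every AWS principal; nothing else needs checking then.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{where}: wildcard principal allows any account to assume the role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if expected_service not in services:
            findings.append(f"{where}: {expected_service} is not a trusted service principal")
        other = [s for s in services if s != expected_service]
        if other:
            findings.append(f"{where}: unexpected service principals {other}")
        if isinstance(principal, dict) and set(principal) - {"Service"}:
            findings.append(f"{where}: non-service principal types present: {sorted(set(principal) - {'Service'})}")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_trust_policy.py cc-iam-role-trust-policy.json (no argument checks the embedded sample)
    document = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_POLICY
    problems = check_trust_policy(document)
    for problem in problems:
        print("FINDING:", problem)
    print("trust policy OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

The non-zero exit status lets the check gate a deployment pipeline: create-role only runs when the file passes. Note that this validates only the trust policy; the permissions policy attached in step no. 4 (AmazonEC2FullAccess in the example) is a separate decision and should be scoped to what the application on the instance actually calls.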


Publication date Jun 9, 2016