Use IAM Roles/Instance Profiles instead of IAM Access Keys to grant access permissions to any application running on your EC2 instances that performs AWS API requests. With IAM roles you avoid distributing long-term credentials to instances and protect your instances against unauthorized access.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using IAM Roles instead of IAM Access Keys to sign AWS API requests has multiple benefits. Once enabled, you or your administrators no longer have to manage credentials, because the credentials provided by an IAM role are temporary and rotated automatically behind the scenes. You can use a single role for multiple EC2 instances within your stack, manage its access policies in one place and allow the changes to propagate automatically to all instances. You can also easily restrict which role an IAM user may assign to an EC2 instance during the launch process, which stops the user from gaining elevated (overly permissive) privileges through the instance.
To determine if your EC2 instances are using IAM roles to sign AWS API requests, perform the following:
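One way to perform this audit programmatically, as an added example that is not part of the original Conformity rule page: the function below walks the output shape returned by `aws ec2 describe-instances` and flags instances that have no IAM instance profile attached. The sample data is constructed; the optional boto3 live lookup assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit helper: flag EC2 instances that have no IAM instance profile (role) attached."""
import json

# Constructed sample in the shape returned by `aws ec2 describe-instances`
# (only the fields the check needs are included; IDs and account are fictitious).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},   # no role: non-compliant
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"}},   # no role, but stopped
        ]},
    ]
}


def instances_without_role(describe_output, include_stopped=False):
    """Return the IDs of instances lacking an IAM instance profile.

    Running instances are always checked. Stopped instances are skipped by
    default (they make no API calls) but can be included so they are fixed
    before they are started again. Terminated instances are always ignored.
    """
    flagged = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if state == "terminated":
                continue
            if state != "running" and not include_stopped:
                continue
            # An instance with a role carries an IamInstanceProfile block with an Arn.
            profile = inst.get("IamInstanceProfile") or {}
            if not profile.get("Arn"):
                flagged.append(inst["InstanceId"])
    return flagged


if __name__ == "__main__":
    try:
        import boto3  # assumption: boto3 installed and credentials configured for a live audit
        data = {"Reservations": []}
        paginator = boto3.client("ec2").get_paginator("describe_instances")
        for page in paginator.paginate():
            data["Reservations"].extend(page["Reservations"])
    except Exception:
        data = SAMPLE_DESCRIBE_INSTANCES  # offline fallback: audit the constructed sample
    print(json.dumps(instances_without_role(data, include_stopped=True), indent=2))
```

Any instance ID in the output should have a role attached (or be rebuilt from an AMI with the desired role) before applications on it are allowed to call AWS APIs.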
Remediation / Resolution
To assign IAM roles to your running EC2 instances, you must re-launch those instances: create images (AMIs) of the instances, then launch new instances from those images with the desired roles attached. To implement IAM role based access for existing instances, perform the following:
Rule: EC2 Instance Using IAM Roles
Risk level: Medium