Find AWS EC2 Instances Not Using IAM Instance Roles
AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access.
AWS IAM roles reduce the risks associated with sharing and rotating credentials that can be used outside of AWS itself. If credentials are compromised, they can be used from outside of the AWS account.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
Prerequisites​
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions​
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_ec2_instance) and instance_iam_instance_profile=null
​kind=aws_ec2_instance, ..., region=fixinventory-poweruser
​kind=aws_ec2_instance, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_ec2_instance) and instance_iam_instance_profile=null | dump
​reported:
​ id: /aws/ec2/123
​ name: some-name
​ ctime: '2022-12-05T22:53:14Z'
​ kind: aws_ec2_instance
​ age: 2mo28dThe command output will list the details of all non-compliant
aws_ec2_instance
resources.
Remediation​
- Create an IAM instance role and attach it to the corresponding EC2 instance.
Please refer to the AWS EC2 documentation for details.