IAM instance roles are not used for AWS resource access from instances
Description
AWS access from within EC2 instances is facilitated either by embedding AWS keys in API requests or by assigning the instance to an IAM role with an associated permissions policy that grants the necessary access. Such access enables interaction with the APIs of AWS services, allowing AWS resources to be managed and used.
IAM roles help mitigate the risks associated with the sharing and rotation of credentials that can be used outside the AWS environment. If credentials are compromised, they can potentially be leveraged externally, beyond the AWS account they grant access to. In contrast, to exploit role-based permissions, an attacker would need to gain persistent access to the specific instance that holds those privileges.
When credentials are embedded within compiled applications or other difficult-to-update systems, the likelihood of proper credential rotation decreases due to the potential service disruptions caused by updates. Over time, credentials that are not rotated become more susceptible to exposure, as they may be known to an increasing number of individuals, some of whom may no longer be employed by the organization.
Fix - Runtime
To remediate an instance by attaching a role, follow these steps:
- Select the instance.
- From Actions, select Instance Settings, then Attach/Replace IAM Role.
- Select an existing role to attach to the instance, or use the AWS wizard to create a new role.
📘 Notes
If your environment has dependencies on a dynamically assigned PRIVATE IP address, you can create an AMI from the existing instance and destroy the old one. Then, when launching from the AMI, manually assign the previous private IP address.
If your environment has dependencies on a dynamically assigned PUBLIC IP address, there is no way to retain that address while assigning an instance role. Depending on dynamically assigned public IP addresses is bad practice. When possible, rebuild the instance with a new Elastic IP address and make the investment to remediate the affected systems while assigning the instance to a role.
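To find the instances this check flags before working through the console steps above, the following added example (not part of the original check text) inspects the structure returned by EC2 DescribeInstances and lists every non-terminated instance with no IAM instance profile attached. The core check is a pure function, so it runs offline on a constructed sample; the instance IDs, profile ARN and tag values in that sample are made up, and the optional live scan assumes boto3 is installed with credentials configured.

```python
# Added example, not part of the original check text: a pure check over the
# structure returned by EC2 DescribeInstances, so it runs offline on the
# constructed sample below. The optional live scan uses boto3 if installed.
from __future__ import annotations


def instances_without_role(describe_instances_response: dict) -> list[dict]:
    """Return non-terminated instances lacking an IamInstanceProfile."""
    findings = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # Terminated instances cannot be remediated; skip them.
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            # A role attached via the console (or associate-iam-instance-profile)
            # appears as {"Arn": ..., "Id": ...}. Its absence means any AWS API
            # call from this instance must rely on embedded long-lived keys.
            if not inst.get("IamInstanceProfile", {}).get("Arn"):
                name = next((t["Value"] for t in inst.get("Tags", [])
                             if t["Key"] == "Name"), "")
                findings.append({"InstanceId": inst["InstanceId"], "Name": name})
    return findings


# Constructed sample shaped like a DescribeInstances response; IDs are fake.
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::123456789012:instance-profile/app-role",
             "Id": "AIPAEXAMPLEID0001"},
         "Tags": [{"Key": "Name", "Value": "web-1"}]},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "legacy-batch"}]},
        {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "terminated"}},
    ]}]
}


if __name__ == "__main__":
    try:
        import boto3  # only needed for the live scan
        response = boto3.client("ec2").describe_instances()
    except Exception:  # boto3 missing or no credentials: use the sample data
        response = SAMPLE_RESPONSE
    for f in instances_without_role(response):
        print(f"{f['InstanceId']} ({f['Name'] or 'no Name tag'}): "
              "no IAM instance profile attached")
```

On a real account, DescribeInstances is paginated, so a full scan should iterate over all pages (for example with a boto3 paginator) and pass each page to the same function.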
