IAM Roles for App-Tier ASG Launch Configurations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your app-tier Auto Scaling Group (ASG) launch configurations use IAM roles to delegate access to AWS resources to the applications running within your ASGs, applications that otherwise have no credentials for AWS resources. This conformity rule assumes that all AWS resources launched within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Reliability

The applications running on your EC2 instances need authentication credentials to sign their API requests in order to access AWS services. An IAM role attached to an instance that was launched inside an app-tier Auto Scaling Group (ASG) can provide the necessary credentials for this type of access. The required IAM role can be attached to the EC2 instances within an ASG using a launch configuration, which is basically a template that an AWS Auto Scaling Group utilizes to launch EC2 instances. Ensure that your app-tier ASG launch configuration template specifies an IAM role within its configuration so that all EC2 instances can be associated with a role during the launch process.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.


Audit

To determine whether your app-tier ASGs are using launch configuration templates that reference IAM roles, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create IAM Roles for App-Tier ASG Launch Configurations conformity rule settings and check the tags defined for all AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

05 Select the Auto Scaling Group that you want to examine.

06 Select the Tags tab from the dashboard bottom panel.

07 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <app_tier_tag> : <app_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged, the selected ASG is not a component of your app tier and the audit process stops here. If the tag sets match, the selected resource is an app-tier Auto Scaling Group and the audit process continues with the next step.

08 Select the Details tab from the dashboard bottom panel and copy the name of the associated launch configuration, listed as value for the Launch Configuration attribute.

09 In the navigation panel, under AUTO SCALING, click Launch Configurations.

10 Paste the value copied at step no. 8 in the Filter launch configurations box and press Enter to return the launch configuration template used by the selected app-tier ASG.

11 Select the launch configuration returned as search result and check the value of the IAM Instance Profile attribute available on the Details panel. If the IAM Instance Profile attribute has no value assigned, there are no IAM roles attached to the EC2 instances launched within the selected app-tier AWS ASG.

12 Repeat steps no. 5 – 11 to check other app-tier ASG launch configurations, provisioned in the selected region, for associated IAM roles.

13 Change the AWS region from the navigation bar and repeat steps no. 5 – 12 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create IAM Roles for App-Tier ASG Launch Configurations conformity rule settings and check the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|    cc-app-tier-asg      |
|    cc-backend-asg       |
+-------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to describe the tags defined for the selected Auto Scaling Group:

aws autoscaling describe-tags
	--region us-east-1
	--filters "Name=auto-scaling-group,Values=cc-app-tier-asg"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ASG is not tagged, therefore the audit process for the selected resource stops here:
    []
    
  2. If the command output returns a set of tags that is different from the one identified at step no. 1, as shown in the example below, the verified Auto Scaling Group does not belong to your app tier, therefore the audit process for the selected resource ends here:
    [
        {
            "Value": "Purpose",
            "Key": "Auto-Scaling"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified Amazon ASG is tagged as an app-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<app_tier_tag>",
            "Value": "<app_tier_tag_value>"
        }
    ]
    

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the selected app-tier ASG as identifier and custom query filters to return the name of its associated launch configuration:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names cc-app-tier-asg
	--query 'AutoScalingGroups[*].LaunchConfigurationName'

07 The command output should return the name of the ASG launch configuration:

[
    "cc-app-launch-config"
]

08 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration returned at the previous step as identifier and custom filtering to determine whether the EC2 instances launched for your app-tier ASG with the selected launch configuration have any IAM instance profiles (roles) attached:

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names cc-app-launch-config
	--query "LaunchConfigurations[*].IamInstanceProfile"

09 The command output should return the Amazon Resource Name (ARN) of the IAM role/instance profile referenced by the selected launch configuration (if any):

[]

If the command output returns an empty array (i.e. []), as shown in the example above, there are no IAM instance profiles attached to the EC2 instances launched within the selected app-tier ASG.

10 Repeat steps no. 4 – 9 to check other app-tier ASG launch configurations, available in the selected region, for associated IAM roles/instance profiles.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 10 to perform the entire audit process for other regions.
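The CLI audit above is a loop over every ASG in a region: read its tags, keep the ones that carry the app-tier pair, look up each group's launch configuration and report the groups whose template has no IamInstanceProfile. The script below is an added example, not Conformity's own code: audit() implements that loop over the JSON that describe-auto-scaling-groups and describe-launch-configurations print with --output json. SAMPLE_ASGS and SAMPLE_LCS are constructed data in the shape of that output so the example runs offline; fetch_from_cli() runs the same two commands live and is the only part that needs AWS credentials. The tag pair "app_tier_tag"/"app_tier_tag_value" stands in for the <app_tier_tag>:<app_tier_tag_value> configured in your rule settings.

```python
"""Offline implementation of the CLI audit (added example, not Conformity's code)."""
import json
import subprocess

# Constructed sample of `describe-auto-scaling-groups` output, trimmed to the
# fields the audit reads (Tags entries also carry ResourceId/ResourceType/
# PropagateAtLaunch in real output; they are not needed here).
SAMPLE_ASGS = {
    "AutoScalingGroups": [
        {
            "AutoScalingGroupName": "cc-app-tier-asg",
            "LaunchConfigurationName": "cc-app-launch-config",
            "Tags": [{"Key": "app_tier_tag", "Value": "app_tier_tag_value"}],
        },
        {
            "AutoScalingGroupName": "cc-backend-asg",
            "LaunchConfigurationName": "cc-backend-launch-config",
            "Tags": [{"Key": "Purpose", "Value": "Auto-Scaling"}],
        },
        {
            "AutoScalingGroupName": "cc-app-tier-asg-2",
            "LaunchConfigurationName": "cc-app-tier-launch-config",
            "Tags": [{"Key": "app_tier_tag", "Value": "app_tier_tag_value"}],
        },
    ]
}

# Constructed sample of `describe-launch-configurations` output. A template
# without an instance profile simply has no IamInstanceProfile key.
SAMPLE_LCS = {
    "LaunchConfigurations": [
        {"LaunchConfigurationName": "cc-app-launch-config"},
        {
            "LaunchConfigurationName": "cc-app-tier-launch-config",
            "IamInstanceProfile": "cc-asg-instance-profile",
        },
        {"LaunchConfigurationName": "cc-backend-launch-config"},
    ]
}


def is_app_tier(asg, tag_key, tag_value):
    """Steps 4-5: the group is an app-tier resource only if it carries the
    exact Key/Value pair configured in the Conformity rule settings."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in asg.get("Tags", []))


def audit(asgs, launch_configs, tag_key, tag_value):
    """Return the names of app-tier ASGs whose launch configuration has no
    IAM instance profile (the empty-array case of step 9)."""
    profile_by_lc = {
        lc["LaunchConfigurationName"]: lc.get("IamInstanceProfile")
        for lc in launch_configs["LaunchConfigurations"]
    }
    findings = []
    for asg in asgs["AutoScalingGroups"]:
        if not is_app_tier(asg, tag_key, tag_value):
            continue  # not part of the app tier: the audit stops here for it
        lc_name = asg.get("LaunchConfigurationName")
        if lc_name is None:
            # Groups built from a launch template carry no
            # LaunchConfigurationName; they are outside this rule's scope.
            continue
        if not profile_by_lc.get(lc_name):
            findings.append(asg["AutoScalingGroupName"])
    return findings


def fetch_from_cli(region):
    """Run the same two AWS CLI commands as the audit steps and parse their
    JSON output (needs credentials; not used by the offline demo)."""
    def run(command):
        proc = subprocess.run(
            ["aws", "autoscaling", command, "--region", region, "--output", "json"],
            check=True, capture_output=True, text=True)
        return json.loads(proc.stdout)
    return run("describe-auto-scaling-groups"), run("describe-launch-configurations")


if __name__ == "__main__":
    for name in audit(SAMPLE_ASGS, SAMPLE_LCS, "app_tier_tag", "app_tier_tag_value"):
        print(f"NON-COMPLIANT: {name} launches instances without an IAM instance profile")
```

To run it against a live region, replace the two sample dictionaries with the tuple returned by fetch_from_cli("us-east-1"); the region loop of step 11 becomes a loop over region names around that call.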

Remediation / Resolution

To attach an IAM role to the EC2 instances launched within your app-tier ASG, you must re-create their launch configuration and configure it with a reference to a new IAM role. To create the required IAM role/instance profile and set up a new launch configuration template, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click Create role button from the dashboard top menu to create a new IAM role.

05 On Select type of trusted entity panel, select AWS service category and choose EC2 from Choose the service that will use this role list. Click Next: Permissions to continue.

06 On Permissions panel, perform one of the following actions:

  1. To attach AWS managed policies, such as "AmazonEC2FullAccess", select one or more policies from the list, then click Next: Review button to continue the setup process.
  2. To attach inline access policies, click Create policy button and run the setup wizard to create a new IAM policy, based on your requirements. Once the inline policy is created and selected, click Next: Review button to continue the process.
  3. Go through the launch configuration setup wizard until you reach the Review panel without changing any configuration settings.

07 On Review panel, provide a name and a description for your new role, then click Create role to finish the setup.

08 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

09 In the navigation panel, under AUTO SCALING, click Launch Configurations.

10 Select the app-tier ASG launch configuration that you want to re-create (see Audit section part I to identify the right launch configuration template).

11 Click the Actions dropdown button from the dashboard top menu and select Copy launch configuration option.

12 On Copy Launch Configuration from <LAUNCH_CONFIGURATION_NAME> page, within Launch configuration details section, click Edit details to edit the template.

13 Select the name of the IAM role created earlier from the IAM Role dropdown list, then click Skip to review to finish the configuration process.

14 Click Create launch configuration to continue the process. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source launch configuration. Click Create launch configuration to make a copy of the specified app-tier ASG launch configuration. Click Close to return to the EC2 dashboard.

15 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

16 Select the app-tier ASG that you want to reconfigure (see Audit section part I to identify the right resource).

17 Select the Details tab from the dashboard bottom panel and click Edit to change the group configuration.

18 Select the name of the launch configuration created at step no. 14 from the Launch configuration dropdown list, then click Save to apply the changes. The selected app-tier Auto Scaling Group is now using a launch configuration template that adds the specified IAM role/instance profile to the EC2 instances at launch.

19 Repeat steps no. 9 – 18 to reconfigure other app-tier ASG launch configurations, available in the selected region, to assign IAM roles to EC2 instances launched within the group.

20 Change the AWS region from the navigation bar and repeat steps no. 9 – 19 for other regions.

Using AWS CLI

01 Create the trust relationship policy for the required IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the AWS IAM role using the trust relationship policy defined at the previous step:

aws iam create-role
	--role-name cc-app-tier-asg-role
	--assume-role-policy-document file://cc-iam-trust-policy.json

03 The command output should return the new IAM role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "RoleId": "AAAABBBBCCCCDDDDEEEE",
        "CreateDate": "2018-02-11T10:14:22.252Z",
        "RoleName": "cc-app-tier-asg-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-app-tier-asg-role"
    }
}

04 To define the IAM role permissions, based on the policy type used by the role, perform one of the following sets of commands:

  1. To attach managed IAM policies:
    • Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified IAM managed policy to the newly created role (the command does not produce an output):
      aws iam attach-role-policy
      	--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
      	--role-name cc-app-tier-asg-role
      
  2. To define and attach inline IAM policies:
    • To define the inline policy for the IAM role, paste your own custom policy into a new JSON-based policy document named "cc-iam-custom-policy.json". The following example provides full access to Amazon EC2 resources:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "ec2:*",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "elasticloadbalancing:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "cloudwatch:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "autoscaling:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "iam:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "iam:AWSServiceName": [
                              "autoscaling.amazonaws.com",
                              "ec2scheduled.amazonaws.com",
                              "elasticloadbalancing.amazonaws.com",
                              "spot.amazonaws.com",
                              "spotfleet.amazonaws.com"
                          ]
                      }
                  }
              }
          ]
      }
      
    • Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the new IAM role (the command does not produce an output):
      aws iam put-role-policy
      	--role-name cc-app-tier-asg-role
      	--policy-name iam-custom-policy
      	--policy-document file://cc-iam-custom-policy.json
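Both documents above (the trust policy of step 01 and the inline policy of step 04) are hand-written JSON that create-role and put-role-policy accept as long as it parses, so it is worth checking two things before uploading them: that the trust policy lets only the EC2 service assume the role, and which Allow statements grant service-wide wildcards or Resource "*" so they can be narrowed to what the application actually calls. The script below is an added example, not Conformity's code; it embeds the two policies as they appear on this page, and the helper names are this example's own.

```python
"""Lint the trust policy and inline policy from the CLI remediation steps
(added example, not Conformity's code)."""
import json

# Trust policy from step 01 (cc-iam-trust-policy.json).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Inline policy from step 04 (cc-iam-custom-policy.json), condensed.
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": [
             "autoscaling.amazonaws.com", "ec2scheduled.amazonaws.com",
             "elasticloadbalancing.amazonaws.com", "spot.amazonaws.com",
             "spotfleet.amazonaws.com"]}}},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and
    Principal.Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement"))


def trust_policy_allows_only_ec2(doc):
    """True when every Allow statement lets exactly the EC2 service, and
    nothing else, call sts:AssumeRole. A role that lives in an instance
    profile needs no other trusted principal; a wider trust policy lets other
    identities assume it and inherit the application's permissions."""
    for st in _statements(doc):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False  # "*" or an AWS/Federated principal
        if _as_list(principal["Service"]) != ["ec2.amazonaws.com"]:
            return False
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            return False
    return True


def wildcard_grants(doc):
    """Return (action, resource) pairs from Allow statements whose action is a
    service-wide wildcard or whose resource is "*", for review against the
    API calls the application really makes."""
    found = []
    for st in _statements(doc):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            for resource in _as_list(st.get("Resource")):
                if action == "*" or action.endswith(":*") or resource == "*":
                    found.append((action, resource))
    return found


if __name__ == "__main__":
    print("trust policy limited to EC2:", trust_policy_allows_only_ec2(TRUST_POLICY))
    for action, resource in wildcard_grants(CUSTOM_POLICY):
        print(f"review: Allow {action} on {resource}")
    # Write the documents under the file names the CLI steps expect.
    with open("cc-iam-trust-policy.json", "w") as f:
        json.dump(TRUST_POLICY, f, indent=2)
    with open("cc-iam-custom-policy.json", "w") as f:
        json.dump(CUSTOM_POLICY, f, indent=2)
```

Run on the page's own inline policy, wildcard_grants() lists all five statements, which is the expected result for the "full access to Amazon EC2 resources" example; an application that only reads a queue or writes to one bucket would normally be given a policy for which the list comes back empty.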
      

05 Create the IAM instance profile that will hold the new IAM role. Run create-instance-profile command (OSX/Linux/UNIX) to create the new IAM instance profile:

aws iam create-instance-profile
	--region us-east-1
	--instance-profile-name cc-asg-instance-profile

06 The command output should return the newly created instance profile metadata:

{
    "InstanceProfile": {
        "InstanceProfileId": "AAAABBBBCCCCDDDDEEEE",
        "Roles": [],
        "CreateDate": "2018-02-16T11:34:52.600Z",
        "InstanceProfileName": "cc-asg-instance-profile",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-asg-instance-profile"
    }
}

07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the IAM instance profile created at step no. 5 (the command does not return an output):

aws iam add-role-to-instance-profile
	--role-name cc-app-tier-asg-role
	--instance-profile-name cc-asg-instance-profile

08 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the app-tier ASG launch configuration that you want to re-create as identifier (see Audit section part II to identify the right resource), to describe its configuration information, details required later when the new launch configuration will be created:

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names cc-app-launch-config

09 The command output should return the requested details:

{
    "LaunchConfigurations": [
        {
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "VolumeSize": 100,
                        "VolumeType": "gp2"
                    }
                }
            ],

	      ...

            "KeyName": "cc-ssh-key",
            "SecurityGroups": [
                "sg-1234abcd"
            ],
            "LaunchConfigurationName": "cc-app-launch-config",
            "KernelId": "",
            "RamdiskId": "",
            "ImageId": "ami-1234abcd",
            "InstanceType": "c4.xlarge"
        }
    ]
}

10 Run create-launch-configuration command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to create a new launch configuration that will replace the one associated with your app-tier Auto Scaling Group. The following command example creates an ASG launch configuration named "cc-app-tier-launch-config", based on an AWS AMI identified by the ID "ami-1234abcd", with an IAM role/instance profile identified by the name "cc-asg-instance-profile" (the command does not produce an output):

aws autoscaling create-launch-configuration
	--region us-east-1
	--launch-configuration-name cc-app-tier-launch-config
	--image-id ami-1234abcd
	--instance-type c4.xlarge
	--key-name cc-ssh-key
	--security-groups sg-1234abcd
	--iam-instance-profile cc-asg-instance-profile
	--block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"VolumeSize\":100}}]"

11 Run update-auto-scaling-group command (OSX/Linux/UNIX) to update the configuration for your app-tier Auto Scaling Group, to replace the reference to the existing launch configuration with the new one created at the previous step (the command does not return an output):

aws autoscaling update-auto-scaling-group
	--region us-east-1
	--auto-scaling-group-name cc-app-tier-asg
	--launch-configuration-name cc-app-tier-launch-config

12 Repeat steps no. 8 – 11 to reconfigure other app-tier ASG launch configurations, created in the selected region, to assign IAM roles to EC2 instances launched within the group.

13 Change the AWS region by updating the --region command parameter value and repeat steps no. 8 – 12 to perform the process for other regions.
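Steps 08 to 10 re-create the launch configuration by hand from the describe-launch-configurations output, and the create-launch-configuration example on this page carries over only some of the fields (the block device mapping, for instance, loses its VolumeType and DeleteOnTermination settings). The script below is an added example, not Conformity's code: build_create_args() assembles the create-launch-configuration call from a describe-launch-configurations element so that every setting of the original template is reproduced and the only change is the added instance profile. SOURCE_LC is constructed from the step 09 sample output, with EbsOptimized, InstanceMonitoring and MetadataOptions added as assumed values to show that nested and boolean settings are carried over too; the function names are this example's own.

```python
"""Build the create-launch-configuration call of step 10 from the
describe-launch-configurations output of step 09 (added example, not
Conformity's code)."""
import json
import shlex

# Constructed: one element of "LaunchConfigurations" as printed at step 09,
# extended with a few assumed fields that real output also contains.
SOURCE_LC = {
    "LaunchConfigurationName": "cc-app-launch-config",
    "ImageId": "ami-1234abcd",
    "InstanceType": "c4.xlarge",
    "KeyName": "cc-ssh-key",
    "SecurityGroups": ["sg-1234abcd"],
    "KernelId": "",
    "RamdiskId": "",
    "UserData": "",
    "EbsOptimized": False,
    "InstanceMonitoring": {"Enabled": True},
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"DeleteOnTermination": True, "VolumeSize": 100, "VolumeType": "gp2"}}
    ],
    "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1,
                        "HttpEndpoint": "enabled"},
}

# describe-output field -> create-launch-configuration flag for scalar values.
SCALAR_FLAGS = {
    "ImageId": "--image-id",
    "InstanceType": "--instance-type",
    "KeyName": "--key-name",
    "KernelId": "--kernel-id",
    "RamdiskId": "--ramdisk-id",
    "UserData": "--user-data",
    "SpotPrice": "--spot-price",
    "PlacementTenancy": "--placement-tenancy",
}
# Structured values are passed as JSON so nested settings (VolumeType,
# DeleteOnTermination, Encrypted, HttpTokens) are not silently dropped.
JSON_FLAGS = {
    "BlockDeviceMappings": "--block-device-mappings",
    "MetadataOptions": "--metadata-options",
}
# Booleans become --flag / --no-flag pairs.
BOOL_FLAGS = {
    "EbsOptimized": "ebs-optimized",
    "AssociatePublicIpAddress": "associate-public-ip-address",
}


def build_create_args(source, new_name, instance_profile, region):
    """Return argv for `aws autoscaling create-launch-configuration` that
    reproduces `source` under `new_name` with `instance_profile` attached.
    Output-only fields (LaunchConfigurationARN, CreatedTime) are not copied."""
    argv = ["aws", "autoscaling", "create-launch-configuration",
            "--region", region,
            "--launch-configuration-name", new_name,
            "--iam-instance-profile", instance_profile]
    for field, flag in SCALAR_FLAGS.items():
        value = source.get(field)
        if value:  # absent values and empty strings (KernelId "") are not passed
            argv += [flag, str(value)]
    if source.get("SecurityGroups"):
        argv += ["--security-groups", *source["SecurityGroups"]]
    for field, flag in JSON_FLAGS.items():
        if source.get(field):
            argv += [flag, json.dumps(source[field])]
    for field, flag in BOOL_FLAGS.items():
        if field in source:
            argv.append(f"--{flag}" if source[field] else f"--no-{flag}")
    if "InstanceMonitoring" in source:
        enabled = "true" if source["InstanceMonitoring"].get("Enabled") else "false"
        argv += ["--instance-monitoring", f"Enabled={enabled}"]
    return argv


def render(argv):
    """Shell-quoted form of the command, safe to paste into a terminal."""
    return shlex.join(argv)


if __name__ == "__main__":
    print(render(build_create_args(SOURCE_LC, "cc-app-tier-launch-config",
                                   "cc-asg-instance-profile", "us-east-1")))
```

Feed the function the element of "LaunchConfigurations" from the real step 09 output (json.load of the saved CLI output) and run the rendered command; the update-auto-scaling-group call of step 11 then points the group at the new name exactly as on this page.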

Publication date Apr 1, 2018