
IAM Roles for Web-Tier ASG Launch Configurations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your web-tier Auto Scaling Group (ASG) launch configurations use IAM roles to delegate access to AWS resources to the web applications running within your ASGs, applications that otherwise have no access to AWS resources. This conformity rule assumes that all AWS resources provisioned for your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before this rule is run by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.

Security

The web applications installed on your EC2 instances need authentication credentials to sign their API requests in order to access AWS services. An IAM role, delivered to the instance through an instance profile, attached to an instance that was launched inside a web-tier Auto Scaling Group (ASG) can provide the necessary credentials for this type of access. The required IAM role can be attached to the EC2 instances within an ASG through a launch configuration, which is the template that an Auto Scaling Group uses to launch web-tier EC2 instances. Make sure that your web-tier ASG launch configuration specifies an IAM role within its template configuration so that every EC2 instance is associated with the role/instance profile during the launch process.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.


Audit

To determine if your web-tier ASGs are using launch configurations with IAM roles attached, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create IAM Roles for Web-Tier ASG Launch Configurations conformity rule settings and identify the tag set defined for all AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

05 Select the Auto Scaling Group that you want to examine.

06 Select the Tags tab from the dashboard bottom panel.

07 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <web_tier_tag> : <web_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged at all, the selected ASG is not a component of your web tier and the audit process ends here. If the tag sets match, the selected resource is a web-tier Auto Scaling Group and the audit process continues with the next step.

08 Select the Details tab from the dashboard bottom panel and copy the name of the associated launch configuration set as value for the Launch Configuration attribute.

09 In the navigation panel, under AUTO SCALING, click Launch Configurations.

10 Paste the value copied at step no. 8 in the Filter launch configurations box and press Enter to return the launch configuration template used by the selected web-tier ASG.

11 Select the launch configuration returned as search result and check the value of the IAM Instance Profile attribute available on the Details tab panel. If the IAM Instance Profile attribute has no value assigned, there are no IAM roles attached to the EC2 instances launched within the selected web-tier AWS ASG.

12 Repeat steps no. 5 – 11 to check other web-tier ASG launch configurations, provisioned in the selected region, for associated IAM roles/instance profiles.

13 Change the AWS region from the navigation bar and repeat steps no. 5 – 12 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create IAM Roles for Web-Tier ASG Launch Configurations conformity rule settings and identify the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--output table \
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|    cc-web-tier-asg      |
|    cc-internal-asg      |
+-------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to describe the tags defined for the selected Auto Scaling Group:

aws autoscaling describe-tags \
	--region us-east-1 \
	--filters "Name=auto-scaling-group,Values=cc-web-tier-asg" \
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ASG is not tagged, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns a set of tags that is different than the one identified at step no. 1, as shown in the example below, the verified AWS Auto Scaling Group does not belong to your web tier, therefore the audit process for the selected resource ends here:
    [
        {
            "Value": "Purpose",
            "Key": "Auto-Scaling"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS ASG is tagged as a web-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<web_tier_tag>",
            "Value": "<web_tier_tag_value>"
        }
    ]
    

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) with custom query filters to return the name of the launch configuration associated with the selected web-tier ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names cc-web-tier-asg \
	--query 'AutoScalingGroups[*].LaunchConfigurationName'

07 The command output should return the name of the associated launch configuration:

[
    "cc-web-launch-config"
]

08 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration returned at the previous step as identifier and custom filtering to determine whether the EC2 instances launched within your web-tier ASG with the selected launch configuration have any IAM roles/instance profiles attached:

aws autoscaling describe-launch-configurations \
	--region us-east-1 \
	--launch-configuration-names cc-web-launch-config \
	--query "LaunchConfigurations[*].IamInstanceProfile"

09 The command output should return the Amazon Resource Name (ARN) of the IAM role/instance profile referenced by the selected launch configuration (if applicable):

[]

If the command output returns an empty array (i.e. []), as shown in the example above, there are no IAM instance profiles attached to the EC2 instances launched within the selected web-tier AWS ASG, therefore the web applications installed on those instances are not able to use dynamic authentication credentials to sign their API requests.

10 Repeat steps no. 4 – 9 to check other web-tier ASG launch configurations, available in the selected region, for associated IAM roles/instance profiles.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 10 to perform the audit process for other regions.
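The CLI audit above (steps 02 to 09) reduced to one evaluation function, as an added example that is not Conformity's own code: it takes the JSON shapes that describe-auto-scaling-groups and describe-launch-configurations return, keeps only the groups tagged with the web-tier tag pair, and reports whether each one's launch configuration names an IamInstanceProfile. The tag pair and the sample documents are constructed placeholders; an ASG that has no launch configuration to inspect (for example one built from a launch template, which this rule's procedure does not cover) is reported as UNKNOWN rather than silently passed.

```python
import json

# Assumption: the tag pair configured in the Conformity rule settings (placeholder values)
WEB_TIER_TAG = ("web_tier_tag", "web_tier_tag_value")

# Constructed sample: trimmed `describe-auto-scaling-groups` output for one region
ASGS_JSON = """{"AutoScalingGroups": [
  {"AutoScalingGroupName": "cc-web-tier-asg",
   "LaunchConfigurationName": "cc-web-launch-config",
   "Tags": [{"Key": "web_tier_tag", "Value": "web_tier_tag_value"}]},
  {"AutoScalingGroupName": "cc-internal-asg",
   "LaunchConfigurationName": "cc-internal-launch-config",
   "Tags": [{"Key": "Auto-Scaling", "Value": "Purpose"}]},
  {"AutoScalingGroupName": "cc-web-tier-asg-2",
   "LaunchConfigurationName": "cc-web-launch-config-2",
   "Tags": [{"Key": "web_tier_tag", "Value": "web_tier_tag_value"}]}]}"""

# Constructed sample: trimmed `describe-launch-configurations` output (no name filter)
LCS_JSON = """{"LaunchConfigurations": [
  {"LaunchConfigurationName": "cc-web-launch-config"},
  {"LaunchConfigurationName": "cc-web-launch-config-2",
   "IamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/cc-asg-instance-profile"},
  {"LaunchConfigurationName": "cc-internal-launch-config"}]}"""


def is_web_tier(asg, tag=WEB_TIER_TAG):
    """Steps 04/05: the ASG belongs to the web tier only if both key and value match."""
    key, value = tag
    return any(t.get("Key") == key and t.get("Value") == value for t in asg.get("Tags", []))


def evaluate(asgs_doc, lcs_doc, tag=WEB_TIER_TAG):
    """Steps 06-09 for every web-tier ASG: PASS when its launch configuration names an
    IamInstanceProfile, FAIL when that attribute is absent or empty (the `[]` case),
    UNKNOWN when the group has no launch configuration to inspect."""
    lcs = {lc["LaunchConfigurationName"]: lc for lc in lcs_doc["LaunchConfigurations"]}
    results = {}
    for asg in asgs_doc["AutoScalingGroups"]:
        if not is_web_tier(asg, tag):
            continue  # not tagged, or tagged differently: audit ends here for this ASG
        lc = lcs.get(asg.get("LaunchConfigurationName"))
        if lc is None:
            results[asg["AutoScalingGroupName"]] = "UNKNOWN"
        else:
            results[asg["AutoScalingGroupName"]] = "PASS" if lc.get("IamInstanceProfile") else "FAIL"
    return results


def run_sample():
    """Evaluate the constructed sample; in practice feed it `aws ... --output json` per region."""
    return evaluate(json.loads(ASGS_JSON), json.loads(LCS_JSON))


if __name__ == "__main__":
    for name, status in run_sample().items():
        print(f"{status}: {name}")
```

Run it once per region with the two describe outputs saved as JSON; a FAIL row is exactly the empty `IamInstanceProfile` case described in step 09.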

Remediation / Resolution

To assign an IAM role/instance profile to the EC2 instances launched within your web-tier ASG, you must re-create the ASG launch configuration and configure it with a reference to a new IAM role. To create the required IAM role and set up a new launch configuration template, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click Create role button from the dashboard top menu to create a new IAM role (EC2 instance profile).

05 On Select type of trusted entity panel, select AWS service category and choose EC2 from Choose the service that will use this role list. Click Next: Permissions to continue.

06 On Permissions panel, perform one of the following actions:

  1. To attach AWS managed (predefined) policies (e.g. "AmazonEC2FullAccess"), select one or more policies from the list, then click Next: Review button to continue the setup process.
  2. To attach inline (custom) access policies, click Create policy button and run the setup wizard to create a new IAM policy, based on your requirements. Once the inline policy is created and selected, click Next: Review button to continue the process.

07 On Review panel, provide a unique name and a description for your new role, then click Create role to finish the IAM role setup.

08 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

09 In the navigation panel, under AUTO SCALING, click Launch Configurations.

10 Select the web-tier ASG launch configuration that you want to re-create (see Audit section part I to identify the right launch configuration template).

11 Click the Actions dropdown button from the dashboard top menu and select Copy launch configuration option.

12 On Copy Launch Configuration from <LAUNCH_CONFIGURATION_NAME> page, within Launch configuration details section, click Edit details to edit the template.

13 Select the name of the IAM role created earlier from the IAM Role dropdown list, then click Skip to review to finish the configuration process.

14 Click Create launch configuration. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source launch configuration. Click Create launch configuration to make a copy of the specified web-tier ASG launch configuration. Click Close to return to the EC2 dashboard.

15 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

16 Select the web-tier ASG that you want to reconfigure (see Audit section part I to identify the right resource).

17 Select the Details tab from the dashboard bottom panel and click Edit to change the group configuration.

18 Select the name of the launch configuration (copy) created at step no. 14 from the Launch configuration dropdown list, then click Save to apply the changes. The selected web-tier Auto Scaling Group is now using a launch configuration template that assigns the specified IAM role/instance profile to the EC2 instances during their launch process.

19 Repeat steps no. 9 – 18 to reconfigure other web-tier ASG launch configurations, provisioned in the selected region, to assign IAM roles to EC2 instances launched within the group.

20 Change the AWS region from the navigation bar and repeat steps no. 9 – 19 for other regions.

Using AWS CLI

01 Create the trust relationship policy for the necessary IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the AWS IAM role using the trust relationship policy defined at the previous step:

aws iam create-role \
	--role-name cc-web-tier-asg-role \
	--assume-role-policy-document file://cc-iam-trust-policy.json

03 The command output should return the new IAM role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "RoleId": "AAAABBBBCCCCDDDDEEEE",
        "CreateDate": "2018-03-15T13:12:22.252Z",
        "RoleName": "cc-web-tier-asg-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-web-tier-asg-role"
    }
}

04 To define the IAM role permissions, based on the policy type used by the role, perform one of the following set of commands:

  1. To attach managed IAM policies:
    • Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified IAM managed policy to the newly created role (the command does not produce an output):
      aws iam attach-role-policy \
      	--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
      	--role-name cc-web-tier-asg-role
      
  2. To define and attach inline IAM policies:
    • To define the inline policy for the IAM role, paste your own custom policy into a new JSON-based policy document named "cc-iam-custom-policy.json". The following example provides full access to Amazon EC2 resources:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "ec2:*",
                  "Effect": "Allow",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "elasticloadbalancing:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "cloudwatch:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "autoscaling:*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "iam:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "iam:AWSServiceName": [
                              "autoscaling.amazonaws.com",
                              "ec2scheduled.amazonaws.com",
                              "elasticloadbalancing.amazonaws.com",
                              "spot.amazonaws.com",
                              "spotfleet.amazonaws.com"
                          ]
                      }
                  }
              }
          ]
      }
      
    • Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the new IAM role (the command does not produce an output):
      aws iam put-role-policy \
      	--role-name cc-web-tier-asg-role \
      	--policy-name iam-custom-policy \
      	--policy-document file://cc-iam-custom-policy.json
      

05 Create the required IAM instance profile. An instance profile is a container for the IAM role that is attached to the EC2 instance during the launch process. Run create-instance-profile command (OSX/Linux/UNIX) to create the new IAM instance profile:

aws iam create-instance-profile \
	--region us-east-1 \
	--instance-profile-name cc-asg-instance-profile

06 The command output should return the newly created instance profile metadata:

{
    "InstanceProfile": {
        "InstanceProfileId": "AAAABBBBCCCCDDDDEEEE",
        "Roles": [],
        "CreateDate": "2018-03-16T12:35:51.600Z",
        "InstanceProfileName": "cc-asg-instance-profile",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-asg-instance-profile"
    }
}

07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the IAM instance profile created at step no. 5 (the command does not return an output):

aws iam add-role-to-instance-profile \
	--role-name cc-web-tier-asg-role \
	--instance-profile-name cc-asg-instance-profile

08 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the web-tier ASG launch configuration that you want to re-create as identifier (see Audit section part II to identify the right resource) to describe its configuration details, information that is required later when the new launch configuration is created:

aws autoscaling describe-launch-configurations \
	--region us-east-1 \
	--launch-configuration-names cc-web-launch-config

09 The command output should return the requested details:

{
    "LaunchConfigurations": [
        {
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "VolumeSize": 150,
                        "VolumeType": "gp2"
                    }
                }
            ],
            ...
            "KeyName": "cc-ssh-key",
            "SecurityGroups": [
                "sg-12345678"
            ],
            "LaunchConfigurationName": "cc-web-launch-config",
            "KernelId": "",
            "RamdiskId": "",
            "ImageId": "ami-abcd1234",
            "InstanceType": "c3.xlarge"
        }
    ]
}

10 Run create-launch-configuration command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to create a new launch configuration that will replace the one associated with your web-tier Auto Scaling Group. The following CLI command example creates an ASG launch configuration named "cc-web-tier-launch-config", based on an AWS AMI identified by the ID "ami-abcd1234", with an IAM role/instance profile identified by the name "cc-asg-instance-profile" (the command does not produce an output):

aws autoscaling create-launch-configuration \
	--region us-east-1 \
	--launch-configuration-name cc-web-tier-launch-config \
	--image-id ami-abcd1234 \
	--instance-type c3.xlarge \
	--key-name cc-ssh-key \
	--security-groups sg-12345678 \
	--iam-instance-profile cc-asg-instance-profile \
	--block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"VolumeSize\":150}}]"

11 Run update-auto-scaling-group command (OSX/Linux/UNIX) to update the configuration for your web-tier Auto Scaling Group, in order to replace the existing launch configuration with the new one created at the previous step (the command does not return an output):

aws autoscaling update-auto-scaling-group \
	--region us-east-1 \
	--auto-scaling-group-name cc-web-tier-asg \
	--launch-configuration-name cc-web-tier-launch-config

12 Repeat steps no. 8 – 11 to reconfigure other web-tier ASG launch configurations, created in the selected region, to assign IAM roles to EC2 instances launched within the group.

13 Change the AWS region by updating the --region command parameter value and repeat steps no. 8 – 12 to perform the process for other regions.
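Steps 08 to 10 above copy the old template field by field into a new one that adds the instance profile. As an added example that is not Conformity's or AWS's code, the helper below derives the create-launch-configuration call from a describe-launch-configurations document: it carries over the same fields this page copies (plus KernelId/RamdiskId via the real --kernel-id and --ramdisk-id flags, which this page does not show), drops empty values, and refuses to reuse the old name, since an existing launch configuration cannot be edited. The source document and names are constructed placeholders.

```python
import json
import shlex

# Constructed sample: trimmed describe-launch-configurations output (the shape of step 09)
OLD_LC = {
    "LaunchConfigurationName": "cc-web-launch-config",
    "ImageId": "ami-abcd1234",
    "InstanceType": "c3.xlarge",
    "KeyName": "cc-ssh-key",
    "SecurityGroups": ["sg-12345678"],
    "KernelId": "",
    "RamdiskId": "",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"DeleteOnTermination": True, "VolumeSize": 150,
                                     "VolumeType": "gp2"}}],
}

# Fields carried over from the old template and the CLI flag each one maps to
COPIED = {"ImageId": "--image-id", "InstanceType": "--instance-type",
          "KeyName": "--key-name", "SecurityGroups": "--security-groups",
          "BlockDeviceMappings": "--block-device-mappings",
          "KernelId": "--kernel-id", "RamdiskId": "--ramdisk-id"}


def new_launch_config_args(old_lc, new_name, instance_profile, region="us-east-1"):
    """Build the flag->value map for the replacement launch configuration.
    Refuses a duplicate name (names are unique and templates are immutable) and a
    source that already carries an instance profile (nothing to remediate)."""
    if new_name == old_lc["LaunchConfigurationName"]:
        raise ValueError("pick a new name: an existing launch configuration cannot be edited")
    if old_lc.get("IamInstanceProfile"):
        raise ValueError("source already references an instance profile; nothing to remediate")
    args = {"--region": region,
            "--launch-configuration-name": new_name,
            "--iam-instance-profile": instance_profile}
    for field, flag in COPIED.items():
        if old_lc.get(field):  # empty strings such as KernelId "" are not passed through
            args[flag] = old_lc[field]
    return args


def to_cli(args):
    """Render the map as one shell command; JSON-valued flags are single-quoted."""
    parts = ["aws", "autoscaling", "create-launch-configuration"]
    for flag, value in args.items():
        if isinstance(value, list) and value and isinstance(value[0], dict):
            parts += [flag, shlex.quote(json.dumps(value))]
        elif isinstance(value, list):
            parts += [flag, *(shlex.quote(str(v)) for v in value)]
        else:
            parts += [flag, shlex.quote(str(value))]
    return " ".join(parts)


if __name__ == "__main__":
    print(to_cli(new_launch_config_args(OLD_LC, "cc-web-tier-launch-config",
                                        "cc-asg-instance-profile")))
```

Review the generated command before running it, then follow it with the update-auto-scaling-group call from step 11; the role attached to the profile should carry only the permissions the web application actually needs.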


Publication date Apr 1, 2018