Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Attach Policy to IAM Roles Associated with App-Tier EC2 Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-060

Ensure that the IAM roles associated with your app-tier EC2 instances are using IAM policies to assign necessary permissions to the applications installed on these instances. The IAM policies must adhere to the principle of least privilege and provide the app-tier IAM roles the minimum level of access to the AWS services used by the applications. This conformity rule assumes that all AWS resources available in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Applications that run on EC2 instances do usually need access to other AWS services. The required permissions to access other AWS services such as S3, CloudWatch, KMS, need to be explicitly defined within the policies attached to the IAM roles associated with the app-tier EC2 instances as by default, IAM roles have no access to AWS services. To allow the permissions required by your applications you need to create the necessary IAM access policies and make sure that these policies implement the principle of least privilege by using a minimum level of access.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if the IAM roles associated with your app-tier EC2 instances are using IAM access policies, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Attach Policy to IAM Roles Associated with App-Tier EC2 Instances conformity rule settings and copy the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering procedure will return only the EC2 instances tagged for the app tier. If no results are returned, there are no instances tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more instances, continue the audit with the next step.

06 Select the app-tier EC2 instance that you want to examine.

07 Select the Description tab from the dashboard bottom panel.

08 In the left column, check the IAM role attribute value. If the attribute has no value assigned, there are no IAM roles associated with the selected app-tier EC2 instance, therefore you need to follow the instructions provided by this conformity rule to create and attach an IAM role. If the IAM role attribute points to an existing IAM role, click on the name (link) of the associated role to access the resource configuration details.

09 On the Summary page, select the Permissions tab and check for any access policies (managed and inline) attached to the selected IAM role. If there are no policies listed on this page and the following message is displayed: "This role doesn't have any permissions yet. Get started by attaching one or more policies to this role.", the selected app-tier IAM role does not have any access policies currently attached, therefore the associated app-tier EC2 instance (and the applications running on the instance) cannot access the necessary AWS services.

10 Repeat steps no. 6 – 9 to check other IAM roles associated with your app-tier EC2 instances, for IAM access policies.

11 Change the AWS region from the navigation bar and repeat steps no. 5 – 10 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Attach Policy to IAM Roles Associated with App-Tier EC2 Instances conformity rule settings and copy the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 instances currently available in the selected region:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234567890bacbac  |
|  i-01234567890abcabc  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the EC2 instance that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws ec2 describe-tags
	--region us-east-1
	--filters "Name=resource-id,Values=i-01234567890bacbac"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified instance is not tagged, therefore the audit process for the selected resource ends here:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    []
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified EC2 instance does not belong to your app tier, therefore the audit process for the selected resource ends here:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    [
    {
        "Value": "Type",
        "Key": "Internet-Facing"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS EC2 instance is tagged as an app-tier resource, therefore the audit process continues with the next step:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    [
    {
        "Key": "<app_tier_tag>",
        "Value": "<app_tier_tag_value>"
    }
]

06 Run describe-instances command (OSX/Linux/UNIX) using the ID of the app-tier instance that you want to examine as identifier and custom filtering to determine whether the selected EC2 instance is associated with any IAM roles:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-01234567890bacbac
	--query 'Reservations[*].Instances[*].IamInstanceProfile[]'

07 The command request should return one of the following outputs:

  1. If the describe-instances command output returns an empty array (i.e. []), as shown in the example below, there are no IAM roles associated with the selected app-tier EC2 instance, therefore you need to follow the instructions provided by this conformity rule to create and attach an IAM role.
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    []
  2. If the command output returns the metadata (unique ID and ARN) for the IAM role associated with the selected app-tier instance, as shown in the example below, the verified EC2 instance does have an IAM role attached and the audit process continues with the next step:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    [
    {
        "Id": "AAAABBBBCCCCDDDDEEEEF",
        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-app-tier-iam-role"
    }
]

08 To check for any access policies attached to the IAM role returned at the previous step, based on the policy type used (managed or inline), perform one of the following set of commands:

  1. For managed IAM policies:
    • Run list-attached-role-policies command (OSX/Linux/UNIX) using the name of the IAM service role as identifier (extracted from the resource ARN) to list the managed policies attached to the selected IAM role:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      aws iam list-attached-role-policies
	--role-name cc-app-tier-iam-role
    • The command output should return the IAM policies metadata:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      {
    "AttachedPolicies": []
}
    • If the value set for the "AttachedPolicies" attribute is an empty array, as shown in the example above, the selected app-tier IAM role does not have any managed policies attached, therefore the applications running on the app-tier EC2 instance cannot access the necessary AWS services.
  2. For inline IAM policies:
    • Run list-role-policies command (OSX/Linux/UNIX) using the name of the service role as identifier (extracted from the IAM resource ARN) to list the inline policies defined for the selected IAM role:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      aws iam list-role-policies
	--role-name cc-app-tier-iam-role
    • The command output should return the inline IAM policies metadata:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      {
    "PolicyNames": []
}

      If the value of the "PolicyNames" attribute is set to an empty array, as shown in the example above, there are no inline policies defined for the selected app-tier IAM role, therefore the applications installed on the app-tier EC2 instance can’t access the necessary AWS services.

09 Repeat steps no. 6 – 8 to check other IAM roles associated with your app-tier EC2 instances, for IAM access policies.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 to perform the audit process for other regions.

Remediation / Resolution

To define and attach access policies to the IAM roles associated with your app-tier EC2 instances and implement the principle of least privilege (i.e. provide the minimal set of actions required to perform successfully the desired tasks), perform the following:

Note: As example, this conformity rule will demonstrate how to implement an IAM role policy that allows an app-tier EC2 instance to publish log data to AWS CloudWatch using CloudWatch Logs agent.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Permissions tab and perform one of the following actions:

  1. To attach an AWS managed policy, click Attach policy then select an IAM policy from the list. For example, select "CloudWatchAgentServerPolicy" policy, then click Attach policy to assign the policy to your IAM role. The selected IAM access policy provides only the permissions required to use the AWS CloudWatch Logs agent on the app-tier instances, following the principle of least privilege.
  2. To attach a custom (inline) policy, click Add inline policy and run the setup wizard to create a new inline IAM policy based on your requirements, following the principle of least privilege. For example, to define an IAM role policy that allows an app-tier EC2 instance to publish log data to AWS CloudWatch through CloudWatch Logs agent, select the JSON tab and paste the following policy document into the panel box:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
    ],
      "Resource": [
        "arn:aws:logs:*:*:*"
    ]
  }
 ]
}

    Click Review policy to validate the policy then type a unique name for your inline policy in the Name box. Click Create policy to finish the setup process and attach the new policy to the selected IAM role.

06 Repeat step no. 4 and 5 to define and attach IAM access policies to other IAM roles associated with EC2 instances launched in your app tier.

Using AWS CLI

01 To define and attach an IAM role policy, based on the policy type that you want to use, perform one of the following sets of commands:

  1. To attach managed IAM policies:
    • Run attach-role-policy command (OSX/Linux/UNIX) using the name of the IAM role that you want to reconfigure (see Audit section part II to identify the right resource), to attach the specified IAM managed policy to the selected app-tier role. The following command example, assign an AWS managed policy identified by the ARN arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy to an IAM role named "cc-app-tier-iam-role". The selected managed policy provides only the permissions required to use the CloudWatch Logs agent on the app-tier EC2 instances, following the principle of least privilege (the command does not produce an output):
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      aws iam attach-role-policy
	--policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
	--role-name cc-app-tier-iam-role
  2. For define and attach inline IAM policies:
    • To define the inline policy for the app-tier IAM role, paste your custom policy into a new JSON-based policy document named "cc-iam-role-inline-policy.json". The following IAM policy example, allows an app-tier instance to publish log data to AWS CloudWatch using the CloudWatch Logs agent, following the principle of least privilege:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
    ],
      "Resource": [
        "arn:aws:logs:*:*:*"
    ]
  }
 ]
}
    • Run put-role-policy command (OSX/Linux/UNIX) using the name of the IAM role that you want to reconfigure (see Audit section part II to identify the right IAM resource), to attach the inline policy defined at the previous step to the specified app-tier role (the command does not produce an output):
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      aws iam put-role-policy
	--role-name cc-app-tier-iam-role
	--policy-name iam-role-inline-policy
	--policy-document file://cc-iam-role-inline-policy.json

02 Repeat step no. 1 to define and attach IAM access policies to other IAM roles associated with app-tier EC2 instances.

References

Publication date Apr 12, 2018

Related IAM rules