Ensure that the IAM roles associated with your app-tier EC2 instances use IAM policies to grant the permissions needed by the applications installed on those instances. The IAM policies must adhere to the principle of least privilege and give the app-tier IAM roles the minimum level of access to the AWS services the applications use. This conformity rule assumes that all AWS resources in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Applications that run on EC2 instances usually need access to other AWS services. Because an IAM role has no permissions by default, the permissions required to reach services such as S3, CloudWatch or KMS must be granted explicitly by the policies attached to the IAM roles associated with the app-tier EC2 instances. Create the IAM access policies your applications require and make sure they implement the principle of least privilege: allow only the actions the application performs, and only on the resources it actually uses.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
Audit
To determine if the IAM roles associated with your app-tier EC2 instances are using IAM access policies, perform the following:
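The audit can be scripted around the AWS CLI commands listed in the references. The following is an added example, not the Cloud Conformity rule engine's own code: it filters ec2 describe-instances output by the app-tier tag, resolves each instance profile to its role(s) with iam get-instance-profile (needed because describe-instances reports only the profile ARN), and then checks iam list-attached-role-policies and iam list-role-policies for each role. The tag placeholders, the account ID and all SAMPLE_* data are constructed, not real account output.

```python
"""Audit: do app-tier EC2 instances have IAM roles that carry any policies?
Added example (not Cloud Conformity code); placeholders and samples are constructed."""
import json
import subprocess

APP_TIER_TAG = "<app_tier_tag>"              # replace with your tag name
APP_TIER_TAG_VALUE = "<app_tier_tag_value>"  # replace with your tag value


def aws(*args):
    """Run one AWS CLI command and parse its JSON output (live path only)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def app_tier_instances(describe_instances):
    """Instances carrying the app-tier tag, with their instance-profile ARN (or None)."""
    found = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(APP_TIER_TAG) != APP_TIER_TAG_VALUE:
                continue
            # describe-instances omits IamInstanceProfile when none is attached
            arn = inst.get("IamInstanceProfile", {}).get("Arn")
            found.append({"InstanceId": inst["InstanceId"], "ProfileArn": arn})
    return found


def profile_name_from_arn(arn):
    """arn:aws:iam::<account>:instance-profile/<path>/<name> -> <name>"""
    return arn.rsplit("/", 1)[-1]


def role_has_policies(attached, inline):
    """True when the role carries at least one managed or inline policy."""
    return bool(attached.get("AttachedPolicies")) or bool(inline.get("PolicyNames"))


def evaluate(describe_instances, profiles, attached, inline):
    """Classify every app-tier instance as OK, NO_INSTANCE_PROFILE or
    ROLE_WITHOUT_POLICIES. profiles/attached/inline map an instance-profile
    name / role name to the corresponding CLI output."""
    results = {}
    for inst in app_tier_instances(describe_instances):
        if not inst["ProfileArn"]:
            results[inst["InstanceId"]] = "NO_INSTANCE_PROFILE"
            continue
        profile = profiles[profile_name_from_arn(inst["ProfileArn"])]
        roles = [r["RoleName"] for r in profile["InstanceProfile"]["Roles"]]
        ok = any(role_has_policies(attached.get(r, {}), inline.get(r, {}))
                 for r in roles)
        results[inst["InstanceId"]] = "OK" if ok else "ROLE_WITHOUT_POLICIES"
    return results


def audit_live():
    """Fetch the data from AWS (needs configured credentials) and evaluate it."""
    di = aws("ec2", "describe-instances", "--filters",
             f"Name=tag:{APP_TIER_TAG},Values={APP_TIER_TAG_VALUE}")
    profiles, attached, inline = {}, {}, {}
    for inst in app_tier_instances(di):
        if not inst["ProfileArn"]:
            continue
        name = profile_name_from_arn(inst["ProfileArn"])
        profiles[name] = aws("iam", "get-instance-profile",
                             "--instance-profile-name", name)
        for role in profiles[name]["InstanceProfile"]["Roles"]:
            rn = role["RoleName"]
            attached[rn] = aws("iam", "list-attached-role-policies", "--role-name", rn)
            inline[rn] = aws("iam", "list-role-policies", "--role-name", rn)
    return evaluate(di, profiles, attached, inline)


# Constructed sample data in the shape the CLI returns (not from a real account).
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0app1", "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-tier-profile"}},
    {"InstanceId": "i-0app2", "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}]},
    {"InstanceId": "i-0app3", "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/empty-profile"}},
    {"InstanceId": "i-0web1", "Tags": [{"Key": APP_TIER_TAG, "Value": "web"}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"}},
]}]}
SAMPLE_PROFILES = {
    "app-tier-profile": {"InstanceProfile": {"Roles": [{"RoleName": "app-tier-role"}]}},
    "empty-profile": {"InstanceProfile": {"Roles": [{"RoleName": "empty-role"}]}},
}
SAMPLE_ATTACHED = {"app-tier-role": {"AttachedPolicies": []},
                   "empty-role": {"AttachedPolicies": []}}
SAMPLE_INLINE = {"app-tier-role": {"PolicyNames": ["AppTierCloudWatchLogs"]},
                 "empty-role": {"PolicyNames": []}}
```

Run `audit_live()` against a real account to get the per-instance verdicts; `evaluate()` works on captured JSON, which is convenient when you want to review `describe-instances` output saved from another account. Note that an instance reporting "OK" only tells you that its role carries some policy; whether that policy is least-privilege is a separate review of the policy document itself.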
Remediation / Resolution
To define and attach access policies to the IAM roles associated with your app-tier EC2 instances and implement the principle of least privilege (i.e. grant only the actions required to successfully perform the desired tasks), perform the following:
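As an added example of the remediation (not Cloud Conformity's or AWS's own code), the following builds the inline policy that the CloudWatch Logs agent on an app-tier instance needs, scoped to a single log group instead of every log group in every account, checks the document against a few least-privilege rules, and applies it with aws iam put-role-policy. The region, account ID, log-group name and role name are placeholders; BROAD_POLICY is a constructed, deliberately over-permissive document used for comparison.

```python
"""Remediation: least-privilege CloudWatch Logs policy for an app-tier IAM role.
Added example (not Cloud Conformity code); all identifiers are placeholders."""
import json
import subprocess

# The actions the CloudWatch Logs agent needs to create its stream and ship events.
AGENT_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream",
                 "logs:PutLogEvents", "logs:DescribeLogStreams"]


def cloudwatch_logs_policy(region, account_id, log_group):
    """Allow the agent actions only on one log group (and the streams under it)."""
    arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "AppTierCloudWatchLogs",
                           "Effect": "Allow",
                           "Action": AGENT_ACTIONS,
                           "Resource": arn}]}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def least_privilege_findings(policy):
    """Return the least-privilege violations in an IAM policy document:
    '*' or 'service:*' actions, Resource '*', and ARNs not pinned to an account."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in _as_list(st.get("Resource")):
            if res == "*":
                findings.append(f"statement {i}: Resource '*'")
            elif res.startswith("arn:"):
                # arn:partition:service:region:account:resource
                parts = res.split(":", 5)
                if len(parts) == 6 and parts[4] == "*":
                    findings.append(f"statement {i}: resource {res!r} not pinned to an account")
    return findings


def put_role_policy(role_name, policy_name, policy):
    """Attach the document as an inline policy with `aws iam put-role-policy`
    (live path; needs credentials). Refuses documents that fail the checks."""
    findings = least_privilege_findings(policy)
    if findings:
        raise ValueError("policy is not least-privilege: " + "; ".join(findings))
    subprocess.run(["aws", "iam", "put-role-policy",
                    "--role-name", role_name,
                    "--policy-name", policy_name,
                    "--policy-document", json.dumps(policy)],
                   check=True)


# Constructed: a broadly scoped variant of the same grant, for comparison.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Action": "logs:*",
                               "Resource": "arn:aws:logs:*:*:*"}]}

if __name__ == "__main__":
    scoped = cloudwatch_logs_policy("us-east-1", "123456789012", "/app-tier/application")
    print(json.dumps(scoped, indent=2))
    print("scoped findings:", least_privilege_findings(scoped))
    print("broad findings:", least_privilege_findings(BROAD_POLICY))
    # put_role_policy("<app_tier_role>", "AppTierCloudWatchLogs", scoped)
```

The same document can be attached as a managed policy instead (aws iam create-policy followed by aws iam attach-role-policy) if several app-tier roles share it. Either way, the point of the resource ARN is that a compromised application can write only into its own log group, not create or flood arbitrary log groups across the account.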
Note: As an example, this conformity rule demonstrates how to implement an IAM role policy that allows an app-tier EC2 instance to publish log data to Amazon CloudWatch Logs using the CloudWatch Logs agent.

References
- AWS Documentation
  - Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
  - Quick Start: Install and Configure the CloudWatch Logs Agent on a Running EC2 Linux Instance
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-instances
    - describe-tags
  - iam
    - list-attached-role-policies
    - list-role-policies
    - attach-role-policy
    - put-role-policy