Ensure that the IAM roles associated with your web-tier EC2 instances are using IAM policies to grant the necessary permissions to the web applications installed on these instances. The IAM policies must follow the principle of least privilege and provide the web-tier IAM roles the minimum level of access to the AWS services used by the applications. This conformity rule assumes that all AWS resources provisioned inside your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Web applications that run on EC2 instances do usually need access to other AWS services such as S3, CloudWatch, etc. The required permissions to access other AWS services need to be explicitly defined within the policies attached to the IAM roles associated with the web-tier EC2 instances as by default, IAM roles have no access to AWS services. To provide the permissions required by your web applications you need to create the necessary IAM access policies and make sure that these policies implement the principle of least privilege by defining a minimum level of access to AWS services.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if the IAM roles associated with your web-tier EC2 instances are using IAM access policies, perform the following actions:
Remediation / Resolution
To define and attach IAM policies to the IAM roles associated with your web-tier EC2 instances and implement the principle of least privilege (i.e. provide the minimal set of actions required to perform successfully the desired tasks), perform the following actions:
Note: As example, this conformity rule will demonstrate how to implement an IAM role policy that allows a web-tier EC2 instance to publish log data to AWS CloudWatch through CloudWatch Logs agent.References
- AWS Documentation
- Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
- Quick Start: Install and Configure the CloudWatch Logs Agent on a Running EC2 Linux Instance
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-instances
- describe-tags
- iam
- list-attached-role-policies
- list-role-policies
- attach-role-policy
- put-role-policy