Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances

Risk Level: High (not acceptable risk)

Rule ID: IAM-064

Ensure that the IAM roles associated with your web-tier EC2 instances are using IAM policies to grant the necessary permissions to the web applications installed on these instances. The IAM policies must follow the principle of least privilege and provide the web-tier IAM roles the minimum level of access to the AWS services used by the applications. This conformity rule assumes that all AWS resources provisioned inside your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Web applications that run on EC2 instances do usually need access to other AWS services such as S3, CloudWatch, etc. The required permissions to access other AWS services need to be explicitly defined within the policies attached to the IAM roles associated with the web-tier EC2 instances as by default, IAM roles have no access to AWS services. To provide the permissions required by your web applications you need to create the necessary IAM access policies and make sure that these policies implement the principle of least privilege by defining a minimum level of access to AWS services.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if the IAM roles associated with your web-tier EC2 instances are using IAM access policies, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under INSTANCES, click Instances.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the EC2 instances tagged for the web tier. If no results are returned, there are no instances tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more instances, continue the audit with the next step.

06 Select the web-tier EC2 instance that you want to examine.

07 Select the Description tab from the dashboard bottom panel.

08 In the left column, check the IAM role attribute value. If the attribute has no value assigned, there are no IAM roles associated with the selected web-tier EC2 instance, therefore you need to follow the instructions available here to create and attach an IAM role. If the IAM role attribute references an existing IAM role, click on the name (link) of the associated role to access the resource configuration details.

09 On the Summary page, select the Permissions tab and check for any access policies (managed and inline) attached to the selected IAM role. If there are no listed policies and the following message is displayed: "This role doesn't have any permissions yet. Get started by attaching one or more policies to this role.", the selected web-tier IAM role does not have any access policies currently attached, therefore the associated web-tier EC2 instance (and any web application running on the instance) cannot call AWS services on your behalf.

10 Repeat steps no. 6 – 9 to check other IAM roles associated with your web-tier EC2 instances, for IAM access policies.

11 Change the AWS region from the navigation bar and repeat steps no. 5 – 10 for other regions.

Using AWS CLI

02 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of all EC2 instances currently available in the selected region:

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234567890aaaaaa  |
|  i-01234567890bbbbbb  |
|  i-01234567890cccccc  |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the ID of the EC2 instance that you want to examine as identifier and custom query filters to describe the tags defined for the selected EC2 resource:

aws ec2 describe-tags
	--region us-east-1
	--filters "Name=resource-id,Values=i-01234567890aaaaaa"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified instance is not tagged, therefore the audit process for the selected resource ends here:
```
[]
```
If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified EC2 instance does not belong to your web tier, therefore the audit process for the selected resource ends here:
```
[
    {
        "Value": "Owner",
        "Key": "Dev Team"
    }
]
```
If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS EC2 instance is tagged as a web-tier resource, therefore the audit process continues with the next step:
```
[
    {
        "Key": "<web_tier_tag>",
        "Value": "<web_tier_tag_value>"
    }
]
```

06 Run describe-instances command (OSX/Linux/UNIX) using the ID of the web-tier instance that you want to examine as identifier and custom filtering to determine whether the selected EC2 instance is associated with any IAM roles:

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-01234567890aaaaaa
	--query 'Reservations[*].Instances[*].IamInstanceProfile[]'

07 The command request should return one of the following outputs:

If the describe-instances command output returns an empty array (i.e. []), as shown in the example below, there are no IAM roles associated with the selected web-tier EC2 instance, therefore you need to follow the instructions available here to create and attach an IAM role.
```
[]
```
If the command output returns the metadata (unique ID and ARN) for the IAM role associated with the selected web-tier instance, as shown in the example below, the verified EC2 instance does have an IAM role attached and the audit process continues with the next step:
```
[
    {
        "Id": "AAAABBBBCCCCDDDDEEEEF",
        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-web-tier-iam-role"
    }
]
```

08 To check for any access policies attached to the IAM role returned at the previous step, based on the policy type used (managed or inline), perform one of the following set of commands:

For managed IAM policies:
- Run list-attached-role-policies command (OSX/Linux/UNIX) using the name of the IAM service role as identifier (extracted from the resource ARN) to list the managed policies attached to the selected IAM role:
```
aws iam list-attached-role-policies
	--role-name cc-web-tier-iam-role
```
- The command output should return the IAM policies metadata:
```
{
    "AttachedPolicies": []
}
```
  If the value set for the "AttachedPolicies" attribute is an empty array, as shown in the example above, the selected web-tier IAM role does not have any managed policies currently attached, therefore the associated web-tier EC2 instance cannot call AWS services on your behalf.
For inline IAM policies:
- Run list-role-policies command (OSX/Linux/UNIX) using the name of the service role as identifier (extracted from the IAM resource ARN) to list the inline policies defined for the selected IAM role:
```
aws iam list-role-policies
	--role-name cc-web-tier-iam-role
```
- The command output should return the inline IAM policies metadata:
```
{
    "PolicyNames": []
}
```
  If the value of the "PolicyNames" attribute is set to an empty array, as shown in the example above, there are no inline policies defined for the selected web-tier IAM role, therefore the associated web-tier EC2 instance cannot make calls to AWS services on your behalf.

09 Repeat steps no. 6 – 8 to check other IAM roles associated with your web-tier EC2 instances, for IAM access policies.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 to perform the audit process for other regions.

Remediation / Resolution

To define and attach IAM policies to the IAM roles associated with your web-tier EC2 instances and implement the principle of least privilege (i.e. provide the minimal set of actions required to perform successfully the desired tasks), perform the following actions:

Note: As example, this conformity rule will demonstrate how to implement an IAM role policy that allows a web-tier EC2 instance to publish log data to AWS CloudWatch through CloudWatch Logs agent.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Permissions tab and perform one of the following actions:

To attach an AWS managed policy, click Attach policy then select an IAM policy from the list. For example, select "CloudWatchAgentServerPolicy" policy, then click Attach policy to assign the policy to your IAM role. The selected IAM access policy provides only the permissions required to use the AWS CloudWatch Logs agent on the web-tier instances, following the principle of least privilege.
To attach a custom (inline) policy, click Add inline policy and run the setup wizard to create a new inline IAM policy based on your requirements, following the principle of least privilege. For example, to define an IAM role policy that allows a web-tier EC2 instance to publish log data to AWS CloudWatch through CloudWatch Logs agent, select the JSON tab and paste the following policy document into the panel box:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
    ],
      "Resource": [
        "arn:aws:logs:*:*:*"
    ]
  }
 ]
}
```
Click Review policy to validate the policy then provide a unique name for your inline policy in the Name box. Click Create policy to finish the setup process and attach the new policy to the selected IAM role.

06 Repeat step no. 4 and 5 to define and attach IAM access policies to other IAM roles associated with EC2 instances provisioned within your web tier.

Using AWS CLI

01 To define and attach an IAM role policy, based on the policy type that you want to use, perform one of the following sets of commands:

To attach managed IAM policies:
- Run attach-role-policy command (OSX/Linux/UNIX) using the name of the IAM role that you want to reconfigure (see Audit section part II to identify the right resource), to attach the specified IAM managed policy to the selected web-tier role. The following command example, assign an AWS managed policy identified by the ARN arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy to an IAM role named "cc-web-tier-iam-role". The selected managed policy provides only the permissions required to use the CloudWatch Logs agent on the web-tier EC2 instances, following the principle of least privilege (the command does not produce an output):
```
aws iam attach-role-policy
	--policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
	--role-name cc-web-tier-iam-role
```
For define and attach inline IAM policies:
- To define the inline policy for the web-tier IAM role, paste your own custom policy into a new JSON-based policy document named "cc-iam-role-inline-policy.json". The following IAM policy example, allows a web-tier instance to publish log data to AWS CloudWatch through CloudWatch Logs agent, following the principle of least privilege:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
    ],
      "Resource": [
        "arn:aws:logs:*:*:*"
    ]
  }
 ]
}
```
- Run put-role-policy command (OSX/Linux/UNIX) using the name of the IAM role that you want to reconfigure (see Audit section part II to identify the right IAM resource), to attach the inline policy defined at the previous step to the specified web-tier role (the command does not produce an output):
```
aws iam put-role-policy
	--role-name cc-web-tier-iam-role
	--policy-name iam-role-inline-policy
	--policy-document file://cc-iam-role-inline-policy.json
```

02 Repeat step no. 1 to define and attach IAM access policies to other IAM roles associated with web-tier EC2 instances.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-instances
describe-tags
iam
list-attached-role-policies
list-role-policies
attach-role-policy
put-role-policy

Publication date Mar 14, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Attach Policy to IAM Roles Associated with Web-Tier EC2 Instances

Risk Level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related IAM rules