Instance IAM Role

Quick Info

Plugin Title: Instance IAM Role
Description: Ensures EC2 instances are using an IAM role instead of hard-coded AWS credentials
More Info: IAM roles should be assigned to all instances to enable them to access AWS resources. Using an IAM role is more secure than hard-coding AWS access keys into application code.
AWS Link
Recommended Action: Attach an IAM role to the EC2 instance

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for EC2.
  3. Scroll down the left navigation panel and choose “Instances”.
  4. Select the “EC2 Instance” that needs to be verified, scroll down and click on the “Description” tab.
  5. On the “Description” tab scroll down and check the “IAM role” attribute value. If no value has been assigned, the selected “EC2 Instance” has no “IAM role” attached.
  6. Repeat steps 2 - 5 to cross-check the other “EC2 Instances” in the selected AWS region.
  7. Navigate to “IAM” dashboard using the “Services” option.
  8. Scroll down the left panel and choose “Roles”.
  9. On the “Roles” page click on the “Create Role” button to create a new “IAM role”.
  10. On the “Create Role” page choose “AWS service”, then choose “EC2” and click on the “Next: Permissions” button at the bottom.
  11. On the “Attach permissions policies” page search for the “AmazonEC2FullAccess” policy in the “Filter policies” search bar; this policy provides full access to all AWS EC2 services and resources. Click on the “Next: Tags” button to continue.
  12. On the “Add tags” page provide a “Key” and “Value” that can help to organize, track, or control access for the selected “IAM role”. Click on the “Next: Review” button to continue.
  13. Provide a “Role name” and click on the “Create role” button to create the selected “IAM role”.
  14. Navigate to the “EC2” dashboard and select the “EC2 Instance” to which the “IAM role” needs to be attached.
  15. Click on the “Actions” button at the top to create an “Amazon Machine Image” of the selected “EC2 Instance”: open the “Image” option in the “Actions” dropdown menu and click on “Create Image”.
  16. On the “Create Image” dialog box provide an “Image Name” and “Image Description”. Click on the “Create Image” button at the bottom to create the “Amazon Machine Image” of the selected “EC2 Instance”.
  17. Once the “Amazon Machine Image” is ready click on the “Launch” button to create a new “EC2 Instance” from the image created.
  18. On the “Configure Instance Details” page scroll down and choose the newly created “IAM role” from the dropdown menu and click on the “Review and Launch” button to create a new “EC2 Instance” with “IAM role” attached.
  19. Once the new “EC2 Instance” is deployed and working correctly, terminate the older “EC2 Instance”.
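The console walk-through in steps 4 - 6 checks one instance at a time. The following is an added example, not the plugin's own code, that performs the same check over the output of ec2:DescribeInstances: any instance whose IamInstanceProfile is missing or carries no ARN is reported. SAMPLE_RESPONSE is a constructed payload so the check runs offline; scan_region() is optional and assumes boto3 plus valid credentials.

```python
"""Flag EC2 instances with no IAM instance profile (the check this plugin runs).

Added example, not the plugin's code. SAMPLE_RESPONSE is a constructed
ec2:DescribeInstances payload so the check runs offline; scan_region() is
optional and needs boto3 plus credentials.
"""
from typing import Dict, List

SAMPLE_RESPONSE = {  # constructed, same shape as the real API response
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app"}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"}},
            {"InstanceId": "i-0ddd444", "State": {"Name": "stopped"},
             "IamInstanceProfile": {}},  # key present but empty: still a finding
        ]},
    ]
}


def instances_without_role(response: Dict, skip_terminated: bool = True) -> List[str]:
    """Return IDs of instances lacking an IAM instance profile ARN."""
    missing = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # Terminated instances cannot be remediated, so skip them by default.
            if skip_terminated and inst.get("State", {}).get("Name") == "terminated":
                continue
            # Treat a missing key and an empty object the same way.
            if not (inst.get("IamInstanceProfile") or {}).get("Arn"):
                missing.append(inst["InstanceId"])
    return missing


def scan_region(region_name: str) -> List[str]:
    """Run the same check against a live region, paging through all results."""
    import boto3  # imported lazily so the offline sample needs no AWS SDK
    paginator = boto3.client("ec2", region_name=region_name).get_paginator("describe_instances")
    findings: List[str] = []
    for page in paginator.paginate():
        findings.extend(instances_without_role(page))
    return findings


if __name__ == "__main__":
    for instance_id in instances_without_role(SAMPLE_RESPONSE):
        print(f"FAIL {instance_id}: no IAM role attached")
```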