Severity : Medium
Description:
...
This control ensures that EC2 instances have a IAM roles associated them. Applications that run on an EC2 instance must include AWS credentials in the AWS API requests. IAM roles for the EC2 instances provides temporary credentials and permission to use AWS services. This provides a secure and manageable mechanism to provides credentials to EC2 instances instead of saving username and password in application. The role policy allows the administrator to update list of services and actions an instances can perform. It is recommended to create a least privilege role to attach to the instance when instances are created.
Remediation Steps:
Perform following to update the custom managed IAM role for instances :
Login to the AWS Management Console at https://console.aws.amazon.com.
Create a Role for instances :
Navigate to IAM console.
In the navigation pane, click Roles.
Choose Create Role to create a service role for instances.
For Select trusted entity, choose AWS service.
Choose the use case for your service.
Select Next.
Depending on the access permission required, Select a AWS Managed Policy or Choose Create Policy.
Set Permissions boundary and choose Use a permissions boundary to control the maximum role permissions.
Choose Next.
Enter Role Name and Description for role.
Select Edit to Add Permission.
Select Review and then Create Role.
Update Instance Profile with the role:
Navigate to EC2 console.
In the navigation pane, Under Instances select Instances.
Select the instance reported.
Select Action , then under Security select Modify IAM Role.
On Modify IAM role, select the role created above from the list of roles.
Choose Save.
Important:
Reference: