Ensure IAM instance roles are used for AWS resource access from instances

1.19 Identity and Access Management (AWS CIS Benchmark).

Description

AWS access from within AWS instances can be done either by:

  1. Encoding AWS keys into AWS API calls, or
  2. Assigning the instance to a role that has an appropriate permissions policy for the required access.

"AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.

IAM roles can only be associated at the launch of an instance. To remediate an instance and add it to a role, you must create a new instance.

If the instance has no external dependencies on its current private IP or if public addresses are elastic IPs, via the AWS Management Console:

Establish that IAM instance roles are used for AWS resource access from instances via the AWS Management Console

Step 1. In AWS IAM, create a new role. Assign a permissions policy if the needed permissions are already known.

Step 2. In the AWS console, launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected.

Step 3. Shut down both the existing instance and the new instance.

Step 4. Detach disks from both instances.

Step 5. Attach the existing instance disks to the new instance.

Step 6. Boot the new instance and you should have the same machine, but with the associated role.

Note 1: If your environment has dependencies on a dynamically assigned PRIVATE IP address, you can create an AMI from the existing instance and destroy the old one. Then, when launching from the AMI, manually assign the previous private IP address.

Note 2: If your environment has dependencies on a dynamically assigned PUBLIC IP address, there is no way to ensure the address is retained and assign it an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice. If possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.