EC2 Instance Has No IAM Role

  • Query id: f914357d-8386-4d56-9ba6-456e5723f9a6
  • Query name: EC2 Instance Has No IAM Role
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • CWE: Ongoing
  • URL: Github

Description

Checks whether an EC2 instance refers to an IAM instance profile that has an IAM role attached.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive sample: three EC2 instances, each without a usable IAM role for a
# different reason. None of them ends up with a role attached.
Resources:
  # Case 1: the IamInstanceProfile property is absent altogether.
  NoIAM:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: Test
  # Case 2: IamInstanceProfile points at NonExistantProfile, which is not
  # declared anywhere in this template's Resources, so the reference cannot be
  # resolved to a profile (let alone a role) within the template.
  IAM_Missing:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      # Logical ID of a resource that does not exist in this template.
      IamInstanceProfile:
        Ref: NonExistantProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  # Case 3: IamInstanceProfile resolves to NoRolesProfile (declared below),
  # but that profile carries no Roles, so the instance still gets no role.
  IAMNoRoles:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: NoRolesProfile
      Tags:
        - Key: Name
          Value: Test
  # An instance profile with only a Path; the Roles property is missing, so it
  # attaches nothing to any instance that references it.
  NoRolesProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
Positive test num. 2 - json file
{
  "Resources": {
    "NoIAM": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "IAM_Missing": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "NoProfile"
        },
        "SecurityGroupIds": [
          {
            "Ref": "SSHAccessSG"
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "IAMNoRoles": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "NoRolesProfile"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "NoRolesProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/"
      }
    }
  }
}
Positive test num. 3 - yaml file
# Positive sample: the same three failing cases as the first YAML sample, but
# IamInstanceProfile is written as a plain string instead of a Ref.
Resources:
  # Case 1: no IamInstanceProfile property at all.
  NoIAM:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: Test
  # Case 2: a plain-string profile name that matches no resource declared in
  # this template. NOTE(review): presumably the check cannot confirm a role
  # for a name it cannot resolve here — confirm against the query source.
  IAM_Missing:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile: NonExistantProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  # Case 3: names NoRolesProfile (declared below), which has no Roles.
  IAMNoRoles:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile: NoRolesProfile
      Tags:
        - Key: Name
          Value: Test
  # Instance profile with only a Path and no Roles property, so it attaches
  # no role to the instance that references it.
  NoRolesProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative sample: the instance references an instance profile that is
# declared in this template and lists a role, and that role's trust policy
# lets the EC2 service assume it. This is the complete chain the check wants:
# instance -> instance profile -> role.
Resources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
        - AMIs
        - Ref: AWS::Region
        - Name
      KeyName:
        Ref: KeyName
      # Resolves to the AWS::IAM::InstanceProfile declared below.
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
      SecurityGroupIds:
      - Ref: SSHAccessSG
      Tags:
      - Key: Name
        Value: Test
  # Unlike NoRolesProfile in the positive samples, Roles is populated here.
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - Ref: ListS3BucketsRole
  # The role only defines a trust policy (who may assume it); no permission
  # policies appear in this sample, so the instance gets an identity but no
  # permissions. In a real template, attach only the least-privilege
  # permissions the workload needs.
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        # Trust policy scoped to the EC2 service principal only.
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
Negative test num. 2 - json file
{
  "Resources": {
    "Test": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "ListS3BucketsInstanceProfile"
        },
        "SecurityGroupIds": [
          {
            "Ref": "SSHAccessSG"
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "ListS3BucketsInstanceProfile": {
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "ListS3BucketsRole"
          }
        ]
      },
      "Type": "AWS::IAM::InstanceProfile"
    },
    "ListS3BucketsRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}