EC2 Instance Has No IAM Role
- Query id: f914357d-8386-4d56-9ba6-456e5723f9a6
- Query name: EC2 Instance Has No IAM Role
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
Checks whether every `AWS::EC2::Instance` is associated with an IAM role through an instance profile. The query reports an instance when its `IamInstanceProfile` property is missing, when it refers to a profile that is not defined in the template, or when the referenced `AWS::IAM::InstanceProfile` declares no `Roles` (each case appears in the positive samples below). An instance without a role cannot obtain temporary credentials from the instance metadata service, so software on it that needs AWS API access tends to end up with long-lived access keys embedded in user data, the AMI or configuration files, which are easy to leak and hard to rotate. The check only establishes that a role is attached; it does not evaluate what the role is allowed to do, so the role's policies still need a least-privilege review of their own.
Documentation
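The check described above, as an added stand-alone re-implementation written for this page (it is not the KICS query itself, which is written in Rego): it walks a JSON CloudFormation template and reports every `AWS::EC2::Instance` whose `IamInstanceProfile` is missing, cannot be resolved, points at something that is not an instance profile in the template, or is backed by a profile with no `Roles`. The two templates embedded in it are constructed, trimmed copies of the positive and negative samples below; the instance type and AMI ID are placeholder values. YAML templates would additionally need a parser that understands the `!Ref` short-form tags, so the example sticks to JSON.

```python
import json

EC2_INSTANCE = "AWS::EC2::Instance"
INSTANCE_PROFILE = "AWS::IAM::InstanceProfile"


def profile_logical_id(value):
    """Return the logical ID that an IamInstanceProfile value points at, or None.

    Handles the {"Ref": "X"} form and a bare string (the page's samples use
    both). Other intrinsic functions (Fn::GetAtt, Fn::Sub, ...) are left
    unresolved so the caller can report them for manual review.
    """
    if isinstance(value, dict) and list(value) == ["Ref"] and isinstance(value["Ref"], str):
        return value["Ref"]
    if isinstance(value, str):
        return value
    return None


def find_instances_without_role(template):
    """Return [(logical_id, reason), ...] for each EC2 instance that fails the check."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != EC2_INSTANCE:
            continue
        props = resource.get("Properties") or {}
        if "IamInstanceProfile" not in props:
            findings.append((logical_id, "IamInstanceProfile is not set"))
            continue
        target = profile_logical_id(props["IamInstanceProfile"])
        if target is None:
            findings.append((logical_id, "IamInstanceProfile could not be resolved; review manually"))
            continue
        profile = resources.get(target)
        if profile is None or profile.get("Type") != INSTANCE_PROFILE:
            # A bare string may also name a profile created outside this template;
            # it is still reported here (as the KICS sample "Positive test num. 3"
            # expects) and left to the reviewer to confirm.
            findings.append((logical_id, f"IamInstanceProfile '{target}' is not an {INSTANCE_PROFILE} in this template"))
            continue
        roles = (profile.get("Properties") or {}).get("Roles") or []
        if not roles:
            findings.append((logical_id, f"instance profile '{target}' has no Roles"))
    return findings


# Constructed sample templates: trimmed copies of the page's test cases with
# placeholder InstanceType / ImageId values.
POSITIVE_TEMPLATE = json.loads("""
{
  "Resources": {
    "NoIAM": {"Type": "AWS::EC2::Instance",
              "Properties": {"InstanceType": "t3.micro", "ImageId": "ami-00000000"}},
    "IAM_Missing": {"Type": "AWS::EC2::Instance",
                    "Properties": {"InstanceType": "t3.micro", "ImageId": "ami-00000000",
                                   "IamInstanceProfile": {"Ref": "NoProfile"}}},
    "IAMNoRoles": {"Type": "AWS::EC2::Instance",
                   "Properties": {"InstanceType": "t3.micro", "ImageId": "ami-00000000",
                                  "IamInstanceProfile": "NoRolesProfile"}},
    "NoRolesProfile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {"Path": "/"}}
  }
}
""")

NEGATIVE_TEMPLATE = json.loads("""
{
  "Resources": {
    "Test": {"Type": "AWS::EC2::Instance",
             "Properties": {"InstanceType": "t3.micro", "ImageId": "ami-00000000",
                            "IamInstanceProfile": {"Ref": "ListS3BucketsInstanceProfile"}}},
    "ListS3BucketsInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                                     "Properties": {"Path": "/", "Roles": [{"Ref": "ListS3BucketsRole"}]}},
    "ListS3BucketsRole": {"Type": "AWS::IAM::Role",
                          "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow",
                                           "Principal": {"Service": ["ec2.amazonaws.com"]},
                                           "Action": ["sts:AssumeRole"]}]}}}
  }
}
""")

if __name__ == "__main__":
    for name, template in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE)):
        findings = find_instances_without_role(template)
        print(f"{name}: {len(findings)} finding(s)")
        for logical_id, reason in findings:
            print(f"  {logical_id}: {reason}")
```

To scan a real template, replace the embedded dictionaries with `json.load(open(path))`. The deliberate conservatism on bare strings is worth keeping in mind when triaging results: CloudFormation treats a plain string in `IamInstanceProfile` as the name of an already existing profile, so an instance that points at a profile created in another stack is reported and needs a manual confirmation rather than a template change.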
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  # Flagged: no IamInstanceProfile at all
  NoIAM:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: Test
  # Flagged: IamInstanceProfile refers to a resource that is not in the template
  IAM_Missing:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: NonExistantProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  # Flagged: the referenced instance profile declares no Roles
  IAMNoRoles:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: NoRolesProfile
      Tags:
        - Key: Name
          Value: Test
  NoRolesProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "NoIAM": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "IAM_Missing": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "NoProfile"
        },
        "SecurityGroupIds": [
          {
            "Ref": "SSHAccessSG"
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "IAMNoRoles": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "NoRolesProfile"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "NoRolesProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/"
      }
    }
  }
}
```
Positive test num. 3 - yaml file
```yaml
Resources:
  # Flagged: no IamInstanceProfile at all
  NoIAM:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: Test
  # Flagged: IamInstanceProfile given as a plain name that matches nothing in the template
  IAM_Missing:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile: NonExistantProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  # Flagged: plain name resolves to a profile that declares no Roles
  IAMNoRoles:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile: NoRolesProfile
      Tags:
        - Key: Name
          Value: Test
  NoRolesProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  # Passes: the instance profile exists in the template and carries a role
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: ListS3BucketsRole
  # The role only needs a trust policy for ec2.amazonaws.com to satisfy this check;
  # its permission policies are out of scope for the query
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "Test": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "ListS3BucketsInstanceProfile"
        },
        "SecurityGroupIds": [
          {
            "Ref": "SSHAccessSG"
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "ListS3BucketsInstanceProfile": {
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "ListS3BucketsRole"
          }
        ]
      },
      "Type": "AWS::IAM::InstanceProfile"
    },
    "ListS3BucketsRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}
```
}