EC2 Instance Has No IAM Role

Query id: f914357d-8386-4d56-9ba6-456e5723f9a6
Query name: EC2 Instance Has No IAM Role
Platform: CloudFormation
Severity: Medium
Category: Access Control
URL: Github
Description¶

Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.
Documentation
Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file
Positive test num. 2 - json file
Positive test num. 3 - yaml file
/span>
Resources: NoIAM: Type: AWS::EC2::Instance class="w">    Properties: InstanceType: Ref: InstanceType ImageId: Fn::FindInMap: - AMIs - Ref: AWS::Region - Name KeyName: Ref: KeyName Tags: - Key: Name Value: Test IAM_Missing: Type: AWS::EC2::Instance Properties: InstanceType: Ref: InstanceType ImageId: Fn::FindInMap: - AMIs - Ref: AWS::Region - Name KeyName: Ref: KeyName class="w">      IamInstanceProfile: Ref: NonExistantProfile SecurityGroupIds: - Ref: SSHAccessSG Tags: - Key: Name Value: Test IAMNoRoles: Type: AWS::EC2::Instance Properties: InstanceType: Ref: InstanceType ImageId: Fn::FindInMap: - AMIs - Ref: AWS::Region - Name KeyName: Ref: KeyName IamInstanceProfile: Ref: NoRolesProfile Tags: - Key: Name Value: Test NoRolesProfile: Type: AWS::IAM::InstanceProfile class="w">    Properties: Path: "/" /span>{ "Resources": { "NoIAM": { "Type": "AWS::EC2::Instance", class="w">      "Properties": { "InstanceType": { "Ref": "InstanceType" }, "ImageId": { "Fn::FindInMap": [ "AMIs", { "Ref": "AWS::Region" }, "Name" ] }, "KeyName": { "Ref": "KeyName" }, "Tags": [ { "Key": "Name", "Value": "Test" } ] } }, "IAM_Missing": { "Type": "AWS::EC2::Instance", "Properties": { "InstanceType": { "Ref": "InstanceType" }, "ImageId": { "Fn::FindInMap": [ "AMIs", { "Ref": "AWS::Region" }, "Name" ] }, "KeyName": { "Ref": "KeyName" }, class="w">        "IamInstanceProfile": { "Ref": "NoProfile" }, "SecurityGroupIds": [ { "Ref": "SSHAccessSG" } ], "Tags": [ { "Key": "Name", "Value": "Test" } ] } }, "IAMNoRoles": { "Type": "AWS::EC2::Instance", "Properties": { "InstanceType": { "Ref": "InstanceType" }, "ImageId": { "Fn::FindInMap": [ "AMIs", { "Ref": "AWS::Region" }, "Name" ] }, "KeyName": { "Ref": "KeyName" }, "IamInstanceProfile": { "Ref": "NoRolesProfile" }, "Tags": [ { "Key": "Name", "Value": "Test" } ] } }, "NoRolesProfile": { "Type": "AWS::IAM::InstanceProfile", class="w">      "Properties": { "Path": "/" } } } } /span>Resources: NoIAM: Type: AWS::EC2::Instance class="w">    Properties: InstanceType: Ref: InstanceType ImageId: Fn::FindInMap: - AMIs - Ref: AWS::Region - Name KeyName: Ref: KeyName Tags: - Key: Name Value: Test IAM_Missing: Type: AWS::EC2::Instance Properties: InstanceType: Ref: InstanceType ImageId: Fn::FindInMap: - AMIs - Ref: AWS::Region - Name KeyName: Ref: KeyName class="w">      IamInstanceProfile: NonExistantProfile SecurityGroupIds: - Ref: SSHAccessSG Tags: - Key: Name Value: Test IAMNoRoles: Type: AWS::EC2::Instance Properties: InstanceType: Ref: InstanceType ImageId: Fn::FindInMap: - AMIs - Ref: AWS::Region - Name KeyName: Ref: KeyName IamInstanceProfile: NoRolesProfile Tags: - Key: Name Value: Test NoRolesProfile: Type: AWS::IAM::InstanceProfile class="w">    Properties: Path: "/"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
        - AMIs
        - Ref: AWS::Region
        - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
      SecurityGroupIds:
      - Ref: SSHAccessSG
      Tags:
      - Key: Name
        Value: Test
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - Ref: ListS3BucketsRole
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

Negative test num. 2 - json file{
  "Resources": {
    "Test": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "ImageId": {
          "Fn::FindInMap": [
            "AMIs",
            {
              "Ref": "AWS::Region"
            },
            "Name"
          ]
        },
        "KeyName": {
          "Ref": "KeyName"
        },
        "IamInstanceProfile": {
          "Ref": "ListS3BucketsInstanceProfile"
        },
        "SecurityGroupIds": [
          {
            "Ref": "SSHAccessSG"
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "Test"
          }
        ]
      }
    },
    "ListS3BucketsInstanceProfile": {
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "ListS3BucketsRole"
          }
        ]
      },
      "Type": "AWS::IAM::InstanceProfile"
    },
    "ListS3BucketsRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    }
  }
}