Publicly accessible EC2 instances should not have highly-privileged IAM roles

ec2
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

This rule verifies that publicly accessible EC2 instances are not attached to a highly-privileged, risky instance role.

Rationale

An EC2 instance is publicly accessible if it exists within infrastructure that could provide an access route from the internet for an attacker.

EC2 instance roles are the recommended method to grant applications running on an EC2 instance privileges to access the AWS API. However, an EC2 instance attached to a privileged IAM role is considered risky, since an attacker compromising the instance can compromise your whole AWS account.

Remediation

You can use the AWS Reachability Analyzer to identify the path to your EC2 instance that is allowing it to be accessed via the internet. If possible, don’t open your instance security group to the Internet, or don’t assign it a public IP so it’s only accessible from within the VPC.

EC2 instances typically do not require privileged IAM roles. It is recommended to reduce the permissions attached to the instance role. You can use AWS Access Advisor to identify effective permissions used by your instances, and use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.

References