EC2 instance should not have a highly-privileged IAM role attached to it

ec2

Description

This rule ensures that none of your EC2 instances is attached to a highly-privileged instance role.

Rationale

EC2 instance roles are the recommended method to grant applications running on an EC2 instance privileges to access the AWS API. However, an EC2 instance attached to a privileged IAM role is considered risky, since an attacker compromising the instance can compromise your whole AWS account.

Remediation

EC2 instances typically do not require privileged IAM roles. It is recommended to reduce the permissions attached to the instance role. You can use AWS Access Advisor to identify effective permissions used by your instances, and use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.