App-Tier/Web-Tier Launch Configurations Without IAM Roles

This plugin ensures that the App-Tier or Web-Tier Auto Scaling launch configuration is configured to use a customer-created IAM instance profile.

Risk Level: High

Description

This plugin ensures that the App-Tier or Web-Tier Auto Scaling launch configuration is configured to use a customer-created IAM instance profile. An IAM role attached through the launch configuration provides the instances launched by the Auto Scaling group with the credentials they need to access AWS services.

About the Service

AWS Auto Scaling: As the name suggests, AWS Auto Scaling monitors your running resources and, when required, adjusts capacity to maintain performance at the lowest possible cost. Auto Scaling is easy to set up and automatically maintains the performance of your cloud infrastructure.

Impact

Applications running on EC2 instances require IAM roles to access AWS resources. The IAM instance profile assigned in the launch configuration allows the EC2 instances created by the Auto Scaling group to assume that IAM role. Without an IAM instance profile, the EC2 instances are not granted the permissions they need, disrupting the application running on them.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon EC2 Console. If you are already logged in, you can navigate directly via https://console.aws.amazon.com/ec2.
  3. In the left pane, scroll down to the Auto Scaling section and select Auto Scaling Groups.
  4. A list of Auto Scaling Groups is displayed. Select the group you want to investigate by clicking the entry in its Launch template/configuration column.
  5. A new window shows the Launch Configuration details. Scroll down to the Details section and check whether the IAM instance profile value is empty. If it is empty, no IAM role is configured for the Auto Scaling Group.
  6. Repeat steps 3 to 5 for every Auto Scaling group you want to investigate.
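The same check can be run programmatically across every group in a region. The following is an added example, not code from the original page or from the plugin itself: it evaluates the dictionaries that boto3's describe_auto_scaling_groups() and describe_launch_configurations() return, flags groups whose launch configuration has no IamInstanceProfile, and separately reports groups built from a launch template, which this launch-configuration check does not cover. The sample responses, group names and AMI/profile names are constructed; the live fetch assumes boto3 and valid AWS credentials.

```python
"""Flag Auto Scaling groups whose launch configuration has no IAM instance profile.

Added example (not from the original page). The check works on the dictionaries
returned by boto3's describe_auto_scaling_groups() and
describe_launch_configurations(); the sample responses below are constructed so
the example runs offline.
"""
from typing import Dict, List

# Constructed sample responses shaped like the Auto Scaling API output.
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "web-tier-asg", "LaunchConfigurationName": "web-lc-v1"},
    {"AutoScalingGroupName": "app-tier-asg", "LaunchConfigurationName": "app-lc-v3"},
    # Groups built from a launch template carry no LaunchConfigurationName.
    {"AutoScalingGroupName": "batch-asg",
     "LaunchTemplate": {"LaunchTemplateName": "batch-lt", "Version": "$Latest"}},
]
SAMPLE_LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "web-lc-v1", "ImageId": "ami-0123456789abcdef0",
     "InstanceType": "t3.micro"},  # no IamInstanceProfile key at all
    {"LaunchConfigurationName": "app-lc-v3", "ImageId": "ami-0123456789abcdef0",
     "InstanceType": "t3.small", "IamInstanceProfile": "app-tier-instance-profile"},
]


def has_instance_profile(launch_config: Dict) -> bool:
    """True if the launch configuration names a non-empty IAM instance profile."""
    return bool(launch_config.get("IamInstanceProfile", "").strip())


def find_groups_without_iam_role(groups: List[Dict], launch_configs: List[Dict]) -> List[Dict]:
    """Return one finding per Auto Scaling group that fails (or is not covered by) the check.

    Statuses:
      no_iam_instance_profile     - launch configuration exists but has no instance profile
      missing_launch_configuration - group references a configuration that was not returned
      launch_template              - group uses a launch template; not covered by this check
    """
    configs_by_name = {lc["LaunchConfigurationName"]: lc for lc in launch_configs}
    findings = []
    for group in groups:
        name = group["AutoScalingGroupName"]
        lc_name = group.get("LaunchConfigurationName")
        if not lc_name:
            findings.append({"group": name, "status": "launch_template",
                             "launch_configuration": None})
            continue
        lc = configs_by_name.get(lc_name)
        if lc is None:
            findings.append({"group": name, "status": "missing_launch_configuration",
                             "launch_configuration": lc_name})
        elif not has_instance_profile(lc):
            findings.append({"group": name, "status": "no_iam_instance_profile",
                             "launch_configuration": lc_name})
    return findings


def check_live_account(region_name: str) -> List[Dict]:
    """Run the same check against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline example does not require it

    client = boto3.client("autoscaling", region_name=region_name)
    groups = [g for page in client.get_paginator("describe_auto_scaling_groups").paginate()
              for g in page["AutoScalingGroups"]]
    lcs = [lc for page in client.get_paginator("describe_launch_configurations").paginate()
           for lc in page["LaunchConfigurations"]]
    return find_groups_without_iam_role(groups, lcs)


if __name__ == "__main__":
    for finding in find_groups_without_iam_role(SAMPLE_GROUPS, SAMPLE_LAUNCH_CONFIGS):
        print(f"{finding['group']}: {finding['status']} ({finding['launch_configuration']})")
```

Run against the constructed data, only web-tier-asg is reported as missing an instance profile; app-tier-asg passes, and batch-asg is listed as launch_template so that the gap in coverage is visible rather than silently ignored.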

Steps for Remediation

Update the App-Tier and Web-Tier Auto Scaling launch configurations and attach a customer-created App-Tier IAM role. A launch configuration cannot be modified after it is created, so the fix is to copy the existing configuration with an IAM instance profile attached and point the Auto Scaling group at the copy.

  1. Log in to your AWS Console.
  2. Open the Amazon EC2 Console. If you are already logged in, you can navigate directly via https://console.aws.amazon.com/ec2.
  3. In the left pane, scroll down to the Auto Scaling section and select Auto Scaling Groups.
  4. A list of Auto Scaling Groups is displayed. Select the vulnerable launch configuration by clicking the entry in the group's Launch template/configuration column.
  5. A new window shows the Launch Configuration details. Click Copy Launch Configuration in the top right corner of the Details section.
  6. Give the new Launch Configuration a name. Scroll down to the Additional Configuration section and select an IAM instance profile from the drop-down list.
  7. Click Create Launch Configuration when done.
  8. Go back to the vulnerable Auto Scaling Group and select it by clicking its Name.
  9. In the Details tab, scroll down to the Launch Configurations section and click Edit.
  10. Select the Launch Configuration you just created from the drop-down list and click Update when finished.
  11. Repeat steps 3 to 10 for all vulnerable Auto Scaling groups.
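The console procedure above (copy the configuration, attach an instance profile, switch the group to the copy) maps directly onto three API calls. The following is an added example, not code from the original page or from the plugin: it builds the create_launch_configuration() parameters from a describe_launch_configurations() record, dropping the read-only fields (LaunchConfigurationARN, CreatedTime) and empty values that the create call does not accept, and then shows the live sequence with a boto3 autoscaling client. The sample launch configuration, ARN, AMI and profile names are constructed placeholders; the live function assumes boto3, credentials, and an instance profile that already exists.

```python
"""Copy a launch configuration with an IAM instance profile attached and move the group onto it.

Added example (not from the original page). Launch configurations are immutable,
so remediation is copy + attach profile + update group, exactly as in the console
steps. The sample record below is constructed; names and ARNs are placeholders.
"""
import copy
from typing import Dict

# Returned by describe_launch_configurations() but rejected by create_launch_configuration().
READ_ONLY_FIELDS = {"LaunchConfigurationARN", "CreatedTime"}

# Constructed sample of a vulnerable launch configuration as describe_launch_configurations() returns it.
SAMPLE_VULNERABLE_LC = {
    "LaunchConfigurationName": "web-lc-v1",
    "LaunchConfigurationARN": "arn:aws:autoscaling:us-east-1:123456789012:launchConfiguration:"
                              "EXAMPLE-ID:launchConfigurationName/web-lc-v1",
    "ImageId": "ami-0123456789abcdef0",
    "KeyName": "web-key",
    "SecurityGroups": ["sg-0123456789abcdef0"],
    "UserData": "",
    "InstanceType": "t3.micro",
    "KernelId": "",
    "RamdiskId": "",
    "BlockDeviceMappings": [],
    "InstanceMonitoring": {"Enabled": True},
    "CreatedTime": "2024-01-01T00:00:00Z",
    "EbsOptimized": False,
    # no IamInstanceProfile: this is the finding being remediated
}


def build_remediated_launch_configuration(existing: Dict, new_name: str, instance_profile: str) -> Dict:
    """Return create_launch_configuration() kwargs: the existing settings plus an IAM instance profile."""
    if not instance_profile.strip():
        raise ValueError("an IAM instance profile name or ARN is required")
    if new_name == existing["LaunchConfigurationName"]:
        raise ValueError("launch configuration names must be unique; choose a new name")
    params = {
        key: copy.deepcopy(value)
        for key, value in existing.items()
        # Skip read-only fields and empty strings/lists, which the create call rejects or ignores.
        if key not in READ_ONLY_FIELDS and value not in ("", [], None)
    }
    params["LaunchConfigurationName"] = new_name
    params["IamInstanceProfile"] = instance_profile
    return params


def remediate_group(client, group_name: str, new_name: str, instance_profile: str) -> Dict:
    """Apply the fix with a boto3 'autoscaling' client (live calls; not exercised offline).

    New instances launched by the group will use the new configuration; existing
    instances keep the old one until they are replaced (e.g. via an instance refresh).
    """
    group = client.describe_auto_scaling_groups(
        AutoScalingGroupNames=[group_name])["AutoScalingGroups"][0]
    existing = client.describe_launch_configurations(
        LaunchConfigurationNames=[group["LaunchConfigurationName"]])["LaunchConfigurations"][0]
    params = build_remediated_launch_configuration(existing, new_name, instance_profile)
    client.create_launch_configuration(**params)
    client.update_auto_scaling_group(AutoScalingGroupName=group_name,
                                     LaunchConfigurationName=new_name)
    return params


if __name__ == "__main__":
    import json
    print(json.dumps(build_remediated_launch_configuration(
        SAMPLE_VULNERABLE_LC, "web-lc-v2", "web-tier-instance-profile"), indent=2))
```

The role referenced by the instance profile should carry only the permissions the tier's application needs; attaching the profile fixes the missing-credentials problem the page describes, while the policy on the role decides how much those credentials can do.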