IAM roles attached to instance profiles should not allow broad list actions on S3 buckets

Description

Instance profiles contain trust policies that enable EC2 instances to assume IAM roles. To prevent compromised EC2 instances from being able to effectively survey all S3 buckets and potentially access sensitive data, trust policies attached to instance profiles should not allow broad list actions on S3 buckets, such as ListAllBuckets.

Remediation Steps

AWS Console

• Navigate to IAM.

• Select the role that is associated with an instance profile. You should see an Instance Profile ARN within the role summary.

• Select the attached policy that includes S3 list actions, and ensure that broad list actions (ListBuckets, S3:List*, S3:*) are not included.

AWS CLI

• Ensure that IAM policies attached to IAM roles associated with instance profiles do not include broad S3 list actions:

  • aws iam update-policy --policy-id PolicyID --policy-document file://policy.json

policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
       {
       "Action": "s3:Get*",
       "Effect": "Allow",
       "Resource": "*"
    }
  ]
}

Terraform

• Ensure that IAM policies declared inline with aws_iam_role or aws_iam_role_policy resources, or with a aws_iam_policy that are associated with an aws_iam_instance_profile do not allow broad list actions on S3 buckets.

Example Configuration

resource "aws_iam_role_policy" "example" {
  name  = "my_role_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "s3:Get*"
        Effect = "Allow"
        Resource = "*"
        }
      },
    ]
  })
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Console: Using Instance Profiles with IAM

• CLI: update-assume-role-policy

Terraform

• Resource: aws_iam_role

  • Field: inline_policy.policy

• Resource: aws_iam_role_policy

  • Field: policy

• Resource: aws_iam_policy

  • Field: policy

• Resource: aws_iam_instance_profile