IAM roles attached to instance profiles should not allow broad list actions on S3 buckets

Description

An instance profile is the container through which an IAM role is attached to an EC2 instance: the role's trust policy lets the EC2 service (ec2.amazonaws.com) assume it, and the role's permission policies determine what code running on the instance can do. To prevent a compromised EC2 instance from enumerating every S3 bucket in the account and then probing them for sensitive data, the permission policies on roles used by instance profiles should not grant broad list actions on S3, such as s3:ListAllMyBuckets or any wildcard that covers it (s3:List*, s3:*, *).

Remediation Steps

AWS Console

  • Navigate to IAM.

  • Select a role that is associated with an instance profile. Such roles show an Instance Profile ARN in the role summary.

  • Review every policy on the role, inline as well as attached managed policies, and ensure that no Allow statement includes broad list actions (s3:ListAllMyBuckets, s3:List*, s3:*, or a bare *).

AWS CLI

  • Ensure that IAM policies attached to IAM roles associated with instance profiles do not include broad S3 list actions. For a customer-managed policy, publish a corrected version and make it the default (a managed policy holds at most five versions, so delete an old one first if the limit is reached):

    • aws iam create-policy-version --policy-arn PolicyARN --policy-document file://policy.json --set-as-default

    For an inline role policy, overwrite it in place:

    • aws iam put-role-policy --role-name RoleName --policy-name PolicyName --policy-document file://policy.json

policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:Get*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Where possible, also narrow Resource from "*" to the ARNs of the buckets and prefixes the instance actually needs: s3:Get* on "*" removes bucket enumeration, but a compromised instance can still read any object whose name it can guess or discover elsewhere.
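The console and CLI steps above are manual. The following script is an added example, not part of the original page, that automates the same check: it walks every instance profile, collects the inline and attached managed policies of each role, and flags Allow statements whose action pattern would match s3:ListAllMyBuckets (which covers s3:List*, s3:*, and *). The matching logic is a pure function so it runs offline on the constructed sample policies; the boto3 section requires AWS credentials and is only invoked from the main block. Function names and the sample documents are this example's own.

```python
"""Audit roles reachable through instance profiles for broad S3 list grants.

Added example (not from the original page). `find_broad_s3_list_statements`
is pure and runs offline; `audit_instance_profiles` needs boto3 and credentials.
"""
import fnmatch

# The action that lets a principal enumerate every bucket in the account.
# Any Allow whose action pattern matches it (s3:ListAllMyBuckets, s3:List*,
# s3:*, *) is what the rule calls a "broad list action".
ENUMERATE_BUCKETS = "s3:ListAllMyBuckets"


def _as_list(value):
    """IAM allows Action/NotAction/Resource to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_broad_s3_list_statements(policy_document):
    """Return the Allow statements that grant s3:ListAllMyBuckets, directly or via wildcard.

    Deny statements are skipped. An Allow that uses NotAction is flagged unless
    the exclusion itself covers the list action, since "everything except X"
    otherwise includes bucket enumeration.
    """
    findings = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            if not any(action_matches(p, ENUMERATE_BUCKETS) for p in excluded):
                findings.append(stmt)
            continue
        if any(action_matches(p, ENUMERATE_BUCKETS) for p in _as_list(stmt.get("Action"))):
            findings.append(stmt)
    return findings


def role_policy_documents(iam, role_name):
    """Yield (policy identifier, document) for inline and attached managed policies of a role."""
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        for name in page["PolicyNames"]:
            doc = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
            yield name, doc
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        for attached in page["AttachedPolicies"]:
            arn = attached["PolicyArn"]
            version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            doc = iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
            yield arn, doc


def audit_instance_profiles(iam):
    """Return (instance profile, role, policy, statement) tuples for every broad S3 list grant."""
    results = []
    for page in iam.get_paginator("list_instance_profiles").paginate():
        for profile in page["InstanceProfiles"]:
            for role in profile["Roles"]:
                for policy_id, doc in role_policy_documents(iam, role["RoleName"]):
                    for stmt in find_broad_s3_list_statements(doc):
                        results.append((profile["InstanceProfileName"], role["RoleName"], policy_id, stmt))
    return results


# Constructed sample documents (not from any real account) for the offline check.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:GetObject"], "Resource": "*"},
]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
]}


if __name__ == "__main__":
    import boto3  # only needed for the live audit; requires AWS credentials

    for profile, role, policy, stmt in audit_instance_profiles(boto3.client("iam")):
        granted = stmt.get("Action", stmt.get("NotAction"))
        print(f"{profile} -> {role}: {policy} allows {granted} on {stmt.get('Resource')}")
```

The offline function deliberately tests action patterns against a single concrete action rather than keeping a list of bad strings, so new wildcard spellings (s3:ListAll*, s3:L*) are caught without maintenance. Resource scoping is not evaluated: s3:ListAllMyBuckets only honours "*" as a resource, so a wildcard action on any resource still grants enumeration.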

Terraform

Example Configuration

resource "aws_iam_role_policy" "example" {
  name = "my_role_policy"
  # The role the instance profile wraps; aws_iam_role.example is assumed to be defined elsewhere.
  role = aws_iam_role.example.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read access only: no s3:ListAllMyBuckets, s3:List*, s3:* or *
        Action   = "s3:Get*"
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}