EC2 instance IAM roles
Check ID: aws-iam-016
AWS-IAM-016 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if running EC2 instances have IAM instance profiles attached. Without a role, applications must use long-lived access keys instead of temporary role credentials.
Why it matters
EC2 instances without IAM roles force applications to use hardcoded access keys, which are long-lived credentials that must be manually rotated and can be leaked through code repositories, logs, or instance metadata. Instance roles provide temporary credentials (via the Instance Metadata Service) that rotate automatically every 6 hours, require no key management, and are scoped to the specific instance. The 2019 Capital One breach exploited SSRF to steal instance role credentials, but because role credentials are temporary, the exposure window was limited. Without a role, developers often embed permanent access keys in application configs, environment variables, or user data scripts, creating persistent credential exposure. IMDSv2 (session tokens obtained with a PUT request, plus a response hop limit of 1) further protects instance role credentials from SSRF-based theft.
Common causes
EC2 instances launched manually through the console often skip the IAM role configuration step because it is presented as an optional advanced setting. Legacy applications that predate IAM roles (2012) may still use hardcoded access keys on instances that have never been modernized. Teams that use configuration management tools like Ansible or Chef may embed access keys in the deployment configuration instead of using instance roles.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
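The detection logic behind this check can be reproduced directly from the EC2 API. The following is an added example, not cloud-audit's own code: it walks a describe_instances response, reports running instances with no instance profile attached, and (since the page calls out IMDSv2 as the related hardening) also reports running instances that still accept IMDSv1 requests. The response shape follows boto3's ec2.describe_instances(); the instance IDs and account number are constructed sample data, and the fetch_live_response helper is only used when boto3 and credentials are available.

```python
"""Find running EC2 instances without an IAM instance profile (check
aws-iam-016) and instances still accepting IMDSv1. Added example; the
sample response below is constructed, not real account data."""
from typing import Dict, List

# Constructed sample of ec2.describe_instances() output, trimmed to the
# fields this check needs. Account ID and instance IDs are placeholders.
SAMPLE_RESPONSE: Dict = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::111122223333:instance-profile/web-profile"},
             "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             # no IamInstanceProfile key at all -> finding
             "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
        ]},
        {"Instances": [
            # stopped instances are out of scope for this check
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"}},
            {"InstanceId": "i-0ddd444", "State": {"Name": "running"},
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::111122223333:instance-profile/worker"},
             "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def _running_instances(response: Dict):
    """Yield only instances whose state is 'running'."""
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                yield inst


def find_instances_without_role(response: Dict) -> List[str]:
    """IDs of running instances with no instance profile attached.
    A missing IamInstanceProfile key and an empty Arn are treated alike."""
    return [inst["InstanceId"] for inst in _running_instances(response)
            if not inst.get("IamInstanceProfile", {}).get("Arn")]


def find_imdsv1_enabled(response: Dict) -> List[str]:
    """IDs of running instances where HttpTokens is not 'required', i.e.
    IMDSv1 GET requests to 169.254.169.254 still return role credentials.
    An absent MetadataOptions block is treated as 'optional' (the old default)."""
    return [inst["InstanceId"] for inst in _running_instances(response)
            if inst.get("MetadataOptions", {}).get("HttpTokens", "optional") != "required"]


def fetch_live_response(region: str) -> Dict:
    """Pull real describe_instances pages for one region (needs boto3 and
    AWS credentials). Pre-filters to running instances server-side and
    merges the pages into the same shape as SAMPLE_RESPONSE."""
    import boto3  # imported lazily so the offline functions above never need it
    ec2 = boto3.client("ec2", region_name=region)
    paginator = ec2.get_paginator("describe_instances")
    merged: Dict = {"Reservations": []}
    for page in paginator.paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
        merged["Reservations"].extend(page["Reservations"])
    return merged


if __name__ == "__main__":
    # Offline run against the constructed sample.
    print("no instance profile:", find_instances_without_role(SAMPLE_RESPONSE))
    print("IMDSv1 still allowed:", find_imdsv1_enabled(SAMPLE_RESPONSE))
```

Against the constructed sample, the first function reports only i-0bbb222 (i-0ccc333 has no profile either but is stopped), and the second reports i-0bbb222 and i-0ddd444; the latter shows why attaching a role and enforcing IMDSv2 are separate fixes, since i-0ddd444 has a role but still serves its credentials to untokened requests.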
Remediation: AWS CLI
# Create instance profile and attach to instance:
aws iam create-instance-profile --instance-profile-name INSTANCE_ID-profile
aws iam add-role-to-instance-profile --instance-profile-name INSTANCE_ID-profile --role-name YOUR_ROLE
aws ec2 associate-iam-instance-profile --instance-id INSTANCE_ID --iam-instance-profile Name=INSTANCE_ID-profile --region REGION
Remediation: Terraform
resource "aws_iam_instance_profile" "ec2" {
name = "ec2-profile"
role = aws_iam_role.ec2.name
}
resource "aws_instance" "this" {
# ...
iam_instance_profile = aws_iam_instance_profile.ec2.name
}
Compliance mapping
This check maps to CIS 1.18 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit