
Insecure service configuration - EC2

Description

Some EC2 instances have insecure configurations (no IAM instance profile, an auto-assigned public IP address, termination protection disabled, or a guest-initiated shutdown that terminates the instance) that an attacker can use to access or interrupt critical application processes.

Impact

Compromise the security, and in particular the availability, of one or several EC2 instances.

Recommendation

Harden all EC2 instances by following the recommended best practices: attach an IAM instance profile instead of distributing IAM access keys, do not auto-assign public IP addresses, enable termination protection (DisableApiTermination: true) and keep the instance-initiated shutdown behavior at stop rather than terminate.

Threat

Internet attacker with access to the AWS console.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: H
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: N
  • Availability: H

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:X
  • Score:
    • Base: 4.9
    • Temporal: 4.4
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All EC2 instances are securely configured: credentials come from an IAM instance profile, termination protection is on, and a shutdown issued from inside the guest only stops the instance. (The Fn::GetAtt key around the [MyIamInstanceProfile, Arn] pair was lost in the original listing and is restored here.)

Resources:
  MyLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: MyLaunchTemplate
      LaunchTemplateData:
        # Workloads obtain temporary credentials from the instance role,
        # so no long-lived IAM access keys need to live on the instance
        IamInstanceProfile:
          Arn:
            Fn::GetAtt:
              - MyIamInstanceProfile
              - Arn
        # Termination protection: the TerminateInstances API call is refused
        # until this flag is cleared
        DisableApiTermination: true
        ImageId: ami-04d5cc9b88example
        # An OS-level shutdown (or a crash) stops the instance instead of
        # destroying it and its instance-store volumes
        InstanceInitiatedShutdownBehavior: stop
        InstanceType: t2.micro
        KeyName: MyKeyPair
        SecurityGroupIds:
          - sg-083cd3bfb8example

Non compliant code

The EC2 instance has an insecure configuration: termination protection is disabled (DisableApiTermination: false), so any principal holding ec2:TerminateInstances on it can delete the instance with a single API call.

Resources:
  MyLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: MyLaunchTemplate
      LaunchTemplateData:
        IamInstanceProfile:
          Arn:
            Fn::GetAtt:
              - MyIamInstanceProfile
              - Arn
        # Insecure: termination protection is off
        DisableApiTermination: false
        ImageId: ami-04d5cc9b88example
        InstanceInitiatedShutdownBehavior: stop
        InstanceType: t2.micro
        KeyName: MyKeyPair
        SecurityGroupIds:
          - sg-083cd3bfb8example

An EC2 instance has associate_public_ip_address misconfigured: every instance launched from the template receives a public IPv4 address, which exposes it directly to the Internet instead of keeping it behind a load balancer or bastion.

resource "aws_launch_template" "foo" {
  name = "foo"

  iam_instance_profile {
    name = "test"
  }

  network_interfaces {
    # Insecure: the instance is reachable from the Internet;
    # set this to false unless the instance really must be public
    associate_public_ip_address = true
  }
}

An EC2 instance has InstanceInitiatedShutdownBehavior misconfigured: it is set to terminate, so a shutdown triggered from inside the guest, for example by a compromised process running shutdown -h now, or by a kernel panic, deletes the instance together with its instance-store volumes. This is the availability impact reflected in the score above; the safe value is stop.

MyLaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateName: MyLaunchTemplate
    LaunchTemplateData:
      IamInstanceProfile:
        Arn:
          Fn::GetAtt:
            - MyIamInstanceProfile
            - Arn
      DisableApiTermination: true
      ImageId: ami-04d5cc9b88example
      # Insecure: a guest-initiated shutdown destroys the instance
      InstanceInitiatedShutdownBehavior: terminate
      InstanceType: t2.micro
      KeyName: MyKeyPair
      SecurityGroupIds:
        - sg-083cd3bfb8example

Using the AWS CLI, check whether an EC2 instance uses an IAM role (instance profile) instead of IAM access keys:

$ aws ec2 describe-instances \
    --region us-east-1 \
    --instance-ids {EC2_id} \
    --query 'Reservations[*].Instances[*].IamInstanceProfile'

The JMESPath projection skips instances whose IamInstanceProfile is absent, so if the inner array in the output is empty ([[]]) the selected EC2 instance has no IAM role associated, which is considered an insecure service configuration.
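The CLI check above covers only the IAM instance profile. The following Python script, added here as an example and not part of the original page or of any vendor tool, extends the same idea to the other settings discussed on this page. It evaluates the JSON that `aws ec2 describe-instances` returns together with the per-instance output of `aws ec2 describe-instance-attribute --attribute disableApiTermination` and `--attribute instanceInitiatedShutdownBehavior`. The instance IDs, addresses and ARN in the embedded sample are constructed so that the script runs offline; in practice you would feed it the real command output.

```python
"""Audit EC2 instances for the misconfigurations described on this page.

Added example. Works over the JSON shapes produced by
`aws ec2 describe-instances` and `aws ec2 describe-instance-attribute`;
the sample data below is constructed, not captured from a real account.
"""
import json

# Constructed sample of `aws ec2 describe-instances`, trimmed to the fields
# the audit needs. One hardened instance, one with every weakness.
DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {
      "Instances": [
        {
          "InstanceId": "i-0aaaaaaaaaaaaaaa1",
          "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/MyIamInstanceProfile",
            "Id": "AIPAEXAMPLE000000001"
          },
          "PrivateIpAddress": "10.0.1.10"
        },
        {
          "InstanceId": "i-0bbbbbbbbbbbbbbb2",
          "PrivateIpAddress": "10.0.1.11",
          "PublicIpAddress": "203.0.113.25"
        }
      ]
    }
  ]
}
""")

# Constructed sample of `aws ec2 describe-instance-attribute` output for
# `--attribute disableApiTermination` and
# `--attribute instanceInitiatedShutdownBehavior`, keyed by instance ID.
INSTANCE_ATTRIBUTES = {
    "i-0aaaaaaaaaaaaaaa1": {
        "DisableApiTermination": {"Value": True},
        "InstanceInitiatedShutdownBehavior": {"Value": "stop"},
    },
    "i-0bbbbbbbbbbbbbbb2": {
        "DisableApiTermination": {"Value": False},
        "InstanceInitiatedShutdownBehavior": {"Value": "terminate"},
    },
}


def audit_instance(instance, attributes):
    """Return the list of insecure settings found on one instance."""
    findings = []
    # No instance profile: workloads fall back to long-lived access keys
    if not instance.get("IamInstanceProfile"):
        findings.append("no IAM instance profile")
    # PublicIpAddress is only present when a public IPv4 address is attached
    if instance.get("PublicIpAddress"):
        findings.append("public IPv4 address attached")
    # DisableApiTermination false means TerminateInstances is not blocked
    if not attributes["DisableApiTermination"]["Value"]:
        findings.append("termination protection disabled")
    # terminate means an OS-level shutdown destroys the instance
    if attributes["InstanceInitiatedShutdownBehavior"]["Value"] == "terminate":
        findings.append("guest-initiated shutdown terminates the instance")
    return findings


def audit(describe_output, attributes_by_id):
    """Map every instance ID in a describe-instances result to its findings."""
    return {
        inst["InstanceId"]: audit_instance(inst, attributes_by_id[inst["InstanceId"]])
        for reservation in describe_output["Reservations"]
        for inst in reservation["Instances"]
    }


if __name__ == "__main__":
    for instance_id, findings in audit(DESCRIBE_INSTANCES, INSTANCE_ATTRIBUTES).items():
        print(f"{instance_id}: {'OK' if not findings else '; '.join(findings)}")
```

The script deliberately reads the two attributes from describe-instance-attribute rather than from describe-instances, because termination protection and shutdown behavior are not returned by the latter; an instance can also drift from its launch template after creation, so auditing the running instances catches changes that a template-only review would miss.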
