Insecure service configuration - EC2
Description
Some EC2 instances have insecure configurations that an attacker can use to access or interrupt critical application processes.
Impact
Compromise the security of one or several EC2 Instances
Recommendation
Perform a hardening process over all the EC2 instances by following the recommended best practices.
Threat
Internet attacker with access to the AWS console.
Expected Remediation Time
⌚ 45 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: H
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: N
- Availability: H
Temporal
- Exploit code maturity: P
- Remediation level: O
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:X
- Score:
  - Base: 4.9
  - Temporal: 4.4
- Severity:
  - Base: Medium
  - Temporal: Medium
Code Examples
Compliant code
All EC2 instances are securely configured.
Resources:
  MyLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: MyLaunchTemplate
      LaunchTemplateData:
        IamInstanceProfile:
          Arn: !GetAtt
            - MyIamInstanceProfile
            - Arn
        DisableApiTermination: true
        ImageId: ami-04d5cc9b88example
        InstanceInitiatedShutdownBehavior: terminate
        InstanceType: t2.micro
        KeyName: MyKeyPair
        SecurityGroupIds:
          - sg-083cd3bfb8example
Non compliant code
The EC2 instance has an insecure configuration: DisableApiTermination is set to true.
Resources:
  MyLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: MyLaunchTemplate
      LaunchTemplateData:
        IamInstanceProfile:
          Arn: !GetAtt
            - MyIamInstanceProfile
            - Arn
        DisableApiTermination: true
        ImageId: ami-04d5cc9b88example
        InstanceInitiatedShutdownBehavior: stop
        InstanceType: t2.micro
        KeyName: MyKeyPair
        SecurityGroupIds:
          - sg-083cd3bfb8example
An EC2 instance has associate_public_ip_address misconfigured, so the instance is reachable directly from the Internet.
resource "aws_launch_template" "foo" {
  name = "foo"

  iam_instance_profile {
    name = "test"
  }

  network_interfaces {
    associate_public_ip_address = true
  }
}
An EC2 instance has InstanceInitiatedShutdownBehavior misconfigured.
MyLaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateName: MyLaunchTemplate
    LaunchTemplateData:
      IamInstanceProfile:
        Arn: !GetAtt
          - MyIamInstanceProfile
          - Arn
      DisableApiTermination: true
      ImageId: ami-04d5cc9b88example
      InstanceInitiatedShutdownBehavior: stop
      InstanceType: t2.micro
      KeyName: MyKeyPair
      SecurityGroupIds:
        - sg-083cd3bfb8example
Using the AWS CLI, check whether the EC2 instance uses an IAM role (instance profile) instead of IAM access keys:
$ aws ec2 describe-instances \
    --region us-east-1 \
    --instance-ids {EC2_id} \
    --query 'Reservations[*].Instances[*].IamInstanceProfile'
If the command output is an empty array, the selected EC2 instance does not have an associated IAM role, which is considered an insecure service configuration.
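The CLI check above covers only the IAM role. As an added example (not part of this page or of any AWS tooling), the following Python audits the JSON that `aws ec2 describe-instances` and `aws ec2 describe-instance-attribute` return for all of the settings discussed on this page; the instance ids, ARN and IP address in the sample data are constructed placeholders.

```python
"""Offline audit of EC2 instance settings discussed on this page (example code)."""
import json

# Constructed sample in the shape of `aws ec2 describe-instances --query 'Reservations'`.
SAMPLE_RESERVATIONS = json.loads("""
[
  {"Instances": [
    {"InstanceId": "i-0000000000example1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/MyIamInstanceProfile"},
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10"}}]},
    {"InstanceId": "i-0000000000example2",
     "NetworkInterfaces": [{}]}
  ]}
]
""")

# Constructed sample of `describe-instance-attribute` results keyed by instance id;
# termination protection and shutdown behaviour are not part of describe-instances.
SAMPLE_ATTRIBUTES = {
    "i-0000000000example1": {"DisableApiTermination": {"Value": True},
                             "InstanceInitiatedShutdownBehavior": {"Value": "terminate"}},
    "i-0000000000example2": {"DisableApiTermination": {"Value": False},
                             "InstanceInitiatedShutdownBehavior": {"Value": "stop"}},
}


def audit_instance(instance, attributes):
    """Return the list of insecure settings found on one instance."""
    findings = []
    # No instance profile means workloads would have to rely on IAM access keys instead.
    if not instance.get("IamInstanceProfile", {}).get("Arn"):
        findings.append("no IAM instance profile (IAM role) attached")
    # A public IP on any interface exposes the instance directly to the Internet.
    if any(nic.get("Association", {}).get("PublicIp") for nic in instance.get("NetworkInterfaces", [])):
        findings.append("public IP address associated")
    if not attributes.get("DisableApiTermination", {}).get("Value", False):
        findings.append("termination protection (DisableApiTermination) is off")
    # The compliant template on this page uses 'terminate'; 'stop' is the non-compliant value.
    if attributes.get("InstanceInitiatedShutdownBehavior", {}).get("Value") != "terminate":
        findings.append("InstanceInitiatedShutdownBehavior is not 'terminate'")
    return findings


def audit_reservations(reservations, attributes_by_id):
    """Map every instance id in the describe-instances output to its findings."""
    return {inst["InstanceId"]: audit_instance(inst, attributes_by_id.get(inst["InstanceId"], {}))
            for reservation in reservations for inst in reservation["Instances"]}


if __name__ == "__main__":
    for instance_id, findings in audit_reservations(SAMPLE_RESERVATIONS, SAMPLE_ATTRIBUTES).items():
        print(instance_id, "OK" if not findings else "; ".join(findings))
```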