Data protection

Internet Facing EC2 Instance with Broad S3 Access

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

The internet-facing asset {AwsEc2Instance} ({AwsEc2Instance.InstanceId}) was found to have broad access to S3 via its Instance Profile ({AwsEc2Instance.InstanceProfile}). Access is considered too broad if the instance is given permissions to all S3 Actions (s3:*) or all S3 Resources (arn:aws:s3:::*).
  • Recommended Mitigation

    Limit the instance's access to S3 by granting it specific action permissions and defining the specific resources it should have access to. This can be achieved by revising the instance's IAM Instance Profile - {AwsEc2Instance.InstanceProfile}. ## Remediation --- >1. Sign in to the AWS Management Console, open the **[EC2 console](https://console.aws.amazon.com/ec2)**, and then choose **Instances**. >2. Choose the desired EC2 instance. >3. Choose **Actions**, **Security**, and then choose **Modify IAM role**. >4. In the **Choose IAM role** dropdown list, choose instance profile, with more specific action permissions and resources, that you want to attach. >5. Choose **Save**.