2.2 Ensure IAM Policy for EC2 IAM Roles for App tier is configured


By default, IAM users, groups, and roles have no access to AWS resources.

IAM policies are the means by which privileges are granted to users, groups, or roles defined with AWS Identity Access Management.

An IAM policy is a document that formally states one or more permissions using the following structure:

* Actions: what actions are allowed (each AWS service has its own set of actions)
* Resources: which resources will be affected by the action
* Effect: what effect will be when the subject (user/group/roles) requests access

Policies are documents that are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions.
Ensure IAM policy defines a minimum level of access to AWS services : S3, Cloudwatch, KMS

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Using the Amazon unified command line interface:

* If doesn't exist, create an instance profile for App tier instances:

aws iam create-instance-profile --instance-profile-name <_app_tier_instance_profile_>

* If doesn't exist, create an IAM role for the instance profile:

* Create a trust relationship policy document and save it locally as /tmp/TrustPolicy.json:

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
"Action": "sts:AssumeRole"

* Create the IAM role using the above trust policy:

aws iam create-role --role-name <_app_tier_iam_role_> --assume-role-policy-document file:///tmp/TrustPolicy.json

* Add the IAM role created to the Instance profile:

aws iam add-role-to-instance-profile --role-name <_app_tier_iam_role_> --instance-profile-name <_app_tier_instance_profile_>

* If doesn't exist, create an IAM managed policy for Web tier instances, and note the policy ARN:

aws iam create-policy --policy-name <_iam_policy_name_> --policy-document file://policy

* Attach the IAM policy created to the App tier IAM role:

aws iam attach-role-policy --policy-arn <_iam_policy_arn_> --role-name <_app_tier_iam_role_>

See Also