AWS IAM Permissions Guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/


Amazon Elastic Compute Cloud (EC2)

Each guardrail entry below lists: Identifier, Guardrail, Rationale, Remediation, References, IAM Actions.
IAM-EC2-1
Guardrail: Check that the ability to terminate EC2 instances is appropriately scoped or granted only to authorized principals.
Rationale: In Production or Production-like environments, no one other than IaC tools should have access to delete resources. Even in development, unintentional termination of EC2 instances can delay project timelines or delivery. If ec2:TerminateInstances is granted on a wildcard resource (Resource "*") that is not scoped with a condition key such as ec2:ResourceTag, instances can be terminated by principals who should not have that ability, inadvertently or otherwise.
Remediation: For unauthorized principals, either remove ec2:TerminateInstances or scope it appropriately with condition keys such as ec2:ResourceTag.
IAM Actions: ec2:TerminateInstances
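The two policy shapes this rationale contrasts, side by side, together with a small check that implements the guardrail's test over a policy document. This is an added example, not code from the guardrails project; the account ID, region and the Environment tag key and value are placeholders. The check also covers two ways the wildcard grant hides in practice: a NotAction statement and a ...IfExists condition operator. The same ec2:ResourceTag scoping applies to the other tag-scopable EC2 actions on this page.

```python
import fnmatch

# Constructed sample policies for illustration; account ID, region and the
# Environment tag are placeholders, not values from the guardrails project.

# Weak: terminates any instance in the account (Resource "*", no condition).
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TerminateAnything",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
            "Resource": "*",
        }
    ],
}

# Hardened: Describe stays on "*" (EC2 Describe actions do not support resource
# ARNs), while TerminateInstances is limited to instances tagged Environment=dev.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeIsReadOnly",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
        },
        {
            "Sid": "TerminateOnlyDevTaggedInstances",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}},
        },
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _grants_action(stmt, action):
    """True if an Allow statement's Action/NotAction covers `action`."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        # NotAction grants everything except the listed patterns.
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))


def _resource_is_broad(stmt):
    """"*", NotResource, or an ARN ending in instance/* all mean 'every instance'."""
    if "NotResource" in stmt:
        return True
    return any(r == "*" or r.endswith(":instance/*") for r in _as_list(stmt.get("Resource")))


def _has_scoping_condition(stmt, key_prefix="ec2:resourcetag/"):
    """True if some condition block keys on a resource tag (keys are case-insensitive).
    Operators ending in IfExists are ignored: they let requests without the key through."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower().endswith("ifexists"):
            continue
        if any(k.lower().startswith(key_prefix) for k in keys):
            return True
    return False


def unscoped_grants(policy, action="ec2:TerminateInstances"):
    """Return the Sids (or positions) of Allow statements that grant `action` on a
    broad resource without an ec2:ResourceTag condition: the IAM-EC2-1 finding."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _grants_action(stmt, action):
            continue
        if _resource_is_broad(stmt) and not _has_scoping_condition(stmt):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    print(unscoped_grants(UNSCOPED_POLICY))  # ['TerminateAnything']
    print(unscoped_grants(SCOPED_POLICY))    # []
```

Run the check over every customer-managed and inline policy in the account, not just the ones that name ec2:TerminateInstances: a statement granting ec2:* or using NotAction is flagged by the same test.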
IAM-EC2-2
Guardrail: Check that EC2 instances can only be launched from approved Amazon Machine Images (AMIs).
Rationale: For security hardening, vulnerability management, and configuration management purposes, only approved AMIs should be used to launch instances in Production or Production-like environments.
Remediation: Scope the image resources of ec2:RunInstances to approved AMI IDs, or use a condition on ec2:ResourceTag so that only tagged AMIs can be launched.
References:
https://aws.amazon.com/premiumsupport/knowledge-center/restrict-launch-tagged-ami/
https://aws.amazon.com/blogs/aws/amazon-ec2-resource-level-permissions-for-runinstances/
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-ec2ResourceTag_TagKey
IAM Actions: ec2:RunInstances
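An added example, not the project's own code, of both remediations for this guardrail. ec2:RunInstances is authorized against several resource types in a single call, so a policy that restricts the image resource must still grant the others; the generator below builds that two-statement shape, and a check classifies how each statement in a policy treats the image resource. The region, account ID, AMI IDs and the Approved tag are placeholders.

```python
import fnmatch

# Constructed placeholders; not real AMIs or accounts.
APPROVED_AMIS = ["ami-0123456789abcdef0", "ami-0fedcba9876543210"]


def approved_ami_policy(region, account_id, approved_amis):
    """RunInstances is checked against the image, instance, network interface,
    security group, subnet, volume and key pair resources at once, so the image
    ARNs are restricted in one statement and the rest granted in another.
    AMI ARNs carry no account ID: arn:aws:ec2:<region>::image/<ami-id>."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LaunchOnlyApprovedImages",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [f"arn:aws:ec2:{region}::image/{ami}" for ami in approved_amis],
            },
            {
                "Sid": "OtherResourcesRunInstancesTouches",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    f"arn:aws:ec2:{region}:{account_id}:{rtype}/*"
                    for rtype in ("instance", "network-interface", "security-group",
                                  "subnet", "volume", "key-pair")
                ],
            },
        ],
    }


# The tag-based alternative: any image may be used, provided it carries the
# approval tag (tag key and value are assumptions).
TAG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LaunchOnlyTaggedImages",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1::image/ami-*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Approved": "true"}},
        },
        # plus the same non-image statement as in approved_ami_policy()
    ],
}

# Weak: RunInstances on everything, which includes every public AMI.
UNRESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "LaunchAnything", "Effect": "Allow",
                   "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_part(arn):
    """Sixth colon-delimited field of an ARN, or '*' for a bare wildcard."""
    return "*" if arn == "*" else arn.split(":", 5)[-1]


def classify_image_grants(policy):
    """Map each Allow statement that grants ec2:RunInstances on image resources to
    'approved-list' (specific AMI ARNs), 'tag-scoped' (wildcard image plus an
    ec2:ResourceTag condition) or 'unrestricted' (wildcard image, no tag condition).
    Statements that do not touch the image resource type are left out."""
    verdicts = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("ec2:runinstances", p.lower())
                   for p in _as_list(stmt.get("Action", []))):
            continue
        parts = [_resource_part(r) for r in _as_list(stmt.get("Resource", []))]
        wildcard_image = [p for p in parts if p == "*" or (p.startswith("image/") and "*" in p)]
        specific_image = [p for p in parts if p.startswith("image/") and "*" not in p]
        if not wildcard_image and not specific_image:
            continue
        tag_scoped = any(k.lower().startswith("ec2:resourcetag/")
                         for keys in stmt.get("Condition", {}).values() for k in keys)
        sid = stmt.get("Sid", f"Statement[{i}]")
        if wildcard_image:
            verdicts[sid] = "tag-scoped" if tag_scoped else "unrestricted"
        else:
            verdicts[sid] = "approved-list"
    return verdicts
```

The tag-based variant only holds if the principals being restricted cannot also tag AMIs (ec2:CreateTags on image resources); otherwise they can approve an image for themselves.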
IAM-EC2-3
Guardrail: Check that all network modification permissions are granted to authorized roles only, ideally the AWS account provisioning role.
Rationale: For all environments it is important to maintain and manage authorized network perimeters and boundaries. Unauthorized network modifications could expose the network or service to attacks or data exfiltration. These actions are commonly associated with account provisioning rather than daily or frequent usage.
Remediation: Scope the following network infrastructure actions to the AWS account provisioning role only.
References: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
IAM Actions:
ec2:AssociateDhcpOptions
ec2:AssociateRouteTable
ec2:AssociateSubnetCidrBlock
ec2:AssociateVpcCidrBlock
ec2:AttachInternetGateway
ec2:AttachVpnGateway
ec2:CreateCustomerGateway
ec2:CreateDhcpOptions
ec2:CreateInstanceExportTask
ec2:CreateInternetGateway
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSubnet
ec2:CreateVpc
ec2:CreateVpcEndpoint
ec2:CreateVpcEndpointServiceConfiguration
ec2:CreateVpcPeeringConnection
ec2:CreateVpnConnection
ec2:CreateVpnConnectionRoute
ec2:CreateVpnGateway
ec2:DeleteCustomerGateway
ec2:DeleteDhcpOptions
ec2:DeleteEgressOnlyInternetGateway
ec2:DeleteInternetGateway
ec2:DeleteNatGateway
ec2:DeleteNetworkAcl
ec2:DeleteNetworkAclEntry
ec2:DeleteRoute
ec2:DeleteRouteTable
ec2:DeleteSubnet
ec2:DeleteVpc
ec2:DeleteVpcEndpointServiceConfigurations
ec2:DeleteVpcEndpoints
ec2:DeleteVpcPeeringConnection
ec2:DeleteVpnConnection
ec2:DeleteVpnConnectionRoute
ec2:DeleteVpnGateway
ec2:DetachInternetGateway
ec2:DetachVpnGateway
ec2:DisableVgwRoutePropagation
ec2:DisassociateRouteTable
ec2:DisassociateSubnetCidrBlock
ec2:DisassociateVpcCidrBlock
ec2:EnableVgwRoutePropagation
ec2:ModifySubnetAttribute
ec2:ModifyVpcAttribute
ec2:ModifyVpcEndpoint
ec2:ModifyVpcEndpointServiceConfiguration
ec2:ModifyVpcEndpointServicePermissions
ec2:ModifyVpcPeeringConnectionOptions
ec2:ReplaceRoute
ec2:ReplaceRouteTableAssociation
IAM-EC2-4
Guardrail: Check that sensitive but more frequently used EC2 actions are appropriately scoped to the appropriate roles and resources.
Rationale: These EC2 actions might be needed more frequently, particularly in a development environment. They are nevertheless sensitive EC2 permissions and should be appropriately scoped and granted to authorized roles only.
Remediation: Secure them using IAM condition keys and tags.
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-policy-keys
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
IAM Actions:
ec2:InstanceSecurityGroup
ec2:AttachVolume
ec2:CopyImage
ec2:CopyFpgaImage
ec2:CreateFpgaImage
ec2:CreateImage
ec2:DeleteFpgaImage
ec2:DeregisterImage
ec2:DisassociateAddress
ec2:DisassociateIamInstanceProfile
ec2:ModifyFpgaImageAttribute
ec2:ModifyImageAttribute
ec2:ReplaceIamInstanceProfileAssociation
IAM-EC2-5
Guardrail: Check that only authorized principals can manage security groups.
Rationale: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level, so they are one piece of network perimeter protection.
Remediation: For unauthorized principals, remove the permissions to invoke the security group IAM actions.
References: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
IAM Actions:
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:ApplySecurityGroupsToClientVpnTargetNetwork
ec2:CreateSecurityGroup
ec2:DeleteSecurityGroup
ec2:RevokeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress
ec2:UpdateSecurityGroupRuleDescriptionsEgress
ec2:UpdateSecurityGroupRuleDescriptionsIngress
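The remediations for IAM-EC2-3 and IAM-EC2-5 have the same shape: the listed actions are reserved for one role and denied to everyone else. As an added example, not the project's code, the following builds that guardrail as a Service Control Policy, with a deliberately minimal evaluator for its single condition so the carve-out can be tested against sample principals before the SCP is attached. The role name, account ID and the subset of network actions are assumptions; the full action lists from this page drop in unchanged.

```python
import fnmatch

# Subset of the IAM-EC2-3 network actions and the full IAM-EC2-5 security
# group list from this page.
NETWORK_ACTIONS = [
    "ec2:AttachInternetGateway", "ec2:CreateRoute", "ec2:CreateVpcPeeringConnection",
    "ec2:DeleteNetworkAcl", "ec2:ModifyVpcAttribute", "ec2:ReplaceRoute",
]
SECURITY_GROUP_ACTIONS = [
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:ApplySecurityGroupsToClientVpnTargetNetwork", "ec2:CreateSecurityGroup",
    "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
]


def guardrail_scp(actions, authorized_role_arns, sid):
    """Deny `actions` for every principal except the listed roles.
    aws:PrincipalArn carries the role ARN even for assumed-role sessions, so no
    session-name wildcard is needed. An SCP never affects the management
    account, and it restricts the member account's root user as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Deny",
                "Action": sorted(actions),
                "Resource": "*",
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(authorized_role_arns)}},
            }
        ],
    }


def _arn_like(pattern, arn):
    """ArnLike semantics: each of the six colon-delimited fields is matched on
    its own, with * and ? wildcards that do not cross a colon."""
    p_fields, a_fields = pattern.split(":", 5), arn.split(":", 5)
    return len(p_fields) == len(a_fields) == 6 and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(p_fields, a_fields))


def denied_by_scp(scp, principal_arn, action):
    """Minimal evaluator for the policy shape above (Deny with an ArnNotLike on
    aws:PrincipalArn). It is not IAM's evaluation logic and raises on anything
    it does not model rather than guessing."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            raise ValueError("only Deny statements are modelled")
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        condition = stmt.get("Condition", {})
        if set(condition) - {"ArnNotLike"}:
            raise ValueError("only ArnNotLike is modelled")
        allowed = condition.get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if isinstance(allowed, str):
            allowed = [allowed]
        if any(_arn_like(p, principal_arn) for p in allowed):
            continue  # principal is carved out; this deny does not fire
        return True
    return False


if __name__ == "__main__":
    scp = guardrail_scp(NETWORK_ACTIONS + SECURITY_GROUP_ACTIONS,
                        ["arn:aws:iam::*:role/AccountProvisioningRole"],
                        "DenyNetworkAndSecurityGroupChangesExceptProvisioning")
    print(denied_by_scp(scp, "arn:aws:iam::123456789012:role/Developer", "ec2:CreateRoute"))
```

Before attaching, confirm that the ARN pattern in the carve-out names the role the IaC pipeline actually assumes: a typo there locks the provisioning role out along with everyone else, and an SCP offers no allow to fall back on.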
IAM-EC2-6
Guardrail: Check that only authorized principals can manage EC2.
IAM Actions:
ec2:AcceptReservedInstancesExchangeQuote
ec2:AcceptTransitGatewayPeeringAttachment
ec2:AcceptTransitGatewayVpcAttachment
ec2:AcceptVpcEndpointConnections
ec2:AcceptVpcPeeringConnection
ec2:AdvertiseByoipCidr
ec2:AllocateAddress
ec2:AllocateHosts
ec2:ApplySecurityGroupsToClientVpnTargetNetwork
ec2:AssignIpv6Addresses
ec2:AssignPrivateIpAddresses
ec2:AssociateAddress
ec2:AssociateClientVpnTargetNetwork
ec2:AssociateDhcpOptions
ec2:AssociateIamInstanceProfile
ec2:AssociateRouteTable
ec2:AssociateSubnetCidrBlock
ec2:AssociateTransitGatewayMulticastDomain
ec2:AssociateTransitGatewayRouteTable
ec2:AssociateVpcCidrBlock
ec2:AttachClassicLinkVpc
ec2:AttachInternetGateway
ec2:AttachNetworkInterface
ec2:AttachVolume
ec2:AttachVpnGateway
ec2:AuthorizeClientVpnIngress
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:BundleInstance
ec2:CancelBundleTask
ec2:CancelCapacityReservation
ec2:CancelConversionTask
ec2:CancelExportTask
ec2:CancelImportTask
ec2:CancelReservedInstancesListing
ec2:CancelSpotFleetRequests
ec2:CancelSpotInstanceRequests
ec2:ConfirmProductInstance
ec2:CopyFpgaImage
ec2:CopyImage
ec2:CopySnapshot
ec2:CreateCapacityReservation
ec2:CreateClientVpnEndpoint
ec2:CreateClientVpnRoute
ec2:CreateCustomerGateway
ec2:CreateDefaultSubnet
ec2:CreateDefaultVpc
ec2:CreateDhcpOptions
ec2:CreateEgressOnlyInternetGateway
ec2:CreateFleet
ec2:CreateFlowLogs
ec2:CreateFpgaImage
ec2:CreateImage
ec2:CreateInstanceExportTask
ec2:CreateInternetGateway
ec2:CreateKeyPair
ec2:CreateLaunchTemplate
ec2:CreateLaunchTemplateVersion
ec2:CreateLocalGatewayRoute
ec2:CreateLocalGatewayRouteTableVpcAssociation
ec2:CreateNatGateway
ec2:CreateNetworkAcl
ec2:CreateNetworkAclEntry
ec2:CreateNetworkInterface
ec2:CreateNetworkInterfacePermission
ec2:CreatePlacementGroup
ec2:CreateReservedInstancesListing
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSnapshot
ec2:CreateSnapshots
ec2:CreateSpotDatafeedSubscription
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateTrafficMirrorFilter
ec2:CreateTrafficMirrorFilterRule
ec2:CreateTrafficMirrorSession
ec2:CreateTrafficMirrorTarget
ec2:CreateTransitGateway
ec2:CreateTransitGatewayMulticastDomain
ec2:CreateTransitGatewayPeeringAttachment
ec2:CreateTransitGatewayRoute
ec2:CreateTransitGatewayRouteTable
ec2:CreateTransitGatewayVpcAttachment
ec2:CreateVolume
ec2:CreateVpc
ec2:CreateVpcEndpoint
ec2:CreateVpcEndpointConnectionNotification
ec2:CreateVpcEndpointServiceConfiguration
ec2:CreateVpcPeeringConnection
ec2:CreateVpnConnection
ec2:CreateVpnConnectionRoute
ec2:CreateVpnGateway
ec2:DeleteClientVpnEndpoint
ec2:DeleteClientVpnRoute
ec2:DeleteCustomerGateway
ec2:DeleteDhcpOptions
ec2:DeleteEgressOnlyInternetGateway
ec2:DeleteFleets
ec2:DeleteFlowLogs
ec2:DeleteFpgaImage
ec2:DeleteInternetGateway
ec2:DeleteKeyPair
ec2:DeleteLaunchTemplate
ec2:DeleteLaunchTemplateVersions
ec2:DeleteLocalGatewayRoute
ec2:DeleteLocalGatewayRouteTableVpcAssociation
ec2:DeleteNatGateway
ec2:DeleteNetworkAcl
ec2:DeleteNetworkAclEntry
ec2:DeleteNetworkInterface
ec2:DeleteNetworkInterfacePermission
ec2:DeletePlacementGroup
ec2:DeleteRoute
ec2:DeleteRouteTable
ec2:DeleteSecurityGroup
ec2:DeleteSnapshot
ec2:DeleteSpotDatafeedSubscription
ec2:DeleteSubnet
ec2:DeleteTags
ec2:DeleteTrafficMirrorFilter
ec2:DeleteTrafficMirrorFilterRule
ec2:DeleteTrafficMirrorSession
ec2:DeleteTrafficMirrorTarget
ec2:DeleteTransitGateway
ec2:DeleteTransitGatewayMulticastDomain
ec2:DeleteTransitGatewayPeeringAttachment
ec2:DeleteTransitGatewayRoute
ec2:DeleteTransitGatewayRouteTable
ec2:DeleteTransitGatewayVpcAttachment
ec2:DeleteVolume
ec2:DeleteVpc
ec2:DeleteVpcEndpointConnectionNotifications
ec2:DeleteVpcEndpointServiceConfigurations
ec2:DeleteVpcEndpoints
ec2:DeleteVpcPeeringConnection
ec2:DeleteVpnConnection
ec2:DeleteVpnConnectionRoute
ec2:DeleteVpnGateway
ec2:DeprovisionByoipCidr
ec2:DeregisterImage
ec2:DeregisterTransitGatewayMulticastGroupMembers
ec2:DeregisterTransitGatewayMulticastGroupSources
ec2:DetachClassicLinkVpc
ec2:DetachInternetGateway
ec2:DetachNetworkInterface
ec2:DetachVolume
ec2:DetachVpnGateway
ec2:DisableEbsEncryptionByDefault
ec2:DisableFastSnapshotRestores
ec2:DisableTransitGatewayRouteTablePropagation
ec2:DisableVgwRoutePropagation
ec2:DisableVpcClassicLink
ec2:DisableVpcClassicLinkDnsSupport
ec2:DisassociateAddress
ec2:DisassociateClientVpnTargetNetwork
ec2:DisassociateIamInstanceProfile
ec2:DisassociateRouteTable
ec2:DisassociateSubnetCidrBlock
ec2:DisassociateTransitGatewayMulticastDomain
ec2:DisassociateTransitGatewayRouteTable
ec2:DisassociateVpcCidrBlock
ec2:EnableEbsEncryptionByDefault
ec2:EnableFastSnapshotRestores
ec2:EnableTransitGatewayRouteTablePropagation
ec2:EnableVgwRoutePropagation
ec2:EnableVolumeIO
ec2:EnableVpcClassicLink
ec2:EnableVpcClassicLinkDnsSupport
ec2:ExportImage
ec2:ExportTransitGatewayRoutes
ec2:ImportClientVpnClientCertificateRevocationList
ec2:ImportImage
ec2:ImportInstance
ec2:ImportKeyPair
ec2:ImportSnapshot
ec2:ImportVolume
ec2:ModifyCapacityReservation
ec2:ModifyClientVpnEndpoint
ec2:ModifyDefaultCreditSpecification
ec2:ModifyEbsDefaultKmsKeyId
ec2:ModifyFleet
ec2:ModifyFpgaImageAttribute
ec2:ModifyHosts
ec2:ModifyIdFormat
ec2:ModifyIdentityIdFormat
ec2:ModifyImageAttribute
ec2:ModifyInstanceAttribute
ec2:ModifyInstanceCapacityReservationAttributes
ec2:ModifyInstanceCreditSpecification
ec2:ModifyInstanceEventStartTime
ec2:ModifyInstanceMetadataOptions
ec2:ModifyInstancePlacement
ec2:ModifyLaunchTemplate
ec2:ModifyNetworkInterfaceAttribute
ec2:ModifyReservedInstances
ec2:ModifySnapshotAttribute
ec2:ModifySpotFleetRequest
ec2:ModifySubnetAttribute
ec2:ModifyTrafficMirrorFilterNetworkServices
ec2:ModifyTrafficMirrorFilterRule
ec2:ModifyTrafficMirrorSession
ec2:ModifyTransitGatewayVpcAttachment
ec2:ModifyVolume
ec2:ModifyVolumeAttribute
ec2:ModifyVpcAttribute
ec2:ModifyVpcEndpoint
ec2:ModifyVpcEndpointConnectionNotification
ec2:ModifyVpcEndpointServiceConfiguration
ec2:ModifyVpcEndpointServicePermissions
ec2:ModifyVpcPeeringConnectionOptions
ec2:ModifyVpcTenancy
ec2:ModifyVpnConnection
ec2:ModifyVpnTunnelCertificate
ec2:ModifyVpnTunnelOptions
ec2:MonitorInstances
ec2:MoveAddressToVpc
ec2:ProvisionByoipCidr
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
ec2:RebootInstances
ec2:RegisterImage
ec2:RegisterTransitGatewayMulticastGroupMembers
ec2:RegisterTransitGatewayMulticastGroupSources
ec2:RejectTransitGatewayPeeringAttachment
ec2:RejectTransitGatewayVpcAttachment
ec2:RejectVpcEndpointConnections
ec2:RejectVpcPeeringConnection
ec2:ReleaseAddress
ec2:ReleaseHosts
ec2:ReplaceIamInstanceProfileAssociation
ec2:ReplaceNetworkAclAssociation
ec2:ReplaceNetworkAclEntry
ec2:ReplaceRoute
ec2:ReplaceRouteTableAssociation
ec2:ReplaceTransitGatewayRoute
ec2:ReportInstanceStatus
ec2:RequestSpotFleet
ec2:RequestSpotInstances
ec2:ResetEbsDefaultKmsKeyId
ec2:ResetFpgaImageAttribute
ec2:ResetImageAttribute
ec2:ResetInstanceAttribute
ec2:ResetNetworkInterfaceAttribute
ec2:ResetSnapshotAttribute
ec2:RestoreAddressToClassic
ec2:RevokeClientVpnIngress
ec2:RevokeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress
ec2:RunInstances
ec2:RunScheduledInstances
ec2:SendDiagnosticInterrupt
ec2:StartInstances
ec2:StartVpcEndpointServicePrivateDnsVerification
ec2:StopInstances
ec2:TerminateClientVpnConnections
ec2:TerminateInstances
ec2:UnassignIpv6Addresses
ec2:UnassignPrivateIpAddresses
ec2:UnmonitorInstances
ec2:UpdateSecurityGroupRuleDescriptionsEgress
ec2:UpdateSecurityGroupRuleDescriptionsIngress
ec2:WithdrawByoipCidr