Terraform Missing IAM Instance Profile
Description
Detects when an AWS EC2 instance is configured in Terraform without an IAM instance profile. Missing IAM instance profiles on EC2 instances can prevent the instance from securely accessing other AWS services and may require storing credentials directly on the instance, which is a security risk.
Detection Strategy
• Check Terraform resource definitions for 'aws_instance' resources
• Verify if the 'iam_instance_profile' attribute is missing or undefined for the EC2 instance
• Report a vulnerability if an EC2 instance is found without an associated IAM instance profile
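A minimal implementation of the detection strategy above, added here as an example and not part of Fluid Attacks' own scanner. It runs over a constructed Terraform snippet; the block matching is regex-based rather than a real HCL parser, and it treats an attribute set to "" or null as missing.

```python
import re

# Constructed sample (not from the page): "web" lacks the attribute entirely,
# "batch" sets it to null, "worker" is configured correctly.
SAMPLE_TF = '''
resource "aws_instance" "web" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  root_block_device {
    encrypted = true
  }
}
resource "aws_instance" "worker" {
  ami                  = "ami-123456"
  iam_instance_profile = aws_iam_instance_profile.worker.name
}
resource "aws_instance" "batch" {
  ami                  = "ami-123456"
  iam_instance_profile = null
}
'''
RESOURCE_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*iam_instance_profile\s*=\s*(.+?)\s*$', re.MULTILINE)

def _top_level_body(text, start):
    """Depth-0 text of the block whose '{' is at text[start]; nested blocks
    such as root_block_device are dropped so their attributes do not count."""
    out, depth = [], 0
    for ch in text[start:]:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                return ''.join(out)
        elif depth == 1:
            out.append(ch)
    raise ValueError("unbalanced braces in Terraform source")

def find_instances_without_profile(hcl):
    """Names of aws_instance resources whose iam_instance_profile is absent,
    empty or null. Regex-based: braces inside strings/comments are not handled."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        if m.group(1) != "aws_instance":
            continue
        attr = ATTR_RE.search(_top_level_body(hcl, m.end() - 1))
        if attr is None or attr.group(1) in ('""', 'null'):
            findings.append(m.group(2))
    return findings
```

Running find_instances_without_profile(SAMPLE_TF) reports "web" and "batch" but not "worker".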
Vulnerable code example
resource "aws_instance" "vulnerable_example" {
  # Vulnerable: no iam_instance_profile attribute, so any code on this instance
  # that calls AWS services must rely on credentials stored on the instance itself
  ami           = "ami-123456" # Basic EC2 instance configuration
  instance_type = "t2.micro"
  root_block_device {
    # EBS volume encryption not enabled (unrelated to this check, but also unsafe)
    encrypted = false # Explicitly setting encryption to false leaves data at rest unprotected
  }
}
✅ Secure code example
resource "aws_instance" "secure_example" {
  ami           = "ami-123456" # Basic EC2 instance configuration
  instance_type = "t2.micro"
  # Secure: attach an IAM instance profile so the instance obtains temporary role
  # credentials instead of keys stored on the instance. The referenced
  # aws_iam_instance_profile resource is a placeholder defined elsewhere.
  iam_instance_profile = aws_iam_instance_profile.example.name
  root_block_device {
    encrypted = true # Enable encryption for the EBS volume to protect data at rest
  }
}