Policy: AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

IAM roles can only be associated at the launch of an instance. To remediate an instance to add it to a role you must create a new instance. If the instance has no external dependencies on its current private ip or public addresses are elastic IPs:

1. In AWS IAM create a new role. Assign a permissions policy if needed permissions are already known.
2. In the AWS console launch a new instance with identical settings to the existing instance, and ensure that the newly created role is selected.
3. Shutdown both the existing instance and the new instance.
4. Detach disks from both instances.
5. Attach the existing instance disks to the new instance.
6. Boot the new instance and you should have the same machine, but with the associated role.

Note: if your environment has dependencies on a dynamically assigned PRIVATE IP address you can create an AMI from the existing instance, destroy the old one and then when launching from the AMI, manually assign the previous private IP address.

Note: if your environment has dependencies on a dynamically assigned PUBLIC IP address there is not a way ensure the address is retained and assign an instance role. Dependencies on dynamically assigned public IP addresses are a bad practice and, if possible, you may wish to rebuild the instance with a new elastic IP address and make the investment to remediate affected systems while assigning the system to a role.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1.4 > Maximum Attestation Duration. Set to a blank value to clear the attestation.