Policy: AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored) > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

Whether an Instance Is Associated With a Role For instances that are known to perform AWS actions, ensure that they belong to an instance role that has the necessary permissions: 1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings) 2. Open the EC2 Dashboard and choose "Instances" 3. Click the EC2 instance that performs AWS actions, in the lower pane details find "IAM Role" 4. If the Role is blank, the instance is not assigned to one. 5. If the Role is filled in, it does not mean the instance might not also have credentials encoded on it for some activities. Whether an Instance Contains Embedded Credentials On the instance that is known to perform AWS actions, audit all scripts and environment variables to ensure that none of them contain AWS credentials. Whether an Instance Application Contains Embedded Credentials Applications that run on an instance may also have credentials embedded. This is a bad practice, but even worse if the source code is stored in a public code repository such as github. When an application contains credentials can be determined by eliminating all other sources of credentials and if the application can still access AWS resources - it likely contains embedded credentials. Another method is to examine all source code and configuration files of the application.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in AWS > CIS v1 > Maximum Attestation Duration. Set to a blank value to clear the attestation.