Amazon_VPC_23

Ensure that the VPC endpoint policy does not allow all actions

Description

VPC endpoints front services that hold sensitive data. Determine which API actions the workloads behind the endpoint actually need, and write an endpoint policy that grants only those actions on only the required resources.

Remediation

From Portal:
The default endpoint policy allows any principal in the VPC full access to the service behind the endpoint. Restrict this policy to the actions and resources the workload needs, following least-privilege guidelines. Note that an endpoint policy only narrows what can pass through the endpoint; each IAM principal still needs its own identity-based or resource-based permissions. Perform the following steps to set a new VPC endpoint policy via the AWS Console:

1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
2. Choose Endpoints from the left VPC navigation panel
3. Choose relevant endpoint and click Actions
4. Edit the policy.

Note: You can use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

From Command Line:

aws ec2 modify-vpc-endpoint --vpc-endpoint-id Endpoint_ID --policy-document file://Path_to_JSON_file_with_updated_policy

Note: the file:// prefix is required; without it the CLI treats the path string itself as the policy document. Current policies can be reviewed first with aws ec2 describe-vpc-endpoints, which returns each endpoint's PolicyDocument as a JSON string.
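The check and the replacement policy described above, as an added example that is not part of this rule's text or any AWS or vendor code. It assumes the output shape of aws ec2 describe-vpc-endpoints (a VpcEndpoints list with VpcEndpointId and a JSON-string PolicyDocument); the endpoint IDs, the bucket name and the sample policies are constructed placeholders. It also treats Allow statements written with NotAction as allowing all actions, since those grant everything except the listed actions.

```python
"""Audit VPC endpoint policies for "allow all actions" statements and build a
least-privilege replacement.

Added example for this rule; it is not code from the rule page or from AWS.
All endpoint IDs, the bucket name and the sample policies below are
constructed placeholders.
"""
import json

# Constructed sample: the default policy AWS attaches to a new endpoint,
# which is what this rule flags.
DEFAULT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}

# Constructed sample: NotAction is a common way to say "allow everything
# except", so it must be treated as allowing all actions too.
NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "NotAction": "s3:DeleteBucket", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_allow_all_statements(policy):
    """Return the Allow statements that grant every action.

    Flags Action "*" and any Allow statement written with NotAction
    (everything except the listed actions). Deny statements are ignored.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "*" in _as_list(stmt.get("Action")):
            flagged.append(stmt)
    return flagged


def noncompliant_endpoints(vpc_endpoints):
    """Given the VpcEndpoints list from `aws ec2 describe-vpc-endpoints`
    (where PolicyDocument is a JSON string), return the IDs whose policy
    still allows all actions."""
    bad = []
    for ep in vpc_endpoints:
        doc = ep.get("PolicyDocument")
        policy = json.loads(doc) if isinstance(doc, str) else (doc or {})
        if find_allow_all_statements(policy):
            bad.append(ep["VpcEndpointId"])
    return bad


def least_privilege_s3_policy(bucket):
    """Build a replacement endpoint policy that only permits reading and
    writing objects in one bucket. The endpoint policy narrows what can
    pass through the endpoint; callers still need their own IAM permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowObjectAccessToOneBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def remediation_command(endpoint_id, policy_path):
    """CLI command to apply a policy file; the file:// prefix is required,
    otherwise the CLI passes the path string itself as the policy."""
    return (
        f"aws ec2 modify-vpc-endpoint --vpc-endpoint-id {endpoint_id} "
        f"--policy-document file://{policy_path}"
    )


# Constructed stand-in for `aws ec2 describe-vpc-endpoints` output.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "PolicyDocument": json.dumps(DEFAULT_POLICY)},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
     "PolicyDocument": json.dumps(least_privilege_s3_policy("example-bucket"))},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60003", "PolicyDocument": json.dumps(NOTACTION_POLICY)},
]

if __name__ == "__main__":
    for ep_id in noncompliant_endpoints(SAMPLE_ENDPOINTS):
        print(f"{ep_id}: endpoint policy allows all actions")
        print("  replacement policy:")
        print(json.dumps(least_privilege_s3_policy("example-bucket"), indent=2))
        print("  apply with:", remediation_command(ep_id, "endpoint-policy.json"))
```

In a real audit, feed the VpcEndpoints array from aws ec2 describe-vpc-endpoints to noncompliant_endpoints, save the generated policy to a file, and run the printed command. Adjust the actions and resources in least_privilege_s3_policy to what the workload actually needs; the two S3 actions here are only a placeholder.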

References:
1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html

Service

VPC

Severity

High

Compliance

Mapping
