
VPC endpoint is not publicly accessible

vpc

Description

Secure your VPC endpoint by allowing access only to trusted AWS accounts and principals, instead of the wildcard principal ("*") that the default endpoint policy grants.

Rationale

A VPC endpoint whose policy allows any principal is effectively publicly accessible: the endpoint itself does nothing to stop untrusted or compromised identities from using it, so data can be read from or written to resources in accounts you do not control. This exposes you to data exposure, data loss (for example exfiltration through the endpoint to an attacker-owned bucket or queue), and unexpected AWS billing charges from traffic you never intended to carry.

Remediation

From the console

Follow the Add or remove permissions for your endpoint service AWS console docs. Note that those docs describe the permissions on an endpoint service (the provider side of PrivateLink); to change the policy attached to a VPC endpoint in your own VPC, select the endpoint in the VPC console and edit its policy (Actions, Manage policy), replacing any wildcard principal with the trusted accounts or roles.

From the command line

  1. Edit your existing Amazon VPC endpoint access policy and replace the wildcard ("*") or untrusted principals with the ARNs of the AWS accounts or roles that should use the endpoint. An account root ARN such as arn:aws:iam::111122223333:root allows every identity in that account, so list role ARNs instead where a narrower grant is possible, and scope Action and Resource down from "*" when you know which services and resources the endpoint serves. To create a new policy document, use the AWS policy generator.

    {
      "Id": "insert-vpc-policy-id",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": "*",
          "Principal": {
            "AWS": [
              "insert-allowed-arns"
            ]
          }
        }
      ]
    }
    
  2. Run the modify-vpc-endpoint command with your VPC endpoint ID and the updated or new policy document. This replaces the existing policy in full (it is not merged), so confirm the result with describe-vpc-endpoints afterwards. Note the line-continuation backslash after every option except the last.

    aws ec2 modify-vpc-endpoint \
    --region insert-region-here \
    --vpc-endpoint-id insert-vpc-endpoint-id \
    --policy-document file://insert-new-vpc-policy-filename.json
    
  3. Repeat steps 1 and 2 for every non-compliant VPC endpoint in the current region.

  4. Repeat steps 1 and 2 in every other region you use, changing the --region value each time; VPC endpoints are regional, so a policy change in one region does not affect the others.
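The four steps above can be carried out as one script. The following is an added example, not code from the rule page or from Datadog: it detects the wildcard-principal condition the rule describes in the PolicyDocument string that describe-vpc-endpoints returns, builds the restricted replacement policy from the template above, and (when run with real credentials and boto3 installed) applies it with modify_vpc_endpoint in every enabled region. The sample policies are constructed for the example; the account ID 111122223333, the endpoint IDs, and the helper names are hypothetical. A statement that keeps a wildcard principal but narrows it with a Condition (for example aws:PrincipalOrgID) is deliberately not flagged, since that is itself a valid way to restrict the endpoint to trusted accounts; review such statements by hand.

```python
"""Find VPC endpoints whose policy allows any principal, and restrict them."""
import json
from typing import Any, Dict, List, Optional

# Constructed sample: the default full-access policy AWS attaches when no
# policy is supplied, as returned in the PolicyDocument field.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*"}],
})

# Constructed sample: wildcard written in the {"AWS": "*"} form.
SAMPLE_PUBLIC_AWS_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject", "Resource": "*"}],
})

# Constructed sample: wildcard narrowed by an organisation condition.
SAMPLE_CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
})


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element ("*", {"AWS": "..."}, {"AWS": [...]}) to a list."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat: List[str] = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def is_public_endpoint_policy(policy_document: Optional[str]) -> bool:
    """True when an unconditional Allow statement names a wildcard principal.

    A missing policy (None) counts as public, because AWS applies the
    full-access default in that case.
    """
    if policy_document is None:
        return True
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt):
            return True
    return False


def build_restricted_policy(allowed_arns: List[str], policy_id: str = "restrict-vpce") -> str:
    """Replacement policy following the page's template; only allowed_arns may use the endpoint."""
    if not allowed_arns or "*" in allowed_arns:
        raise ValueError("allowed_arns must list specific principal ARNs")
    return json.dumps({
        "Id": policy_id,
        "Version": "2012-10-17",
        "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*",
                       "Principal": {"AWS": list(allowed_arns)}}],
    })


def find_public_endpoints(endpoints: List[Dict[str, Any]]) -> List[str]:
    """IDs of non-compliant endpoints; `endpoints` has the shape of the VpcEndpoints list."""
    return [e["VpcEndpointId"] for e in endpoints
            if is_public_endpoint_policy(e.get("PolicyDocument"))]


def remediate_all_regions(allowed_arns: List[str], dry_run: bool = True) -> Dict[str, List[str]]:
    """Steps 1-4 across every enabled region. Needs boto3 and AWS credentials;
    not exercised offline. With dry_run=True it only reports what would change."""
    import boto3  # imported here so the checks above run without boto3 installed

    policy = build_restricted_policy(allowed_arns)
    regions = [r["RegionName"] for r in
               boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]]
    changed: Dict[str, List[str]] = {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        pages = ec2.get_paginator("describe_vpc_endpoints").paginate()
        endpoints = [e for page in pages for e in page["VpcEndpoints"]]
        ids = find_public_endpoints(endpoints)
        for endpoint_id in ids:
            if not dry_run:
                ec2.modify_vpc_endpoint(VpcEndpointId=endpoint_id, PolicyDocument=policy)
        changed[region] = ids
    return changed


if __name__ == "__main__":
    print(remediate_all_regions(["arn:aws:iam::111122223333:root"], dry_run=True))
```

Run it once with dry_run=True and review the reported endpoint IDs before applying; a policy that is too narrow breaks every workload behind the endpoint, so stage the change and watch for AccessDenied errors from services reached through it.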