
VPC endpoint is not publicly accessible

vpc

Classification:

compliance


Description

Secure your VPC endpoint by restricting access to trusted AWS accounts only.

Rationale

VPC endpoints that are publicly accessible are at risk of data exposure, data loss, and unexpected AWS billing charges.

Remediation

Console

Follow the AWS console documentation, Add or remove permissions for your endpoint service.

CLI

  1. Edit your existing Amazon VPC endpoint access policy, replacing untrusted AWS identifiers with those of the accounts you trust. To create a new policy document, use the AWS policy generator.

vpc-access-policy.json

  {
    "Id": "VPCCrossAccountAccessPolicy",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "*",
        "Effect": "Allow",
        "Resource": "*",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456789012:root"
          ]
        }
      }
    ]
  }

  2. Run modify-vpc-endpoint with your VPC endpoint ID and the updated or new policy document to replace the existing policy.

modify-vpc-endpoint.sh

  # Replace the endpoint's current policy with the trusted-account policy above
  aws ec2 modify-vpc-endpoint \
      --vpc-endpoint-id vpce-0a12b345 \
      --policy-document file://vpc-access-policy.json
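To verify the remediation across an account, the following added example (not part of this rule page or the AWS CLI) parses the JSON output of `aws ec2 describe-vpc-endpoints`, in which each endpoint's policy is returned as the `PolicyDocument` string, and reports endpoints whose policy still allows a wildcard principal. The sample output, the second endpoint ID and the account ID are constructed for the demonstration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output, in which
# PolicyDocument is a JSON string. The second endpoint ID and the account ID are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0a12b345",
         "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})},
        {"VpcEndpointId": "vpce-0c67d890",
         "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
              "Action": "*", "Resource": "*"}]})},
    ]
})


def _as_list(value):
    """IAM allows string-or-list in many fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_public(statement):
    """True for an Allow statement whose principal is the wildcard "*"."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # {"AWS": "*"} and {"AWS": ["*", ...]} mean the same as "*"
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_endpoints(describe_output):
    """Return IDs of endpoints whose policy contains a public Allow statement."""
    flagged = []
    for endpoint in json.loads(describe_output).get("VpcEndpoints", []):
        policy = json.loads(endpoint.get("PolicyDocument") or "{}")
        if any(statement_is_public(s) for s in _as_list(policy.get("Statement"))):
            flagged.append(endpoint["VpcEndpointId"])
    return flagged


if __name__ == "__main__":
    print(public_endpoints(SAMPLE_DESCRIBE_OUTPUT))  # ['vpce-0a12b345']
```

Feed it the output of `aws ec2 describe-vpc-endpoints --output json`; a wildcard principal that is narrowed by a Condition (for example on aws:PrincipalOrgID) is still flagged and needs manual review.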