VPC endpoint should restrict public access

문서 > Datadog 보안 > OOTB Rules > VPC endpoint should restrict public access

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

Harden your VPC endpoint by restricting AWS actions that can be invoked through it.

Rationale

VPC endpoints can be hardened by setting a non-default VPC endpoint policy, limiting the AWS actions that can be taken when an AWS service is invoked through this VPC endpoint.

Remediation

From the console

Follow the Add or remove permissions for your endpoint service AWS console docs.

From the command line

Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, use the AWS policy generator.

{
  "Id": "insert-vpc-policy-id",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": {
        "AWS": [
          "insert-allowed-arns"
        ]
      }
    }
  ]
}

Run the modify-vpc-endpoint command with your VPC endpoint ID and the updated or new policy document to replace the existing policy.

aws ec2 modify-vpc-endpoint \
--region insert-region-here
--vpc-endpoint-id insert-vpc-endpoint-id \
--policy-document file://insert-new-vpc-policy-filename.json

Repeat steps 1 & 2 for all non-compliant VPC Endpoints in the current region.
Repeat steps 1 & 2 for all non-compliant VPC Endpoints in other regions.