--- title: SQS VPC endpoint without DNS resolution description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SQS VPC endpoint without DNS resolution --- # SQS VPC endpoint without DNS resolution {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-sqs-vpc-endpoint-without-dns-resolution` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_dns_support) ### Description{% #description %} When configuring an Amazon SQS VPC Endpoint using Terraform, it is essential to have DNS resolution enabled for the associated VPC by setting `enable_dns_support = true`. If this is not set, such as in the configuration `enable_dns_support = false`, private DNS hostnames are not resolved within the VPC, causing communication failures for instances relying on DNS-based access to AWS services via the endpoint. This can result in application connectivity issues and may force the use of less secure public network routes, increasing the attack surface. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_vpc" "main2" { cidr_block = local.cidr_block enable_dns_support = true enable_dns_hostnames = false } resource "aws_vpc_endpoint" "sqs-vpc-endpoint2" { vpc_id = aws_vpc.main2.id service_name = "com.amazonaws.${local.region}.sqs" vpc_endpoint_type = "Interface" private_dns_enabled = true subnet_ids = [aws_subnet.public-subnet.id] security_group_ids = [aws_security_group.public-internet-sg.id] } ``` ```terraform module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" name = "my-vpc" cidr = "10.0.0.0/16" azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] enable_nat_gateway = true enable_vpn_gateway = true enable_dns_support = true tags = { Terraform = "true" Environment = "dev" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform locals { region = "us-east-1" cidr_block = "172.16.0.0/16" public_subnet_cidr_block = "172.16.100.0/24" quad_zero_cidr_block = "0.0.0.0/0" } provider "aws" { region = local.region } resource "aws_vpc" "main" { cidr_block = local.cidr_block enable_dns_support = false enable_dns_hostnames = false } resource "aws_subnet" "public-subnet" { vpc_id = aws_vpc.main.id cidr_block = local.public_subnet_cidr_block tags = { Name = "public-subnet" } } resource "aws_route_table" "public-rtb" { vpc_id = aws_vpc.main.id route { cidr_block = local.cidr_block vpc_endpoint_id = aws_vpc_endpoint.sqs-vpc-endpoint.id } route { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.igw.id } tags = { Name = "public-rtb" } } resource "aws_route_table_association" "public-rtb-assoc" { subnet_id = aws_subnet.public-subnet.id route_table_id = aws_route_table.public-rtb.id } resource "aws_security_group" "public-internet-sg" { name = "public-internet-sg" description = "Allow all local traffic with internet access" vpc_id = aws_vpc.main.id egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = [local.quad_zero_cidr_block] } ingress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = [local.cidr_block] } } data "aws_ami" "ubuntu" { most_recent = true filter { name = "name" values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] } filter { name = "virtualization-type" values = ["hvm"] } owners = ["099720109477"] # Canonical } resource "aws_instance" "test-ec2-instance" { ami = data.aws_ami.ubuntu.id instance_type = "t2.micro" subnet_id = aws_subnet.public-subnet.id vpc_security_group_ids = [aws_security_group.public-internet-sg.id] } resource "aws_vpc_endpoint" "sqs-vpc-endpoint" { vpc_id = aws_vpc.main.id service_name = "com.amazonaws.${local.region}.sqs" vpc_endpoint_type = "Interface" private_dns_enabled = true subnet_ids = [aws_subnet.public-subnet.id] security_group_ids = [aws_security_group.public-internet-sg.id] } resource "aws_sqs_queue" "test-queue" { name = "test-queue" } resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id } ``` ```terraform module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.7.0" name = "my-vpc" cidr = "10.0.0.0/16" azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] enable_nat_gateway = true enable_vpn_gateway = true enable_dns_support = false tags = { Terraform = "true" Environment = "dev" } } ```