Ensure that VPC Endpoint policy does not provide excessive permissions
Services holding sensitive information are reached through VPC endpoints. Determine the specific actions the endpoint needs, then craft an endpoint policy that grants only those permissions. Disclaimer: Endpoint policies are not supported by all endpoint services. If a service does not support endpoint policies, the endpoint allows full access to the service. For more information, see the endpoint policy support link in the References section.
Risk Level: High
Cloud Entity: Amazon VPC Endpoints
CloudGuard Rule ID: D9.AWS.IAM.59
Category: Networking & Content Delivery
GSL LOGIC
VpcEndpoint should not have policy.Statement contain [Effect='Allow' and (Action = '*' or Action contain ['%s3:*%'] or Action contain ['%dynamodb:*%'] )]
REMEDIATION
From Portal
The default endpoint policy allows resources in the VPC full access to the service behind the endpoint. Limit this policy in line with least-privilege guidelines. Perform the following steps to set a new VPC Endpoint policy via the AWS Console:
- Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
- Choose Endpoints from the left VPC navigation panel
- Choose the relevant endpoint and click Actions
- Edit the policy and limit the principal and/or the actions and/or the resources in the statement.
Note: You can use the AWS Policy Generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html
From Command Line
aws ec2 modify-vpc-endpoint --vpc-endpoint-id Endpoint_ID --policy-document file://Path_to_JSON_file_with_updated_policy
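The following is an added example, not part of this rule page or of CloudGuard itself, that implements the check expressed by the GSL logic above in Python and shows, side by side, the permissive default endpoint policy that the rule flags and a least-privilege replacement of the kind the remediation asks for. Both policy documents are constructed samples; the account ID, role name and bucket name in them are placeholders. The check goes slightly beyond the GSL text in two ways, both stated in comments: it handles Statement and Action given either as a scalar or as a list (both are valid IAM syntax), and it compares action names case-insensitively, because IAM matches action names without regard to case.

```python
import json

# Constructed sample: the default VPC endpoint policy, which grants full access
# to the service behind the endpoint and is exactly what this rule flags.
DEFAULT_FULL_ACCESS_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": "*",
    }]
})

# Constructed sample: a least-privilege replacement for an S3 gateway endpoint.
# Account ID, role and bucket are placeholders, not real identifiers.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadFromOneBucket",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*",
        ],
    }]
})


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def excessive_statements(policy_document):
    """Return the statements the GSL logic would flag:
    Effect == 'Allow' and Action is '*', or contains 's3:*' or 'dynamodb:*'.
    GSL's contain ['%s3:*%'] is a substring match, so a list such as
    ['ec2:Describe*', 's3:*'] is flagged as well. Action names are lowercased
    because IAM matches them case-insensitively (an extension of the rule text).
    """
    if isinstance(policy_document, str):
        policy = json.loads(policy_document)
    else:
        policy = policy_document
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(stmt.get("Action"))]
        if any(a == "*" or "s3:*" in a or "dynamodb:*" in a for a in actions):
            flagged.append(stmt)
    # Note: a statement using NotAction with Effect Allow is not examined by
    # this rule's logic, so it is not examined here either.
    return flagged


def is_compliant(policy_document):
    """True when no statement in the endpoint policy is flagged."""
    return not excessive_statements(policy_document)


def remediation_command(endpoint_id, policy_path):
    """Build the CLI call from the remediation section. The file:// prefix is
    what makes the AWS CLI read the policy document from a file instead of
    treating the path string itself as the policy."""
    return (
        f"aws ec2 modify-vpc-endpoint --vpc-endpoint-id {endpoint_id} "
        f"--policy-document file://{policy_path}"
    )


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_FULL_ACCESS_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        verdict = "compliant" if is_compliant(doc) else "FLAGGED"
        print(f"{name}: {verdict}")
    # vpce-0123456789abcdef0 is a placeholder endpoint ID.
    print(remediation_command("vpce-0123456789abcdef0", "endpoint-policy.json"))
```

Run against a real endpoint, the policy document to feed into `excessive_statements` is the `PolicyDocument` string returned for each endpoint by `aws ec2 describe-vpc-endpoints`; the function accepts either the raw JSON string or the already-parsed dictionary.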
References
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
- https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html#vpce-endpoint-policy-support
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html
Amazon VPC Endpoints
A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5