Ensure that VPC Endpoint policy does not provide excessive permissions

Services with sensitive information are connected to VPC Endpoint. Determine the specific actions needed by the endpoint, and then craft IAM policy with the required permissions. Disclaimer: Endpoint policies are not supported by all endpoint services. If a service does not support endpoint policies, the endpoint allows full access to the service. For more information, see View endpoint policy support link in reference section

Risk Level: High
Cloud Entity: Amazon VPC Endpoints
CloudGuard Rule ID: D9.AWS.IAM.59
Category: Networking & Content Delivery

GSL LOGIC

VpcEndpoint should not have policy.Statement contain [Effect='Allow' and (Action  = '*'  or Action contain ['%s3:*%']  or Action contain ['%dynamodb:*%'] )]

REMEDIATION

From Portal
Default policy allows vpc resources full access to the services behind the endpoint. We should limit this policy and follow least privilege guidelines. Perform the following steps in order to set a new VPC Endpoint policy via AWS Console:

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose Endpoints from the left VPC navigation panel
  3. Choose relevant endpoint and click Actions
  4. Edit the policy and limit the principal and/or the actions and/or the resources in the statement.

Note: You can use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

From Command Line

aws ec2 modify-vpc-endpoint --vpc-endpoint-id Endpoint_ID --policy-document Path_to_JSON_file_with_updated_policy

References

  1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
  2. https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html#vpce-endpoint-policy-support
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html

Amazon VPC Endpoints

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5