Ensure that the VPC endpoint state is 'Available'

A VPC endpoint lets you create a private connection between your VPC and another AWS service without requiring access over the Internet, a NAT device, a VPN connection, or AWS Direct Connect. Instances in your VPC do not need public IP addresses to communicate with resources in the service, and traffic between your VPC and the service does not leave the Amazon network. An endpoint only carries traffic once it is in the Available state. For an interface endpoint that connects to an endpoint service (AWS PrivateLink), the service owner must accept the endpoint connection; while that connection is pending or after it has been rejected, any connection sent from the interface endpoint to the service's Network Load Balancer times out.

Risk Level: High
Cloud Entity: Amazon VPC Endpoints
CloudGuard Rule ID: D9.AWS.NET.55
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

VpcEndpoint should have state='Available'

REMEDIATION

From Portal:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Endpoints.
  3. Select the specific endpoint you want to verify.
  4. In the Details section, confirm that the Status is 'Available'.

From Command Line:
Use the following command to list every endpoint with its state; each one should report 'available' (the API returns the state in lower case):

aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[].{Id:VpcEndpointId,Type:VpcEndpointType,Service:ServiceName,State:State}' --output table
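As an added example (not part of the CloudGuard rule or the AWS documentation), the following Python script applies the GSL logic above to the JSON that `aws ec2 describe-vpc-endpoints` returns, so the check can run from CI or a scheduled job instead of by eye in the console. The response embedded in the script is a constructed sample with made-up resource IDs; in practice you pipe the CLI output into the script. It also separates states that may still resolve on their own (pending, pendingAcceptance) from terminal ones (rejected, failed, expired, deleted) that need someone to act. The `ActionRequired` field and the `TERMINAL_STATES` set are this example's own classification, not something the rule defines.

```python
"""Check every VPC endpoint in a describe-vpc-endpoints response for state 'available'.

Run against live data:  aws ec2 describe-vpc-endpoints | python3 vpce_state_check.py
Run with no piped input: python3 vpce_state_check.py   (uses the constructed sample below)
"""
import json
import sys

# The API/CLI report the compliant state in lower case; the GSL rule spells it 'Available'.
COMPLIANT_STATE = "available"

# Example's own classification: states that will not resolve by themselves (the service
# owner rejected the connection, creation failed, the request expired, or it was deleted).
TERMINAL_STATES = {"rejected", "failed", "expired", "deleted"}


def evaluate_endpoints(response):
    """Apply `VpcEndpoint should have state='Available'` to a parsed
    describe-vpc-endpoints response. Returns one finding per non-compliant endpoint."""
    findings = []
    for ep in response.get("VpcEndpoints", []):
        state = ep.get("State", "")
        if state.lower() == COMPLIANT_STATE:
            continue
        findings.append({
            "VpcEndpointId": ep.get("VpcEndpointId"),
            "VpcId": ep.get("VpcId"),
            "ServiceName": ep.get("ServiceName"),
            "VpcEndpointType": ep.get("VpcEndpointType"),
            "State": state,
            # 'pending'/'pendingAcceptance' may still become available (e.g. waiting for
            # the service owner to accept); a terminal state needs someone to act.
            "ActionRequired": state in TERMINAL_STATES,
        })
    return findings


# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output (IDs are not real).
SAMPLE_RESPONSE = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
            "VpcEndpointType": "Gateway",
            "VpcId": "vpc-0123456789abcdef0",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
        },
        {
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0123456789abcdef0",
            # Interface endpoint to a PrivateLink service whose owner has not accepted it yet.
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
            "State": "pendingAcceptance",
        },
        {
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60003",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0123456789abcdef0",
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0fedcba9876543210",
            "State": "rejected",
        },
    ]
}


def main():
    # Read a real response from stdin when one is piped in; otherwise use the sample.
    response = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = evaluate_endpoints(response)
    for f in findings:
        print(f"NON-COMPLIANT {f['VpcEndpointId']} ({f['VpcEndpointType']}, {f['ServiceName']}): "
              f"state={f['State']} action_required={f['ActionRequired']}")
    total = len(response.get("VpcEndpoints", []))
    print(f"{len(findings)} non-compliant endpoint(s) out of {total}")
    # Non-zero exit so a CI job or scheduled check fails when any endpoint is not 'available'.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

On the sample, the S3 gateway endpoint passes and the two interface endpoints are reported, with only the rejected one flagged as needing action. To pull just the problem endpoints straight from the CLI, the same states can be passed to the `vpc-endpoint-state` filter, e.g. `aws ec2 describe-vpc-endpoints --filters Name=vpc-endpoint-state,Values=pendingAcceptance,pending,rejected,failed`.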

References:

  1. https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
  2. https://aws.amazon.com/premiumsupport/knowledge-center/instance-vpc-troubleshoot/
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-vpc-endpoints.html

Amazon VPC Endpoints

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • CloudGuard AWS All Rules Ruleset