Ensure VPC Endpoint has a name tag

To keep control of your VPC environment, all of its components should have a meaningful name.

Risk Level: Low
Cloud Entity: Amazon VPC Endpoints
CloudGuard Rule ID: D9.AWS.OPE.16
Covered by Spectral: Yes
Category: Networking & Content Delivery


VpcEndpoint should have tags contain [key like '%Name%']
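
The rule above, evaluated offline against output shaped like `aws ec2 describe-vpc-endpoints`, as an added example (not CloudGuard's own code). The sample data and function names are constructed, case-insensitive `like` matching is an assumption exposed as a parameter, and `has_usable_name` is a stricter check than the rule itself.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
# All IDs and tag values are made up for illustration.
SAMPLE = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0000000000000000a",
   "Tags": [{"Key": "Name", "Value": "s3-gateway-prod"}]},
  {"VpcEndpointId": "vpce-0000000000000000b",
   "Tags": [{"Key": "env", "Value": "prod"}]},
  {"VpcEndpointId": "vpce-0000000000000000c"},
  {"VpcEndpointId": "vpce-0000000000000000d",
   "Tags": [{"Key": "Name", "Value": "  "}]},
  {"VpcEndpointId": "vpce-0000000000000000e",
   "Tags": [{"Key": "HostName", "Value": "kms-shared"}]}
]}
""")


def passes_rule(endpoint, case_sensitive=False):
    """key like '%Name%': some tag key contains 'Name'.
    Case-insensitive matching is an assumption, so it is a parameter."""
    for tag in endpoint.get("Tags") or []:  # untagged endpoints have no Tags key
        key = tag.get("Key", "")
        if "Name" in key or (not case_sensitive and "name" in key.lower()):
            return True
    return False


def has_usable_name(endpoint):
    """Stricter than the rule: exact key 'Name' with a non-blank value."""
    return any(t.get("Key") == "Name" and t.get("Value", "").strip()
               for t in endpoint.get("Tags") or [])


def audit(response):
    """Return (rule_failures, weak_passes) as lists of endpoint IDs."""
    failures, weak = [], []
    for ep in response.get("VpcEndpoints", []):
        if not passes_rule(ep):
            failures.append(ep["VpcEndpointId"])
        elif not has_usable_name(ep):
            weak.append(ep["VpcEndpointId"])
    return failures, weak


if __name__ == "__main__":
    failures, weak = audit(SAMPLE)
    print("fails rule:", failures)
    print("passes rule but has no usable Name:", weak)
```

Endpoints in the second list satisfy the wildcard match but still lack an exact `Name` key with a non-blank value.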


From Portal
Perform the following to set a Name tag on your VPC Endpoint:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. On the navigation pane, choose VPC Endpoints.
  3. Choose the VPC Endpoint for which to add or edit tags.
  4. Choose the Tags tab in the lower part of the page.
  5. Choose Manage tags.
  6. Choose Add new tag.
  7. Enter a Key and Value for the tag.
  8. Choose Save.

From TF

resource "aws_ec2_tag" "example" {
	resource_id = "VPC_Endpoint_id"
	key         = "Name"
	value       = "tag_value"
}

From Command Line

aws ec2 create-tags --resources Endpoint_ID --tags Key=Name,Value=tag_value


  1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
  2. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-tags.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag

Amazon VPC Endpoints

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset