Ensure that VPC Endpoint policy won't allow all actions

Services holding sensitive data are reachable through the VPC endpoint. Determine the specific actions the endpoint must permit, then craft the IAM policy so that it grants only those permissions rather than a wildcard action.

Risk Level: High
Cloud Entity: Amazon VPC Endpoints
CloudGuard Rule ID: D9.TF.AWS.IAM.59
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

aws_vpc_endpoint should not have (policy regexMatch /"Effect":\s*"Allow"/i) and (policy regexMatch /Action\":{\"s3:*\"}/i or policy regexMatch /"Action":\s*"*"/i or policy regexMatch /Action\":{\"dynamodb:*\"}/i)

REMEDIATION

Perform the following in order to set a new VPC Endpoint policy:
From Portal

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose Endpoints
  3. Choose the relevant endpoint and click Actions -> Edit policy.

From CLI
aws ec2 modify-vpc-endpoint --vpc-endpoint-id <Endpoint ID> --policy-document file://<path to JSON file with updated policy>
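The following is an added example, not part of the CloudGuard rule or the AWS CLI: it shows a constructed endpoint policy that the GSL logic above flags beside a constructed least-privilege replacement, and a parser-based check that generalises the rule's regexes to any "Allow" statement granting "*" or "service:*". Bucket name and policy contents are assumptions.

```python
import json
import re

# Constructed example: the kind of endpoint policy the rule flags (Allow with a wildcard action).
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
})

# Constructed example: a policy scoped to the actions the endpoint actually needs
# (assumed bucket name "example-bucket").
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Matches "service:*" (e.g. "s3:*", "dynamodb:*"); the bare "*" is handled separately.
_SERVICE_WILDCARD = re.compile(r"[a-z0-9-]+:\*", re.IGNORECASE)


def overly_broad_actions(policy_json: str) -> list[str]:
    """Return every wildcard action granted by an Allow statement in the policy document.

    Parsing the JSON instead of regex-matching the raw text handles both a single
    statement object and a list, and a single action string as well as a list.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with "*" do not widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or _SERVICE_WILDCARD.fullmatch(action):
                found.append(action)
    return found


def policy_is_compliant(policy_json: str) -> bool:
    """True when no Allow statement grants a wildcard action."""
    return not overly_broad_actions(policy_json)
```

Run the check against the policy document before passing it to `modify-vpc-endpoint`; a non-empty result lists the actions that still need to be narrowed.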

References
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html
You can use the AWS Policy Generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

Amazon VPC Endpoints

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Compliance Frameworks

  • Terraform AWS CIS Foundations