Ensure that all your AWS VPC endpoints are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account access. Prior to running this rule with the Cloud Conformity engine, you need to provide the trusted account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using overly permissive endpoint policies that allow unknown cross-account access to your Amazon VPC endpoints can lead to data exposure, data loss and/or unexpected charges on your AWS bill. Note that the default policy attached to a VPC endpoint allows any principal ("Principal": "*") to perform any action on any resource through the endpoint, so an endpoint whose policy was never customized is effectively open to every AWS account.
To determine if there are AWS VPC endpoints that allow unknown cross-account access, perform the following:
Remediation / Resolution
To update your Amazon VPC endpoint policies so that cross-account access is allowed only from trusted entities, perform the following:
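Both the audit and the remediation above can be scripted. The following is an added example written for this page; it is not Conformity's rule code or remediation steps. It takes an endpoint policy document as returned in the PolicyDocument field of the EC2 DescribeVpcEndpoints API, reports every Allow statement whose principal is a wildcard or belongs to an account outside the trusted list, and builds a replacement policy restricted to the trusted accounts' root principals. The policy documents, account IDs and function names are this example's own constructed assumptions.

```python
"""Audit a VPC endpoint policy for unknown cross-account access and build a
restricted replacement. Added example, not Conformity's code; the sample
policies and account IDs below are constructed placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Account field of an IAM ARN: arn:aws:iam::123456789012:root, :user/..., :role/...
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def account_of(principal):
    """12-digit account ID behind a principal string, or None for '*' / services."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def parse_trusted(friendly):
    """Comma-separated account IDs or account ARNs (the rule's input) -> set of IDs."""
    ids = set()
    for raw in friendly.split(","):
        entry = raw.strip()
        if not entry:
            continue
        account = account_of(entry)
        if account is None:
            raise ValueError(f"not an account ID or IAM ARN: {entry}")
        ids.add(account)
    return ids


def as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element into principal strings. Service and
    Federated principals are kept so they get reported rather than ignored."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    result = []
    for kind in ("AWS", "Service", "Federated"):
        result.extend(as_list(principal.get(kind)))
    return result


def condition_accounts(statement):
    """Accounts pinned by an aws:PrincipalAccount StringEquals condition, if any."""
    cond = statement.get("Condition", {})
    for op in ("StringEquals", "ForAnyValue:StringEquals"):
        for key, value in cond.get(op, {}).items():
            if key.lower() == "aws:principalaccount":
                return set(as_list(value))
    return set()


def audit_policy(policy_json, trusted_ids):
    """Return (statement index, principal, reason) for every Allow grant that
    reaches a wildcard, an untrusted account, or a principal needing review."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        pinned = condition_accounts(stmt)
        for p in principals_of(stmt):
            if p == "*":  # also covers {"AWS": "*"}
                if not pinned:
                    findings.append((idx, p, "wildcard principal with no aws:PrincipalAccount condition"))
                else:
                    for acct in sorted(pinned - trusted_ids):
                        findings.append((idx, acct, "aws:PrincipalAccount not in trusted list"))
                continue
            acct = account_of(p)
            if acct is None:
                findings.append((idx, p, "non-account principal; review manually"))
            elif acct not in trusted_ids:
                findings.append((idx, p, "account not in trusted list"))
    return findings


def restricted_policy(trusted_ids, actions, resources):
    """Replacement policy allowing only the trusted accounts' root principals."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in sorted(trusted_ids)]},
            "Action": actions,
            "Resource": resources,
        }],
    }, indent=2)


# Constructed sample: the shape of the default endpoint policy, which is what
# DescribeVpcEndpoints returns for an endpoint that was never customized.
DEFAULT_OPEN_POLICY = json.dumps({
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}]
})

if __name__ == "__main__":
    trusted = parse_trusted("123456789012, arn:aws:iam::210987654321:root")
    for finding in audit_policy(DEFAULT_OPEN_POLICY, trusted):
        print("FINDING", finding)
    print(restricted_policy(trusted, ["s3:GetObject"], ["arn:aws:s3:::example-bucket/*"]))
```

Apply the generated document with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json` and re-run the audit on the updated PolicyDocument. Two caveats: a "*" principal narrowed only by an aws:PrincipalOrgID condition is still reported as a wildcard here, since the organization membership cannot be resolved offline, and an endpoint policy only limits what passes through the endpoint; the resource policies on the buckets, tables or services reached through it still need their own review.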
VPC Endpoint Cross Account Access
Risk level: Medium