Identify any fully accessible VPC endpoints and update their endpoint policy so that only the intended principals, actions and resources can use the endpoint, rather than any principal from any AWS account.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When the Principal element in the endpoint policy is set to "*" and no Condition narrows the caller, the VPC endpoint can be used by any IAM principal inside the VPC, including one presenting credentials from another AWS account. This is exactly what the default policy AWS attaches to an endpoint created without one looks like ("Principal": "*", "Action": "*", "Resource": "*"), and leaving it in place is considered bad practice: the endpoint policy is the one control that is evaluated for every request that crosses the endpoint, so a wide-open policy lets a compromised instance or a misconfigured role move data to resources in accounts you do not own (for example, copying objects to a third-party S3 bucket). Note that an endpoint policy does not grant permissions on its own; the caller's IAM policy and the target resource's own policy are still evaluated, so tighten the endpoint policy in addition to those controls, not instead of them.
Audit
To determine if your AWS VPC endpoints allow full access, perform the following:
Remediation / Resolution
To restrict access to your Amazon VPC endpoints, perform the following:
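The audit and remediation step lists themselves are not reproduced on this page, so the following is an added example, not Conformity's or AWS's own code, that covers both: it classifies each endpoint's PolicyDocument (the JSON string returned by describe-vpc-endpoints) as fully open, open to any principal, or restricted, and it builds a replacement policy that pins the caller to one account for modify-vpc-endpoint. The function names are hypothetical; the endpoint IDs, service names and account ID 111122223333 in the sample data are constructed. The classification runs offline on the embedded sample; the two boto3 helpers perform the live calls and need AWS credentials.

```python
"""Classify VPC endpoint policies and build a pinned replacement (added example, see lead-in)."""
import json

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Principal may be "*", ["*"], or {"AWS": ...}; Service/Federated keys are ignored here."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)

def classify_statement(stmt):
    """'full': Allow, Principal *, Action *, Resource *, no Condition (AWS's default policy).
    'open-principal': Allow, Principal * and no Condition, but actions or resources narrowed.
    'restricted': Deny, a named principal, or any Condition (review the condition by hand)."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return "restricted"
    if "*" not in _principals(stmt):
        return "restricted"
    if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
        return "full"
    return "open-principal"

def classify_policy(policy_document):
    """Worst level across the statements of a PolicyDocument JSON string; no policy means AWS default."""
    if not policy_document:
        return "full"
    levels = {classify_statement(s) for s in _as_list(json.loads(policy_document).get("Statement"))}
    for level in ("full", "open-principal"):
        if level in levels:
            return level
    return "restricted"

def find_exposed(endpoints):
    """Filter describe-vpc-endpoints 'VpcEndpoints' entries; returns (id, service, level) for exposed ones."""
    findings = []
    for ep in endpoints:
        level = classify_policy(ep.get("PolicyDocument"))
        if level != "restricted":
            findings.append((ep["VpcEndpointId"], ep["ServiceName"], level))
    return findings

def restricted_policy(account_id, actions, resources):
    """Replacement policy: Principal stays "*" but aws:PrincipalAccount pins callers to one account."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyOwnAccount",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }, indent=2)

def audit_region(region_name):
    """Live audit; boto3 is imported lazily so the functions above work offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    return find_exposed(ec2.describe_vpc_endpoints()["VpcEndpoints"])

def apply_policy(region_name, endpoint_id, policy_document):
    """Attach the replacement policy (the API behind `aws ec2 modify-vpc-endpoint --policy-document`)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    return ec2.modify_vpc_endpoint(VpcEndpointId=endpoint_id, PolicyDocument=policy_document)

# Constructed sample in the shape of describe-vpc-endpoints output; IDs and account are made up.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "ServiceName": "com.amazonaws.us-east-1.s3",
     "PolicyDocument": json.dumps({"Version": "2008-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60002", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["dynamodb:GetItem"],
          "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"}]})},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60003", "ServiceName": "com.amazonaws.us-east-1.sqs",
     "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "sqs:*", "Resource": "*",
          "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}}]})},
]

if __name__ == "__main__":
    for endpoint_id, service, level in find_exposed(SAMPLE_ENDPOINTS):
        print(f"{endpoint_id} ({service}): {level}")
    print(restricted_policy("111122223333", ["s3:GetObject"], ["arn:aws:s3:::example-bucket/*"]))
```

The CLI equivalents are `aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[].[VpcEndpointId,PolicyDocument]'` for the audit and `aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-... --policy-document file://policy.json` for the fix. Two caveats: the classifier treats any Condition as a restriction, so a statement whose condition does not actually constrain the caller still needs a manual look; and for multi-account organisations `aws:PrincipalOrgID` is the usual alternative to a single `aws:PrincipalAccount` value.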
References
- AWS Documentation
- Amazon VPC FAQs
- VPC Endpoints
- Controlling Access to Amazon VPC Resources
- AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-vpc-endpoints
- modify-vpc-endpoint
- AWS Blog(s)
- New – VPC Endpoint for Amazon S3

You are auditing:
VPC Endpoint Exposed
Risk level: Medium