Logo of Trend Micro

VPC Endpoint Exposed

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: VPC-005

Identify any fully accessible VPC endpoints and update their access policy in order to stop any unsigned requests made to the supported services and resources.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When the Principal element value is set to "*" within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS accounts. Allowing access in this manner is considered bad practice and can lead to security issues.

Audit

To determine if your AWS VPC endpoints allow full access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Endpoints.

04 Select the VPC endpoint that you want to examine.

05 Click the Actions dropdown button from the dashboard top menu and select Edit Policy to check the endpoint policy.

06 In the Edit Policy dialog box, inside the Policy section, verify the set of permissions (policy) defined for the selected VPC endpoint. If the access policy is currently set to Full Access:

Edit Policy

the selected VPC endpoint is exposed to everyone. Also, if the endpoint policy is set to Custom but the Principal element does not promote a certain AWS account or IAM user, e.g. "Principal": { "AWS": "*" }, and the policy is not using any Condition clauses to filter the access, the selected Amazon VPC endpoint is fully exposed.

07 Repeat steps no. 4 - 6 to determine if other VPC endpoints created in the current region are fully accessible.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-vpc-endpoints command (OSX/Linux/UNIX) to retrieve the list with the IDs of all VPC endpoints available in the selected region: 

aws ec2 describe-vpc-endpoints
    --region us-east-1
    --output table
    --query 'VpcEndpoints[*].VpcEndpointId'

02 The command output should return the requested IDs: 

----------------------
|DescribeVpcEndpoints|
+--------------------+
|   vpce-cb85b502    |
|   vpce-6f20a5c6    |
+--------------------+

03 Run describe-vpc-endpoints command (OSX/Linux/UNIX) to list the selected VPC endpoint policy using its ID as identifier and custom query filters for the output: 

aws ec2 describe-vpc-endpoints
    --region us-east-1
    --vpc-endpoint-ids vpce-cb85b502
    --query 'VpcEndpoints[*].PolicyDocument'

04 The command output should return the VPC endpoint policy document in JSON format: 

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

If the "Principal" element value is set to "*" or { "AWS": "*" } and the policy statement is not using any Condition clauses to filter the access (as shown in the example above), the selected AWS VPC endpoint is fully accessible.

05 Repeat step no. 3 and 4 to determine the exposure of other VPC endpoints available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To restrict access to your Amazon VPC endpoints, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Endpoints.

04 Select the VPC endpoint that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Edit Policy to update the endpoint policy.

06 Inside the Edit Policy dialog box, select Custom and update the current access policy by performing one of the following actions:

  1. Replace the "Everyone" grantee (i.e. '*' or { "AWS": "*" }) from the Principal element value with an AWS account ID (e.g. '123456789012'), an AWS account ARN (e.g. 'arn:aws:iam::123456789012:root') or an IAM user ARN (e.g. 'arn:aws:iam::123456789012:user/vpce-manager').
  2. Add a Condition clause to the existing policy statement to filter the endpoint access to specific entities.

07 Click Save Policy to apply the policy changes.

08 Repeat steps no. 4 - 7 to update the access policy for other AWS VPC endpoints available in the current region in order to restrict the access as required.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, define the necessary access policy for the selected Amazon VPC endpoint and save it in a JSON file named vpce-secure-access-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example describes a policy document that grants access to an AWS IAM user identified by the ARN 'arn:aws:iam::123456789012:user/vpce-manager' to perform any actions on the service(s) supported by the selected VPC endpoint: 

{
  "Id": "VPCESecureAccessPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/vpce-manager"
        ]
      }
    }
  ]
}

02 Run modify-vpc-endpoint command (OSX/Linux/UNIX) using the ID of the VPC endpoint that you want to reconfigure (see Audit section part II to identify the right VPC resource) to replace the existing access policy with the one defined at the previous step, i.e. vpce-secure-access-policy.json: 

aws ec2 modify-vpc-endpoint
    --region us-east-1
    --vpc-endpoint-id vpce-cb85b502
    --policy-document file://vpce-secure-access-policy.json

03 The command output should return true which means that the request has succeeded: 

{
    "Return": true
}

04 Repeat steps no. 1 - 3 to update the access policy for other VPC endpoints created in the current region in order to restrict the endpoint access based on your requirements.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire process for other regions.

References

Publication date Jan 7, 2017

Related VPC rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

VPC Endpoint Exposed

Risk level: Medium