
We had a scan done recently of our AWS infrastructure, and one of the high risk level items that we need to address is to

Identify any fully accessible VPC endpoints and update their access policy in order to stop any unsigned requests made to the supported services and resources

The resource that was identified was given to us as arn:aws:ec2:us-east-1:12345678901:vpc-endpoint/vpce-987654321098765 (actual numbers have been changed to protect the innocent). However, in looking through both my VPC and EC2 consoles, I am unable to find the items with those ARNs anywhere.

My questions:

  1. How can I identify the resource (we have a number of EC2 instances) that is referenced?
  2. In regards to limiting to signed requests, is that handled via a policy, or something like a route table? I don't see anywhere to assign a policy, as is done in IAM. Am I missing something?

On a side note, I have been sort of thrust into this role, so my learning curve is pretty vertical at this point in time.


1 Answer

  1. How to view the resource: VPC -> Endpoints, make sure that you are in us-east-1 region.

  2. How to remedy that depends on what service the endpoint is for. Check the service name; it may be something like com.amazonaws.us-east-1.s3. When you find it, click on it and then select the Policy tab. You can specify the custom policy there.

However, it looks like overkill. You'll have to keep updating the policy for every new service that will want to use the endpoint.

But I'm not surprised; security audit requirements often don't make sense.
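As an added example (not part of the answer above, and not AWS tooling), the following Python does the two things the finding asks for on data you can pull with `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-...`: it flags endpoint records whose policy is the default fully-open one (any principal, any action, any resource, no condition), and it builds a scoped-down replacement policy that rejects anonymous requests by requiring `aws:PrincipalAccount`, a condition key that is only present on signed requests. The endpoint records, endpoint IDs, account ID and bucket name below are constructed placeholders.

```python
"""Flag fully-open VPC endpoint policies and build a scoped-down replacement.

Input shape mirrors `aws ec2 describe-vpc-endpoints` output, where each
endpoint carries its policy as a JSON string in "PolicyDocument".
All records below are constructed sample data, not real AWS output.
"""
import json

# Constructed sample: one endpoint with the default open policy (the kind a
# scanner reports as "fully accessible") and one already scoped to an account.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0000000000000001",  # placeholder ID
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "VpcEndpointType": "Gateway",
            "PolicyDocument": json.dumps({
                "Version": "2008-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "*", "Resource": "*"}],
            }),
        },
        {
            "VpcEndpointId": "vpce-0000000000000002",  # placeholder ID
            "ServiceName": "com.amazonaws.us-east-1.sqs",
            "VpcEndpointType": "Interface",
            "PolicyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow", "Principal": "*",
                    "Action": "sqs:*", "Resource": "*",
                    "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}},
                }],
            }),
        },
    ]
}


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Principal values."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """"*" and {"AWS": "*"} both mean every caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def is_fully_open(policy_document):
    """True when some Allow statement grants any principal every action on
    every resource with no Condition, which is the default endpoint policy."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if "*" not in _as_list(stmt.get("Action", [])):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if not stmt.get("Condition"):
            return True
    return False


def find_open_endpoints(describe_output):
    """Return the IDs of endpoints whose policy is fully open."""
    return [ep["VpcEndpointId"] for ep in describe_output["VpcEndpoints"]
            if is_fully_open(ep["PolicyDocument"])]


def scoped_policy(service_prefix, account_id, resources=("*",)):
    """Endpoint policy that still names Principal "*" (so it is evaluated for
    every caller) but only allows credentials from account_id. Anonymous
    requests carry no aws:PrincipalAccount and so fail the condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyThisAccount",
            "Effect": "Allow",
            "Principal": "*",
            "Action": f"{service_prefix}:*",
            "Resource": list(resources),
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


if __name__ == "__main__":
    print("open endpoints:", find_open_endpoints(SAMPLE_DESCRIBE_OUTPUT))
    print(json.dumps(scoped_policy("s3", "123456789012",
                                   ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"]), indent=2))
```

To apply the generated document to a real endpoint, write it to a file and run `aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-... --policy-document file://policy.json`. Narrow `Resource` to the buckets or queues the VPC actually needs; `"*"` with the account condition only stops unsigned and foreign-account requests, not over-broad access from your own account.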

