We had a scan done recently of our AWS infrastructure, and one of the high-risk items that we need to address is to:

> Identify any fully accessible VPC endpoints and update their access policy in order to stop any unsigned requests made to the supported services and resources
The resource that was identified was given to us as arn:aws:ec2:us-east-1:12345678901:vpc-endpoint/vpce-987654321098765
(actual numbers have been changed to protect the innocent). However, in looking through both my VPC and EC2 consoles, I am unable to find the items with those ARNs anywhere.
My questions:
- How can I identify the resource (we have a number of EC2 instances) that is referenced?
- In regard to limiting to signed requests, is that handled via a policy, or something like a route table? I don't see anywhere to assign a policy, as is done in IAM. Am I missing something?
On a side note, I have been sort of thrust into this role, so my learning curve is pretty vertical at this point in time.
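The ARN's resource type is `vpc-endpoint`, which lives under VPC > Endpoints rather than EC2 > Instances; the same object is returned by `aws ec2 describe-vpc-endpoints`, and its `PolicyDocument` field is what the scanner flagged. The following is an added example (not from the question or from AWS) that runs the scanner's check over constructed `describe-vpc-endpoints` output, flagging endpoints whose policy still grants `Principal: "*"` (which admits unsigned requests), and builds a replacement policy scoped to one account; the endpoint IDs and account number are placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
# PolicyDocument is a JSON string inside the JSON, exactly as the CLI returns it.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {   # Default policy AWS attaches at creation: anyone, any action.
            "VpcEndpointId": "vpce-0aaaaaaaaaaaaaaaa",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "PolicyDocument": json.dumps({"Version": "2008-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
        },
        {   # Already restricted to principals of one (placeholder) account.
            "VpcEndpointId": "vpce-0bbbbbbbbbbbbbbbb",
            "ServiceName": "com.amazonaws.us-east-1.sqs",
            "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                 "Action": "sqs:*", "Resource": "*"}]}),
        },
    ]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows_anonymous(policy_doc):
    """True if an Allow statement names Principal "*" (or AWS: "*") with no
    Condition narrowing it. Such a statement admits unsigned requests."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if wildcard and not stmt.get("Condition"):
            return True
    return False

def find_open_endpoints(describe_output):
    """IDs of endpoints whose policy is fully accessible."""
    return [ep["VpcEndpointId"] for ep in describe_output["VpcEndpoints"]
            if allows_anonymous(ep.get("PolicyDocument", '{"Statement": []}'))]

def restricted_policy(account_id, actions="*"):
    """Replacement endpoint policy: only signed requests from principals in
    `account_id` are allowed; anonymous requests carry no principal, so they fail."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": actions, "Resource": "*"}]}

if __name__ == "__main__":
    for vpce in find_open_endpoints(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{vpce}: fully accessible; attach policy with "
              f"aws ec2 modify-vpc-endpoint --vpc-endpoint-id {vpce} --policy-document file://policy.json")
    print(json.dumps(restricted_policy("123456789012"), indent=2))
```

Feed it the real output of `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-...` (after `json.load`) to confirm the flagged endpoint, then tighten `Action` in the generated policy to the services your instances actually use before applying it with `modify-vpc-endpoint`.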