Use the Conformity Knowledge Base AI to help improve your Cloud Posture

VPC Endpoint Cross Account Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-006

Ensure that your Amazon VPC endpoints are configured to allow access only to trusted (friendly) AWS accounts in order to protect against unauthorized cross-account access. Before running this rule by the Trend Cloud One™ – Conformity engine, the list with the trusted AWS account identifiers must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using overly permissive policies that allow unknown cross-account access to your Amazon VPC endpoints can lead to data exposure, data loss and/or unexpected charges on your AWS bill.


Audit

To determine if your VPC endpoints allow unauthorized cross-account access, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Endpoints.

04 Select the Amazon VPC endpoint that you want to examine.

05 Select the Policy tab from the console bottom panel and identify the AWS account ID(s) and/or IAM entity ARN(s) configured for cross-account access, listed in the policy document box.

06 Sign in to your Trend Cloud One™ – Conformity account, access VPC Endpoint Cross-Account Access conformity rule settings, and compare the IDs/ARNs identified at the previous step against each AWS account ID/IAM entity ARN defined in the rule configuration section. If one or more IDs/ARNs are not included in the list of trusted AWS identities defined in the conformity rule settings, the cross-account access configuration available for the selected VPC endpoint is not secured.

07 Repeat steps no. 4 – 6 for other Amazon VPC endpoints available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-vpc-endpoints command (OSX/Linux/UNIX) with custom query filters to list the ID of each VPC endpoint deployed in the selected AWS region:

aws ec2 describe-vpc-endpoints
  --region us-east-1
  --output table
  --query 'VpcEndpoints[*].VpcEndpointId'

02 The command output should return the requested VPC endpoint ID(s):

----------------------------
|   DescribeVpcEndpoints   |
+--------------------------+
|  vpce-0abcd1234abcd1234  |
|  vpce-01234abcd1234abcd  |
+--------------------------+

03 Run describe-vpc-endpoints command (OSX/Linux/UNIX) using the ID of the VPC endpoint that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected endpoint:

aws ec2 describe-vpc-endpoints
  --region us-east-1
  --vpc-endpoint-ids vpce-0abcd1234abcd1234
  --query 'VpcEndpoints[*].PolicyDocument'

04 The command output should return the VPC endpoint policy document in JSON format:

{
    "Version": "2012-10-17",
    "Id": "VPCEndpointAccessPolicy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": "*",
            "Resource": "*"
        }
    ]
}

05 Identify the AWS account ID(s) and/or IAM entity ARN(s) configured for cross-account access, defined as value(s) for the "Principal" element value (highlighted), within the access policy returned by the describe-vpc-endpoints command output.

06 Sign in to your Trend Cloud One™ – Conformity account, access VPC Endpoint Cross-Account Access conformity rule settings, and compare the IDs/ARNs identified at the previous step against each AWS account ID/IAM entity ARN defined in the rule configuration section. If one or more IDs/ARNs are not included in the list of trusted AWS identities defined in the conformity rule settings, the cross-account access configuration available for the selected VPC endpoint is not secured.

07 Repeat steps no. 3 – 6 for other Amazon VPC endpoints available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update your VPC endpoint policy in order to allow cross-account access from trusted AWS entities only, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Allow Cross-Account Access from Trusted AWS Accounts Only",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default"
      }
    },
    "S3GatewayEndpoint": {
      "Type": "AWS::EC2::VPCEndpoint",
      "Properties": {
        "VpcId": {
          "Ref": "AWSVPCNetwork"
        },
        "ServiceName": {
          "Fn::Sub": "com.amazonaws.${AWS::Region}.s3"
        },
        "VpcEndpointType": "Gateway",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "123412341234"
                },
                "Action": "*",
                "Resource": "arn:aws:s3:::cc-client-bucket/*"
            }
          ]
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Allow Cross-Account Access from Trusted AWS Accounts Only
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref 'AWSVPCNetwork'
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: '123412341234'
            Action: '*'
            Resource: arn:aws:s3:::cc-client-bucket/*

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support = true
  instance_tenancy = "default"
}

resource "aws_vpc_endpoint" "s3-gateway-endpoint" {

  vpc_id = aws_vpc.aws-vpc-network.id
  service_name = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"

  # Allow Cross-Account Access from Trusted AWS Accounts Only
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "AWS": "123412341234"
          },
          "Action": "*",
          "Resource": "arn:aws:s3:::cc-client-bucket/*"
      }
    ]
  })

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Endpoints.

04 Select the Amazon VPC endpoint that you want to reconfigure.

05 Select the Policy tab from the console bottom panel and choose Edit Policy.

06 On the Edit Policy page, select Custom and update the VPC endpoint policy by replacing the existing (unauthorized) AWS identities defined as values for the "Principal" element with the trusted AWS identities, defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 to update the access policy for other VPC endpoints available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Edit your VPC endpoint access policy and replace the untrusted AWS identities with the trusted ones, defined in the conformity rule settings, in your Conformity account. Save the updated policy document to a JSON file named vpce-cross-account-access-policy.json. The following example presents a VPC endpoint policy that allows access to another (friendly) AWS account identified by the ID 123412341234 to perform actions to any AWS resources supported by the selected endpoint (such as Amazon S3 buckets):

{
    "Version": "2012-10-17",
    "Id": "VPCEndpointAccessPolicy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123412341234"
            },
            "Action": "*",
            "Resource": "*"
        }
    ]
}

02 Run modify-vpc-endpoint command (OSX/Linux/UNIX) using the ID of the VPC endpoint that you want to reconfigure as the identifier parameter, to replace the existing endpoint policy with the one defined at the previous step, i.e. vpce-cross-account-access-policy.json:

aws ec2 modify-vpc-endpoint
  --region us-east-1
  --vpc-endpoint-id vpce-0abcd1234abcd1234
  --policy-document file://vpce-cross-account-access-policy.json

03 The command output should return true if the command request succeeds, otherwise it should return an error:

{
    "Return": true
}

04 Repeat steps no. 1 – 3 to update the access policy for other VPC endpoints available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Jan 7, 2017