Ensure that your Amazon VPC endpoint policies allow access only from trusted (friendly) AWS accounts, in order to protect against unauthorized cross-account access. Before the Trend Cloud One™ – Conformity engine runs this rule, the list of trusted AWS account identifiers must be configured in the rule settings on your Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Overly permissive endpoint policies (for example, a statement whose Principal is the wildcard "*") allow principals from unknown AWS accounts to reach the service through your Amazon VPC endpoints, which can lead to data exposure, data loss or unexpected charges on your AWS bill.
Audit
To determine whether your VPC endpoints allow unauthorized cross-account access, perform the following actions:
Remediation / Resolution
To update your VPC endpoint policy in order to allow cross-account access from trusted AWS entities only, perform the following actions:
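The audit and remediation steps themselves are not present on this page as extracted. The following Python script is an added example, not Conformity's code and not taken from the original page, that carries out both: it reads the JSON that `aws ec2 describe-vpc-endpoints --output json` returns (a constructed sample with made-up endpoint IDs and account numbers is embedded so the script runs offline), flags every endpoint whose policy has an Allow statement granting access to a principal outside the trusted-account list (a wildcard Principal counts as untrusted), and builds the replacement policy document you would pass to `aws ec2 modify-vpc-endpoint --policy-document`. The function names and the `TRUSTED_ACCOUNTS` set are this example's own.

```python
import json

# Constructed sample of `aws ec2 describe-vpc-endpoints --output json` output.
# Endpoint IDs and account numbers are made up for this example; PolicyDocument
# is a JSON string, exactly as the API returns it.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {   # gateway endpoint left on the default "full access" policy
            "VpcEndpointId": "vpce-0a1b2c3d4e5f67890",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "PolicyDocument": json.dumps({
                "Version": "2008-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "*", "Resource": "*"}],
            }),
        },
        {   # custom policy that mixes a trusted account with an unknown one
            "VpcEndpointId": "vpce-0fedcba9876543210",
            "ServiceName": "com.amazonaws.us-east-1.sqs",
            "PolicyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": [
                                   "arn:aws:iam::111111111111:root",
                                   "arn:aws:iam::999999999999:role/PartnerAccess"]},
                               "Action": "sqs:*", "Resource": "*"}],
            }),
        },
    ]
}

# The trusted (friendly) account list as configured in the rule settings (made up).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def principal_accounts(principal):
    """Account IDs named by a statement's Principal element; a wildcard is
    reported as the literal "*" so it is flagged like any other stranger."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])   # Service/Federated principals ignored
    if isinstance(principal, str):
        principal = [principal]
    accounts = set()
    for p in principal:
        if p.startswith("arn:"):
            # arn:partition:service:region:account:resource -> field 4 is the account
            accounts.add(p.split(":")[4])
        else:
            accounts.add(p)   # "*" or a bare 12-digit account ID
    return accounts


def untrusted_accounts(policy_document, trusted):
    """Principals granted by Allow statements that are not in the trusted set."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be given bare
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            granted |= principal_accounts(stmt.get("Principal", {}))
    return granted - set(trusted)


def audit(describe_output, trusted):
    """Endpoint ID -> untrusted principals, for every endpoint that fails the rule."""
    findings = {}
    for endpoint in describe_output["VpcEndpoints"]:
        bad = untrusted_accounts(endpoint["PolicyDocument"], trusted)
        if bad:
            findings[endpoint["VpcEndpointId"]] = bad
    return findings


def restricted_policy(trusted, action="*", resource="*"):
    """Replacement policy document that allows only the trusted accounts.
    Tighten `action`/`resource` to what the endpoint's service actually needs."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowTrustedAccountsOnly",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in sorted(trusted)]},
            "Action": action,
            "Resource": resource,
        }],
    }, indent=2)


if __name__ == "__main__":
    for vpce_id, bad in audit(SAMPLE_DESCRIBE_OUTPUT, TRUSTED_ACCOUNTS).items():
        print(f"{vpce_id}: allows untrusted principals {sorted(bad)}")
        print(f"  fix: aws ec2 modify-vpc-endpoint --vpc-endpoint-id {vpce_id} "
              "--policy-document file://trusted-only-policy.json")
    # Save this output as trusted-only-policy.json before running the fix command.
    print(restricted_policy(TRUSTED_ACCOUNTS))
```

Two caveats when reading the findings. The check treats any wildcard Principal as untrusted even when the statement also carries an `aws:PrincipalAccount` or `aws:PrincipalOrgID` condition, and it ignores Deny statements entirely, so a policy that fences out other accounts by condition or by Deny/NotPrincipal needs a manual read rather than an automatic pass. An endpoint created without a custom policy carries AWS's default full-access policy (Principal "*"), so the first sample endpoint is the common case this rule catches, not an exotic one.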
References
- AWS Documentation
  - Amazon VPC FAQs
  - AWS PrivateLink concepts
  - Identity and access management for Amazon VPC
  - AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-vpc-endpoints
    - modify-vpc-endpoint
- CloudFormation Documentation
  - AWS::EC2::VPCEndpoint
- Terraform Documentation
  - AWS Provider