- VPC Endpoint Exposed
Identify fully accessible Amazon VPC endpoints and update their access policy in order to stop any unsigned requests initiated for the supported AWS cloud services and resources.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When the "Principal" element value is set to "*" within the VPC endpoint access policy, the endpoint allows full access (i.e. allow access by any user or service within the VPC using credentials from any AWS accounts to any resources in this AWS service). Allowing access in this manner is considered a bad practice and can lead to data exposure, data loss and/or unexpected charges on your AWS bill.
Audit
To determine if your Amazon VPC endpoints are exposed to everyone, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.
03 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Endpoints.
04 Select the Amazon VPC endpoint that you want to examine.
05 Select the Policy tab from the console bottom panel and choose Edit Policy.
06 On the Edit Policy page, within the Policy section, verify the set of permissions configured for the selected VPC endpoint. If the Policy is set to Full Access, the selected Amazon VPC endpoint is exposed to everyone. Also, if the Policy is set to Custom but the "Principal" element value is set to "*" or { "AWS": "*" }, and the custom policy is not using any "Condition" clauses to filter the access, the selected Amazon VPC endpoint is fully exposed.
07 Repeat steps no. 4 – 6 for the other Amazon VPC endpoints available within the current AWS region.
08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-vpc-endpoints command (OSX/Linux/UNIX) with custom query filters to list the ID of each VPC endpoint deployed in the selected AWS region:
aws ec2 describe-vpc-endpoints --region us-east-1 --output table --query 'VpcEndpoints[*].VpcEndpointId'
02 The command output should return the requested VPC endpoint ID(s):
----------------------------
|   DescribeVpcEndpoints   |
+--------------------------+
|  vpce-0abcd1234abcd1234  |
|  vpce-01234abcd1234abcd  |
+--------------------------+
03 Run describe-vpc-endpoints command (OSX/Linux/UNIX) using the ID of the VPC endpoint that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected endpoint:
aws ec2 describe-vpc-endpoints --region us-east-1 --vpc-endpoint-ids vpce-0abcd1234abcd1234 --query 'VpcEndpoints[*].PolicyDocument'
04 The command output should return the VPC endpoint policy document in JSON format:
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::cc-internal-bucket/*",
      "Principal": "*"
    }
  ]
}
If the "Principal" element value is set to "*" or { "AWS": "*" }, and the custom policy is not using any "Condition" clauses to filter the access, the selected Amazon VPC endpoint is fully accessible.
05 Repeat steps no. 3 and 4 for the other Amazon VPC endpoints available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
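The audit steps above boil down to one test per policy statement: Effect "Allow", Principal "*" (or { "AWS": "*" }), and no "Condition" clause. The following script is an added example, not part of the Conformity page or its tooling; it applies that test to endpoint records shaped like the output of aws ec2 describe-vpc-endpoints (a list of endpoints, each with a VpcEndpointId and a PolicyDocument JSON string). The sample records are constructed; the first two endpoint IDs are the ones used on this page, the other two are made up.

```python
"""Audit helper that flags Amazon VPC endpoints whose policy grants access to everyone.

Added example, not part of the Conformity page. The input mirrors the shape of
`aws ec2 describe-vpc-endpoints` output: a list of endpoint dicts, each with a
VpcEndpointId and a PolicyDocument (a JSON string). The sample data below is
constructed; the first two endpoint IDs are the ones used on the page.
"""
import json


def _principal_is_everyone(principal):
    """True when a Principal element means "anyone": "*", {"AWS": "*"} or {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def exposed_statements(policy_document):
    """Return the Allow statements that grant everyone access and carry no Condition clause.

    This is exactly the page's rule: Principal "*" (or {"AWS": "*"}) with no Condition.
    A Condition that is present but too weak still passes; review those by hand.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the list wrapper
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_everyone(s.get("Principal"))
        and not s.get("Condition")
    ]


def find_exposed_endpoints(vpc_endpoints):
    """Return the IDs of endpoints whose policy is fully accessible (the "Full Access" case)."""
    return [
        ep["VpcEndpointId"]
        for ep in vpc_endpoints
        if exposed_statements(ep.get("PolicyDocument") or "{}")
    ]


# Constructed sample in describe-vpc-endpoints shape (PolicyDocument is a JSON string).
SAMPLE_ENDPOINTS = [
    {   # default "Full Access" policy: exposed
        "VpcEndpointId": "vpce-0abcd1234abcd1234",
        "PolicyDocument": json.dumps({"Statement": [
            {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}]}),
    },
    {   # wildcard principal but filtered by a Condition: not flagged
        "VpcEndpointId": "vpce-01234abcd1234abcd",
        "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Action": "*", "Effect": "Allow", "Resource": "arn:aws:s3:::cc-internal-bucket/*",
             "Principal": {"AWS": "*"},
             "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}}}]}),
    },
    {   # specific IAM user as principal: not flagged
        "VpcEndpointId": "vpce-0aaaa1111bbbb2222",
        "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Action": "*", "Effect": "Allow", "Resource": "arn:aws:s3:::cc-internal-bucket/*",
             "Principal": {"AWS": ["arn:aws:iam::123456789012:user/cc-s3-manager"]}}]}),
    },
    {   # single statement without list wrapper, {"AWS": ["*"]} variant: exposed
        "VpcEndpointId": "vpce-0cccc3333dddd4444",
        "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement":
            {"Action": "s3:GetObject", "Effect": "Allow", "Resource": "*", "Principal": {"AWS": ["*"]}}}),
    },
]

if __name__ == "__main__":
    for endpoint_id in find_exposed_endpoints(SAMPLE_ENDPOINTS):
        print(f"{endpoint_id}: policy is fully accessible (Principal '*' with no Condition)")
```

To run it against a live account, feed find_exposed_endpoints the VpcEndpoints list from describe-vpc-endpoints for each region in turn. Note that the check is deliberately as narrow as the page's rule: a statement with a wildcard Principal and any Condition is not flagged, so the Condition still needs a human to confirm it actually limits access to trusted entities.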
Remediation / Resolution
To restrict access for your exposed Amazon VPC endpoints, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Restrict Access via Access Control Policy (Allow Access from Trusted Entities Only)",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default"
      }
    },
    "S3GatewayEndpoint": {
      "Type": "AWS::EC2::VPCEndpoint",
      "Properties": {
        "VpcId": {
          "Ref": "AWSVPCNetwork"
        },
        "ServiceName": {
          "Fn::Sub": "com.amazonaws.${AWS::Region}.s3"
        },
        "VpcEndpointType": "Gateway",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::123456789012:user/cc-s3-manager"
                ]
              },
              "Action": "*",
              "Resource": [
                "arn:aws:s3:::cc-internal-bucket/*"
              ]
            }
          ]
        }
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Restrict Access via Access Control Policy (Allow Access from Trusted Entities Only)
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref 'AWSVPCNetwork'
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/cc-s3-manager
            Action: '*'
            Resource:
              - arn:aws:s3:::cc-internal-bucket/*
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  instance_tenancy     = "default"
}

resource "aws_vpc_endpoint" "s3-gateway-endpoint" {
  vpc_id            = aws_vpc.aws-vpc-network.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  # Restrict Access via Access Control Policy (Allow Access from Trusted Entities Only)
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::123456789012:user/cc-s3-manager"
          ]
        },
        "Action" : "*",
        "Resource" : [
          "arn:aws:s3:::cc-internal-bucket/*"
        ]
      }
    ]
  })
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.
03 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Endpoints.
04 Select the Amazon VPC endpoint that you want to reconfigure.
05 Select the Policy tab from the console bottom panel and choose Edit Policy.
06 On the Edit Policy page, in the Policy section, select Custom and update the VPC endpoint policy by performing one of the following actions:
- Replace the "Everyone" grantee (i.e. '*' or { "AWS": "*" }) from the "Principal" element value with an AWS account ID (e.g. 123456789012), an AWS account ARN (e.g. arn:aws:iam::123456789012:root), or an IAM user ARN (e.g. arn:aws:iam::123456789012:user/cc-vpce-manager). Choose Save to apply the policy changes.
- Add a "Condition" clause to the policy statement to filter the endpoint access to specific, trusted entities. Choose Save to apply the changes.
07 Repeat steps no. 4 – 6 to update the access policy for other VPC endpoints available within the current AWS region.
08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Edit your VPC endpoint access policy and restrict access to specific, trusted entities only. Save the updated policy document to a JSON file named cc-vpce-access-policy.json. The following example describes a policy document that grants access to an IAM user identified by the ARN arn:aws:iam::123456789012:user/cc-vpce-manager to perform any actions on the services supported by the selected VPC endpoint:
{
  "Id": "VPCEndpointAccessPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::cc-internal-bucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/cc-vpce-manager"
        ]
      }
    }
  ]
}
02 Run modify-vpc-endpoint command (OSX/Linux/UNIX) using the ID of the VPC endpoint that you want to reconfigure as the identifier parameter, to replace the existing endpoint policy with the one defined at the previous step, i.e. cc-vpce-access-policy.json:
aws ec2 modify-vpc-endpoint --region us-east-1 --vpc-endpoint-id vpce-0abcd1234abcd1234 --policy-document file://cc-vpce-access-policy.json
03 The command output should return true if the command request succeeds, otherwise it should return an error:
{ "Return": true }
04 Repeat steps no. 1 – 3 to update the access policy for other VPC endpoints available in the selected AWS region.
05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
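The console and CLI remediation steps above offer two ways to close an exposed endpoint policy: replace the "Everyone" grantee in "Principal" with trusted principals, or keep the wildcard and add a "Condition" clause that filters callers. The script below is an added example, not code from the Conformity page or from AWS; it implements both options on a policy document and writes the result to the cc-vpce-access-policy.json file that the modify-vpc-endpoint step consumes. The exposed policy, endpoint ID, account ID and IAM user ARN come from this page; the condition uses the aws:PrincipalAccount global condition key, which is a real key but not one the page itself mentions.

```python
"""Remediation helper: turn an exposed VPC endpoint policy into a restricted one.

Added example, not part of the Conformity page. It implements the two options the
page gives: replace the "everyone" grantee with trusted principals, or keep the
wildcard Principal and add a Condition limiting callers to trusted AWS accounts
(via the aws:PrincipalAccount global condition key, which the page does not name).
The exposed policy, account ID, user ARN and file name are the ones on the page.
"""
import copy
import json

# Policy document as returned by `describe-vpc-endpoints` for the exposed endpoint on the page.
EXPOSED_POLICY = {
    "Statement": [
        {"Action": "*", "Effect": "Allow",
         "Resource": "arn:aws:s3:::cc-internal-bucket/*", "Principal": "*"}
    ]
}

TRUSTED_USER_ARN = "arn:aws:iam::123456789012:user/cc-vpce-manager"
TRUSTED_ACCOUNT_ID = "123456789012"


def _statements(policy):
    """Return the policy's statements as a list (a single statement may appear without one)."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def _grants_everyone(statement):
    """True for an Allow statement whose Principal is "*", {"AWS": "*"} or {"AWS": ["*"]}."""
    principal = statement.get("Principal")
    return statement.get("Effect") == "Allow" and (
        principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])))


def replace_everyone_principal(policy, trusted_principals):
    """Option 1: rewrite every wildcard Allow so only the given ARNs / account IDs are principals."""
    new_policy = copy.deepcopy(policy)
    new_policy.setdefault("Version", "2012-10-17")
    new_policy["Statement"] = _statements(new_policy)
    for statement in new_policy["Statement"]:
        if _grants_everyone(statement):
            statement["Principal"] = {"AWS": list(trusted_principals)}
    return new_policy


def add_account_condition(policy, trusted_account_ids):
    """Option 2: keep "*" but require the caller to belong to one of the trusted accounts."""
    new_policy = copy.deepcopy(policy)
    new_policy.setdefault("Version", "2012-10-17")
    new_policy["Statement"] = _statements(new_policy)
    for statement in new_policy["Statement"]:
        if _grants_everyone(statement) and not statement.get("Condition"):
            statement["Condition"] = {
                "StringEquals": {"aws:PrincipalAccount": list(trusted_account_ids)}}
    return new_policy


def still_exposed(policy):
    """True if any Allow statement still grants everyone access without a Condition clause."""
    return any(_grants_everyone(s) and not s.get("Condition") for s in _statements(policy))


def write_policy_file(policy, path="cc-vpce-access-policy.json"):
    """Write the policy so it can be passed as --policy-document file://<path>; returns the path."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    restricted = replace_everyone_principal(EXPOSED_POLICY, [TRUSTED_USER_ARN])
    assert not still_exposed(restricted)
    path = write_policy_file(restricted)
    print(f"wrote {path}; apply it with:")
    print("aws ec2 modify-vpc-endpoint --region us-east-1 "
          "--vpc-endpoint-id vpce-0abcd1234abcd1234 --policy-document file://" + path)
```

Both options leave "Action": "*" in place, as the page's own remediation policy does; the rule is about who may call the endpoint, not what they may do, so narrowing the actions is a separate hardening step. Prefer option 1 when the trusted callers are a short, stable list of principals, and option 2 when everything in trusted accounts should keep working without enumerating every role.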
References
- AWS Documentation
  - Amazon VPC FAQs
  - AWS PrivateLink concepts
  - Identity and access management for Amazon VPC
  - AWS Policy Generator
- AWS Blog
  - New – VPC Endpoint for Amazon S3
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-vpc-endpoints
    - modify-vpc-endpoint
- CloudFormation Documentation
  - AWS::EC2::VPCEndpoint
- Terraform Documentation
  - AWS Provider