Ensure AWS VPC endpoints are not exposed

Error: AWS VPC endpoints are exposed

Bridgecrew Policy ID: BC_AWS_NETWORKING_9
Severity: MEDIUM

AWS VPC endpoints are exposed


When creating a VPC endpoint, it is set up with the following policy by default:

 “Version”: “2008-10-17",
 “Statement”: [
   “Effect”: “Allow”,
   “Principal”: “*”,
   “Action”: “*”,
   “Resource”: “*”

This policy allows any resource in the VPC full access to the service behind the endpoint, for example, S3, DynamoDB.

We recommend you limiting this policy and adopting the principle of least privilege access management to reduce the risk of accidental changes and unintended disclosure of highly privileged data.

Fix - Runtime

AWS Console

  1. Login to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to Services > VPC.
  3. Select Endpoints.
  4. Select the Endpoint to be remediated.
  5. Edit the Endpoint policy and limit the principal and/or the actions and/or the resources in the statement.