AWS VPC endpoints are exposed
Description
When creating a VPC endpoint, it is set up with the following policy by default:
    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }
This policy allows any principal that reaches the endpoint from inside the VPC full access to the service behind it, for example S3 or DynamoDB.
We recommend limiting this policy and adopting the principle of least privilege to reduce the risk of accidental changes and unintended disclosure of highly privileged data.
Fix - Runtime
AWS Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Navigate to Services > VPC.
- Select Endpoints.
- Select the Endpoint to be remediated.
- Edit the Endpoint policy and limit the principal, the actions, and/or the resources in the statement to what is actually required.
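As an added example (not part of this check's own documentation), the following Python places the default wide-open policy quoted above beside a least-privilege replacement for an S3 endpoint, and implements a small check that flags any Allow statement with the default "anyone, anything, anywhere" shape. The account id, role name and bucket name in the restricted policy are constructed placeholders.

```python
import json

# Default policy attached to a new VPC endpoint, as quoted on this page.
DEFAULT_ENDPOINT_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
  ]
}
""")

# Least-privilege replacement for an S3 gateway endpoint: one named role,
# read-only actions, one bucket. Account id, role and bucket are placeholders.
RESTRICTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppReaderReadOnlyOnOneBucket",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"],
        }
    ],
}


def _as_list(value):
    # Policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _is_wildcard(element):
    # True for "*" or for {"AWS": "*"}, the two spellings of "any principal".
    if isinstance(element, dict):
        return any(_is_wildcard(v) for v in element.values())
    return any(v == "*" for v in _as_list(element))


def wide_open_statements(policy):
    # Return the Sid (or list index) of every Allow statement that grants
    # any principal any action on any resource, i.e. the default endpoint shape.
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if all(_is_wildcard(stmt.get(key, [])) for key in ("Principal", "Action", "Resource")):
            findings.append(stmt.get("Sid", str(idx)))
    return findings
```

Run `wide_open_statements` over the policy document returned for each endpoint to find those still carrying the default; the restricted policy above produces no findings.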