
VPC Endpoint Unknown Cross Account Access

Security

Risk level: Medium (should be achieved)

Ensure that all your AWS VPC endpoints are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access. Prior to running this rule by the Cloud Conformity engine you need to provide the friendly accounts identifiers represented by a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).

This rule resolution is part of the Cloud Conformity Security Package

Using overly permissive policies that allow unknown cross account access to your Amazon VPC endpoints can lead to data exposure, data loss and/or unexpected charges on your AWS bill.

Audit

To determine if there are AWS VPC endpoints that allow unknown cross account access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Endpoints.

04 Select the VPC endpoint that you want to examine.

05 Select the Policy tab from the dashboard bottom panel.

06 Inside the VPC endpoint access policy box, identify the AWS account ID (e.g. 123456789012) or the AWS account ARN (e.g. arn:aws:iam::123456789012:root) defined as value(s) for the policy Principal element.

07 Sign in to your Cloud Conformity console, access the VPC Endpoint Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If the identifier found within the access policy does not match any of the trusted account entities listed on your Cloud Conformity console, the cross account access to the selected VPC endpoint is not secured.

08 Repeat steps no. 4 - 7 to verify the access policy of the other VPC endpoints created in the current region for unknown cross account access entities (AWS account IDs/ARNs).

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-vpc-endpoints command (OSX/Linux/UNIX) to retrieve the list with the IDs of all VPC endpoints available in the selected region:

aws ec2 describe-vpc-endpoints \
    --region us-east-1 \
    --output table \
    --query 'VpcEndpoints[*].VpcEndpointId'

02 The command output should return the requested IDs:

----------------------
|DescribeVpcEndpoints|
+--------------------+
|   vpce-6b67a502    |
|   vpce-ca20a5e6    |
+--------------------+

03 Run again describe-vpc-endpoints command (OSX/Linux/UNIX) to list the selected VPC endpoint policy using its ID as identifier:

aws ec2 describe-vpc-endpoints \
    --region us-east-1 \
    --vpc-endpoint-ids vpce-6b67a502 \
    --query 'VpcEndpoints[*].PolicyDocument'

04 The command output should return the VPC endpoint policy document in JSON format:

{
  "Id": "VPCECrossAccountAccessPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root"
        ]
      }
    }
  ]
}

05 Identify the AWS account ID or ARN defined as value(s) for the Principal element listed in the access policy returned at the previous step.

06 Log in to your Cloud Conformity console, access the VPC Endpoint Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If the identifier found within the access policy does not match any of the trusted entities listed on your Cloud Conformity console, the cross account access to the selected VPC endpoint is not secured.

07 Repeat steps no. 3 - 6 to verify the access policy of the other VPC endpoints available in the current region for unknown cross account access entities.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.
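The comparison in steps 3 to 6 can be automated once the policy document is in hand. The following is an added example, not Cloud Conformity's own code: it parses the PolicyDocument string returned by describe-vpc-endpoints, reduces every principal granted by an Allow statement to its account ID (root, user or role ARNs and bare account IDs alike) and reports any account, or a bare "*" wildcard, that is missing from the trusted list. The sample policy and the trusted list are constructed for the example.

```python
import json
import re

# An IAM ARN carries the owning account as its fifth field (arn:partition:iam::ACCOUNT:...).
_ARN_ACCOUNT = re.compile(r"^arn:[^:]*:iam::(\d{12}):")
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def account_of(principal):
    """Reduce a principal value to its AWS account ID; '*' stays '*' (anyone)."""
    if principal == "*" or _ACCOUNT_ID.match(principal):
        return principal
    match = _ARN_ACCOUNT.match(principal)
    return match.group(1) if match else principal  # unknown form stays as-is and shows up as untrusted


def allowed_principals(policy):
    """Collect every 'AWS' principal granted by an Allow statement (Deny grants nothing)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    found = set()
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        if principal == "*":  # bare wildcard: any AWS account, including anonymous callers
            found.add("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        found.update([aws] if isinstance(aws, str) else aws)
    return found


def untrusted_accounts(policy_document, trusted):
    """Accounts (or '*') the endpoint policy allows that are not on the trusted list."""
    trusted_ids = {account_of(t) for t in trusted}
    policy = json.loads(policy_document)  # describe-vpc-endpoints returns PolicyDocument as a JSON string
    return {account_of(p) for p in allowed_principals(policy)} - trusted_ids


# Constructed sample: the policy document shown in the audit section, as the CLI would return it.
SAMPLE_POLICY = json.dumps({
    "Id": "VPCECrossAccountAccessPolicy", "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*",
                   "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]}}],
})
# Constructed trusted list, in the ID or root-ARN form the rule settings accept.
TRUSTED = ["arn:aws:iam::501639253142:root"]

if __name__ == "__main__":
    print(untrusted_accounts(SAMPLE_POLICY, TRUSTED))  # {'123456789012'}
```

An empty result means every principal the policy grants is on the trusted list; a "*" in the result means the endpoint is open to any AWS account regardless of the list.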

Remediation / Resolution

To update your Amazon VPC endpoints policy in order to allow cross account access only from trusted entities, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Endpoints.

04 Select the VPC endpoint that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Edit Policy to update the endpoint policy.

06 Inside the Edit Policy dialog box, select Custom and update the access policy by replacing the existing (untrusted) AWS identifier(s) defined as the Principal element value(s) with the trusted one(s), defined on your Cloud Conformity console.

07 Click Save Policy to apply the new permissions.

08 Repeat steps no. 4 - 7 to update the access policy for other VPC endpoints available in the current region in order to block requests from any unauthorized AWS accounts.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Edit your Amazon VPC endpoint access policy and replace the untrusted AWS identifier(s) with the trusted one(s) then save the policy in a JSON document (e.g. vpce-cross-account-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example contains a VPC endpoint policy document that allows access to another (friendly) AWS account identified by the ARN arn:aws:iam::501639253142:root to perform actions to any AWS resources supported by the selected endpoint (e.g. Amazon S3 buckets):

{
  "Id": "VPCECrossAccountAccessPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::501639253142:root"
        ]
      }
    }
  ]
}

02 Run modify-vpc-endpoint command (OSX/Linux/UNIX) using the ID of the VPC endpoint that you want to reconfigure (see Audit section part II to identify the right VPC resource) to replace the existing access policy with the one defined at the previous step, i.e. vpce-cross-account-access-policy.json:

aws ec2 modify-vpc-endpoint \
    --region us-east-1 \
    --vpc-endpoint-id vpce-6b67a502 \
    --policy-document file://vpce-cross-account-access-policy.json

03 The command output should return true if the request succeeds, otherwise it should return an error:

{
    "Return": true
}

04 Repeat steps no. 1 - 3 to update the access policy for other VPC endpoints created in the current region in order to block requests from unauthorized cross account entities.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire process for other regions.


Publication date Jan 7, 2017