Ensure that Amazon Virtual Private Cloud (VPC) endpoints are being used so that your VPC connects securely to other AWS services and VPC endpoint services without the need for an Internet Gateway (IGW), NAT device, VPN connection or AWS Direct Connect connection. A VPC endpoint is a virtual device that is horizontally scaled, redundant and highly available; it provides communication between EC2 instances within your Virtual Private Cloud and other supported AWS services without introducing availability risks or bandwidth constraints on your network traffic. The EC2 instances in your VPC do not require public IP addresses, and the traffic between these resources and the supported AWS services does not leave the Amazon Web Services network. There are two types of VPC endpoints that you can use, depending on the AWS service to be reached – interface endpoints and gateway endpoints:
- Interface endpoints use Elastic Network Interfaces (ENIs) with private IP addresses that are powered by AWS PrivateLink, a highly available and scalable technology that privately connects your VPC to supported AWS services, services hosted by other AWS accounts (also known as VPC endpoint services) and supported AWS Marketplace partner services. Each ENI acts as the entry point for traffic destined for a specific AWS service. The following services are supported:
  - Amazon API Gateway
  - AWS CloudFormation
  - Amazon CloudWatch
  - Amazon CloudWatch Events
  - Amazon CloudWatch Logs
  - AWS CodeBuild
  - AWS Config
  - Amazon EC2 API
  - AWS Elastic Load Balancing API
  - AWS Key Management Service
  - Amazon Kinesis Data Streams
  - Amazon SageMaker Runtime
  - AWS Secrets Manager
  - AWS Security Token Service
  - AWS Service Catalog
  - Amazon SNS
  - AWS Systems Manager
  - Endpoint services hosted by other AWS accounts
  - Supported AWS Marketplace partner services
- Gateway endpoints are targets for specific routes in the VPC route tables and are used for traffic destined for supported services. The following AWS services are supported:
  - Amazon DynamoDB
  - Amazon S3
VPC endpoints enable you to privately access specific AWS services from your own Amazon Virtual Private Cloud (VPC), without using public IP addresses and without requiring the traffic to travel across the Internet.
Note: VPC endpoints are only supported within the same AWS region. You cannot use an endpoint to connect an AWS service in one region to a VPC in a different region.
Audit
To determine if any VPC endpoints are being used within your AWS account, perform the following actions:
Remediation / Resolution
A VPC endpoint enables you to connect with particular AWS services that are outside your VPC network through a private link. To deploy and configure a VPC endpoint within your AWS account, perform the following actions:
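The following is an added worked example, not part of the original rule page or of any AWS tooling. It implements the audit described above (which VPCs in the account have no available endpoint) and assembles the request for the remediation described on this page, an interface endpoint to Elastic Load Balancing in us-east-1. The VPC, subnet, security group and endpoint IDs are constructed sample values; the only real names used are the boto3 `ec2` client calls `describe_vpcs`, `describe_vpc_endpoints` and `create_vpc_endpoint`, and the AWS service-name format `com.amazonaws.<region>.<service>`.

```python
"""Audit VPC endpoint usage and build the create_vpc_endpoint request.

Added example: the audit functions are pure and run offline on the JSON
shape returned by `aws ec2 describe-vpcs` / `describe-vpc-endpoints`;
`live_audit` applies them to a real account via boto3.
"""

# Constructed sample output (IDs are made up, not from the original page).
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa111"}, {"VpcId": "vpc-0bbb222"}]}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0123", "VpcId": "vpc-0aaa111",
     "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
    # Still being created: it does not carry traffic yet, so it must not
    # make the VPC look compliant.
    {"VpcEndpointId": "vpce-0456", "VpcId": "vpc-0aaa111",
     "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kms", "State": "pending"},
]}


def endpoints_by_vpc(vpcs, endpoints):
    """Map every VPC ID to its *available* endpoints as (type, service) tuples."""
    result = {v["VpcId"]: [] for v in vpcs["Vpcs"]}
    for ep in endpoints["VpcEndpoints"]:
        if ep.get("State") != "available":
            continue
        result.setdefault(ep["VpcId"], []).append(
            (ep["VpcEndpointType"], ep["ServiceName"]))
    return result


def vpcs_without_endpoints(vpcs, endpoints):
    """VPC IDs that fail the 'VPC Endpoints In Use' check."""
    return sorted(v for v, eps in endpoints_by_vpc(vpcs, endpoints).items()
                  if not eps)


def service_name(region, service):
    """AWS endpoint service name, e.g. com.amazonaws.us-east-1.elasticloadbalancing."""
    return f"com.amazonaws.{region}.{service}"


def interface_endpoint_request(vpc_id, region, service, subnet_ids, security_group_ids):
    """Keyword arguments for boto3 ec2.create_vpc_endpoint.

    An interface endpoint is an ENI, so it needs the subnet(s) to place it in
    and the security group(s) that control which instances may reach it.
    """
    if not subnet_ids or not security_group_ids:
        raise ValueError("interface endpoint needs >=1 subnet and >=1 security group")
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service_name(region, service),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        # Resolve the service's public DNS name to the endpoint's private IPs,
        # so existing SDK/CLI clients stay on the AWS network without changes.
        "PrivateDnsEnabled": True,
    }


def to_cli(request):
    """Render the same request as an `aws ec2 create-vpc-endpoint` command."""
    cmd = ("aws ec2 create-vpc-endpoint"
           f" --vpc-endpoint-type {request['VpcEndpointType']}"
           f" --vpc-id {request['VpcId']}"
           f" --service-name {request['ServiceName']}"
           f" --subnet-ids {' '.join(request['SubnetIds'])}"
           f" --security-group-ids {' '.join(request['SecurityGroupIds'])}")
    if request["PrivateDnsEnabled"]:
        cmd += " --private-dns-enabled"
    return cmd


def live_audit(region):
    """Run the same audit against a real account (boto3 needed only here)."""
    import boto3  # assumption: boto3 installed and credentials configured
    ec2 = boto3.client("ec2", region_name=region)
    vpcs = {"Vpcs": [v for page in ec2.get_paginator("describe_vpcs").paginate()
                     for v in page["Vpcs"]]}
    eps = {"VpcEndpoints": [e for page in
                            ec2.get_paginator("describe_vpc_endpoints").paginate()
                            for e in page["VpcEndpoints"]]}
    return vpcs_without_endpoints(vpcs, eps)


if __name__ == "__main__":
    for vpc_id in vpcs_without_endpoints(SAMPLE_VPCS, SAMPLE_ENDPOINTS):
        req = interface_endpoint_request(vpc_id, "us-east-1", "elasticloadbalancing",
                                         ["subnet-0c0ffee"], ["sg-0deadbeef"])
        print(f"{vpc_id}: no available VPC endpoint; remediation:\n  {to_cli(req)}")
```

Only endpoints in the `available` state count toward compliance, and the VPC is the unit of assessment, so a VPC that has an endpoint for S3 but none for KMS still passes this particular rule; a stricter per-service check would compare `endpoints_by_vpc` output against the list of services the VPC's workloads actually call. To apply the remediation for real, pass the returned dictionary to `boto3.client("ec2").create_vpc_endpoint(**request)`.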
Note: As an example, this conformity rule demonstrates how to create an interface VPC endpoint between a Virtual Private Cloud and the Elastic Load Balancing (ELB) service within the US East region. An interface endpoint is an Elastic Network Interface (ENI) that serves as an endpoint for communicating with a specified AWS service (in this case Amazon ELB). You can specify the subnet in which to create the endpoint and the security group(s) to associate with the endpoint network interface.
References
- AWS Documentation
  - Introducing AWS PrivateLink for AWS Services
  - What Is Amazon VPC?
  - VPC Endpoints
  - VPC Endpoint Services (AWS PrivateLink)
  - Using DNS with Your VPC
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-vpcs
    - describe-vpc-endpoints
    - create-vpc-endpoint
VPC Endpoints In Use
Risk level: Medium