Logo of Trend Micro

VPC Endpoints In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that Amazon Virtual Private Cloud (VPC) endpoints are being used to allow you to securely connect your VPC to other AWS services and VPC endpoint services without the need of an Internet Gateway (IGW), NAT device, VPN connection or an AWS Direct Connect connection. A VPC endpoint is a virtual device which is horizontally scaled, redundant and highly available, that provides communication between EC2 instances within your Virtual Private Cloud and other supported AWS services without introducing availability risks or bandwidth constraints on your network traffic. The EC2 instances available in your VPC do not require public IP addresses and the traffic between these resources and the supported AWS services does not leave the Amazon Web Services network. There are two types of VPC endpoints that you can use based on the AWS service supported – interface endpoints and gateway endpoints:

  1. Interface endpoints use Elastic Network Interfaces (ENIs) with private IP addresses that are powered by AWS PrivateLink, a highly available and scalable technology that privately connects your VPC to supported AWS services, services hosted by other AWS accounts (also known as VPC endpoint services) and supported AWS Marketplace partner services. Each ENI acts as the entry point for the traffic intended to a specific AWS service. The following services are supported:
    • Amazon API Gateway
    • AWS CloudFormation
    • Amazon CloudWatch
    • Amazon CloudWatch Events
    • Amazon CloudWatch Logs
    • AWS CodeBuild
    • AWS Config
    • Amazon EC2 API
    • AWS Elastic Load Balancing API
    • AWS Key Management Service
    • Amazon Kinesis Data Streams
    • Amazon SageMaker Runtime
    • AWS Secrets Manager
    • AWS Security Token Service
    • AWS Service Catalog
    • Amazon SNS
    • AWS Systems Manager
    • Endpoint services hosted by other AWS accounts
    • Supported AWS Marketplace partner services
    Gateway endpoints are gateways targeted for specific routes within the VPC route tables and used for traffic intended to supported services. The following AWS services are supported:
  • Amazon DynamoDB
  • Amazon S3
Security

VPC endpoints enables you to privately access specific AWS services from your own Amazon Virtual Private Cloud (VPC), without using public IP addresses and without requiring the traffic data to travel across the Internet.

Note: VPC endpoints are only supported within the same AWS region. You cannot use endpoints to connect an AWS service from one region to a VPC in a different region.

Audit

To determine if any VPC endpoints are being used within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click Endpoints.

05 On the Endpoints listing page, check for any VPC endpoints available in the current region. If there are no VPC endpoints listed on this page and the following message is displayed: "You do not have any Endpoints in this region.", there are no Amazon VPC endpoints deployed within the selected AWS region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) to list the IDs of all VPC networks available in the current AWS region: 

aws ec2 describe-vpcs
	--region us-east-1
	--output table --query 'Vpcs[*].VpcId'

02 The command output should return a table with the requested ID(s): 

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-aaaabbbb  |
|  vpc-abcdabcd  |
+----------------+

03 Run describe-vpc-endpoints command (OSX/Linux/UNIX) using the ID of the VPC network that you want to examine as identifier and custom query filters to describe the VPC endpoints created within the selected VPC: 

aws ec2 describe-vpc-endpoints
	--region us-east-1
	--filters Name=vpc-id,Values=vpc-aaaabbbb
	--query 'VpcEndpoints'

04 The command output should return the requested information (i.e. VPC endpoint(s) metadata): 

[]

If describe-vpc-endpoints command returns an empty array (i.e. []), as shown in the example above, there are no Amazon VPC endpoints deployed within the selected AWS region.

05 Repeat step no. 3 and 4 to check other Amazon VPCs for endpoints, available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 for other regions.

Remediation / Resolution

A VPC endpoint enables you to connect with particular AWS services that are outside your VPC network through a private link. To deploy and configure a VPC endpoint within your AWS account, perform the following actions:

Note: As example, this conformity rule demonstrates how to create an interface VPC endpoint between a Virtual Private Cloud and the Elastic Load Balancing (ELB) service within the US East region. An interface endpoint is an Elastic Network Interface (ENI) that serves as an endpoint for communicating with a specified AWS service (in this case Amazon ELB). You can specify the subnet in which to create the endpoint and the security group(s) to associate with the endpoint network interface.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under Virtual Private Cloud, click Endpoints.

04 Click Create Endpoint button from the dashboard top menu to start the setup process.

05 On Create Endpoint page, perform the following:

  1. From the Service category, choose AWS services to get a list with the supported AWS services in the selected region. Once the supported services list is available, select the AWS service that the new endpoint will connect to, in this case com.amazonaws.us-east-1.elasticloadbalancing.
  2. From VPC dropdown list select the ID of the VPC network in which you want to create your interface endpoint.
  3. Within Subnets configuration section, select the Availability Zones and their associated subnets in which to create the VPC endpoint network interfaces.
  4. For Enable Private DNS Name setting, choose whether or not to associate a private hosted zone with the VPC specified at step b.
  5. For Security group, click Create a new security group link to set up a new security group or use Select security groups button to list the security groups (SGs) available in the current region and select one or more SGs for the new endpoint.
  6. Click Create Endpoint to deploy your new VPC endpoint within the selected AWS region. If successful, the following confirmation message should be displayed: The following VPC Endpoint was created: VPC Endpoint ID <endpoint-id>. Click Close to return to the VPC Endpoints dashboard.

06 If required, repeat step no. 4 and 5 to deploy more interface endpoints within the selected Amazon Virtual Private Cloud.

07 Repeat steps no. 4 – 6 if you need to create new interface VPC endpoints in the selected AWS region.

08 Repeat step no. 5 and 6 if you need to create more Elastic IPs for NAT gateways that you want to deploy inside the selected Virtual Private Cloud (VPC).

09 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run create-vpc-endpoint command (OSX/Linux/UNIX) to create a new interface VPC endpoint. The following command example creates an interface VPC endpoint between a VPC identified by the ID "vpc-aaaabbbb" and the Elastic Load Balancing (ELB) service within the US East (N. Virginia) region. The endpoint is created in a VPC subnet identified by "subnet-abcd1234", and a security group identified by "sg-012345678aabbccdd" is associated with the endpoint network interface: 

aws ec2 create-vpc-endpoint
	--region us-east-1
	--vpc-id vpc-aaaabbbb
	--vpc-endpoint-type Interface
	--service-name com.amazonaws.us-east-1.elasticloadbalancing
	--subnet-id subnet-abcd1234
	--security-group-id sg-012345678aabbccdd

02 The command output should return the new Amazon VPC endpoint metadata: 

{
    "VpcEndpoint": {
        "VpcId": "vpc-aaaabbbb",
        "NetworkInterfaceIds": [
            "eni-01234abcd1234abcd"
        ],
        "SubnetIds": [
            "subnet-abcd1234"
        ],
        "PrivateDnsEnabled": true,
        "State": "pending",
        "ServiceName": "com.amazonaws.us-east-1.elasticloadbalancing",
        "RouteTableIds": [],
        "Groups": [
            {
                "GroupName": "project5-elb-sg",
                "GroupId": "sg-012345678aabbccdd"
            }
        ],
        "VpcEndpointId": "vpce-0abcdabcdabcdabcd",
        "VpcEndpointType": "Interface",
        "CreationTimestamp": "2018-10-19T15:39:20.942Z",
        "DnsEntries": [
            {
                "HostedZoneId": "AABBCCDDAABBC",
                "DnsName": "elasticloadbalancing.us-east-1.amazonaws.com"
            },
            {
                "HostedZoneId": "AAAABBBBCCCCD",
                "DnsName": "vpce-0abcdabcdabcdabcd-12345678.elasticloadbalancing.us-east-1.vpce.amazonaws.com"
            },
            {
                "HostedZoneId": "AAAABBBBCCCCD",
                "DnsName": "vpce-0abcdabcdabcdabcd-12345678-us-east-1a.elasticloadbalancing.us-east-1.vpce.amazonaws.com"
            }
        ]
    }
}

03 If required, repeat step no. 1 and 2 to deploy more interface endpoints in the selected Amazon VPC.

04 Repeat steps no. 1 – 3 if you need to create new interface VPC endpoints within the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.

References

Publication date Nov 5, 2018

Related VPC rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

VPC Endpoints In Use

Risk level: Medium