6.8 Ensure VPC Endpoints are used for access to AWS Services

Information

Ensure that Amazon VPCs use VPC endpoints (gateway or interface endpoints) for access to AWS services such as Amazon S3 and DynamoDB, so that traffic from workloads to AWS services stays on the Amazon private network instead of traversing the public internet. VPC endpoints provide private connectivity between VPCs and supported AWS services without requiring an internet gateway, NAT gateway, or public IP addresses.

Accessing AWS services over the public internet increases exposure to network-level threats, relies on internet routing, and makes it harder to tightly control egress paths. Using VPC endpoints allows workloads to reach AWS services over the Amazon private network, which reduces reliance on internet gateways and NAT gateways, simplifies egress filtering, and helps enforce data-perimeter and "private-only" patterns for sensitive workloads.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

In this example, we are going to add an S3 gateway endpoint and an SQS interface endpoint to a VPC. You can follow similar remediation steps for other services.

- Create S3 Gateway Endpoint

aws ec2 create-vpc-endpoint \
--region REGION \
--route-table-ids ROUTE_TABLE_ID \
--vpc-id VPC_ID \
--service-name com.amazonaws.REGION.s3 \
--vpc-endpoint-type Gateway \
--query "VpcEndpoint.VpcEndpointId" \
--output text
- Provide values for REGION, ROUTE_TABLE_ID, VPC_ID
- AWS automatically adds routes for the S3 prefix list to the route table provided in the above command.

- Verify that the gateway routes have been created correctly

aws ec2 describe-route-tables \
--region REGION --route-table-ids ROUTE_TABLE_ID \
--query "RouteTables[0].Routes[?DestinationPrefixListId=='pl-xxxxxxxx']"
- Provide values for REGION, ROUTE_TABLE_ID
- pl-xxxxxxxx: replace with the ID of the S3 prefix list for that region

- Create an SQS Interface Endpoint

aws ec2 create-vpc-endpoint \
--region REGION \
--vpc-id VPC_ID \
--service-name com.amazonaws.REGION.sqs \
--vpc-endpoint-type Interface \
--subnet-ids PRIVATE_SUBNET_1_ID PRIVATE_SUBNET_2_ID \
--security-group-ids SECURITY_GROUP_ID \
--policy-document VPC_ENDPOINT_POLICY \
--private-dns-enabled \
--query "VpcEndpoint.VpcEndpointId" \
--output text
- Provide values for REGION, VPC_ID, PRIVATE_SUBNET_1_ID, PRIVATE_SUBNET_2_ID
- SECURITY_GROUP_ID: the security group attached to the interface endpoint's network interfaces. Ensure it allows inbound HTTPS (TCP 443) traffic from your workloads.
- VPC_ENDPOINT_POLICY: a restrictive endpoint policy (JSON document, passed with --policy-document) that ensures only specific SQS queues can be reached and only specific actions can be performed through the endpoint.
- --private-dns-enabled makes the default SQS hostname (sqs.REGION.amazonaws.com) resolve to the endpoint's private IP addresses, so clients in the VPC need no --endpoint-url change; this requires DNS support and DNS hostnames to be enabled on the VPC.
- AWS automatically creates Elastic Network Interfaces (ENIs) for the interface endpoint in PRIVATE_SUBNET_1_ID and PRIVATE_SUBNET_2_ID, so traffic from those subnets destined for SQS is routed through the interface endpoint.

- Test and validate endpoint connectivity from an EC2 instance in a private subnet:

- Test S3 (gateway endpoint)

aws s3 ls s3://your-test-bucket --region REGION
- Test SQS (interface endpoint)

aws sqs list-queues --region REGION
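As an added example (not part of the benchmark or the Nessus plugin), the check this page says Nessus does not perform can be scripted: the function below takes the JSON returned by aws ec2 describe-vpcs and aws ec2 describe-vpc-endpoints (or the boto3 equivalents) and reports VPCs without S3/DynamoDB gateway endpoints, endpoints that are not yet available, and endpoints still carrying the default full-access endpoint policy. All VPC, endpoint and bucket identifiers in the sample data are constructed.

```python
import json

REQUIRED_GATEWAY_SERVICES = ("s3", "dynamodb")  # reached over gateway endpoints per the control

def _wildcard(value):
    # Principal may be a dict such as {"AWS": "*"}; Action/Resource a string or list.
    if isinstance(value, dict):
        value = list(value.values())
    return value == "*" or (isinstance(value, list) and "*" in value)

def is_unrestricted_policy(policy_json):
    """True for the default full-access endpoint policy, or when none is attached."""
    if not policy_json:
        return True
    return any(stmt.get("Effect") == "Allow"
               and all(_wildcard(stmt.get(k)) for k in ("Principal", "Action", "Resource"))
               for stmt in json.loads(policy_json).get("Statement", []))

def audit_vpc_endpoints(vpcs, endpoints):
    """Return {vpc_id: [finding, ...]}; an empty list means the VPC passes the control."""
    findings = {v["VpcId"]: [] for v in vpcs["Vpcs"]}
    gateways = {vpc_id: set() for vpc_id in findings}
    for ep in endpoints["VpcEndpoints"]:
        vpc_id, ep_id = ep["VpcId"], ep["VpcEndpointId"]
        service = ep["ServiceName"].rsplit(".", 1)[-1]  # com.amazonaws.REGION.s3 -> s3
        out = findings.setdefault(vpc_id, [])
        if ep["State"] != "available":
            out.append(f"endpoint {ep_id} ({service}) is in state '{ep['State']}'")
        if is_unrestricted_policy(ep.get("PolicyDocument")):
            out.append(f"endpoint {ep_id} ({service}) uses an unrestricted endpoint policy")
        if ep["VpcEndpointType"] == "Gateway":
            gateways.setdefault(vpc_id, set()).add(service)
    for vpc_id, seen in gateways.items():
        for service in sorted(set(REQUIRED_GATEWAY_SERVICES) - seen):
            findings[vpc_id].append(f"no Gateway endpoint for {service}")
    return findings

# Constructed sample responses (not captured from a real account).
FULL_ACCESS = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
SCOPED = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
                                    "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}]}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0001", "VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "PolicyDocument": SCOPED},
    {"VpcEndpointId": "vpce-0002", "VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "PolicyDocument": FULL_ACCESS},
    {"VpcEndpointId": "vpce-0003", "VpcId": "vpc-0bbb", "VpcEndpointType": "Interface", "State": "pending",
     "ServiceName": "com.amazonaws.us-east-1.sqs", "PolicyDocument": SCOPED},
]}
```

Running audit_vpc_endpoints(SAMPLE_VPCS, SAMPLE_ENDPOINTS) flags the DynamoDB endpoint's default policy in vpc-0aaa and, for vpc-0bbb, the pending SQS endpoint plus both missing gateway endpoints.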

Impact:

Enforcing the use of VPC endpoints may require changes to existing network architectures, including creating and managing endpoints in each VPC, updating route tables, adjusting security groups, and potentially removing or tightening some internet/NAT gateway paths. This can introduce additional operational overhead and cost (per-endpoint charges for interface endpoints) and may require updates to IaC templates and deployment pipelines.

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7

Plugin: amazon_aws

Control ID: ce7a6c7d9cb10b2c38359bbcb37b3ea4601b64f4c2ab1a9030c3f62a705aec75