lacework-global-147
AWS VPC endpoints should not be exposed
Description
When creating a VPC endpoint, the default policy choice is 'Full access', which allows any IAM user or service within the VPC to use the endpoint. The resulting endpoint policy is:
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
Remediation
Log in to the AWS Management Console.
Select Services.
Select VPC.
Select Endpoints.
Select the Endpoint to edit.
Select the Policy tab.
Select Edit Policy.
Add or update the custom policy, specifying a Principal that does not give access to all users.
Select Save.
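As an added example (not part of the Lacework policy text), the following Python check flags the default full-access endpoint policy shown above and passes a policy whose Principal is scoped to a specific role. The account id, role name and bucket name in the scoped policy are constructed placeholders, and treating a wildcard Principal that carries a Condition as "not exposed" is a deliberate simplification of this check.

```python
import json

# The default 'Full access' policy quoted on the page.
DEFAULT_FULL_ACCESS = json.dumps({
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
    ]
})

# Constructed example of a remediated policy: only one role in one (placeholder)
# account may call one action on one resource through the endpoint.
SCOPED_EXAMPLE = json.dumps({
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ]
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (or any key mapping to "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def exposed_statements(policy_document):
    """Return identifiers of Allow statements that grant access to every principal."""
    policy = json.loads(policy_document)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "Condition" in stmt:
            continue  # simplification: a conditioned wildcard is not flagged here
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def is_exposed(policy_document):
    """True when the endpoint policy still grants access to any principal."""
    return bool(exposed_statements(policy_document))
```

In practice the policy string comes from the endpoint's PolicyDocument field (EC2 DescribeVpcEndpoints), so the same function can be run over every endpoint in an account.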