
lacework-global-147

AWS VPC endpoints should not be exposed

Description

When creating a VPC endpoint, the default policy choice is 'full access': the policy below allows any IAM user or service within the VPC to perform any action on any resource through the endpoint.

    {
      "Statement": [
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": "*",
          "Principal": "*"
        }
      ]
    }

Remediation

  1. Log in to the AWS Management Console.

  2. Select Services.

  3. Select VPC.

  4. Select Endpoints.

  5. Select the Endpoint to edit.

  6. Select the Policy tab.

  7. Select Edit Policy.

  8. Add or update the custom policy, specifying a Principal that does not give access to all users.

  9. Select Save.
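As an added example (not part of the Lacework page), the default full-access policy from the description next to a restricted policy of the kind step 8 asks for, with a small check that flags statements matching the default. The account ID, role name and bucket name in the restricted policy are placeholders, not values from this page; the check does not evaluate Condition blocks, so a conditioned "Principal": "*" statement is still reported for review.

```python
import json

# Constructed sample: the default VPC endpoint policy shown in the description.
DEFAULT_FULL_ACCESS = json.loads("""{
  "Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
  ]
}""")

# Constructed sample of a restricted policy. The account ID, role and bucket
# are placeholders (assumptions), not values from the Lacework page.
RESTRICTED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    }
  ]
}""")


def _as_list(value):
    """Normalise a policy element that may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when the Principal element grants to every identity ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def open_statements(policy):
    """Indices of Allow statements granting any action on any resource to any
    principal, i.e. statements equivalent to the default full-access policy.
    Condition blocks are deliberately not evaluated (conservative)."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anyone(stmt.get("Principal"))
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            hits.append(i)
    return hits


def is_exposed(policy):
    """True when the endpoint policy still contains a default-style statement."""
    return bool(open_statements(policy))
```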