🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢

• Contextual name: 🛡️ VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢
• ID: /ce/ca/aws/vpc/no-ec2-vpc-endpoint
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS VPC
  • 🔌 AWS VPC Endpoint - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service

Description

Open File

Description

This policy identifies Amazon VPCs that are not configured with a VPC endpoint for the Amazon EC2 service. A VPC endpoint enables private connectivity between your VPC and supported AWS services without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connect.

Rationale

Using VPC endpoints for services such as EC2 enhances security by ensuring all traffic between your VPC and the EC2 service remains within the AWS network. This prevents data exposure to the public internet, reducing the risk of interception and external attacks. Additionally, it improves reliability and helps maintain consistent network performance.

Impact

Provisioning VPC endpoints may result in additional costs. Charges apply for each hour an interface VPC endpoint is active in an Availability Zone, as well as per GB of data processed.

Audit

This policy flags an AWS VPC as INCOMPLIANT if it contains at least one EC2 Instance but does not contain an active VPC Endpoint with Endpoint Service ID set to ec2.

... see more

Remediation

Open File

Remediation

From Command Line

Create the VPC Endpoint

aws ec2 create-vpc-endpoint \
    --vpc-id {{vpc-id}} \
    --service-name com.amazonaws.{{region}}.ec2 \
    --subnet-ids {{subnet-id1}} {{subnet-id2}} \
    --security-group-ids {{security-group-id}}

Using CloudFormation

• CloudFormation template (YAML):

AWSTemplateFormatVersion: 2010-09-09
Description: Create EC2 VPC Endpoint

Parameters:
  VpcId:
    Type: String
    Description: The ID of the VPC where the endpoint will be created.
  SubnetIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of subnet IDs for the VPC endpoint.
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of security group IDs to associate with the VPC endpoint.

Resources:
  EC2VpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2"
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds: !Ref SecurityGroupIds

Outputs:
  VpcEndpointId:
    Description: The ID of the created VPC endpoint

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service			1		no data
💼 Cloudaware Framework → 💼 Secure Access			75		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79		no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			19		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84		no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			19		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			19		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			19		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			31		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		19		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			19		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37		no data