Description:
A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud in which AWS resources run inside a virtual network that you define. You control the virtual networking environment by choosing your own IP address range, creating subnets, and configuring route tables and network gateways. It supports both IPv4 and IPv6 addressing.
A VPC endpoint lets you connect privately from your VPC to supported AWS services and to VPC endpoint services powered by PrivateLink, without requiring an internet gateway, NAT device, or VPN connection. It is a virtual device. It allows communication between instances in your VPC and the service without imposing availability risks or bandwidth constraints on your network traffic.
AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses.
Rationale:
VPC endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks.
This policy checks whether a service endpoint for the service given in the rule parameter exists in each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC does not have a VPC endpoint created for that service.
Impact:
VPC endpoints enable you to privately access AWS services from your own Amazon Virtual Private Cloud (VPC). With VPC endpoints, VPC resources no longer need to traverse the internet to reach a particular service, which protects data from being unnecessarily exposed to the internet and helps secure network traffic.
Default Value:
By default, the VPC endpoint is not enabled or not created.
Pre-Requisite:
When creating a VPC endpoint, the endpoint policy must be valid JSON. If this parameter is not specified, a default policy that allows full access to the service is attached.
Before creating a VPC endpoint, make sure you have a VPC with multiple subnets.
You must have a security group for the endpoint.
Remediation:
Test Plan:
Go to AWS Management Console
Go to the VPC dashboard at https://console.aws.amazon.com/vpc
In the left navigation pane click on Endpoints
If no endpoint exists in the VPC for the service, the endpoint is not enabled.
Using AWS CLI:
To describe your VPC endpoints
aws ec2 describe-vpc-endpoints \
--region us-east-1 \
--filters Name=vpc-id,Values=vpc-xxxyyyzz \
--query 'VpcEndpoints'
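The rule logic described under Rationale and checked by hand in the Test Plan above, as an added example that is not part of this page: it evaluates each VPC against the describe-vpc-endpoints output for one service name. The sample data is constructed; it is shaped like the CLI's JSON output, and the check additionally requires the endpoint to be in the "available" state, which is an assumption stricter than "created".

```python
"""Evaluate the 'VPC endpoint exists in every VPC' rule for one service name."""
import json
import subprocess

# Constructed sample shaped like `aws ec2 describe-vpcs --query 'Vpcs'`.
SAMPLE_VPCS = [{"VpcId": "vpc-0aaa111"}, {"VpcId": "vpc-0bbb222"}]

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints --query 'VpcEndpoints'`.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0111", "VpcId": "vpc-0aaa111",
     "ServiceName": "com.amazonaws.us-east-1.cloudtrail",
     "VpcEndpointType": "Interface", "State": "available"},
    # Not yet usable: an endpoint still pending acceptance carries no traffic.
    {"VpcEndpointId": "vpce-0222", "VpcId": "vpc-0bbb222",
     "ServiceName": "com.amazonaws.us-east-1.cloudtrail",
     "VpcEndpointType": "Interface", "State": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0333", "VpcId": "vpc-0bbb222",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
]


def evaluate(vpcs, endpoints, service_name):
    """Return {vpc_id: 'COMPLIANT' | 'NON_COMPLIANT'} for the given service name.

    Only endpoints in state 'available' count (assumption): a pending, failed
    or rejected endpoint does not yet route traffic privately.
    """
    covered = {e["VpcId"] for e in endpoints
               if e["ServiceName"] == service_name and e["State"] == "available"}
    return {v["VpcId"]: ("COMPLIANT" if v["VpcId"] in covered else "NON_COMPLIANT")
            for v in vpcs}


def fetch_from_aws(region):
    """Pull live data with the AWS CLI (needs credentials); unused by the sample run."""
    def cli(*args):
        proc = subprocess.run(["aws", "ec2", *args, "--region", region, "--output", "json"],
                              check=True, capture_output=True, text=True)
        return json.loads(proc.stdout)
    return cli("describe-vpcs")["Vpcs"], cli("describe-vpc-endpoints")["VpcEndpoints"]


if __name__ == "__main__":
    service = "com.amazonaws.us-east-1.cloudtrail"
    for vpc_id, status in evaluate(SAMPLE_VPCS, SAMPLE_ENDPOINTS, service).items():
        print(vpc_id, status)  # vpc-0aaa111 COMPLIANT, vpc-0bbb222 NON_COMPLIANT
```

To run it against a real account, replace the sample lists with the two lists returned by fetch_from_aws(region).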
Implementation Steps:
Go to AWS Management Console
Go to the VPC dashboard at https://console.aws.amazon.com/vpc
In the left navigation pane click on Endpoints
Click on Create Endpoint
Select the AWS service that the VPC should connect to securely
Select the VPC, choose the subnets as required, optionally enable the private DNS name for the endpoint, and select a security group
Click on Create endpoint
Using AWS CLI:
To create an interface endpoint
aws ec2 create-vpc-endpoint \
--vpc-id vpc-1a2b3c4d \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-1.cloudtrail \
--subnet-ids subnet-7b16de0c \
--security-group-ids sg-1a2b3c4d \
--tag-specifications ResourceType=vpc-endpoint,Tags=[{Key=service,Value=cloudtrail}]
Backout Plan:
Go to AWS Management Console
Go to the VPC dashboard at https://console.aws.amazon.com/vpc
In the left navigation pane, click on Endpoints and choose the endpoint to remove
Click on the Actions button and then click on Delete endpoint
Click on the Yes, Delete button to confirm
Using AWS CLI:
To delete an endpoint
aws ec2 delete-vpc-endpoints --region <region> --vpc-endpoint-ids <vpce-id>