Profile Applicability:

  • Level 1

Description:

Amazon EC2 instances use VPC endpoints to privately connect to AWS services, including the Amazon EC2 service. By using VPC endpoints for Amazon EC2, instances in a VPC can communicate with EC2 without routing traffic over the public internet, improving security and reducing latency. This SOP ensures that EC2 instances are configured to use VPC endpoints created specifically for Amazon EC2 services, ensuring private, secure, and reliable connections.

Rationale:

Using VPC endpoints for Amazon EC2 ensures:

  • Private Connectivity: Communication between EC2 instances and EC2 services is conducted within the VPC without using the public internet.

  • Enhanced Security: Reduces the exposure of EC2 traffic to the internet, minimizing the attack surface.

  • Improved Performance: Eliminates potential network bottlenecks by using private connectivity, resulting in faster data transfer speeds.

  • Compliance: Helps meet security requirements by avoiding public internet access and ensuring traffic is contained within the AWS network.

Impact:

Pros:

  • Security Improvement: Ensures that communication between EC2 instances and EC2 services is conducted over private, secure channels.

  • Cost Efficiency: Reduces internet traffic and associated costs.

  • Reduced Latency: Private connections generally provide lower latency than public internet connections.

  • Compliance: Meets regulatory requirements for securing communication within the AWS environment.

Cons:

  • Configuration Complexity: Requires proper setup and configuration of VPC endpoints, routing, and security groups.

  • Management Overhead: Additional monitoring and management of VPC endpoints and their access control.

Default Value:

By default, EC2 instances do not use VPC endpoints for the Amazon EC2 service. The setup must be configured explicitly during the VPC design and EC2 instance launch process.

Pre-requisite:

  • AWS IAM Permissions:

    • ec2:DescribeVpcEndpoints

    • ec2:CreateVpcEndpoint

    • ec2:DescribeInstances

  • AWS CLI installed and configured.

  • Basic knowledge of VPC, VPC endpoints, and EC2 service.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC under Services.

  3. Under VPC, select Endpoints and confirm that an endpoint for the EC2 service is listed.

    • The Service Name should include com.amazonaws.<region>.ec2.

  4. Ensure that the VPC endpoint is properly configured to route traffic for EC2 services.

  5. Check that EC2 instances in the VPC are routing traffic for EC2 services through this VPC endpoint by verifying route tables and network interfaces.

    • Verify that there is a route to the VPC endpoint in the route table of the subnets hosting the EC2 instances.

Using AWS CLI:

To check if EC2 is using VPC endpoints for communication, run:

aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[*].{ID:VpcEndpointId,ServiceName:ServiceName}'

Look for entries that contain com.amazonaws.<region>.ec2 in the ServiceName to confirm that the EC2 service is configured for the VPC endpoint.

To verify which subnets use the endpoint, check the route table associated with your VPC:

aws ec2 describe-route-tables --query 'RouteTables[*].{ID:RouteTableId,Routes:Routes}'

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC.

  3. Under Endpoints, click Create Endpoint.

  4. Select the Service as com.amazonaws.<region>.ec2.

  5. Choose the VPC in which your EC2 instances reside.

  6. Select the subnets where the EC2 instances are located, and associate them with the VPC endpoint.

  7. Create and attach the necessary security groups for controlling access to the VPC endpoint.

  8. Ensure that the route tables are updated automatically to route traffic for EC2 services through the new VPC endpoint.

Using AWS CLI:

To create the VPC endpoint for EC2, run:

aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --vpc-endpoint-type Interface --service-name com.amazonaws.<region>.ec2 --subnet-ids <subnet-id> --security-group-ids <security-group-id> --private-dns-enabled

To verify the creation of the VPC endpoint and the proper routing configuration:

aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[*].{ID:VpcEndpointId,ServiceName:ServiceName}'

Check that the EC2 instances are routing traffic through the new endpoint by reviewing their route tables:

aws ec2 describe-route-tables --query 'RouteTables[*].{ID:RouteTableId,Routes:Routes}'
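The two verification commands above (in the Test Plan and in the Implementation Steps) only list endpoints and routes; the check below, an added example that is not part of this SOP, evaluates their output against the SOP's requirements: an available Interface endpoint for com.amazonaws.<region>.ec2 in the target VPC with private DNS enabled, and every EC2 instance placed in a subnet associated with that endpoint (step 6). The JSON samples are constructed to mirror the field names of `describe-vpc-endpoints` and `describe-instances`; the VPC, subnet and endpoint IDs are invented.

```python
import json

# Constructed sample of `aws ec2 describe-vpc-endpoints` output (invented IDs).
SAMPLE_ENDPOINTS = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0aaa111", "VpcId": "vpc-0123",
   "ServiceName": "com.amazonaws.us-east-1.ec2", "VpcEndpointType": "Interface",
   "State": "available", "PrivateDnsEnabled": true,
   "SubnetIds": ["subnet-a", "subnet-b"]},
  {"VpcEndpointId": "vpce-0bbb222", "VpcId": "vpc-0123",
   "ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
   "State": "available", "SubnetIds": []}
]}""")

# Constructed sample of `aws ec2 describe-instances` output (invented IDs).
SAMPLE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-1", "VpcId": "vpc-0123", "SubnetId": "subnet-a"},
  {"InstanceId": "i-2", "VpcId": "vpc-0123", "SubnetId": "subnet-c"}
]}]}""")


def ec2_endpoints(endpoints, vpc_id, region):
    """Usable EC2 interface endpoints in the VPC: available, Interface type,
    private DNS on (so the public EC2 hostname resolves to the endpoint)."""
    wanted = f"com.amazonaws.{region}.ec2"
    return [e for e in endpoints["VpcEndpoints"]
            if e.get("VpcId") == vpc_id and e.get("ServiceName") == wanted
            and e.get("VpcEndpointType") == "Interface"
            and e.get("State") == "available"
            and e.get("PrivateDnsEnabled", False)]


def uncovered_instances(endpoints, instances, vpc_id, region):
    """Instances in the VPC whose subnet is not associated with a usable
    EC2 endpoint (deviation from step 6 of the SOP; such instances can still
    reach the endpoint across subnets, but lose AZ-local placement)."""
    covered = set()
    for e in ec2_endpoints(endpoints, vpc_id, region):
        covered.update(e.get("SubnetIds", []))
    return sorted(i["InstanceId"]
                  for r in instances["Reservations"] for i in r["Instances"]
                  if i.get("VpcId") == vpc_id and i.get("SubnetId") not in covered)


def check(endpoints, instances, vpc_id, region):
    """Summarise compliance for one VPC and region."""
    eps = ec2_endpoints(endpoints, vpc_id, region)
    missing = uncovered_instances(endpoints, instances, vpc_id, region)
    return {"endpoint_ids": [e["VpcEndpointId"] for e in eps],
            "uncovered_instances": missing,
            "compliant": bool(eps) and not missing}
```

Feed it real output by piping `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-instances` (without `--query`) into `json.load`; the S3 Gateway endpoint in the sample is deliberately ignored because it is not the EC2 service.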

Backout Plan:

If enabling the VPC endpoint for EC2 causes issues or disruption:

Identify the problematic VPC endpoint and route tables.

Delete the VPC endpoint using the following command:

aws ec2 delete-vpc-endpoint --vpc-endpoint-id <vpc-endpoint-id>

Ensure that the route tables are reverted to their original configuration so that traffic is no longer routed through the deleted endpoint.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                              | IG1 | IG2 | IG3
--------|------------|----------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                             |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                         |     |     |