Profile Applicability:
Level 1
Description:
VPC Endpoints are essential for securely accessing AWS services, such as S3 and CodeCommit, without traversing the public internet. By configuring VPC Endpoints for source code access, you can ensure that the communication between your source code repositories (like AWS CodeCommit) and your instances remains private, enhancing security and performance.
Rationale:
Using VPC Endpoints for source code access ensures that:
Data does not traverse the public internet, reducing the exposure of sensitive information.
Communication between services is secure and isolated from external traffic.
Network performance improves because traffic avoids the public internet.
Default Value:
By default, access to services like CodeCommit may use public internet routes. Using VPC Endpoints requires manual configuration to ensure private access.
Impact:
Pros:
Enhanced security by preventing traffic from going over the public internet.
Improved compliance with internal security policies that require private access.
Optimized network performance with lower latency for access to source code repositories.
Cons:
Requires configuration of VPC Endpoints and management of endpoint policies.
May incur additional costs for setting up and maintaining VPC Endpoints.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to VPC under Networking & Content Delivery.
In the Endpoints section, check if VPC Endpoints for services like CodeCommit, S3, or any other source code repositories are configured.
If an endpoint is not configured, create a new endpoint:
Click on Create Endpoint.
Select the appropriate service (e.g., com.amazonaws.<region>.codecommit, with <region> replaced by the Region of your VPC).
Choose the VPC and subnets where the endpoint should be created.
Attach the necessary security group to allow access to the endpoint.
Once configured, verify that the endpoint is being used for source code access by attempting to access the source code repository from your instances within the VPC.
Using AWS CLI:
Run the following command to list existing VPC Endpoints:
aws ec2 describe-vpc-endpoints
Verify if there is an existing endpoint for the source code service (e.g., CodeCommit or S3).
If no endpoint exists, create one using the following command:
aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --vpc-endpoint-type Interface --service-name com.amazonaws.<region>.codecommit --subnet-ids <subnet-id> --security-group-ids <security-group-id> --private-dns-enabled
Once created, confirm that the endpoint is in use by accessing the source code repository from the instance within the VPC.
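The two checks above (an endpoint exists for the service, and the repository is actually reached through it) can be scripted. The following is an added example, not part of the benchmark text: it audits a saved `aws ec2 describe-vpc-endpoints` response for the services that must be private and then classifies the addresses a service hostname resolves to from inside the VPC. The sample JSON, the VPC and endpoint ids, and the Region in the service names are constructed; the service list assumes us-east-1 and includes the git-codecommit endpoint, which Git clients use in addition to the codecommit API endpoint.

```python
"""Audit VPC endpoint coverage for source-code services.

Added example (not CIS or AWS code). Input is the JSON printed by
`aws ec2 describe-vpc-endpoints --output json`; the sample below is constructed.
"""
import ipaddress
import json

# Services that must be reached privately. CodeCommit is only offered as an
# Interface endpoint; S3 is offered as a Gateway (default) or Interface endpoint.
# Region and service list are assumptions for this example.
REQUIRED_SERVICES = {
    "com.amazonaws.us-east-1.codecommit": {"Interface"},      # CodeCommit API
    "com.amazonaws.us-east-1.git-codecommit": {"Interface"},  # Git over HTTPS/SSH
    "com.amazonaws.us-east-1.s3": {"Gateway", "Interface"},
}

# Constructed sample response (hypothetical ids; field names follow the real API).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0aaa111",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0123",
            "ServiceName": "com.amazonaws.us-east-1.codecommit",
            "State": "available",
            "SubnetIds": ["subnet-0a"],
            "PrivateDnsEnabled": False,  # misconfigured: default hostname still resolves publicly
        },
        {
            "VpcEndpointId": "vpce-0bbb222",
            "VpcEndpointType": "Gateway",
            "VpcId": "vpc-0123",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
            "RouteTableIds": ["rtb-0x"],
        },
    ]
})


def audit_endpoints(describe_json, vpc_id, required=REQUIRED_SERVICES):
    """Return {service_name: [findings]}; an empty list means the service passes."""
    endpoints = json.loads(describe_json).get("VpcEndpoints", [])
    by_service = {}
    for ep in endpoints:
        if ep.get("VpcId") == vpc_id:
            by_service.setdefault(ep["ServiceName"], []).append(ep)

    results = {}
    for service, allowed_types in required.items():
        findings = []
        eps = by_service.get(service, [])
        if not eps:
            findings.append("no endpoint in VPC; traffic falls back to public routes")
        for ep in eps:
            eid = ep.get("VpcEndpointId", "?")
            etype = ep.get("VpcEndpointType")
            if ep.get("State") != "available":
                findings.append(f"{eid} state is {ep.get('State')}")
            if etype not in allowed_types:
                findings.append(f"{eid} has unsupported type {etype}")
            # An Interface endpoint without private DNS only helps clients that
            # are explicitly pointed at the endpoint-specific hostname.
            if etype == "Interface" and not ep.get("PrivateDnsEnabled"):
                findings.append(f"{eid} private DNS disabled; default hostname still resolves publicly")
            # A Gateway endpoint is only effective in route tables it is associated with.
            if etype == "Gateway" and not ep.get("RouteTableIds"):
                findings.append(f"{eid} not associated with any route table")
        results[service] = findings
    return results


def resolves_privately(addresses):
    """True if every address a service hostname resolved to is a private address.

    Feed it the answers from an instance inside the VPC (for example the output of
    `dig +short git-codecommit.us-east-1.amazonaws.com`). Public answers mean that
    client is not using the endpoint, whatever the endpoint list says.
    """
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)


if __name__ == "__main__":
    for service, findings in audit_endpoints(SAMPLE_DESCRIBE_OUTPUT, "vpc-0123").items():
        print("PASS" if not findings else "FAIL", service)
        for finding in findings:
            print("   -", finding)
    # Constructed resolver answers: private addresses mean the endpoint is in use.
    print("resolved privately:", resolves_privately(["10.0.1.25", "10.0.2.41"]))
```

On the constructed sample the S3 gateway endpoint passes, the CodeCommit API endpoint is flagged for disabled private DNS, and the git-codecommit endpoint is reported missing; the same script can be pointed at a real response by replacing the sample with `json` read from a file.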
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to VPC and select Endpoints.
Ensure that endpoints for services like CodeCommit or S3 are configured for private access.
If endpoints are not configured, create them by following the steps above.
Verify that your instances within the VPC are using these private endpoints for source code access.
Using AWS CLI:
Create a VPC Endpoint for the source code service using the following command:
aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --vpc-endpoint-type Interface --service-name com.amazonaws.<region>.codecommit --subnet-ids <subnet-id> --security-group-ids <security-group-id> --private-dns-enabled
Backout Plan:
Using AWS Console:
If issues arise after configuring the endpoint, log in to the AWS Console.
Navigate to VPC and go to Endpoints.
Select the problematic endpoint and delete or modify it to resolve the issue.
Using AWS CLI:
If necessary, delete the VPC endpoint using the following command:
aws ec2 delete-vpc-endpoint --vpc-endpoint-id <endpoint-id>
References:
CIS Controls: