This plugin ensures Amazon VPC endpoints are not publicly exposed.
Risk Level: High
Description
This plugin ensures Amazon VPC endpoints are not publicly exposed via policies. VPC endpoints are often accessed by various AWS services for proper functioning of the cloud architecture. To avoid malicious requests made to the services contained in the VPC, it must not be exposed to the public.
About the Service
Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.
Impact
Various services reside in a Virtual Private Cloud (VPC). Exposing VPC endpoints to the public can allow unsigned requests to be made to the network interface. This can be a security threat to the services in the VPC as the attacker can exploit the vulnerability of any service inside the VPC.
Steps to Reproduce
Using AWS Console-
- Log In to your AWS Console.
- Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in.
- Move to the Endpoints in the Virtual Private Cloud section from the left navigation pane.
- You will find a list of Endpoints available. If the endpoint type is “gateway”, the vulnerability does not exist. Select the one you wish to examine by clicking on the checkbox next to it.
- Move to the Policy tab.
- If the Effect element is set to “Allow” and the Principal element has “*”, the VPC endpoint is exposed to the public.
- Repeat steps 4 to 6 for all the VPC Endpoints you want to investigate.
Steps for Remediation
Update VPC endpoint access policy in order to stop any unsigned requests:
- Log In to your AWS Console.
- Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in.
- Move to the Endpoints in the Virtual Private Cloud section from the left navigation pane.
- You will find a list of Endpoints available. Select the vulnerable endpoint by clicking on the checkbox next to it.
- Move to the Policy tab.
- Click on the Edit Policy button. Copy the previous policy.
- Choose the Custom option. Paste the existing policy in the editor.
- Now modify the Principal element of the policy by adding the ARN of the IAM users who can access the VPC and removing “*”.
- Repeat steps 4 to 8 for all the vulnerable VPC Endpoints.