lacework-global-147

Exposed AWS Virtual Private Cloud (VPC) endpoints

Description

When creating a VPC endpoint, the default policy choice is 'full access' for any Identity and Access Management (IAM) user or service within the VPC.

{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}

Remediation

  1. Log in to the AWS Management Console.

  2. Select Services.

  3. Select VPC.

  4. Select Endpoints.

  5. Select the Endpoint to edit.

  6. Select the Policy tab.

  7. Select Edit Policy.

  8. Add or update the custom policy, specifying a Principal that does not give access to all users.

  9. Select Save.
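The console steps above can be audited and scripted. The following Python is an added example and is not Lacework's detection logic or AWS code: it parses endpoint policy documents offline and flags the full-access default (Allow, Action "*", Resource "*", Principal "*" or {"AWS": "*"}, no Condition), then builds a replacement policy that names specific principals. The endpoint records, IDs and ARNs are constructed placeholders shaped like the `VpcEndpoints` entries that `aws ec2 describe-vpc-endpoints` returns, where `PolicyDocument` is a JSON string.

```python
"""Audit AWS VPC endpoint policies for the 'full access' default and
build a restricted replacement.

Added example, not part of the Lacework policy page or AWS tooling.
Sample endpoint records below are constructed with placeholder IDs.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM policy grammar allows a string or a list for most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True when the statement applies to every principal.

    Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def statement_is_full_access(stmt: dict) -> bool:
    """An Allow statement granting every action on every resource to every
    principal, with no Condition: the default endpoint policy from the page."""
    return (
        stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action"))
        and "*" in _as_list(stmt.get("Resource"))
        and _principal_is_wildcard(stmt.get("Principal"))
        and not stmt.get("Condition")
    )


def is_exposed_policy(policy_document: str) -> bool:
    """Return True when the policy (a JSON string) has a full-access statement."""
    policy = json.loads(policy_document)
    return any(statement_is_full_access(s) for s in _as_list(policy.get("Statement")))


def find_exposed_endpoints(endpoints: list) -> list:
    """Filter describe-vpc-endpoints style records down to the exposed IDs."""
    return [e["VpcEndpointId"] for e in endpoints if is_exposed_policy(e["PolicyDocument"])]


def restricted_policy(principal_arns: list, actions: list, resources: list) -> str:
    """Build a replacement policy naming specific principals instead of "*".

    Returned as the JSON string that
    `aws ec2 modify-vpc-endpoint --policy-document file://policy.json` expects.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arns},
                "Action": actions,
                "Resource": resources,
            }
        ],
    }
    return json.dumps(policy, indent=2)


# Constructed sample: the page's default policy and one restricted policy.
DEFAULT_POLICY = json.dumps(
    {"Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}]}
)
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-EXAMPLE1", "PolicyDocument": DEFAULT_POLICY},
    {
        "VpcEndpointId": "vpce-EXAMPLE2",
        "PolicyDocument": restricted_policy(
            ["arn:aws:iam::123456789012:role/EXAMPLE-app-role"],  # placeholder ARN
            ["s3:GetObject"],
            ["arn:aws:s3:::EXAMPLE-bucket/*"],  # placeholder bucket
        ),
    },
]

if __name__ == "__main__":
    for endpoint_id in find_exposed_endpoints(SAMPLE_ENDPOINTS):
        print(f"{endpoint_id}: default full-access policy, restrict the Principal")
```

Two design choices to note: a wildcard statement that carries a Condition (for example one scoped with `aws:PrincipalOrgID`) is not flagged here, which is this example's assumption rather than the page's rule, so tighten `statement_is_full_access` if your baseline treats any "*" Principal as exposed; and the replacement policy is written as the file you would pass to `modify-vpc-endpoint` after validating the ARNs, actions and resources against what the workload actually needs.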