VPC endpoint policy allows full access to service Affecting VPC service in AWS


Severity

medium
    Severity Framework
    Snyk CCSS
    Rule category
    General / Policy

    Frameworks
    CIS-Controls
  • Snyk ID SNYK-CC-00228
  • credit Snyk Research Team

Description

If a VPC endpoint policy is not specified, AWS attaches a default policy that allows any principal to perform any action on any resource through the endpoint. Granting all permissions to all principals is a security risk and a violation of the principle of least privilege.

How to fix?

Set the aws_vpc_endpoint policy attribute to a valid policy (Terraform AWS provider v3), or define an aws_vpc_endpoint_policy resource (v4).

Example Configuration

# AWS provider v3
resource "aws_vpc_endpoint" "allowed" {
  # Reference the VPC resource directly; a quoted "aws_vpc.main.id" would be
  # sent to AWS as a literal string and rejected.
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.us-west-2.ec2"
  vpc_endpoint_type   = "Interface"
  # Inline policy: only ec2:Describe* is allowed through this endpoint.
  policy              = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    }
  ]
}
POLICY
  private_dns_enabled = true
}

# AWS provider v4
resource "aws_vpc_endpoint" "allowed2" {
  # Gateway endpoint (the default type); the service name must be the full
  # com.amazonaws.<region>.<service> form, a bare "dynamodb" is not accepted.
  service_name = "com.amazonaws.us-west-2.dynamodb"
  vpc_id       = aws_vpc.allowed.id
}

# Policy attached as a separate resource. An explicit policy satisfies this
# rule even when it is broad; narrow Principal and Action for least privilege.
resource "aws_vpc_endpoint_policy" "allowed2" {
  vpc_endpoint_id = aws_vpc_endpoint.allowed2.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowAll",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "*"
        },
        "Action" : [
          "dynamodb:*"
        ],
        "Resource" : "*"
      }
    ]
  })
}
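Added example (not from this Snyk page or Snyk's tooling): a plan-time check that reads the `configuration` section of `terraform show -json` output and flags every aws_vpc_endpoint that would end up with the default full-access policy, either because no policy is set (inline or via aws_vpc_endpoint_policy) or because the literal policy itself allows all actions to all principals. The plan document below is a constructed, trimmed sample, and the resource addresses in it are assumptions.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# configuration fields this check reads (not output from the page or from Snyk).
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    {"address": "aws_vpc_endpoint.no_policy", "type": "aws_vpc_endpoint",
     "expressions": {"service_name": {"constant_value": "com.amazonaws.us-west-2.s3"}}},
    {"address": "aws_vpc_endpoint.scoped", "type": "aws_vpc_endpoint",
     "expressions": {"policy": {"constant_value": json.dumps({"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Principal": "*",
                        "Action": ["ec2:Describe*"], "Resource": "*"}]})}}},
    {"address": "aws_vpc_endpoint.wide_open", "type": "aws_vpc_endpoint",
     "expressions": {"policy": {"constant_value": json.dumps(
         {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_vpc_endpoint.separate", "type": "aws_vpc_endpoint", "expressions": {}},
    {"address": "aws_vpc_endpoint_policy.separate", "type": "aws_vpc_endpoint_policy",
     "expressions": {"vpc_endpoint_id": {"references": ["aws_vpc_endpoint.separate.id",
                                                        "aws_vpc_endpoint.separate"]}}},
]}}}

def grants_full_access(policy_json):
    """True if an Allow statement gives every action to every principal,
    which is what the default endpoint policy does."""
    stmts = json.loads(policy_json).get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = s.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if s.get("Effect") == "Allow" and anyone and "*" in actions:
            return True
    return False

def find_full_access_endpoints(plan):
    """Map each wide-open aws_vpc_endpoint address to the reason it was flagged."""
    resources = plan["configuration"]["root_module"]["resources"]
    covered = set()  # endpoints that get a policy from an aws_vpc_endpoint_policy (v4 style)
    for r in resources:
        if r["type"] == "aws_vpc_endpoint_policy":
            refs = r.get("expressions", {}).get("vpc_endpoint_id", {}).get("references", [])
            covered.update(ref[:-3] if ref.endswith(".id") else ref for ref in refs)
    findings = {}
    for r in resources:
        if r["type"] != "aws_vpc_endpoint":
            continue
        expr = r.get("expressions", {})
        policy = expr.get("policy", {}).get("constant_value")
        # A non-literal policy (jsonencode(), data source) counts as present but is not inspected.
        if "policy" not in expr and r["address"] not in covered:
            findings[r["address"]] = "no policy: AWS attaches the default full-access policy"
        elif policy is not None and grants_full_access(policy):
            findings[r["address"]] = "explicit policy allows all actions to all principals"
    return findings

if __name__ == "__main__":
    for address, reason in find_full_access_endpoints(SAMPLE_PLAN).items():
        print(f"{address}: {reason}")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `json.load` in place of SAMPLE_PLAN; child modules live under `module_calls` and are not walked here.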