漏洞描述
Ensures VPC endpoints are utilized for secure AWS service connectivity without needing an Internet Gateway, enhancing network security and efficiency.
vpc-endpoints-not-deployed: VPC Endpoints Not Deployed
PoC代码[已公开]
id: vpc-endpoints-not-deployed
info:
name: VPC Endpoints Not Deployed
author: princechaddha
severity: medium
description: |
Ensures VPC endpoints are utilized for secure AWS service connectivity without needing an Internet Gateway, enhancing network security and efficiency.
impact: |
Avoids data exposure and reduces bandwidth use by ensuring AWS traffic remains within the AWS network, without public IP requirements for EC2 instances.
remediation: |
Implement VPC endpoints for supported AWS services to secure and optimize connectivity within your VPC, minimizing external access risks.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
metadata:
max-request: 2
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let VpcIds of iterate(template.VpcId)){
set("vpc", VpcIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
extractors:
- type: json
name: VpcId
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-vpc-endpoints --region $region --filters Name=vpc-id,Values=$vpc --query 'VpcEndpoints[*].VpcEndpointId'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"VPC Endpoints Not Deployed in the VPC network " + vpc'
# digest: 490a0046304402203edd538b4e37cb427dfca2c03d8187bdc1e32f6d9f1a31b46a354aceaadb5d1302203cd03dabc51041551d5f77ab984c38a578a3de71cb100ca85a60cb29f1fca583:922c64590222798bb761d5b6d8e72950