Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

[EC2.10] Service endpoint for Amazon EC2 needs to be created for each VPC.

0

Question regarding Security Hub [EC2.10] This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.

What if no EC2 instances are created? When it's an all-lambda environment, for example. An EC2 endpoint for VPCs in all regions incurs costs, even though it is not used. This requirement does not really make sense. Can I just disable it?

Thanks.

Argomenti
Networking e distribuzione di contenutiSicurezza, identità e conformitàAWS Well-Architected Framework
Tag
Amazon VPCHub di sicurezza AWSAWS PrivateLinkSicurezza
Lingua
English
AWS-User-8416516
posta 2 anni fa1517 visualizzazioni
1 Risposta
0
Risposta accettata

You can Suppress those findings in Security Hub. Note though that an EC2 Interface Endpoint is for all EC2 API actions, which covers more than just EC2 instance actions - it includes VPC and VPN actions for example. So you might benefit from an EC2 Interface Endpoint anyway.

As you say, Interface Endpoints incur costs and they can mount up massively across a lot of VPCs and services. In that case you can share them across VPCs - see https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman . But if you do that, you'll still find you get the Security Hub finding in all accounts other than where the EC2 Interface Endpoint was created, so you'll still need to Suppress!

ESPERTO
skinsman
con risposta 2 anni fa
  • AWS-User-8416516
    2 anni fa

    Thank you! I'll suppress the findings in Security Hub, but thanks also for the pointer to your article, which - whether I'll use it or not - provides some very good insight into some VPC intricacies, very helpful!

  • Ely_K
    2 anni fa

    You can suppress or fully disable. If you suppress, you will still incur charges for the findings generated.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente