[EC2.10] Service endpoint for Amazon EC2 needs to be created for each VPC.

0

Question regarding Security Hub [EC2.10]: This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.

What if no EC2 instances are created? When it's an all-lambda environment, for example. An EC2 endpoint for VPCs in all regions incurs costs, even though it is not used. This requirement does not really make sense. Can I just disable it?

Thanks.

1 answer
0
Accepted answer

You can Suppress those findings in Security Hub. Note though that an EC2 Interface Endpoint is for all EC2 API actions, which covers more than just EC2 instance actions - it includes VPC and VPN actions for example. So you might benefit from an EC2 Interface Endpoint anyway.

As you say, Interface Endpoints incur costs and they can mount up massively across a lot of VPCs and services. In that case you can share them across VPCs - see https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman . But if you do that, you'll still find you get the Security Hub finding in all accounts other than where the EC2 Interface Endpoint was created, so you'll still need to Suppress!

Expert
answered 2 years ago
  • Thank you! I'll suppress the findings in Security Hub, but thanks also for the pointer to your article, which - whether I'll use it or not - provides some very good insight into some VPC intricacies, very helpful!

  • You can suppress or fully disable. If you suppress, you will still incur charges for the findings generated.
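The two routes discussed in this thread, suppressing the EC2.10 findings versus disabling the control outright, as an added AWS CLI example (not code from the re:Post answer or from AWS). It assumes the control lives in the AWS Foundational Security Best Practices standard (the `aws-foundational-security-best-practices/v/1.0.0` segment of the control ARN), and the region, account id, note text and `UpdatedBy` value are placeholders to replace. `AWS_CMD` defaults to `aws`; set it to `echo` to dry-run and see the commands without calling the API.

```shell
#!/bin/sh
# Added example, not from the thread: quiet Security Hub control EC2.10 either
# by suppressing its findings or by disabling the control in the standard.
# Region, account id and the standard segment of the ARN are assumptions.

AWS_CMD="${AWS_CMD:-aws}"   # set AWS_CMD=echo to dry-run

# Security Hub finding filter: active, still-NEW findings for one control id.
# ComplianceSecurityControlId is the consolidated control id (e.g. EC2.10).
ec2_10_filters() {
  printf '{"ComplianceSecurityControlId":[{"Value":"%s","Comparison":"EQUALS"}],' "$1"
  printf '"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}],'
  printf '"WorkflowStatus":[{"Value":"NEW","Comparison":"EQUALS"}]}\n'
}

# Option 1: suppress. The control keeps evaluating (and billing) each VPC,
# but the findings move to WorkflowStatus=SUPPRESSED and stop counting as
# failed. Note that batch-update-findings accepts at most 100 identifiers
# per call; page through larger result sets before calling it.
suppress_findings() {
  control="$1"
  ids=$("$AWS_CMD" securityhub get-findings \
          --filters "$(ec2_10_filters "$control")" \
          --query 'Findings[].{Id:Id,ProductArn:ProductArn}' \
          --output json)
  [ "$ids" != "[]" ] || { echo "no active $control findings"; return 0; }
  "$AWS_CMD" securityhub batch-update-findings \
    --finding-identifiers "$ids" \
    --workflow Status=SUPPRESSED \
    --note "Text=Lambda-only VPCs; EC2 endpoint not required,UpdatedBy=secops"
}

# Standards-control ARN; the standard segment assumes FSBP v1.0.0.
control_arn() {
  region="$1"; account="$2"; control="$3"
  echo "arn:aws:securityhub:${region}:${account}:control/aws-foundational-security-best-practices/v/1.0.0/${control}"
}

# Option 2: disable the control in this region. No more findings are
# generated for it, so no more charges for them either. Security Hub
# requires a reason, which is recorded with the control.
disable_control() {
  "$AWS_CMD" securityhub update-standards-control \
    --standards-control-arn "$(control_arn "$1" "$2" "$3")" \
    --control-status DISABLED \
    --disabled-reason "No EC2 instances in these VPCs (Lambda-only workloads)"
}

# Usage:  ./ec2_10.sh suppress            (current region/account from CLI config)
#         ./ec2_10.sh disable us-east-1 123456789012
case "${1:-}" in
  suppress) suppress_findings EC2.10 ;;
  disable)  disable_control "$2" "$3" EC2.10 ;;
esac
```

Suppression is per account and per region, which is why, as the answer notes, a shared endpoint in one account still leaves findings to suppress everywhere else; disabling the control has the same per-region scope but, unlike suppression, also stops the finding-generation charges the second comment mentions.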
