
VPCs should be configured with an interface endpoint for Systems Manager


We are using a NAT Gateway for internet communication and to access AWS Systems Manager. Security Hub recommends that VPCs should be configured with an interface endpoint for Systems Manager. Since this will increase cost, we want to confirm: Is it mandatory to enable the Systems Manager interface endpoint, considering we already have the following endpoints enabled — interface endpoint for com.amazonaws.eu-west-2.ec2 and gateway endpoint for com.amazonaws.eu-west-2.s3?

1 Answer

This (VPC endpoint vs. access via the internet) is your choice to make. If you have a requirement to keep traffic off the "internet", then you must have VPC endpoints for the AWS services you use. This could also be a resiliency feature: in case you e.g. block public access from your VPC, you could still connect to instances when using a VPC endpoint. In practice, when you connect to AWS public endpoints from a VPC, I don't think your packets will actually leave AWS networks, so I wouldn't consider this "high risk" but more a compliance feature you either need to have or don't.

The S3 endpoint is a bit different though. As S3 gateway endpoints don't cost anything (vs. interface endpoints), there is no reason not to use them. If you have a lot of S3 traffic, this will also save you money when traffic doesn't go through the NAT gateway.

EXPERT, answered 10 months ago
EXPERT, reviewed 10 months ago
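The answer leaves one practical detail implicit: a single "Systems Manager" endpoint is not enough to keep SSM Agent traffic off the NAT gateway. The agent talks to three services (`ssm`, plus `ssmmessages` for Session Manager and `ec2messages` for Run Command), each needs its own interface endpoint, and the endpoint only takes effect if private DNS is enabled so the agent's normal hostname resolves to the endpoint ENIs. The script below is an added example, not from the original post or from AWS. It checks a `describe-vpc-endpoints` result for the three SSM endpoints and prints the `aws ec2 create-vpc-endpoint` commands that would add the missing ones. The sample endpoint list mirrors the asker's setup (an EC2 interface endpoint and an S3 gateway endpoint only); all VPC, subnet and security-group IDs are made up.

```python
"""Find which Systems Manager interface endpoints a VPC lacks and print the
CLI commands that would create them.

Added example, not code from the original post. Feed `check_vpc()` the parsed
output of `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc>`.
All resource IDs below are constructed placeholders.
"""
import json

# Services SSM Agent reaches over interface endpoints. `ssm` alone is not
# enough: Session Manager uses `ssmmessages`, Run Command uses `ec2messages`.
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")

VPC_ID = "vpc-0aaa111bbb222ccc3"   # constructed
REGION = "eu-west-2"

# Constructed sample shaped like `describe-vpc-endpoints` output, matching the
# question: EC2 interface endpoint + S3 gateway endpoint, nothing for SSM.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0123456789abcdef0", "VpcId": VPC_ID,
         "VpcEndpointType": "Interface", "State": "available",
         "ServiceName": f"com.amazonaws.{REGION}.ec2", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0fedcba9876543210", "VpcId": VPC_ID,
         "VpcEndpointType": "Gateway", "State": "available",
         "ServiceName": f"com.amazonaws.{REGION}.s3", "PrivateDnsEnabled": False},
    ]
}

# Constructed variant: an `ssm` endpoint exists but private DNS is off, so the
# agent would still resolve ssm.<region>.amazonaws.com to the public IP and
# leave via the NAT gateway. The check must still report it as missing.
SAMPLE_SSM_NO_PRIVATE_DNS = {
    "VpcEndpoints": SAMPLE_DESCRIBE_OUTPUT["VpcEndpoints"] + [
        {"VpcEndpointId": "vpce-0aaaaaaaaaaaaaaaa", "VpcId": VPC_ID,
         "VpcEndpointType": "Interface", "State": "available",
         "ServiceName": f"com.amazonaws.{REGION}.ssm", "PrivateDnsEnabled": False},
    ]
}


def missing_ssm_endpoints(describe_output, vpc_id, region):
    """Return the SSM services with no usable interface endpoint in vpc_id.

    Usable = Interface type, state available, private DNS enabled, in this VPC.
    """
    prefix = f"com.amazonaws.{region}."
    present = set()
    for ep in describe_output.get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id or ep.get("VpcEndpointType") != "Interface":
            continue
        if ep.get("State") != "available" or not ep.get("PrivateDnsEnabled"):
            continue
        name = ep.get("ServiceName", "")
        if name.startswith(prefix):
            present.add(name[len(prefix):])
    return [svc for svc in SSM_SERVICES if svc not in present]


def create_endpoint_commands(vpc_id, region, subnet_ids, sg_id, services):
    """One `aws ec2 create-vpc-endpoint` command per missing service.

    sg_id should allow inbound TCP/443 from the VPC CIDR only; one subnet per
    AZ that hosts managed instances keeps the endpoint reachable if an AZ fails.
    """
    return [
        "aws ec2 create-vpc-endpoint"
        f" --region {region} --vpc-id {vpc_id} --vpc-endpoint-type Interface"
        f" --service-name com.amazonaws.{region}.{svc}"
        f" --subnet-ids {' '.join(subnet_ids)} --security-group-ids {sg_id}"
        " --private-dns-enabled"
        for svc in services
    ]


def check_vpc(describe_output, vpc_id=VPC_ID, region=REGION,
              subnet_ids=("subnet-0111aaa", "subnet-0222bbb"), sg_id="sg-0333ccc"):
    """Report missing SSM endpoints and the commands that would add them."""
    missing = missing_ssm_endpoints(describe_output, vpc_id, region)
    return {"missing": missing,
            "commands": create_endpoint_commands(vpc_id, region, list(subnet_ids),
                                                 sg_id, missing)}


if __name__ == "__main__":
    print(json.dumps(check_vpc(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

To run it against a real account, replace `SAMPLE_DESCRIBE_OUTPUT` with `json.load()` of the CLI output and pass the real subnet and security-group IDs; the script only prints commands and never calls AWS itself. Note the cost point from the answer still stands: each of the three interface endpoints is billed per AZ-hour plus data processed, whereas the S3 gateway endpoint the asker already has is free.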
