By using AWS re:Post, you agree to the Terms of Use

[EC2.10] Service endpoint for Amazon EC2 needs to be created for each VPC.

0

Question regarding Security Hub [EC2.10] This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service.

What if no EC2 instances are created? When it's an all-lambda environment, for example. An EC2 endpoint for VPCs in all regions incurs costs, even though it is not used. This requirement does not really make sense. Can I just disable it?

Thanks.

1 Answer
0
Accepted Answer

You can Suppress those findings in Security Hub. Note though that an EC2 Interface Endpoint is for all EC2 API actions, which covers more than just EC2 instance actions - it includes VPC and VPN actions for example. So you might benefit from an EC2 Interface Endpoint anyway.

As you say, Interface Endpoints incur costs and they can mount up massively across a lot of VPCs and services. In that case you can share them across VPCs - see https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman . But if you do that, you'll still find you get the Security Hub finding in all accounts other than where the EC2 Interface Endpoint was created, so you'll still need to Suppress!

answered 6 months ago
  • Thank you! I'll suppress the findings in Security Hub, but thanks also for the pointer to your article, which - whether I'll use it or not - provides some very good insight into some VPC intricacies, very helpful!

  • You can suppress or fully disable. If you suppress, you will still incur charges for the findings generated.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions