How do I confirm a route table is using a network firewall, as opposed to just showing it's using a VPC endpoint?

0

I'm writing a custom Config rule to determine if there's a network firewall in the VPC. In order to confirm it's being used, I was informed I needed to check the route tables.

There's one issue I'm having. When I make a describe_route_tables call it returns the Routes, and in the routes it has `"GatewayId": "vpce-<number>"`. The vpce-<number> is my network firewall attached as a VPC endpoint in the route table, indicating that the route is going to my VPC endpoint/network firewall, which is good.

However, it doesn't actually indicate this is a network firewall. If the Config rule checks and confirms there's a network firewall in the VPC, and then goes on to check that the network firewall is being used, this could potentially return a false positive in the case where a Network Firewall is attached to the VPC and there's another endpoint that is NOT a network firewall that also has the prefix vpce.

Is there a way to identify the vpce (network firewall) by the actual ENI, as opposed to the gateway ID? I was thinking I could call describe_vpc_endpoints, return the VPC endpoint ID and see if that matches the gateway ID. I'm not sure if this is an option.

Does anyone have any solutions in mind for this problem?

1 Answer
0

Just realized there's an attribute for "VpcEndpointId" in the describe-vpc-endpoints call.

This may be able to solve my issue. I will test this first.

Answered 1 year ago
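An added example (not code from the question or the answer) of the cross-check being discussed: instead of trusting any `vpce-` prefix in a route's `GatewayId`, take the endpoint IDs that the firewall itself reports via the Network Firewall `describe_firewall` response (`FirewallStatus.SyncStates[<az>].Attachment.EndpointId`) and match the route targets against that set, so a non-firewall endpoint in the same VPC is not counted. The response shapes follow those of boto3 `ec2.describe_route_tables` and `network-firewall describe_firewall`; the data below is constructed sample data, not live API output.

```python
# Added example: flag which vpce- route targets are genuine Network Firewall
# endpoints. Sample dicts are constructed; they mimic boto3 response shapes.

def firewall_endpoint_ids(describe_firewall_resp):
    """Endpoint IDs the firewall reports for each AZ it is deployed in."""
    sync_states = describe_firewall_resp["FirewallStatus"]["SyncStates"]
    return {s["Attachment"]["EndpointId"] for s in sync_states.values()
            if "EndpointId" in s.get("Attachment", {})}

def classify_routes(route_tables, fw_endpoints):
    """Return {route_table_id: [(destination, gateway_id, is_firewall), ...]}
    for every route whose target starts with vpce-. is_firewall is False
    for an endpoint that merely looks like one (the false-positive case)."""
    out = {}
    for rt in route_tables["RouteTables"]:
        hits = []
        for r in rt.get("Routes", []):
            gw = r.get("GatewayId", "")
            if gw.startswith("vpce-"):
                dest = r.get("DestinationCidrBlock") or r.get("DestinationPrefixListId")
                hits.append((dest, gw, gw in fw_endpoints))
        if hits:
            out[rt["RouteTableId"]] = hits
    return out

# Constructed sample data (IDs are placeholders, not real resources).
FIREWALL = {"FirewallStatus": {"SyncStates": {
    "us-east-1a": {"Attachment": {"SubnetId": "subnet-aaa",
                                  "EndpointId": "vpce-0fw1111", "Status": "READY"}},
    "us-east-1b": {"Attachment": {"SubnetId": "subnet-bbb",
                                  "EndpointId": "vpce-0fw2222", "Status": "READY"}},
}}}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-protected", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0fw1111"}]},
    {"RouteTableId": "rtb-other", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        # A gateway endpoint (e.g. S3) also shows up as a vpce- GatewayId.
        {"DestinationPrefixListId": "pl-constructed", "GatewayId": "vpce-0s3gw"}]},
]}

def evaluate():
    """Compliant only if at least one route really targets a firewall endpoint."""
    result = classify_routes(ROUTE_TABLES, firewall_endpoint_ids(FIREWALL))
    compliant = any(is_fw for hits in result.values() for _, _, is_fw in hits)
    return result, compliant

if __name__ == "__main__":
    print(evaluate())
```

In a real Config rule the two dicts would come from the live `describe_route_tables` and `describe_firewall` calls for the VPC being evaluated; the matching logic stays the same.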
