Does your VPC endpoint allow access to half of the Internet?

Andreas Wittig – 22 Feb 2021

Are you using VPC endpoints to enable private connections between your VPC and AWS services? Drop everything and check the policy attached to your VPC Endpoint for S3. You might have allowed access to half of the Internet - assuming that half of the Internet is hosted on S3 - from your private network accidentally.

Does your VPC endpoint allow access to half of the Internet?

The Problem

By default, a VPC endpoint for S3 allows access to all S3 buckets. So an EC2 instance running in your VPC has access to all S3 buckets worldwide. Not only the S3 buckets you own but also the S3 buckets owned by other AWS customers. For example, anyone with access to your VPC could copy data from your systems to S3 buckets owned by someone else. Of course, the other way round - downloading data from S3 aka. half of the Internet - is possible as well.

A VPC endpoint allows access to any S3 bucket by default.

S3 Security Guide

Protect your S3 buckets!

Follow four simple rules to avoid data leaking from S3. Download our S3 Security Guide!

The Solution

By attaching an endpoint policy to your VPC endpoint for S3, you can restrict the usage of the endpoint to certain S3 buckets. I came up with the following endpoint policy recently, which allows access to all S3 buckets owned by your AWS account. In my opinion, a good tradeoff limiting access and configuration overhead.

Make sure to replace 111111111111 with your AWS account ID.

{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ResourceAccount": "111111111111"
}
}
}
]
}

Warning: In case you need to access S3 buckets from your VPC that you do not own, you need to extend the endpoint policy. That’s example the case for S3 buckets offered by AWS.

That’s it. Don’t forget, details are important!

Tags: aws vpc security s3
Andreas Wittig

Andreas Wittig

I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Michael.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

Feedback? Questions? Drop me a line: Email, Twitter, LinkedIn.

Briefcase icon
Hire me