AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
VPC Endpoint Should Be Enabled For DynamoDB
More Info:
A VPC endpoint for DynamoDB enables Amazon EC2 instances in your VPC to use their private IP addresses to access DynamoDB with no exposure to the public internet. Your EC2 instances do not require public IP addresses, and you do not need an internet gateway, a NAT device, or a virtual private gateway in your VPC.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA
Triage and Remediation
Remediation
To remediate the misconfiguration of VPC Endpoint not being enabled for DynamoDB in AWS, you can follow these steps using the AWS Management Console:
-
Sign in to the AWS Management Console:
- Go to the AWS Management Console (https://aws.amazon.com/console/) and sign in to your AWS account.
-
Navigate to the VPC service:
- In the AWS Management Console, search for “VPC” or locate the VPC service under the “Networking & Content Delivery” section.
-
Create a VPC Endpoint for DynamoDB:
- In the VPC dashboard, click on “Endpoints” in the left-hand menu.
- Click on the “Create Endpoint” button.
- For the service category, select “AWS services”.
- For the service name, select
com.amazonaws.<region>.dynamodb(replace<region>with the AWS region where your DynamoDB table is located). - For the VPC, select the VPC where your resources that need to access DynamoDB are located.
- Select the route table associated with your VPC.
- Choose whether to enable DNS name resolution for the endpoint.
- Click on the “Create endpoint” button.
-
Update Security Group Rules (if necessary):
- If your resources are in a different security group than the DynamoDB endpoint, ensure that the security group rules allow traffic between the two.
-
Verify the Endpoint Configuration:
- Once the endpoint is created, verify that it is in the “available” state.
-
Update the Route Tables (if necessary):
- If the route tables in your VPC are not updated automatically, you may need to add a route to the DynamoDB VPC endpoint in the route tables associated with your subnets.
By following these steps, you will successfully enable a VPC Endpoint for DynamoDB in your AWS environment, ensuring secure and private communication between your VPC resources and DynamoDB.
To remediate the misconfiguration of not having a VPC Endpoint enabled for DynamoDB in AWS using AWS CLI, you can follow these steps:
-
Create a VPC Endpoint for DynamoDB:
Run the following AWS CLI command to create a VPC endpoint for DynamoDB in your VPC. Replace the placeholders
<vpc-id>with your VPC ID and<region>with the AWS region where your VPC is located.aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name com.amazonaws.<region>.dynamodb -
Enable DNS Support and DNS Hostnames for the VPC:
Ensure that your VPC has DNS support and DNS hostnames enabled. Run the following AWS CLI commands to enable them:
aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-support aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-hostnames -
Update Route Tables:
Update the route tables associated with your VPC to route traffic to the DynamoDB VPC endpoint. Run the following AWS CLI command to get the route table IDs associated with your VPC:
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>" --query "RouteTables[].RouteTableId" --output textFor each route table ID obtained from the above command, run the following AWS CLI command to add a route to the DynamoDB VPC endpoint:
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id <vpc-endpoint-id> -
Verify the Configuration:
You can verify that the VPC endpoint for DynamoDB is successfully created and associated with your VPC by running the following AWS CLI command:
aws ec2 describe-vpc-endpoints --filters "Name=vpc-id,Values=<vpc-id>" --query "VpcEndpoints[?ServiceName=='com.amazonaws.<region>.dynamodb']"
By following the above steps and executing the respective AWS CLI commands, you can successfully remediate the misconfiguration of not having a VPC Endpoint enabled for DynamoDB in AWS.
To remediate the misconfiguration of not having a VPC Endpoint enabled for DynamoDB in AWS using Python, you can follow these steps:
- Import the necessary libraries:
import boto3
- Create a boto3 client for EC2 and DynamoDB:
ec2_client = boto3.client('ec2')
dynamodb_client = boto3.client('dynamodb')
- Get the VPC ID where your DynamoDB table is located:
response = dynamodb_client.describe_table(TableName='YOUR_TABLE_NAME')
vpc_id = response['Table']['TableArn'].split(':')[5]
- Create a VPC endpoint for DynamoDB:
response = ec2_client.create_vpc_endpoint(
VpcId=vpc_id,
ServiceName='com.amazonaws.REGION.dynamodb',
RouteTableIds=['YOUR_ROUTE_TABLE_ID'],
PolicyDocument='{"Statement":[{"Action":"*","Effect":"Allow","Resource":"*","Principal":"*"}]}',
SecurityGroupIds=['YOUR_SECURITY_GROUP_ID']
)
Replace REGION, YOUR_TABLE_NAME, YOUR_ROUTE_TABLE_ID, and YOUR_SECURITY_GROUP_ID with your actual values.
- Verify that the VPC endpoint is created successfully:
endpoint_id = response['VpcEndpoint']['VpcEndpointId']
print(f'VPC endpoint {endpoint_id} created successfully for DynamoDB')
By following these steps and executing the Python script, you will be able to remediate the misconfiguration of not having a VPC Endpoint enabled for DynamoDB in AWS.