CloudWiki
Rules
Medium

Connections towards S3 should be via VPC endpoint

Security & Compliance
Description

Connections towards Amazon S3 should be made via VPC endpoint to enhance security and improve network performance. A VPC endpoint enables you to privately access S3 from within your Amazon Virtual Private Cloud (VPC) without using an Internet Gateway or NAT device. This makes the transfer of data more secure, as it does not traverse the public internet, and can also reduce data transfer costs. Additionally, VPC endpoints can help to improve network performance by reducing latency and increasing throughput. Therefore, using VPC endpoints is a best practice when working with S3 within a VPC.

Remediation

To ensure that connections towards Amazon S3 are made via VPC endpoint, you can follow these remediation steps:

  1. Create a VPC endpoint for Amazon S3 within your VPC: This involves creating a VPC endpoint in your VPC that allows your instances to privately access S3 without traversing the public internet.
  2. Update your security groups: Update the security groups associated with your instances to allow traffic to flow to and from the S3 VPC endpoint.
  3. Restrict public internet access: To ensure that all traffic flows through the VPC endpoint, you should restrict access to S3 via the public internet by removing any bucket policies or ACLs that allow public access to your S3 buckets.
  4. Test your configuration: After completing the above steps, test your configuration to ensure that your instances can access S3 through the VPC endpoint without any issues.
  5. Monitor your configuration: Continuously monitor your VPC endpoint and S3 access logs to identify any unauthorized access attempts or unusual activity.

By following these steps, you can ensure that connections towards S3 are made via VPC endpoint, thereby enhancing security and improving network performance.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.