Enabling the EC2 setting ‘VPC Block Public Access’ is an important preventative measure against inadvertent exposure of EC2 instances and other resources within a Virtual Private Cloud (VPC). This setting acts as a centralized control, overriding individual security group or network ACL configurations that might otherwise allow unrestricted public access. By enforcing this boundary, it helps to mitigate the risk of data breaches and unauthorized access stemming from misconfigurations.
For this control to pass, the option ‘Internet gateway block direction’ must be set to `block-bidirectional` or `block-ingress`. Exclusions can be configured as necessary for VPCs or subnets that are required to have public access.
Enforcing this EC2 setting using AWS Organizations declarative policies provides an additional layer of protection, as the setting must be configured centrally from the organization management account or a delegated administrator account.
For guidance on enabling this EC2 setting, refer to the Block public access to VPCs and subnets section of the Amazon Virtual Private Cloud User Guide. For guidance on managing declarative policies, refer to the Declarative policies section of the AWS Organizations User Guide.
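The pass condition described above, as an added Python example (not Datadog's rule implementation or AWS code): it evaluates constructed responses shaped like the EC2 `DescribeVpcBlockPublicAccessOptions` output, one per Region. The function names, the sample account ID and Regions, and the choice to require every Region to pass are assumptions.

```python
import json

# Modes this control accepts for 'Internet gateway block direction'.
PASSING_MODES = {"block-bidirectional", "block-ingress"}

# Constructed sample data: one response per Region, shaped like the output of
# `aws ec2 describe-vpc-block-public-access-options --region <region>`.
SAMPLE_RESPONSES = json.loads("""
[
 {"VpcBlockPublicAccessOptions": {"AwsAccountId": "111122223333",
   "AwsRegion": "us-east-1", "State": "update-complete",
   "InternetGatewayBlockMode": "block-bidirectional",
   "ManagedBy": "declarative-policy"}},
 {"VpcBlockPublicAccessOptions": {"AwsAccountId": "111122223333",
   "AwsRegion": "eu-west-1", "State": "update-complete",
   "InternetGatewayBlockMode": "block-ingress", "ManagedBy": "account"}},
 {"VpcBlockPublicAccessOptions": {"AwsAccountId": "111122223333",
   "AwsRegion": "ap-northeast-2", "State": "default-state",
   "InternetGatewayBlockMode": "off", "ManagedBy": "account"}}
]
""")


def evaluate_region(response):
    """Return a finding dict for one Region's VPC Block Public Access options."""
    opts = response.get("VpcBlockPublicAccessOptions") or {}
    # A missing mode is treated as 'off' so an empty response fails closed.
    mode = opts.get("InternetGatewayBlockMode", "off")
    return {
        "region": opts.get("AwsRegion", "unknown"),
        "mode": mode,
        "passed": mode in PASSING_MODES,
        # True when the setting comes from an AWS Organizations declarative
        # policy rather than being set inside the member account.
        "centrally_enforced": opts.get("ManagedBy") == "declarative-policy",
    }


def evaluate_account(responses):
    """Assumption: the account passes only if every evaluated Region passes."""
    findings = [evaluate_region(r) for r in responses]
    return all(f["passed"] for f in findings), findings


if __name__ == "__main__":
    ok, findings = evaluate_account(SAMPLE_RESPONSES)
    for finding in findings:
        print(finding)
    print("PASS" if ok else "FAIL")
```

A Region that passes with `centrally_enforced` set to false meets the control but lacks the additional layer that a declarative policy provides.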