
[BUG][OTHER] ASEA VPC Endpoints not protected #1234

@CatherineRobitaille-qc

Description

  • Accelerator Version: v1.5.10
  • Install Type: Upgrade
  • Upgrade from version: 1.2.6
  • Which State did the Main State Machine Fail in: N/A

Endpoints do not have the accelerator tags as expected. They are not protected.
In the PBMMAccel-Guardrails-Part-1 SCP, these are supposed to be protected by tag in section NET1. Only the action "ec2:DeleteVpcEndpoints" is protected; it's possible to modify the VPC Endpoint without an elevated role with the prefix (PBMM or ASEA depending on the environment).

SCP segment
SCP with the deny on Endpoint: PBMMAccel-Guardrails-Part-1
Section NET1 in our SCP:
{
  "Sid": "NET1",
  "Effect": "Deny",
  "Action": [
    "ec2:DeleteNatGateway",
    "ec2:DeleteTransitGatewayRoute",
    "ec2:DeleteTransitGatewayRouteTable",
    "ec2:DeleteTransitGatewayVpcAttachment",
    "ec2:DeleteVpc",
    "ec2:DeleteVpcEndpoints",
    "ec2:DeleteVpcPeering*",
    "ec2:DeleteVpnConnection",
    "ec2:DeleteVpnG*",
    "ec2:DetachVpnG*",
    "ec2:DeleteCustomerGateway",
    "ec2:DeleteDhcpOptions",
    "ec2:DeleteInternetGateway",
    "ec2:DeleteRouteTable",
    "ec2:DeleteSubnet",
    "ec2:DeleteRoute",
    "ec2:DetachInternetGateway",
    "ec2:DisassociateRouteTable"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "ec2:ResourceTag/Accelerator": "PBMM"
    },
    "ArnNotLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::*:role/PBMMAccel-*",
        "arn:aws:iam::*:role/PBMMOps-*",
        "arn:aws:iam::*:role/*/AWSReservedSSO_PBMMOps-*"
      ]
    }
  }
},

Steps To Reproduce

  1. Go into the network account. In the VPC service, go to Endpoints. Check the tag section for any endpoint: there is no accelerator tag.
    For a VPC Spoke, go into the workload account with the VPC Spoke. See the Endpoints (for S3 and DynamoDB) in the VPC service. Check the tag section for any endpoint: there is no accelerator tag.
  2. Modify the VPC Endpoint. Example: adding or removing a tag without any elevated role works.

Expected behavior
The accelerator tag should be added to the VPC Endpoints.
The action to modify the VPC Endpoint should be blocked in the SCP.
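As an added illustration (not code from the issue or from the ASEA project), the following script models the NET1 Deny statement quoted above and shows the two gaps the report describes: an endpoint carrying no Accelerator tag can never satisfy the ec2:ResourceTag condition, so the Deny never applies to it, and only the listed actions are denied, so ec2:ModifyVpcEndpoint and tag changes pass. The "hardened" statement that also denies ec2:ModifyVpcEndpoint, ec2:CreateTags and ec2:DeleteTags is an assumed fix, not the project's; the endpoint data, the ca-central-1 service names, the account id and the role names are constructed sample values. Only the condition operators NET1 uses (StringEquals, ArnNotLike) are implemented.

```python
# Added example for this issue; not code from the ASEA project or the reporter.
from fnmatch import fnmatchcase

# Principal patterns from the quoted NET1 statement (exempt accelerator roles).
ACCELERATOR_PRINCIPALS = [
    "arn:aws:iam::*:role/PBMMAccel-*",
    "arn:aws:iam::*:role/PBMMOps-*",
    "arn:aws:iam::*:role/*/AWSReservedSSO_PBMMOps-*",
]


def deny_statement(actions):
    """Build a NET1-shaped Deny: applies only to resources tagged
    Accelerator=PBMM and only to principals outside the accelerator roles."""
    return {
        "Sid": "NET1",
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {
            "StringEquals": {"ec2:ResourceTag/Accelerator": "PBMM"},
            "ArnNotLike": {"aws:PrincipalArn": ACCELERATOR_PRINCIPALS},
        },
    }


# Action list copied from the NET1 segment in the issue.
NET1 = deny_statement([
    "ec2:DeleteNatGateway", "ec2:DeleteTransitGatewayRoute",
    "ec2:DeleteTransitGatewayRouteTable", "ec2:DeleteTransitGatewayVpcAttachment",
    "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcPeering*",
    "ec2:DeleteVpnConnection", "ec2:DeleteVpnG*", "ec2:DetachVpnG*",
    "ec2:DeleteCustomerGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteInternetGateway",
    "ec2:DeleteRouteTable", "ec2:DeleteSubnet", "ec2:DeleteRoute",
    "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable",
])

# Assumed hardened variant (this example's suggestion, not the project's fix):
# also deny modifying the endpoint and changing its tags. These three are real
# EC2 actions; the tag still has to be present for the Deny to match.
HARDENED = deny_statement(
    NET1["Action"] + ["ec2:ModifyVpcEndpoint", "ec2:CreateTags", "ec2:DeleteTags"]
)


def is_denied(statement, action, resource_tags, principal_arn):
    """Return True if this single Deny statement matches the request."""
    if not any(fnmatchcase(action, p) for p in statement["Action"]):
        return False  # action not listed: statement is silent
    cond = statement["Condition"]
    for key, wanted in cond.get("StringEquals", {}).items():
        tag_key = key.split("/", 1)[1]  # "ec2:ResourceTag/Accelerator" -> "Accelerator"
        # An absent tag key never equals the wanted value, so untagged
        # resources fall outside the Deny entirely.
        if resource_tags.get(tag_key) != wanted:
            return False
    for _key, patterns in cond.get("ArnNotLike", {}).items():
        if any(fnmatchcase(principal_arn, p) for p in patterns):
            return False  # accelerator role: exempt from the Deny
    return True


def untagged_endpoints(describe_output, tag_key="Accelerator"):
    """Given describe_vpc_endpoints()-shaped output, list endpoint IDs lacking the tag."""
    missing = []
    for ep in describe_output.get("VpcEndpoints", []):
        tags = {t["Key"]: t["Value"] for t in ep.get("Tags", [])}
        if tag_key not in tags:
            missing.append(ep["VpcEndpointId"])
    return missing


# Constructed sample: one tagged interface endpoint, one untagged S3 gateway endpoint.
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa000000000001",
     "ServiceName": "com.amazonaws.ca-central-1.ec2",
     "Tags": [{"Key": "Accelerator", "Value": "PBMM"}]},
    {"VpcEndpointId": "vpce-0bbb000000000002",
     "ServiceName": "com.amazonaws.ca-central-1.s3", "Tags": []},
]}

if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed non-accelerator principal
    tagged = {"Accelerator": "PBMM"}
    print("endpoints missing the tag:", untagged_endpoints(SAMPLE_ENDPOINTS))
    print("NET1 denies delete, tagged:", is_denied(NET1, "ec2:DeleteVpcEndpoints", tagged, dev))
    print("NET1 denies delete, untagged:", is_denied(NET1, "ec2:DeleteVpcEndpoints", {}, dev))
    print("NET1 denies modify, tagged:", is_denied(NET1, "ec2:ModifyVpcEndpoint", tagged, dev))
    print("HARDENED denies modify, tagged:", is_denied(HARDENED, "ec2:ModifyVpcEndpoint", tagged, dev))
```

Running it reports the untagged gateway endpoint and shows that NET1 denies deletion only when the tag is present and never denies ec2:ModifyVpcEndpoint, while the hardened statement does, so both halves of the fix (tag every endpoint, extend the action list) are needed together.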
