VPC endpoints ensure private connectivity for all Bedrock APIs

bedrock_vpc_endpoints_configured

Severity: medium
Service: bedrock
by Prowler

Amazon VPCs are evaluated for interface VPC endpoints to all Bedrock services: bedrock, bedrock-runtime, bedrock-agent, bedrock-agent-runtime, and bedrock-mantle (OpenAI-compatible API). Only endpoints in available state are considered. Their presence indicates private Bedrock API connectivity over AWS PrivateLink within the VPC.

Risk

Without private Bedrock endpoints, control plane and runtime API traffic leaves the VPC through an internet gateway (IGW) or NAT gateway. This expands exposure to network path threats (e.g., DNS hijack, MITM), weakens egress isolation, and adds an internet dependency for Bedrock API access, reducing availability if the NAT or edge path fails.
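The evaluation described above, written out as an added example that is not Prowler's own check code: it takes VPC endpoint descriptions in the shape returned by EC2 DescribeVpcEndpoints, counts only Interface endpoints in the available state, and reports which of the five Bedrock services each VPC still lacks. The VPC ids, endpoint records and region below are constructed sample data; in practice the list would come from a boto3 `describe_vpc_endpoints` call.

```python
"""Detection logic modelled on bedrock_vpc_endpoints_configured (added example).

Runs offline on the constructed sample below; the record shape mirrors
EC2 DescribeVpcEndpoints so a real boto3 result can be dropped in.
"""

# The five Bedrock services the check expects a private path for.
REQUIRED_BEDROCK_SERVICES = (
    "bedrock",
    "bedrock-runtime",
    "bedrock-agent",
    "bedrock-agent-runtime",
    "bedrock-mantle",
)


def required_service_names(region):
    """Map full endpoint service names (com.amazonaws.<region>.<svc>) to short names."""
    return {f"com.amazonaws.{region}.{svc}": svc for svc in REQUIRED_BEDROCK_SERVICES}


def covered_services(endpoints, vpc_id, region):
    """Bedrock services that vpc_id reaches through an *available* Interface endpoint.

    Pending, deleting or failed endpoints and Gateway endpoints are ignored,
    matching the check's 'only endpoints in available state' rule.
    """
    wanted = required_service_names(region)
    found = set()
    for ep in endpoints:
        if ep.get("VpcId") != vpc_id:
            continue
        if ep.get("VpcEndpointType") != "Interface":
            continue
        if ep.get("State") != "available":
            continue
        short = wanted.get(ep.get("ServiceName"))
        if short:
            found.add(short)
    return found


def missing_bedrock_endpoints(vpc_ids, endpoints, region):
    """Per VPC, the sorted list of Bedrock services with no usable endpoint.

    An empty list means the VPC passes; anything else is a finding.
    """
    return {
        vpc: sorted(set(REQUIRED_BEDROCK_SERVICES) - covered_services(endpoints, vpc, region))
        for vpc in vpc_ids
    }


# Constructed sample: vpc-0aaa has all five, vpc-0bbb has one usable endpoint,
# one still pending (not counted) and an unrelated S3 gateway endpoint.
SAMPLE_REGION = "us-east-1"
SAMPLE_VPCS = ["vpc-0aaa", "vpc-0bbb"]
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0aaa", "ServiceName": f"com.amazonaws.{SAMPLE_REGION}.{svc}",
     "VpcEndpointType": "Interface", "State": "available"}
    for svc in REQUIRED_BEDROCK_SERVICES
] + [
    {"VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.us-east-1.bedrock-runtime",
     "VpcEndpointType": "Interface", "State": "available"},
    {"VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.us-east-1.bedrock",
     "VpcEndpointType": "Interface", "State": "pending"},
    {"VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
]


if __name__ == "__main__":
    for vpc, missing in missing_bedrock_endpoints(SAMPLE_VPCS, SAMPLE_ENDPOINTS, SAMPLE_REGION).items():
        status = "PASS" if not missing else "FAIL (missing: " + ", ".join(missing) + ")"
        print(f"{vpc}: {status}")
```

Because only the available state counts, an endpoint that was created but never finished provisioning still leaves the VPC failing, which is the right signal: traffic for that service is still taking the public path.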

Run this check with Prowler CLI

prowler aws --checks bedrock_vpc_endpoints_configured

Recommendation

Use interface VPC endpoints for all Bedrock services (bedrock, bedrock-runtime, bedrock-agent, bedrock-agent-runtime, bedrock-mantle) in each VPC that requires Bedrock API access.

  • Enable private DNS to keep calls on the AWS network
  • Apply restrictive endpoint policies (least privilege)
  • Reduce reliance on public egress and layer controls for defense in depth
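The recommendation's first two bullets (private DNS on, least-privilege endpoint policy) turned into code, as an added example that is not Prowler's or AWS's own: it builds the `create_vpc_endpoint` request for one Bedrock service with private DNS enabled and a policy scoped to same-account principals and model invocation only, and it flags the wide-open default endpoint policy. The account id, VPC, subnet and security group ids, and the choice of restricting by `aws:PrincipalAccount` are assumptions for illustration.

```python
"""Private-DNS, least-privilege Bedrock endpoint request (added example)."""
import json

# AWS's default endpoint policy: any principal, any action, any resource.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [{"Action": "*", "Effect": "Allow", "Principal": "*", "Resource": "*"}]
}


def restrictive_endpoint_policy(account_id, actions, resources):
    """Allow only listed actions/resources, and only for principals in account_id.

    Endpoint policies cannot name principals from other accounts away entirely,
    so the aws:PrincipalAccount condition is the usual way to pin the caller's
    account (assumption: same-account use is the intended scope).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOwnAccountBedrockOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_is_wide_open(policy):
    """True when an Allow statement gives Principal '*' an unconditioned
    Action '*' or Resource '*' (the shape of the default policy)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if st.get("Condition"):
            continue
        if "*" in _as_list(st.get("Action")) or "*" in _as_list(st.get("Resource")):
            return True
    return False


def private_endpoint_request(vpc_id, region, service, subnet_ids, security_group_ids, policy):
    """Keyword arguments for boto3 ec2.create_vpc_endpoint (all real parameter names)."""
    if policy_is_wide_open(policy):
        raise ValueError("refusing to create an endpoint with a wide-open policy")
    return {
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.{service}",
        "VpcEndpointType": "Interface",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,   # keeps bedrock-runtime.<region>.amazonaws.com resolving to the endpoint ENIs
        "PolicyDocument": json.dumps(policy),
    }


# Constructed placeholder values.
EXAMPLE_POLICY = restrictive_endpoint_policy(
    "123456789012",
    ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
    ["arn:aws:bedrock:us-east-1::foundation-model/*"],
)
EXAMPLE_REQUEST = private_endpoint_request(
    "vpc-0aaa", "us-east-1", "bedrock-runtime", ["subnet-0111"], ["sg-0222"], EXAMPLE_POLICY
)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_REQUEST, indent=2))
    # To apply: boto3.client("ec2", region_name="us-east-1").create_vpc_endpoint(**EXAMPLE_REQUEST)
```

The security group attached to the endpoint ENIs is the third bullet's "layered control": with private DNS on, only sources that the group admits can reach the Bedrock hostname at all, so egress rules on the NAT path can stay closed for these services.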

Remediation

CLI

aws ec2 create-vpc-endpoint --vpc-id <VPC_ID> --service-name com.amazonaws.<REGION>.bedrock-runtime --vpc-endpoint-type Interface --subnet-ids <SUBNET_ID> && \
aws ec2 create-vpc-endpoint --vpc-id <VPC_ID> --service-name com.amazonaws.<REGION>.bedrock --vpc-endpoint-type Interface --subnet-ids <SUBNET_ID> && \
aws ec2 create-vpc-endpoint --vpc-id <VPC_ID> --service-name com.amazonaws.<REGION>.bedrock-agent --vpc-endpoint-type Interface --subnet-ids <SUBNET_ID> && \
aws ec2 create-vpc-endpoint --vpc-id <VPC_ID> --service-name com.amazonaws.<REGION>.bedrock-agent-runtime --vpc-endpoint-type Interface --subnet-ids <SUBNET_ID> && \
aws ec2 create-vpc-endpoint --vpc-id <VPC_ID> --service-name com.amazonaws.<REGION>.bedrock-mantle --vpc-endpoint-type Interface --subnet-ids <SUBNET_ID>

Other
  1. In the AWS console, go to VPC > Endpoints
  2. Click Create endpoint
  3. For Service category, choose AWS services and select com.amazonaws.<region>.bedrock
  4. Select your VPC and at least one subnet
  5. Click Create endpoint
  6. Repeat steps 2-5 for com.amazonaws.<region>.bedrock-runtime, com.amazonaws.<region>.bedrock-agent, com.amazonaws.<region>.bedrock-agent-runtime, and com.amazonaws.<region>.bedrock-mantle

Resource Type

AwsEc2VpcEndpointService

Related To

  • vpc_endpoint_for_ec2_enabled