VPC interface endpoints are evaluated for whether their endpoint network interfaces are placed in multiple subnets, which implies distribution across different Availability Zones (AZs). Interface endpoints present in only one subnet are flagged.
Risk
A single-subnet endpoint creates a single-AZ dependency. An AZ outage or routing issue can cut access to the service, reducing availability. Workloads may revert to public endpoints, exposing traffic to the Internet and risking confidentiality through interception or tampering.
prowler aws --checks vpc_endpoint_multi_az_enabled
Recommendation
Place interface endpoints in multiple subnets across distinct AZs to remove single-AZ reliance. Prefer zone-local routing so clients use the nearest endpoint, and combine it with private DNS and restrictive security groups to limit exposure, supporting defense in depth and resilient connectivity.
Remediation
aws ec2 modify-vpc-endpoint --vpc-endpoint-id <example_resource_id> --add-subnet-ids <example_subnet_id_2>
- Open the AWS VPC console and go to Endpoints
- Select the interface endpoint
- Click Actions > Manage subnets
- Select an additional subnet in a different Availability Zone
- Click Modify subnets to save
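The evaluation described at the top of this page and the remediation command above, combined into one added example. This is not Prowler's own check code: it works on constructed records shaped like the `VpcEndpointId`/`VpcEndpointType`/`SubnetIds` fields of `aws ec2 describe-vpc-endpoints` and the `SubnetId`/`AvailabilityZone` fields of `aws ec2 describe-subnets`, resolves each endpoint's subnets to AZs (going one step beyond counting subnets, so that two subnets in the same AZ still fail), and for each failing interface endpoint proposes a subnet in an uncovered AZ together with the `modify-vpc-endpoint` command to add it. All resource IDs are made up.

```python
"""Added example (not Prowler's code): flag single-AZ VPC interface endpoints
and build the remediation command for each one."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data mimicking the relevant fields of the AWS API responses.
SAMPLE_VPC = "vpc-0123456789abcdef0"
SAMPLE_ENDPOINTS = [
    # one subnet -> single-AZ dependency
    {"VpcEndpointId": "vpce-0000000000000001", "VpcEndpointType": "Interface",
     "VpcId": SAMPLE_VPC, "SubnetIds": ["subnet-aaa1"]},
    # two subnets in two AZs -> resilient
    {"VpcEndpointId": "vpce-0000000000000002", "VpcEndpointType": "Interface",
     "VpcId": SAMPLE_VPC, "SubnetIds": ["subnet-aaa1", "subnet-bbb1"]},
    # two subnets, but both in the same AZ -> still single-AZ
    {"VpcEndpointId": "vpce-0000000000000003", "VpcEndpointType": "Interface",
     "VpcId": SAMPLE_VPC, "SubnetIds": ["subnet-aaa1", "subnet-aaa2"]},
    # gateway endpoints have no ENIs/subnets and are out of scope for this check
    {"VpcEndpointId": "vpce-0000000000000004", "VpcEndpointType": "Gateway",
     "VpcId": SAMPLE_VPC, "SubnetIds": []},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-aaa1", "VpcId": SAMPLE_VPC, "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-aaa2", "VpcId": SAMPLE_VPC, "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-bbb1", "VpcId": SAMPLE_VPC, "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-ccc1", "VpcId": SAMPLE_VPC, "AvailabilityZone": "us-east-1c"},
]


@dataclass
class Finding:
    endpoint_id: str
    status: str                       # "PASS" or "FAIL"
    zones: List[str] = field(default_factory=list)
    remediation: Optional[str] = None  # aws cli command for FAIL findings


def evaluate_endpoints(endpoints: List[Dict], subnets: List[Dict]) -> List[Finding]:
    """Return one Finding per interface endpoint; FAIL when all ENIs sit in one AZ."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    findings: List[Finding] = []
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Interface":
            continue  # Gateway / GatewayLoadBalancer endpoints are not evaluated
        zones = sorted({az_of[s] for s in ep.get("SubnetIds", []) if s in az_of})
        if len(zones) > 1:
            findings.append(Finding(ep["VpcEndpointId"], "PASS", zones))
            continue
        # Pick a subnet in the same VPC whose AZ the endpoint does not cover yet;
        # sort for a deterministic choice (lowest AZ name, then subnet id).
        candidates = sorted(
            (s for s in subnets
             if s["VpcId"] == ep["VpcId"] and s["AvailabilityZone"] not in zones),
            key=lambda s: (s["AvailabilityZone"], s["SubnetId"]),
        )
        cmd = None
        if candidates:
            cmd = (f"aws ec2 modify-vpc-endpoint --vpc-endpoint-id {ep['VpcEndpointId']} "
                   f"--add-subnet-ids {candidates[0]['SubnetId']}")
        findings.append(Finding(ep["VpcEndpointId"], "FAIL", zones, cmd))
    return findings


if __name__ == "__main__":
    for f in evaluate_endpoints(SAMPLE_ENDPOINTS, SAMPLE_SUBNETS):
        print(f.status, f.endpoint_id, ",".join(f.zones) or "-", f.remediation or "")
```

Against a real account the two lists would come from `describe_vpc_endpoints` and `describe_subnets` (for example via boto3); the produced command is only a proposal, so review the chosen subnet's routing and security-group exposure before applying it.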
Resource Type
AwsEc2VpcEndpointService