This check assesses each VPC endpoint service's allowed principals, comparing every entry against a configured set of trusted account IDs and flagging any principal outside that set, as well as any wildcard (*) present in the allowlist.
Risk
Untrusted or wildcard principals can create PrivateLink connections to your service, eroding segmentation. This enables unauthorized data access (confidentiality), abuse of internal APIs (integrity), and excess load on backends (availability).
prowler aws --checks vpc_endpoint_services_allowed_principals_trust_boundaries
Recommendation
Apply least privilege: restrict allowed principals to vetted account IDs and avoid the wildcard (*). Maintain a central trust registry, enforce separation of duties with approval workflows, and review entries regularly. Use defense in depth with strong service authentication and continuous configuration monitoring.
Remediation
- Open the AWS VPC console and go to Endpoint services
- Select the endpoint service (<example_resource_id>)
- Open the Allowed principals tab and click Edit allowed principals
- Remove all entries that are not trusted, including any wildcard (*)
- Optionally leave the list empty (no principals) or keep only trusted account IDs/ARNs
- Save changes
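The following added example (not Prowler's own code) reproduces the evaluation the check description above performs and turns each failing result into the removal set the remediation steps call for. The trust registry, service IDs and principal ARNs are constructed sample data; the assumption that an empty allowlist passes follows the remediation note that the list may be left empty. The remediation helper only builds the arguments for a ModifyVpcEndpointServicePermissions call and does not contact AWS, so the block runs offline.

```python
"""Added example (not Prowler's own code): evaluate endpoint-service allowlists
against a trust registry and plan removal of untrusted principals."""
import re
from dataclasses import dataclass, field

# Principal formats accepted on an endpoint-service allowlist:
#   "*"                                  -> any AWS account (wildcard)
#   "arn:aws:iam::123456789012:root"     -> a whole account
#   "arn:aws:iam::123456789012:role/X"   -> one role or user in an account
# The partition segment also covers aws-cn and aws-us-gov.
ACCOUNT_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):(root|user/.+|role/.+)$"
)


@dataclass
class Finding:
    service_id: str
    status: str                                  # "PASS" or "FAIL"
    untrusted: list = field(default_factory=list)  # principals to remove
    reasons: list = field(default_factory=list)


def principal_account(principal: str):
    """Return the 12-digit account ID behind a principal, or None for '*'
    and for any form the regex does not recognise."""
    if principal == "*":
        return None
    m = ACCOUNT_ARN_RE.match(principal)
    return m.group(1) if m else None


def evaluate_service(service_id, allowed_principals, trusted_accounts):
    """Classify every allowed principal against the trusted-account set.
    An empty allowlist passes (assumption: nobody can connect). A wildcard,
    an unrecognised entry, or any principal whose account is outside the
    trusted set makes the service FAIL."""
    finding = Finding(service_id=service_id, status="PASS")
    for p in allowed_principals:
        if p == "*":
            finding.untrusted.append(p)
            finding.reasons.append("wildcard principal allows any AWS account")
            continue
        account = principal_account(p)
        if account is None:
            finding.untrusted.append(p)
            finding.reasons.append(f"unrecognised principal format: {p}")
        elif account not in trusted_accounts:
            finding.untrusted.append(p)
            finding.reasons.append(f"account {account} is not in the trust registry")
    if finding.untrusted:
        finding.status = "FAIL"
    return finding


def remediation_request(finding):
    """Build the keyword arguments for
    ec2.modify_vpc_endpoint_service_permissions(**args) that remove only the
    untrusted entries and keep trusted principals in place. Returns None when
    the service already passes."""
    if not finding.untrusted:
        return None
    return {
        "ServiceId": finding.service_id,
        "RemoveAllowedPrincipals": list(finding.untrusted),
    }


# Constructed sample input: fake account IDs and service IDs.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
SAMPLE_SERVICES = {
    "vpce-svc-0example0001": ["arn:aws:iam::111111111111:root"],
    "vpce-svc-0example0002": ["arn:aws:iam::111111111111:root", "*"],
    "vpce-svc-0example0003": [
        "arn:aws:iam::333333333333:role/Partner",
        "arn:aws:iam::222222222222:user/ci",
    ],
    "vpce-svc-0example0004": [],
}


def run_check(services=SAMPLE_SERVICES, trusted=TRUSTED_ACCOUNTS):
    """Evaluate every service and return findings keyed by service ID."""
    return {sid: evaluate_service(sid, allowed, trusted) for sid, allowed in services.items()}


if __name__ == "__main__":
    for sid, f in run_check().items():
        print(f"{f.status} {sid}: {'; '.join(f.reasons) or 'all principals trusted'}")
        req = remediation_request(f)
        if req:
            print("  remediation:", req)
```

Running the block prints one line per sample service; the two failing services also print the removal request. Keeping evaluation and remediation as separate functions lets the removal set be reviewed (and approved, per the recommendation above) before anything is applied.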
Resource Type
AwsEc2VpcEndpointService