AWS Security Hub · EC2
EC2.10: EC2 API traffic leaves the VPC over the internet
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EC2.10 check?
EC2.10 fails for any VPC that hosts EC2 resources but has no interface endpoint for com.amazonaws.<region>.ec2. It checks only for the existence of at least one EC2 service endpoint — it does not verify Private DNS, endpoint policy, or multi-AZ placement.
Why does EC2.10 matter?
Without the endpoint, every SDK call to the EC2 API from a private subnet — autoscalers, tagging Lambdas, drift detection — hairpins out through the NAT Gateway, over the public internet, and back. That is NAT data-processing charges at $0.045/GB plus added latency, and an unnecessary internet path for control-plane traffic that AWS will happily serve privately. PCI DSS and FedRAMP expect managed-service traffic to stay on the private network where feasible.
How do I fix EC2.10?
- Identify VPCs hosting EC2 workloads with no EC2 interface endpoint, prioritising the ones with the highest NAT Gateway data-processing bills.
- Create the interface endpoint across at least two AZs with --private-dns-enabled so existing code transparently uses it.
- Add the Systems Manager trio (ssm, ssmmessages, ec2messages) in the same pass, since EC2 workloads almost always need them too.
- Attach a least-privilege endpoint policy (typically ec2:Describe* and ec2:CreateTags only) and add a Config check so new VPCs get the endpoint at build time.
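The four steps above as one script. This is an added example, not Emnode's remediation script; it assumes REGION, VPC_ID, SUBNET_IDS (two subnets in different AZs) and SG_ID (a security group that allows 443 from the VPC CIDR) are supplied via the environment, and the EC2_10_APPLY guard is a convention of this example so that sourcing the file never touches an account.

```shell
#!/usr/bin/env bash
# Added example: create the com.amazonaws.<region>.ec2 interface endpoint that EC2.10
# looks for, plus the Systems Manager trio, with Private DNS and a narrow endpoint policy.
# Assumed environment: REGION, VPC_ID, SUBNET_IDS (space-separated, >= 2 AZs), SG_ID.
set -eu

# Step 4: least-privilege endpoint policy; only Describe* and CreateTags pass through.
ec2_endpoint_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["ec2:Describe*", "ec2:CreateTags"],
    "Resource": "*"
  }]
}
EOF
}

# Steps 2 and 3: the EC2 endpoint the control checks for, plus ssm/ssmmessages/ec2messages.
endpoint_services() {
  region="$1"
  for svc in ec2 ssm ssmmessages ec2messages; do
    printf 'com.amazonaws.%s.%s\n' "$region" "$svc"
  done
}

# Only the ec2 endpoint gets the narrow policy. The SSM endpoints keep a full-access
# policy (the same as AWS's default) because the SSM agent needs more than Describe*.
policy_for_service() {
  case "$1" in
    *.ec2) ec2_endpoint_policy ;;
    *)     printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}' ;;
  esac
}

# Step 2: one interface endpoint spanning every subnet in SUBNET_IDS, with Private DNS
# so ec2.<region>.amazonaws.com resolves to the endpoint ENIs and existing code is redirected.
create_endpoint() {
  service="$1"
  # shellcheck disable=SC2086  # SUBNET_IDS is intentionally word-split
  aws ec2 create-vpc-endpoint \
    --region "$REGION" \
    --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Interface \
    --service-name "$service" \
    --subnet-ids $SUBNET_IDS \
    --security-group-ids "$SG_ID" \
    --private-dns-enabled \
    --policy-document "$(policy_for_service "$service")" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Verification: state, Private DNS flag and subnet count of the ec2 endpoint in this VPC.
verify_ec2_endpoint() {
  aws ec2 describe-vpc-endpoints \
    --region "$REGION" \
    --filters "Name=vpc-id,Values=$VPC_ID" \
              "Name=service-name,Values=com.amazonaws.$REGION.ec2" \
    --query 'VpcEndpoints[].[State,PrivateDnsEnabled,length(SubnetIds)]' \
    --output text
}

main() {
  for service in $(endpoint_services "$REGION"); do
    printf 'created %s -> %s\n' "$service" "$(create_endpoint "$service")"
  done
  verify_ec2_endpoint
}

# Only touch the account when explicitly asked, e.g.
#   EC2_10_APPLY=1 REGION=us-east-1 VPC_ID=vpc-0a1b2c3d \
#   SUBNET_IDS="subnet-0aa11 subnet-0bb22" SG_ID=sg-0ccfn33 ./remediate_ec2_10.sh
if [ "${EC2_10_APPLY:-0}" = "1" ]; then
  main
fi
```

The verification line at the end is the part worth keeping in a pipeline: the control only needs an endpoint to exist, so checking that the row reads `available True 2` (or more subnets) is what confirms the endpoint actually carries traffic across two AZs.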
Remediation script · bash
# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
--db-subnet-group-name prod-db-subnets-private \
--db-subnet-group-description "Private subnets only - no IGW route" \
--subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88
aws rds modify-db-instance \
--db-instance-identifier prod-payments-db \
--db-subnet-group-name prod-db-subnets-private \
--apply-immediately
# Provide a private path before moving compute, so it can still reach AWS services.
# A free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-1.ssm \
--subnet-ids subnet-0aa11 subnet-0bb22 \
--security-group-ids sg-0ccfn33 --private-dns-enabled
# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
--cluster-identifier analytics-prod --enhanced-vpc-routing
Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).
Is EC2.10 a false positive?
A single-AZ endpoint with no policy still passes EC2.10 — the control is a minimum bar, not a quality gate. Passing the control does not mean the endpoint is configured well or that Private DNS is actually rewriting the hostname.
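An audit that applies the stricter bar the control itself skips, added here as an example rather than anything from Emnode or AWS. It assumes REGION and VPC_ID in the environment for the fetch step; the sample rows and policies in `demo` are constructed, not real account output.

```shell
#!/usr/bin/env bash
# Added example: grade an EC2 interface endpoint on what EC2.10 does not check
# (state, Private DNS, AZ spread, endpoint policy). REGION and VPC_ID are assumed.
set -eu

# One row per com.amazonaws.<region>.ec2 endpoint in the VPC:
#   State <tab> PrivateDnsEnabled <tab> subnet count
fetch_ec2_endpoint_rows() {
  aws ec2 describe-vpc-endpoints \
    --region "$REGION" \
    --filters "Name=vpc-id,Values=$VPC_ID" \
              "Name=service-name,Values=com.amazonaws.$REGION.ec2" \
    --query 'VpcEndpoints[].[State,PrivateDnsEnabled,length(SubnetIds)]' \
    --output text
}

# True when the endpoint policy (JSON string) grants "*" or "ec2:*" as an action.
policy_allows_all_actions() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -qE '"Action":(\[)?"(ec2:)?\*"'
}

# Arguments: state private_dns subnet_count policy_json.
# Prints one line per finding and returns the number of gaps (0 = meets the stricter bar).
audit_ec2_endpoint() {
  state="$1"; private_dns="$2"; subnets="$3"; policy="$4"
  gaps=0
  case "$state" in
    available) ;;
    *) echo "FAIL: endpoint state is '$state'; EC2 API traffic still leaves via NAT"
       gaps=$((gaps+1)) ;;
  esac
  if [ "$private_dns" != "True" ]; then
    echo "GAP: Private DNS off; ec2.<region>.amazonaws.com still resolves publicly, so SDK calls bypass the endpoint"
    gaps=$((gaps+1))
  fi
  if [ "$subnets" -lt 2 ]; then
    echo "GAP: endpoint in $subnets subnet(s); one AZ outage removes the private EC2 API path"
    gaps=$((gaps+1))
  fi
  if policy_allows_all_actions "$policy"; then
    echo "GAP: endpoint policy allows every ec2 action; restrict to ec2:Describe* and ec2:CreateTags"
    gaps=$((gaps+1))
  fi
  return "$gaps"
}

# Constructed sample inputs (not real account output) showing both verdicts.
demo() {
  narrow='{"Statement":[{"Effect":"Allow","Principal":"*","Action":["ec2:Describe*","ec2:CreateTags"],"Resource":"*"}]}'
  wide='{"Statement":[{"Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}'
  echo "-- passes EC2.10 (an endpoint exists) but nothing else --"
  audit_ec2_endpoint available False 1 "$wide" || echo "gaps: $?"
  echo "-- meets the stricter bar --"
  if audit_ec2_endpoint available True 2 "$narrow"; then echo "gaps: 0"; fi
}

demo
```

Against a live VPC, feed each row from `fetch_ec2_endpoint_rows` to `audit_ec2_endpoint` together with the policy from `aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[0].PolicyDocument'`; a non-zero return is the signal that the endpoint passes the control but is not yet doing its job.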
More EC2 controls
- EC2.1 An EBS snapshot is publicly restorable by any account
- EC2.2 Default security groups still allow traffic
- EC2.3 Attached EBS volumes are not encrypted at rest
- EC2.4 Long-stopped instances are abandoned attack surface
- EC2.6 No VPC flow logs, so there is no network audit trail
- EC2.7 New EBS volumes are not encrypted by default
- EC2.8 IMDSv1 lets an SSRF steal instance credentials
- EC2.9 Instances are directly reachable on public IPv4
- EC2.13 SSH (port 22) is open to the entire internet
- EC2.14 RDP (port 3389) is open to the entire internet
- EC2.15 Subnets auto-assign public IPs to new instances
- EC2.17 Instances with multiple ENIs can bridge network boundaries