Compliance · Medium severity

AWS Security Hub · EC2

EC2.58: VPC is missing an Incident Manager Contacts endpoint

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.58 check?

EC2.58 fails any in-use VPC that has no interface endpoint for the Incident Manager Contacts service (com.amazonaws.<region>.ssm-contacts). The check enumerates VPCs with running ENIs and looks for a matching endpoint in the available state.

Why does EC2.58 matter?

When workloads call the Incident Manager Contacts API without the endpoint, the traffic leaves the VPC through the NAT Gateway and traverses the public internet rather than the AWS backbone. That adds NAT data-processing charges and an unnecessary internet hop for control-plane traffic that PrivateLink can serve privately — and for regulated workloads, routing managed-service calls over the internet is an audit gap that needs written justification.

How do I fix EC2.58?

  1. Inventory VPCs lacking the ssm-contacts endpoint with describe-vpc-endpoints, skipping default VPCs with no real workloads.
  2. Create the endpoint multi-AZ with --private-dns-enabled so existing SDK calls reroute transparently.
  3. Confirm the service hostname now resolves to the endpoint's private IPs from inside the VPC.
  4. Enable the AWS Config rule vpc-interface-endpoint-enabled covering ssm-contacts so a new VPC without it is flagged on creation.
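The inventory in step 1 and the "available state" test from the control definition, as an added example that is not Emnode's code: it evaluates EC2.58 offline from JSON shaped like the output of aws ec2 describe-network-interfaces and aws ec2 describe-vpc-endpoints, and also flags endpoints that pass the control but lack private DNS (the step 2 detail that makes SDK calls reroute). The VPC ids and sample records are constructed.

```python
"""Offline evaluation of Security Hub control EC2.58 (added example, not Emnode's code)."""

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"VpcId": "vpc-0a1b2c3d", "Status": "in-use"},
    {"VpcId": "vpc-0e9f8d7c", "Status": "in-use"},
    {"VpcId": "vpc-0123abcd", "Status": "available"},   # detached ENI: VPC is not "in use"
]}
# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output.
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.us-east-1.ssm-contacts",
     "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": False},
    {"VpcId": "vpc-0e9f8d7c", "ServiceName": "com.amazonaws.us-east-1.ssm-contacts",
     "VpcEndpointType": "Interface", "State": "pending", "PrivateDnsEnabled": True},
    {"VpcId": "vpc-0e9f8d7c", "ServiceName": "com.amazonaws.us-east-1.ssm",
     "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": True},
]}

def in_use_vpcs(enis):
    """VPCs with at least one attached ENI: the control's scope (empty VPCs are skipped)."""
    return {e["VpcId"] for e in enis["NetworkInterfaces"] if e["Status"] == "in-use"}

def contacts_endpoints(endpoints, region):
    """Interface endpoints for the Incident Manager Contacts service in this region."""
    service = f"com.amazonaws.{region}.ssm-contacts"
    return [ep for ep in endpoints["VpcEndpoints"]
            if ep["ServiceName"] == service and ep["VpcEndpointType"] == "Interface"]

def evaluate_ec2_58(enis, endpoints, region):
    """Map each in-use VPC to PASSED/FAILED; only an *available* endpoint counts."""
    ok = {ep["VpcId"] for ep in contacts_endpoints(endpoints, region)
          if ep["State"].lower() == "available"}
    return {vpc: "PASSED" if vpc in ok else "FAILED" for vpc in sorted(in_use_vpcs(enis))}

def private_dns_warnings(endpoints, region):
    """Passing endpoints without private DNS: the control is satisfied, but SDK calls
    still resolve the public hostname and leave through NAT, so the fix is incomplete."""
    return sorted(ep["VpcId"] for ep in contacts_endpoints(endpoints, region)
                  if ep["State"].lower() == "available" and not ep.get("PrivateDnsEnabled"))

if __name__ == "__main__":
    # Feed the real JSON from the two describe-* calls here instead of the samples.
    for vpc, status in evaluate_ec2_58(SAMPLE_ENIS, SAMPLE_ENDPOINTS, "us-east-1").items():
        print(f"{vpc}: {status}")
    for vpc in private_dns_warnings(SAMPLE_ENDPOINTS, "us-east-1"):
        print(f"{vpc}: endpoint available but PrivateDnsEnabled is false")
```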

Remediation script · bash

#!/usr/bin/env bash
# Shared remediation script from the "move resources into private networks" lesson.
# Resource, subnet and security group IDs below are placeholders; substitute your own.
set -euo pipefail

# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88

aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services:
# a free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
# For EC2.58 the service name is com.amazonaws.<region>.ssm-contacts; ssm is shown here.
# --private-dns-enabled makes the service's public hostname resolve to the endpoint's
# private IPs, so existing SDK calls reroute without code changes.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing

Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).

Is EC2.58 a false positive?

Contacts traffic is low-volume and often sits below the NAT cost crossover, so a documented decision not to provision this endpoint on a low-use VPC can be legitimate — record it as a suppression rather than treating the finding as a defect.
