Allowed - Management Plane
{
"eventVersion":"1.11",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AROAREDACTEDREDACTED:user@domain.com",
"arn":"arn:aws:sts::012345678910:assumed-role/admin/user@domain.com",
"accountId":"012345678910",
"accessKeyId":"ASIAREDACTEDREDACTED",
"sessionContext":{
"sessionIssuer":{
"type":"Role",
"principalId":"AROAREDACTEDREDACTED",
"arn":"arn:aws:iam::012345678910:role/admin",
"accountId":"012345678910",
"userName":"admin"
},
"attributes":{
"creationDate":"2025-02-26T16:08:09Z",
"mfaAuthenticated":"false"
}
}
},
"eventTime":"2025-02-26T16:41:35Z",
"eventSource":"s3.amazonaws.com",
"eventName":"ListBuckets",
"awsRegion":"us-east-1",
"sourceIPAddress":"10.0.141.54",
"requestID":"QAJAREDACTED",
"eventID":"33980b64-2ce1-471d-856c-376497e887bb",
"eventType":"AwsVpceEvent",
"recipientAccountId":"012345678910",
"sharedEventID":"735fbea7-a934-43f7-a926-355589c59007",
"vpcEndpointId":"vpce-03y53r4ukkkuygzg0",
"vpcEndpointAccountId":"012345678910",
"eventCategory":"NetworkActivity"
}
Allowed - Data Plane
{
"eventVersion":"1.11",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AROAREDACTEDREDACTED:user@domain.com",
"arn":"arn:aws:sts::012345678910:assumed-role/admin/user@domain.com",
"accountId":"012345678910",
"accessKeyId":"ASIAREDACTEDREDACTED",
"sessionContext":{
"sessionIssuer":{
"type":"Role",
"principalId":"AROAREDACTEDREDACTED",
"arn":"arn:aws:iam::012345678910:role/admin",
"accountId":"012345678910",
"userName":"admin"
},
"attributes":{
"creationDate":"2025-02-26T16:08:09Z",
"mfaAuthenticated":"false"
}
}
},
"eventTime":"2025-02-26T16:53:27Z",
"eventSource":"s3.amazonaws.com",
"eventName":"PutObject",
"awsRegion":"us-east-1",
"sourceIPAddress":"10.0.141.54",
"requestID":"4FSFREDACTED",
"eventID":"33980b64-2ce1-471d-856c-376497e887bb ",
"resources":[
{
"type":"AWS::S3::Object",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs/test.txt"
},
{
"accountId":"012345678910",
"type":"AWS::S3::Bucket",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs"
}
],
"eventType":"AwsVpceEvent",
"recipientAccountId":"012345678910",
"sharedEventID":"dc10751c-f982-4990-b2a8-f8c08894bd01",
"vpcEndpointId":"vpce-03y53r4ukkkuygzg0",
"vpcEndpointAccountId":"012345678910",
"eventCategory":"NetworkActivity"
}
Denied - Management Plane
{
"eventVersion":"1.11",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AROAREDACTEDREDACTED:user@domain.com",
"arn":"arn:aws:sts::012345678910:assumed-role/admin/user@domain.com",
"accountId":"012345678910",
"accessKeyId":"ASIAREDACTEDREDACTED",
"sessionContext":{
"sessionIssuer":{
"type":"Role",
"principalId":"AROAREDACTEDREDACTED",
"arn":"arn:aws:iam::012345678910:role/admin",
"accountId":"012345678910",
"userName":"admin"
},
"attributes":{
"creationDate":"2025-02-27T08:05:42Z",
"mfaAuthenticated":"false"
}
}
},
"eventTime":"2025-02-27T08:34:53Z",
"eventSource":"s3.amazonaws.com",
"eventName":"ListObjects",
"awsRegion":"us-east-1",
"sourceIPAddress":"10.0.134.231",
"errorCode":"VpceAccessDenied",
"errorMessage":"The request was denied due to a VPC endpoint policy",
"requestID":"HSGCREDACTED",
"eventID":"33980b64-2ce1-471d-856c-376497e887bb",
"resources":[
{
"type":"AWS::S3::Object",
"ARNPrefix":"arn:aws:s3:::test-bucket-vpce-logs/"
},
{
"accountId":"012345678910",
"type":"AWS::S3::Bucket",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs"
}
],
"eventType":"AwsVpceEvent",
"recipientAccountId":"012345678910",
"sharedEventID":"fd9f56de-c77c-471b-8466-60dc3a42aada",
"vpcEndpointId":"vpce-03y53r4ukkkuygzg0",
"vpcEndpointAccountId":"012345678910",
"eventCategory":"NetworkActivity"
}
Denied - Data Plane
{
"eventVersion":"1.11",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AROAREDACTEDREDACTED:user@domain.com",
"arn":"arn:aws:sts::012345678910:assumed-role/admin/user@domain.com",
"accountId":"012345678910",
"accessKeyId":"ASIAREDACTEDREDACTED",
"sessionContext":{
"sessionIssuer":{
"type":"Role",
"principalId":"AROAREDACTEDREDACTED",
"arn":"arn:aws:iam::012345678910:role/admin",
"accountId":"012345678910",
"userName":"admin"
},
"attributes":{
"creationDate":"2025-02-27T08:05:42Z",
"mfaAuthenticated":"false"
}
}
},
"eventTime":"2025-02-27T08:35:20Z",
"eventSource":"s3.amazonaws.com",
"eventName":"PutObject",
"awsRegion":"us-east-1",
"sourceIPAddress":"10.0.134.231",
"errorCode":"VpceAccessDenied",
"errorMessage":"The request was denied due to a VPC endpoint policy",
"requestID":"M55NREDACTED",
"eventID":"33980b64-2ce1-471d-856c-376497e887bb",
"resources":[
{
"type":"AWS::S3::Object",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs/test-fail.txt"
},
{
"accountId":"012345678910",
"type":"AWS::S3::Bucket",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs"
}
],
"eventType":"AwsVpceEvent",
"recipientAccountId":"012345678910",
"sharedEventID":"282cc95e-20a2-4058-9a16-21c9855b7663",
"vpcEndpointId":"vpce-03y53r4ukkkuygzg0",
"vpcEndpointAccountId":"012345678910",
"eventCategory":"NetworkActivity"
}
Denied - Resource Policy (explicit deny in a resource-based policy; note the errorCode is AccessDenied rather than VpceAccessDenied)
{
"eventVersion":"1.11",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AROAREDACTEDREDACTED:user@domain.com",
"arn":"arn:aws:sts::012345678910:assumed-role/admin/user@domain.com",
"accountId":"012345678910",
"accessKeyId":"ASIAREDACTEDREDACTED",
"sessionContext":{
"sessionIssuer":{
"type":"Role",
"principalId":"AROAREDACTEDREDACTED",
"arn":"arn:aws:iam::012345678910:role/admin",
"accountId":"012345678910",
"userName":"admin"
},
"attributes":{
"creationDate":"2025-02-28T09:51:13Z",
"mfaAuthenticated":"false"
}
}
},
"eventTime":"2025-02-28T10:19:10Z",
"eventSource":"s3.amazonaws.com",
"eventName":"PutObject",
"awsRegion":"us-east-1",
"sourceIPAddress":"10.0.140.225",
"errorCode":"AccessDenied",
"errorMessage":"User: arn:aws:sts::012345678910:assumed-role/admin/user@domain.com is not authorized to perform: s3:PutObject on resource: \"arn:aws:s3:::test-bucket-vpce-logs/deny-resource.txt\" with an explicit deny in a resource-based policy",
"requestID":"A6NH7NRA3M1SMYYJ",
"eventID":"33980b64-2ce1-471d-856c-376497e887bb",
"resources":[
{
"type":"AWS::S3::Object",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs/deny-resource.txt"
},
{
"accountId":"012345678910",
"type":"AWS::S3::Bucket",
"ARN":"arn:aws:s3:::test-bucket-vpce-logs"
}
],
"eventType":"AwsVpceEvent",
"recipientAccountId":"012345678910",
"sharedEventID":"a4ba0dcf-7179-4df9-a720-651716ea7e53",
"vpcEndpointId":"vpce-03y53r4ukkkuygzg0",
"vpcEndpointAccountId":"012345678910",
"eventCategory":"NetworkActivity"
}
An external principal (a different AWS account from the recipientAccountId) is denied when making a call through a VPC endpoint that has a restrictive endpoint policy. This should be alerted on as potential attacker activity, especially when the calling account ID is unknown.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AWSAccount",
"principalId": "AIDAEXAMPLE",
"accountId": "666666666666"
},
"eventTime": "2025-03-10T20:57:20Z",
"eventSource": "secretsmanager.amazonaws.com",
"eventName": "ListSecrets",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.10",
"errorCode": "VpceAccessDenied",
"errorMessage": "The request was denied due to a VPC endpoint policy",
"requestID": "3122f4fa-0000-0000-0000-000000000000",
"eventID": "21a582cb-0000-0000-0000-000000000000",
"eventType": "AwsVpceEvent",
"recipientAccountId": "012345678910",
"sharedEventID": "426b822b-0000-0000-0000-000000000000",
"vpcEndpointId": "vpce-00000000000000000",
"vpcEndpointAccountId": "012345678910",
"eventCategory": "NetworkActivity"
}