AWS announces Block Public Access for Amazon Virtual Private Cloud
Today, AWS announced Virtual Private Cloud (VPC) Block Public Access (BPA), a new centralized declarative control that enables network and security administrators to authoritatively block Internet traffic for their VPCs. VPC BPA supersedes any other setting and ensures your VPC resources are protected from unfettered Internet access, in compliance with your organization's security and governance policy.
Amazon VPC allows customers to launch AWS resources in a logically isolated virtual network. Customers often have thousands of AWS accounts and VPCs owned by multiple business units or application developer teams. Central administrators have the critical responsibility of ensuring that resources in their VPCs are reachable from the public Internet only in a highly controlled fashion. VPC BPA offers a single declarative control that lets admins block Internet access to VPCs via the Internet Gateway or the Egress-only Internet Gateway, and ensures there is no unintended public exposure of their AWS resources regardless of the routing and security configuration (route tables, security groups and network ACLs) in each VPC. Admins can apply BPA across all or select VPCs in their account, block bidirectional or ingress-only Internet connectivity, and exclude select subnets for resources that need Internet access. VPC BPA is integrated with AWS Network Access Analyzer and VPC Flow Logs to support impact analysis, provide advanced visibility, and help customers meet audit and compliance requirements.
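The rollout described above (block ingress account-wide, exempt the few subnets that must stay reachable, then read the state back for audit evidence) as an added example driven from the AWS CLI. This is not AWS's own code or part of the announcement; it assumes the `aws ec2 modify-vpc-block-public-access-options`, `create-vpc-block-public-access-exclusion`, `describe-vpc-block-public-access-options` and `describe-vpc-block-public-access-exclusions` subcommands and the mode values shown, and every resource ID is a constructed placeholder.

```bash
#!/bin/sh
# Added example (not AWS's own code): drive VPC Block Public Access with the
# AWS CLI. The subcommands and flag values are assumed from the AWS CLI
# reference; the subnet ID is a constructed placeholder. Set AWS=echo to
# dry-run and print the commands that would be issued.
AWS="${AWS:-aws}"

# Turn BPA on for every VPC in the account and Region. Modes:
#   block-bidirectional - no traffic through the IGW / egress-only IGW in either direction
#   block-ingress       - block Internet-initiated traffic; outbound via NAT gateway or
#                         egress-only IGW keeps working (per AWS's description of the mode)
#   off                 - disable BPA
set_bpa_mode() {
  case "$1" in
    off|block-bidirectional|block-ingress) ;;
    *) echo "set_bpa_mode: unknown mode '$1'" >&2; return 1 ;;
  esac
  "$AWS" ec2 modify-vpc-block-public-access-options \
    --internet-gateway-block-mode "$1"
}

# Exempt one subnet that legitimately needs Internet access (for example a
# public load-balancer subnet). Exclusion modes: allow-bidirectional | allow-egress.
add_subnet_exclusion() {
  subnet_id="$1"
  mode="${2:-allow-bidirectional}"
  case "$mode" in
    allow-bidirectional|allow-egress) ;;
    *) echo "add_subnet_exclusion: unknown mode '$mode'" >&2; return 1 ;;
  esac
  "$AWS" ec2 create-vpc-block-public-access-exclusion \
    --subnet-id "$subnet_id" \
    --internet-gateway-exclusion-mode "$mode"
}

# Read back the account-level BPA state and the exclusion list so the result
# can be recorded as evidence for audit and compliance reviews.
show_bpa_state() {
  "$AWS" ec2 describe-vpc-block-public-access-options
  "$AWS" ec2 describe-vpc-block-public-access-exclusions
}

# Typical rollout: block ingress first (least disruptive to outbound-only
# workloads), carve out the one subnet that must stay reachable, then verify.
bpa_rollout() {
  set_bpa_mode block-ingress
  add_subnet_exclusion "subnet-0123456789abcdef0" allow-bidirectional   # placeholder ID
  show_bpa_state
}

if [ "${1:-}" = "apply" ]; then
  bpa_rollout
fi
```

Run it as `AWS=echo sh bpa.sh apply` first to see exactly which API calls will be made, then without the override once the exclusions list matches the subnets you expect to keep Internet-facing; because BPA overrides route tables, security groups and NACLs, running Network Access Analyzer before the real apply tells you which paths will break.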
VPC BPA is available in all AWS Regions where Amazon VPC is offered. There is no additional charge for using this feature. For additional information, visit the Amazon VPC documentation and blog post.