EC2 VPC Block Public Access settings should block internet gateway traffic
VPC Block Public Access is an account-wide kill switch for internet gateway traffic. Without it, any VPC with an internet gateway and a permissive route table can expose resources to the public internet, even if individual security groups and NACLs are correctly configured. A single misconfigured route table entry can bypass all other network controls.
Enabling BPA at the account level enforces a default-deny posture for internet gateway traffic. Engineers must then explicitly create exclusions for VPCs that genuinely require internet access. Public access becomes a deliberate opt-in rather than the absence of a mistake, which dramatically shrinks the blast radius of network misconfigurations.
Retrofit consideration
Enabling VPC BPA on an existing account immediately disrupts all internet gateway traffic across every VPC without pre-configured exclusions. NAT gateways behind IGWs, public-facing ALBs, and any workload relying on direct internet routing will break. Map every VPC with an internet gateway and create exclusions before enabling BPA. There is no automatic rollback.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_vpc_block_public_access_options.
resource "aws_vpc_block_public_access_options" "this" {
  internet_gateway_block_mode = "block-bidirectional"
}
What this control checks
This control validates the aws_vpc_block_public_access_options resource. The internet_gateway_block_mode argument must be set to "block-bidirectional" or "block-ingress". It fails when the value is "off" or when the resource is absent. If a specific mode is required by parameter, only that exact mode passes. VPCs that need internet gateway access require a corresponding aws_vpc_block_public_access_exclusion resource with the appropriate internet_gateway_exclusion_mode and a vpc_id targeting the specific VPC. The BPA options resource is a singleton per account per region, so only one instance should exist per provider alias.
Common pitfalls
BPA is regional, not global
aws_vpc_block_public_access_options applies per region. You must configure this resource in every region where VPCs exist or could be created. Missing a single region leaves that region's VPCs unprotected. Use a multi-region provider pattern or an SCP to restrict VPC creation to governed regions.
Exclusion ordering during initial deployment
BPA changes can take several minutes to propagate, which means enabling BPA and creating exclusions in the same terraform apply may activate the block before exclusions are live. Use depends_on or a phased apply to create aws_vpc_block_public_access_exclusion resources before or alongside the aws_vpc_block_public_access_options resource. Even then, propagation timing is non-deterministic, so a phased deploy is safer than relying on ordering alone.
block-ingress still allows egress-initiated return traffic
Setting internet_gateway_block_mode to "block-ingress" blocks unsolicited inbound traffic through internet gateways but still permits outbound-initiated connections and their return traffic. If your compliance posture requires full isolation, "block-bidirectional" is the only mode that completely prevents internet gateway routing in both directions.
NAT gateway traffic routes through internet gateways
NAT gateways depend on internet gateways for outbound connectivity. Enabling block-bidirectional without an exclusion for the VPC hosting NAT gateways cuts all outbound internet access for private subnets. This surfaces as failed package installs, broken API calls to AWS services without VPC endpoints, and Lambda timeout errors in VPC-attached functions, often with no obvious link back to BPA.
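The following Terraform configuration is an added example and is not code from the control's own implementation or from AWS. It ties together the implementation snippet and the pitfalls above: one aws_vpc_block_public_access_options resource per governed region, an aws_vpc_block_public_access_exclusion for the VPC that hosts NAT gateways, and a depends_on so the exclusion is created before the block mode is set. The region names, provider aliases, the shared_egress VPC and its CIDR, and the change-request tag value are all assumptions chosen for illustration.

```hcl
# Added example, not the control's or AWS's own code. Assumes two governed
# regions (us-east-1, eu-west-1) and a hypothetical VPC "shared_egress" that
# hosts the NAT gateways used by private subnets.

provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "euw1"
  region = "eu-west-1"
}

# Hypothetical VPC hosting NAT gateways; its CIDR is a made-up sample value.
resource "aws_vpc" "shared_egress" {
  provider   = aws.use1
  cidr_block = "10.20.0.0/16"

  tags = {
    Name = "shared-egress"
  }
}

# Exclusion first: NAT gateways need bidirectional internet gateway routing,
# so this VPC is an explicit, documented opt-in. "allow-egress" would be the
# narrower choice for a VPC that only needs outbound-initiated traffic.
resource "aws_vpc_block_public_access_exclusion" "shared_egress" {
  provider                        = aws.use1
  vpc_id                          = aws_vpc.shared_egress.id
  internet_gateway_exclusion_mode = "allow-bidirectional"

  tags = {
    # Placeholder reference; replace with the approved change request or ADR.
    Justification = "CR-PLACEHOLDER: central NAT egress for private subnets"
  }
}

# The options resource is regional: one instance per provider alias.
resource "aws_vpc_block_public_access_options" "use1" {
  provider                    = aws.use1
  internet_gateway_block_mode = "block-bidirectional"

  # Ordering hint only. Propagation is asynchronous, so a phased apply
  # (exclusions first, then this resource) is the safer rollout.
  depends_on = [aws_vpc_block_public_access_exclusion.shared_egress]
}

# A region with no VPCs that need internet gateway access still gets the
# block; otherwise that region stays unprotected.
resource "aws_vpc_block_public_access_options" "euw1" {
  provider                    = aws.euw1
  internet_gateway_block_mode = "block-bidirectional"
}
```

With this layout the control passes in both regions, and the only VPC reachable through an internet gateway is the one whose exclusion carries a justification tag that an auditor can map back to a change record.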
Audit evidence
An auditor expects the output of aws ec2 describe-vpc-block-public-access-options showing InternetGatewayBlockMode as block-bidirectional or block-ingress and State as default-state or update-complete. Exclusions must be documented with business justification. aws ec2 describe-vpc-block-public-access-exclusions lists all VPCs exempted from BPA, and each entry should map to an approved change request or architecture decision record.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: vpc_block_public_access_restrict_internet_gateway_traffic
Powerpipe Control: aws_compliance.control.vpc_block_public_access_restrict_internet_gateway_traffic
AWS Security Hub Control: EC2.172
Last reviewed: 2026-03-09