
VPC endpoint services should have acceptance required enabled

When acceptance_required is disabled, any AWS principal with endpoint creation permissions can create a VPC endpoint and immediately establish a private connection to your service. There's no gate, no review, no notification that a new consumer connected.

Explicit acceptance gives the service owner control over every consumer before granting network-level connectivity. For services that expose sensitive data or internal APIs, an unintended consumer can exfiltrate data or abuse capacity, and nothing in the connection flow flags the access as unintended.

Retrofit consideration

Enabling acceptance_required on an existing endpoint service doesn't disconnect already-accepted endpoints, but any connections currently in pending state will require manual acceptance going forward. Run aws ec2 describe-vpc-endpoint-connections before enabling to audit who's already connected.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_vpc_endpoint_service.

resource "aws_vpc_endpoint_service" "this" {
  network_load_balancer_arns = ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example/1234567890123456"]

  acceptance_required = true
}

What this control checks

The control checks that aws_vpc_endpoint_service has acceptance_required = true. When set, any endpoint attempting to connect enters pendingAcceptance and must be explicitly approved via aws_vpc_endpoint_connection_accepter or the console before the connection becomes active. A value of false or an omitted argument fails. Every aws_vpc_endpoint_service in the configuration must include acceptance_required = true to pass.
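The check described above, written out as an added, stand-alone example (not Compliance.tf's or Checkov's own implementation): it scans Terraform source for aws_vpc_endpoint_service blocks and reports each one as passing only when acceptance_required is the literal true, failing on false or on an omitted argument, and flagging a non-literal value (such as a variable) for manual review, since the file alone cannot decide it. The brace matching and regexes are a deliberately small HCL reader, not a full parser; the sample configuration is constructed.

```python
import re

# Opening line of an aws_vpc_endpoint_service resource block; captures the local name.
RESOURCE_RE = re.compile(r'resource\s+"aws_vpc_endpoint_service"\s+"([^"]+)"\s*\{')
# acceptance_required assignment on its own line (a commented-out line does not match).
ATTR_RE = re.compile(r'^\s*acceptance_required\s*=\s*([^\s#]+)', re.MULTILINE)

def _block_body(text, open_brace):
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")

def check_acceptance_required(hcl_text):
    """Map each aws_vpc_endpoint_service name to 'PASS', 'FAIL: ...' or 'REVIEW: ...'."""
    results = {}
    for match in RESOURCE_RE.finditer(hcl_text):
        body = _block_body(hcl_text, match.end() - 1)
        attr = ATTR_RE.search(body)
        if attr is None:      # omitted: the provider default is false, so the control fails
            verdict = "FAIL: acceptance_required omitted (defaults to false)"
        elif attr.group(1) == "true":
            verdict = "PASS"
        elif attr.group(1) == "false":
            verdict = "FAIL: acceptance_required = false"
        else:                 # variable or expression: not decidable from this file alone
            verdict = f"REVIEW: non-literal value {attr.group(1)}"
        results[match.group(1)] = verdict
    return results

# Constructed sample covering the cases the control distinguishes
# (network_load_balancer_arns left out because the control does not look at it).
SAMPLE_HCL = '''
resource "aws_vpc_endpoint_service" "compliant" {
  acceptance_required = true
}
resource "aws_vpc_endpoint_service" "explicit_false" {
  acceptance_required = false
}
resource "aws_vpc_endpoint_service" "omitted" {
  # acceptance_required = true   (commented out, so it is still omitted)
}
resource "aws_vpc_endpoint_service" "from_variable" {
  acceptance_required = var.require_acceptance
}
'''
```

Calling check_acceptance_required(SAMPLE_HCL) returns one verdict per resource, so only the "compliant" block passes.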

Common pitfalls

  • Default value is false

    Omit acceptance_required from the resource block and Terraform deploys without complaint, but the control fails and your service is open to any principal with endpoint creation permissions. The default is false, so the attribute must be explicitly set to true.

  • Allowed principals do not replace acceptance

    Allowed principals and accepted connections are two separate gates. aws_vpc_endpoint_service_allowed_principal controls who can request a connection; acceptance_required = true controls whether those requests are automatically let through. Even an allowed principal's connection sits in pendingAcceptance until explicitly accepted.

  • Automated acceptance requires a separate resource

    To automate the acceptance step in Terraform, add aws_vpc_endpoint_connection_accepter to the configuration. Without it, endpoints sit in pendingAcceptance indefinitely and terraform apply may time out waiting for the connection to activate.

  • Existing connections unaffected by toggle

    Flipping acceptance_required to true on a running service won't disconnect existing consumers. Before enabling it, run aws ec2 describe-vpc-endpoint-connections to confirm only intended accounts are already connected. Any pending connections at the time of the change will require manual acceptance.

Audit evidence

An auditor expects aws ec2 describe-vpc-endpoint-service-configurations output showing AcceptanceRequired: true for every endpoint service in scope. AWS Config can evaluate this with a custom or managed rule checking the acceptanceRequired property. Console screenshots of the VPC Endpoint Services page showing the "Acceptance required" column as "Yes" are also valid.

CloudTrail logs for ModifyVpcEndpointServiceConfiguration and AcceptVpcEndpointConnections show that acceptance workflows are enforced and that connection approvals are tracked over time.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: vpc_endpoint_service_acceptance_required_enabled

  • Checkov Check: CKV_AWS_123

  • Powerpipe Control: aws_compliance.control.vpc_endpoint_service_acceptance_required_enabled

Last reviewed: 2026-03-09