AWS VPC Endpoint Services VPC Endpoint

Cloud Journey
Jan 8, 2022

Overview

We will test out two things:

  • What IAM permissions does a consumer need to create a VPC interface endpoint for a VPC endpoint service?
  • What can we do for DLP (data loss prevention) on the consumer side?

Lab

Service Producer Account

  • Create target group
  • Create internal network load balancer
  • Create VPC endpoint service (com.amazonaws.vpce.us-east-1.vpce-svc-###)

Permission for Your Endpoint Service

There are three ways to grant a consumer permission on a VPC endpoint service. All of them are configured from the producer account by adding a principal ARN to the service:

  • For an AWS account (and therefore all principals in the account), the ARN is in the form arn:aws:iam::aws-account-id:root.
  • For a specific IAM user, the ARN is in the form arn:aws:iam::aws-account-id:user/user-name.
  • For a specific IAM role, the ARN is in the form arn:aws:iam::aws-account-id:role/role-name.

This lab uses the IAM user option.

Service Consumer Account

If you skipped the previous step, the consumer account has no permission on the endpoint service and clicking “Verify” returns an error.

The AWS console automatically matches the producer and consumer Availability Zones for you. AZ names are mapped independently in each account, so the producer VPC's 1a and 1b correspond to 1b and 1c in the consumer VPC.

VPC Endpoint Policy

A VPC endpoint policy is the critical control over which service can be reached through a VPC endpoint. Without a control on the consumer side, data could be pushed to any external endpoint service whose producer deliberately allows anyone to connect.

As the console shows, an interface endpoint to an endpoint service has no endpoint policy.

Nor is the service name format com.amazonaws.vpce.region.vpce-svc-### listed in the AWS documentation of services that support endpoint policies: https://docs.aws.amazon.com/vpc/latest/privatelink/integrated-services-vpce-list.html

VPC Endpoint Policy Alternative

An alternative is a condition key in the consumer-side IAM policy that allows endpoint creation only for a specific endpoint service, or only for endpoint services owned by an approved account.

Condition keys for the vpc-endpoint* resource type:

  • aws:RequestTag/${TagKey}
  • aws:TagKeys
  • ec2:Region
  • ec2:VpceServiceName
  • ec2:VpceServiceOwner

You can use the ec2:VpceServiceOwner condition key to control which VPC endpoints can be created based on who owns the service (amazon, aws-marketplace, or the owning account ID).

The policy below allows VPC endpoints to Amazon services and to all endpoint services owned by the specified producer account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc/*",
        "arn:aws:ec2:region:account-id:security-group/*",
        "arn:aws:ec2:region:account-id:subnet/*",
        "arn:aws:ec2:region:account-id:route-table/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "amazon"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "producer-account-id"
          ]
        },
        "StringLike": {
          "ec2:VpceServiceName": [
            "com.amazonaws.vpce.*"
          ]
        }
      }
    }
  ]
}

The example policy below allows VPC endpoints to Amazon services and to only one specific endpoint service from the producer account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc/*",
        "arn:aws:ec2:region:account-id:security-group/*",
        "arn:aws:ec2:region:account-id:subnet/*",
        "arn:aws:ec2:region:account-id:route-table/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "amazon"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "producer-account-id"
          ],
          "ec2:VpceServiceName": [
            "com.amazonaws.vpce.us-east-1.vpce-svc-###"
          ]
        }
      }
    }
  ]
}

Consumer Permission from Local Account

To create a VPC endpoint, an identity needs ec2:CreateVpcEndpoint permission on the following resource types: vpc, security-group, subnet, route-table and vpc-endpoint. (vpc* and vpc-endpoint* are always required; the other resource types are optional.)

Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:us-east-1:account-id:vpc/*",
        "arn:aws:ec2:us-east-1:account-id:security-group/*",
        "arn:aws:ec2:us-east-1:account-id:subnet/*",
        "arn:aws:ec2:us-east-1:account-id:route-table/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:us-east-1:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringLike": {
          "ec2:VpceServiceName": [
            "com.*"
          ]
        }
      }
    }
  ]
}

