AWS VPC Endpoint Services VPC Endpoint

Overview

  • What IAM permission does a consumer need to create a VPC interface endpoint to a VPC endpoint service?
  • What can we do for DLP, i.e. to control which endpoint services a consumer is allowed to connect to?

Lab

  • Create target group
  • Create internal network load balancer
  • Create VPC endpoint service (com.amazonaws.vpce.us-east-1.vpce-svc-###)
  • Grant the consumer principals permission on the endpoint service; the principal ARN takes one of these forms:
      ◦ For an AWS account (and therefore all principals in the account): arn:aws:iam::aws-account-id:root
      ◦ For a specific IAM user: arn:aws:iam::aws-account-id:user/user-name
      ◦ For a specific IAM role: arn:aws:iam::aws-account-id:role/role-name
The consumer-side IAM policies below grant ec2:CreateVpcEndpoint; the conditions on ec2:VpceServiceOwner and ec2:VpceServiceName are what limit which services an endpoint may be created for. In each policy the first statement covers the VPC, security group, subnet and route table resources the call also touches.

Policy 1: allows endpoints to any AWS-owned service, and to any endpoint service owned by producer-account-id whose name matches com.amazonaws.vpce.*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc/*",
        "arn:aws:ec2:region:account-id:security-group/*",
        "arn:aws:ec2:region:account-id:subnet/*",
        "arn:aws:ec2:region:account-id:route-table/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "amazon"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "producer-account-id"
          ]
        },
        "StringLike": {
          "ec2:VpceServiceName": [
            "com.amazonaws.vpce.*"
          ]
        }
      }
    }
  ]
}
Policy 2: same as Policy 1, except that the producer statement is pinned to the single service com.amazonaws.vpce.us-east-1.vpce-svc-### with StringEquals, so endpoints to any other service from that producer are refused:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc/*",
        "arn:aws:ec2:region:account-id:security-group/*",
        "arn:aws:ec2:region:account-id:subnet/*",
        "arn:aws:ec2:region:account-id:route-table/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "amazon"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:region:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": [
            "producer-account-id"
          ],
          "ec2:VpceServiceName": [
            "com.amazonaws.vpce.us-east-1.vpce-svc-###"
          ]
        }
      }
    }
  ]
}
Policy 3: a permissive variant scoped to us-east-1. The StringLike pattern com.* matches every endpoint service name, AWS-owned or third-party, and there is no owner condition, so this policy does not restrict which services can be reached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:us-east-1:account-id:vpc/*",
        "arn:aws:ec2:us-east-1:account-id:security-group/*",
        "arn:aws:ec2:us-east-1:account-id:subnet/*",
        "arn:aws:ec2:us-east-1:account-id:route-table/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:us-east-1:account-id:vpc-endpoint/*"
      ],
      "Condition": {
        "StringLike": {
          "ec2:VpceServiceName": [
            "com.*"
          ]
        }
      }
    }
  ]
}
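To check what each of the three policies actually permits before deploying one, here is an added Python evaluator (not part of the original post) that applies IAM StringEquals/StringLike matching to the ec2:VpceServiceOwner and ec2:VpceServiceName condition keys and reports whether a given service could be reached. The account IDs and service ID in it are constructed placeholders, and it models only the Allow side of the policies (no explicit Deny, no other resource types).

```python
import re
# IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive.
def string_like(pattern, value):
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

# Condition block semantics: keys are ANDed, the values listed for one key are ORed.
def condition_matches(condition, context):
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in values
            else:  # StringLike, the only other operator the policies above use
                ok = actual is not None and any(string_like(v, actual) for v in values)
            if not ok:
                return False
    return True

# True if some Allow statement on the vpc-endpoint resource matches the request context
# (Allow side only: explicit Deny statements and the other resource types are not modelled).
def endpoint_allowed(policy, service_name, service_owner):
    context = {"ec2:VpceServiceName": service_name, "ec2:VpceServiceOwner": service_owner}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "ec2:CreateVpcEndpoint":
            continue
        if not any(r.endswith(":vpc-endpoint/*") for r in stmt["Resource"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False

def policy(*conditions):
    stmts = [{"Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Condition": c,
              "Resource": ["arn:aws:ec2:us-east-1:111111111111:vpc-endpoint/*"]} for c in conditions]
    return {"Version": "2012-10-17", "Statement": stmts}

# Account IDs and the service name below are constructed placeholders, not real identifiers.
PRODUCER = "222222222222"
PRODUCER_SVC = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"
AMAZON_ONLY = {"StringEquals": {"ec2:VpceServiceOwner": ["amazon"]}}
PRODUCER_ANY = {"StringEquals": {"ec2:VpceServiceOwner": [PRODUCER]},
                "StringLike": {"ec2:VpceServiceName": ["com.amazonaws.vpce.*"]}}
PRODUCER_ONE = {"StringEquals": {"ec2:VpceServiceOwner": [PRODUCER],
                                 "ec2:VpceServiceName": [PRODUCER_SVC]}}
ANY_COM = {"StringLike": {"ec2:VpceServiceName": ["com.*"]}}
POLICY_1 = policy(AMAZON_ONLY, PRODUCER_ANY)  # Policy 1 above: any service owned by the producer
POLICY_2 = policy(AMAZON_ONLY, PRODUCER_ONE)  # Policy 2 above: exactly one producer service
POLICY_3 = policy(ANY_COM)                    # Policy 3 above: any name starting with "com."
```

Running endpoint_allowed for a service owned by an unrelated account shows the DLP difference: Policies 1 and 2 refuse it, Policy 3 allows it.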


All blogs are strictly personal and do not reflect the views of my employer https://www.linkedin.com/in/ronnie-q-8025987
