Endpoint Policies
A VPC endpoint (VPCE) provides access to an AWS service within a region.
A VPCE does not itself grant access to an AWS service; the endpoint policy determines whether any restriction applies to the traffic that passes through it.
Some services support endpoint policies.
The policy contains a principal.
It can contain conditions.
They are commonly used to limit what can be accessed from a private VPC.
DEMO
Endpoint Policy Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PRIVATECATSBUCKETNAME/*",
        "arn:aws:s3:::PUBLICCATSBUCKETNAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::PRIVATECATSBUCKETNAME",
        "arn:aws:s3:::PUBLICCATSBUCKETNAME"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}

Bucket Policy Example:
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::PRIVATECATSBUCKETNAME",
        "arn:aws:s3:::PRIVATECATSBUCKETNAME/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "REPLACEME-vpce-1a2b3c4d"
        }
      }
    }
  ]
}

Info About: Control access to services using endpoint policies: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
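As an added worked example (not part of the original notes or of any AWS code), the Python script below replays the two policies from the demo against a handful of requests, so the split of responsibilities is visible: the endpoint policy decides what traffic through the endpoint may reach, and the bucket policy's Deny makes the private bucket reachable only through that one endpoint. The policies are the page's own JSON as Python dicts; the evaluator, the request scenarios, the bucket name SOMEOTHERBUCKET and the endpoint id vpce-other are constructed for illustration. The evaluator implements only the subset of IAM logic these two policies use (Allow/Deny, "*" wildcards in Action and Resource, StringEquals/StringNotEquals) and assumes the caller's identity-based policy already allows the action.

```python
"""Worked evaluation of the endpoint policy and bucket policy from the demo.

Constructed example: the two policies are the page's own JSON as Python dicts.
The evaluator covers only what they use (Allow/Deny, '*' wildcards in Action
and Resource, StringEquals/StringNotEquals) and is not the real IAM engine.
"""
import fnmatch

PRIVATE = "arn:aws:s3:::PRIVATECATSBUCKETNAME"
PUBLIC = "arn:aws:s3:::PUBLICCATSBUCKETNAME"
OTHER = "arn:aws:s3:::SOMEOTHERBUCKET"   # constructed: named in neither policy
VPCE_ID = "REPLACEME-vpce-1a2b3c4d"       # the page's placeholder endpoint id

ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": [PRIVATE + "/*", PUBLIC + "/*"]},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": [PRIVATE, PUBLIC]},
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": "*"},
    ],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {"Sid": "Access-to-specific-VPCE-only", "Principal": "*",
         "Action": "s3:*", "Effect": "Deny",
         "Resource": [PRIVATE, PRIVATE + "/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(conditions, ctx):
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A key absent from the request context counts as "not equal",
                # so the Deny also hits requests that never touch a VPC
                # endpoint (console or internet).
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, ctx):
    """'deny' if any Deny statement matches, else 'allow' if any Allow matches,
    else 'implicit_deny'. Every statement here has Principal "*", so the
    principal is not checked."""
    verdict = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], ctx["action"]):
            continue
        if not _matches(stmt["Resource"], ctx["resource"]):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"           # an explicit Deny always wins
        verdict = "allow"
    return verdict


def decide(action, resource, source_vpce=None):
    """Combine both policies for one request. Assumed: the identity-based
    policy allows the action; source_vpce is None when the request does not
    traverse any VPC endpoint."""
    ctx = {"action": action, "resource": resource}
    if source_vpce is not None:
        ctx["aws:sourceVpce"] = source_vpce
    # The bucket policy is attached to the private bucket and names only it,
    # so evaluating it for every request cannot affect other buckets.
    if evaluate(BUCKET_POLICY, ctx) == "deny":
        return "deny:bucket-policy"
    # The endpoint policy filters traffic through this endpoint only:
    # anything it does not explicitly allow is dropped at the endpoint.
    if source_vpce == VPCE_ID and evaluate(ENDPOINT_POLICY, ctx) != "allow":
        return "deny:endpoint-policy"
    return "allow"


if __name__ == "__main__":
    for action, resource, vpce in [
        ("s3:GetObject", PRIVATE + "/cat.jpg", VPCE_ID),
        ("s3:GetObject", PRIVATE + "/cat.jpg", "vpce-other"),  # constructed id
        ("s3:GetObject", PRIVATE + "/cat.jpg", None),
        ("s3:GetObject", OTHER + "/x.txt", VPCE_ID),
        ("s3:ListBucket", PUBLIC, VPCE_ID),
        ("s3:ListAllMyBuckets", "*", VPCE_ID),
    ]:
        print(f"{action:20} {resource:44} via {vpce!s:26} -> "
              f"{decide(action, resource, vpce)}")
```

The third scenario is the one that surprises people in practice: a request with no aws:sourceVpce key at all (console or public internet) is denied by the bucket policy because StringNotEquals treats a missing key as a mismatch, which is exactly the behaviour that makes the private bucket endpoint-only. The fourth shows the endpoint policy working as a filter: a bucket the endpoint policy never names gets an implicit deny at the endpoint even though no Deny statement exists anywhere.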