Don’t Forget About AWS VPC Endpoint Policies

Nick Gibbon
Pareture


AWS VPC Endpoint Policy Overview And Advice For Support And Troubleshooting

VPC Endpoints

VPC Endpoints allow access to AWS Services within an AWS VPC without traversing the public internet. This is more performant, reliable and secure.

VPC Endpoint Policies

A VPC endpoint policy is an IAM resource policy that you attach to a VPC endpoint. It determines which principals can use the VPC endpoint to access the endpoint service. The default VPC endpoint policy allows all actions by all principals on all resources over the VPC endpoint.

Troubleshooting and Support

When working in Cloud Infrastructure Support rotations, a fairly common class of problem is a user who can use a certain AWS service in one context (for example, locally) but cannot use it from a cloud-hosted workload or automation tool.

The networking seems good and the permissions seem to be equivalent, but something is still missing somewhere. Error codes and messages are not always as clear as we would like them to be. In this situation it is important to remember VPC Endpoint Policies as another thing to check: the endpoint policy is evaluated in addition to the caller's IAM permissions, and traffic from a laptop does not pass through the endpoint at all, which is exactly why the two contexts behave differently.

Example Policy

An example policy which restricts S3 access over this endpoint to a single bucket, potato, in the VPC where the endpoint is attached. Note that object-level actions such as s3:GetObject and s3:PutObject are evaluated against the object ARN (arn:aws:s3:::potato/*), so it must be listed alongside the bucket ARN; with only arn:aws:s3:::potato, bucket-level calls like s3:ListBucket would work but object reads and writes would be denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::potato",
                "arn:aws:s3:::potato/*"
            ]
        }
    ]
}
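To make the troubleshooting step above concrete, here is an added example (not code from the original post) that evaluates a set of S3 requests against an endpoint policy like the one above and lists the ones the endpoint would block. It deliberately shows the difference between granting only the bucket ARN and granting the object ARN as well. The evaluation is a simplified model of IAM (wildcard Action/Resource matching, explicit Deny wins, otherwise implicit deny); Principal and Condition elements are ignored, and the policies, bucket names and request list are constructed for the example.

```python
import fnmatch
import json

# Constructed policies for this example: the first grants only the bucket ARN,
# the second adds the object ARN so object-level calls are covered too.
BUCKET_ONLY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Principal": "*",
                "Action": "s3:*", "Resource": "arn:aws:s3:::potato"}]}
""")
BUCKET_AND_OBJECTS_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                "Resource": ["arn:aws:s3:::potato", "arn:aws:s3:::potato/*"]}]}
""")

def _match(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def endpoint_allows(policy, action, resource):
    """Simplified evaluation of one request against an endpoint policy: an explicit
    Deny wins, otherwise any matching Allow grants, otherwise implicit deny.
    Principal and Condition are ignored (the policies above use Principal "*")."""
    allowed = False
    for st in policy["Statement"]:
        if _match(st["Action"], action, True) and _match(st["Resource"], resource, False):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def triage(policy, requests):
    """Return the (action, resource) pairs the endpoint policy would block; compare this
    list with what the caller reports works from outside the VPC (e.g. a laptop)."""
    return [(a, r) for a, r in requests if not endpoint_allows(policy, a, r)]

# Constructed sample of calls a workload inside the VPC might make.
SAMPLE_REQUESTS = [
    ("s3:ListBucket", "arn:aws:s3:::potato"),
    ("s3:GetObject", "arn:aws:s3:::potato/reports/2023.csv"),
    ("s3:GetObject", "arn:aws:s3:::carrot/reports/2023.csv"),
]

if __name__ == "__main__":
    for name, pol in (("bucket only", BUCKET_ONLY_POLICY), ("bucket + objects", BUCKET_AND_OBJECTS_POLICY)):
        print(name, "blocks:", triage(pol, SAMPLE_REQUESTS))
```

With the bucket-only policy the object read from potato is blocked even though the caller's own IAM policy allows it, which is the symptom described above; the bucket-and-objects policy blocks only the request to the other bucket.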


Software reliability engineer & manager in cloud infrastructure, platforms & tools.