Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Access AWS Resource Groups using an interface endpoint (AWS PrivateLink)

PDF
RSS
Focus mode
Access AWS Resource Groups using an interface endpoint (AWS PrivateLink) - AWS Resource Groups
ConsiderationsCreate an interface endpointCreate an endpoint policy

You can use AWS PrivateLink to create a private connection between your VPC and AWS Resource Groups. You can access Resource Groups as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to access Resource Groups.

You establish this private connection by creating an interface endpoint, powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Resource Groups.

For more information, see Access AWS services through AWS PrivateLink in the AWS PrivateLink Guide.

Considerations for Resource Groups

Before you set up an interface endpoint for Resource Groups, review Considerations in the AWS PrivateLink Guide.

Resource Groups supports making calls to all of its API actions through the interface endpoint.

Create an interface endpoint for Resource Groups

You can create an interface endpoint for Resource Groups using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create an interface endpoint in the AWS PrivateLink Guide.

Create an interface endpoint for Resource Groups using the following service name:

com.amazonaws.region.resource-groups

If you enable private DNS for the interface endpoint, you can make API requests to Resource Groups using its default Regional DNS name. For example, resource-groups.us-east-1.amazonaws.com.

Create an endpoint policy for your interface endpoint

An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Resource Groups through the interface endpoint. To control the access allowed to Resource Groups from your VPC, attach a custom endpoint policy to the interface endpoint.

An endpoint policy specifies the following information:

  • The principals that can perform actions (AWS accounts, IAM users, and IAM roles).

  • The actions that can be performed.

  • The resources on which the actions can be performed.

For more information, see Control access to services using endpoint policies in the AWS PrivateLink Guide.

Example: VPC endpoint policy for Resource Groups actions

The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Resource Groups actions for all principals on all resources.

{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [
            "resource-groups:CreateGroup",
            "resource-groups:GetAccountSettings",
            "resource-groups:GetGroupQuery"
         ],
         "Resource":"*"
      }
   ]
}

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.