Step 2: Create VPC endpoints
You can improve the security posture of your managed nodes (including non-EC2 machines in a hybrid and multicloud environment) by configuring AWS Systems Manager to use an interface VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC). By using an interface VPC endpoint (interface endpoint), you can connect to services powered by AWS PrivateLink. AWS PrivateLink is a technology that allows you to privately access Amazon Elastic Compute Cloud (Amazon EC2) and Systems Manager APIs by using private IP addresses.
AWS PrivateLink restricts all network traffic between your managed instances, Systems Manager, and Amazon EC2 to the Amazon network. This means that your managed instances don't have access to the Internet. If you use AWS PrivateLink, you don't need an internet gateway, a NAT device, or a virtual private gateway.
You aren't required to configure AWS PrivateLink, but it's recommended. For more information about AWS PrivateLink and VPC endpoints, see AWS PrivateLink and VPC endpoints.
Note
The alternative to using a VPC endpoint is to allow outbound internet access on your managed instances. In this case, the managed instances must also allow HTTPS (port 443) outbound traffic to the following endpoints:
-
ssm.region.amazonaws.com -
ssmmessages.region.amazonaws.com -
ec2messages.region.amazonaws.com
SSM Agent initiates all connections to the Systems Manager service in the cloud. For this reason, you don't need to configure your firewall to allow inbound traffic to your instances for Systems Manager.
For more information about calls to these endpoints, see Reference: ec2messages, ssmmessages, and other API operations.
About Amazon VPC
You can use Amazon Virtual Private Cloud (Amazon VPC) to define a virtual network in your own logically isolated area within the AWS Cloud, known as a virtual private cloud (VPC). You can launch your AWS resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using the scalable infrastructure of AWS. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can connect instances in your VPC to the internet. You can connect your VPC to your own corporate data center, making the AWS Cloud an extension of your data center. To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists. For more information, see the Amazon VPC User Guide.
Topics
VPC endpoint restrictions and limitations
Before you configure VPC endpoints for Systems Manager, be aware of the following restrictions and limitations.
Cross-Region requests
VPC endpoints don't support cross-Region requests—ensure that you
create your endpoint in the same AWS Region as your bucket. You can find the
location of your bucket by using the Amazon S3 console, or by using the get-bucket-location command. Use a Region-specific Amazon S3 endpoint to
access your bucket; for example,
DOC-EXAMPLE-BUCKET.s3-us-west-2.amazonaws.com--region parameter in your
requests.
VPC peering connections
VPC interface endpoints can be accessed through both intra-Region and inter-Region VPC peering connections. For more information about VPC peering connection requests for VPC interface endpoints, see VPC peering connections (Quotas) in the Amazon Virtual Private Cloud User Guide.
VPC gateway endpoint connections can't be extended out of a VPC. Resources on the other side of a VPC peering connection in your VPC can't use the gateway endpoint to communicate with resources in the gateway endpoint service. For more information about VPC peering connection requests for VPC gateway endpoints, see VPC endpoints (Quotas) in the Amazon Virtual Private Cloud User Guide
Incoming connections
The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.
DNS resolution
If you use a custom DNS server, you must add a conditional forwarder for any
queries to the amazonaws.com domain to the Amazon DNS server for
your VPC.
S3 buckets
Your VPC endpoint policy must allow access to at least the following Amazon S3 buckets:
-
The S3 buckets listed in SSM Agent communications with AWS managed S3 buckets.
-
The S3 buckets used by Patch Manager for patch baseline operations in your AWS Region. These buckets contain the code that is retrieved and run on instances by the patch baseline service. Each AWS Region has its own patch baseline operations buckets from which the code is retrieved when a patch baseline document is run. If the code can't be downloaded, the patch baseline command will fail.
Note
If you use an on-premises firewall and plan to use Patch Manager, that firewall must also allow access to the appropriate patch baseline endpoint.
To provide access to the buckets in your AWS Region, include the following permission in your endpoint policy.
arn:aws:s3:::patch-baseline-snapshot-region/* arn:aws:s3:::aws-ssm-region/*regionrepresents the identifier for an AWS Region supported by AWS Systems Manager, such asus-east-2for the US East (Ohio) Region. For a list of supportedregionvalues, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.See the following example.
arn:aws:s3:::patch-baseline-snapshot-us-east-2/* arn:aws:s3:::aws-ssm-us-east-2/*Note
In the Middle East (Bahrain) Region (me-south-1) only, these buckets use different naming conventions. For this AWS Region only, use the following two buckets instead:
-
patch-baseline-snapshot-me-south-1-uduvl7q8 -
aws-patch-manager-me-south-1-a53fc9dce
-
Amazon CloudWatch Logs
If you don't allow your instances to access the internet, create a VPC endpoint for CloudWatch Logs to use features that send logs to CloudWatch Logs. For more information about creating an endpoint for CloudWatch Logs, see Creating a VPC endpoint for CloudWatch Logs in the Amazon CloudWatch Logs User Guide.
DNS in hybrid and multicloud environment
For information about configuring DNS to work with AWS PrivateLink endpoints in hybrid and multicloud environments, see Private DNS for interface endpoints in the Amazon VPC User Guide. If you want to use your own DNS, you can use Route 53 Resolver. For more information, see Resolving DNS queries between VPCs and your network in the Amazon Route 53 Developer Guide.
Creating VPC endpoints for Systems Manager
Use the following information to create VPC interface and gateway endpoints for AWS Systems Manager. This topic links to procedures in the Amazon VPC User Guide.
To create VPC endpoints for Systems Manager
In the first step of this procedure, you create three required and one
optional interface endpoints for Systems Manager. The
first three endpoints are required for Systems Manager to work in a VPC. The fourth,
com.amazonaws.,
is required only if you're using Session Manager capabilities.region.ssmmessages
In the second step, you create the required gateway endpoint for Systems Manager to access Amazon S3.
Note
region represents the identifier for an AWS Region
supported by AWS Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of
supported region values, see the Region column in Systems Manager service endpoints in the
Amazon Web Services General Reference.
-
Follow the steps in Create an interface endpoint to create the following interface endpoints:
-
com.amazonaws.– The endpoint for the Systems Manager service.region.ssm -
com.amazonaws.– Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service.region.ec2messages -
com.amazonaws.– If you're using Systems Manager to create VSS-enabled snapshots, you need to ensure that you have an endpoint to the EC2 service. Without the EC2 endpoint defined, a call to enumerate attached Amazon EBS volumes fails, which causes the Systems Manager command to fail.region.ec2 -
com.amazonaws.– This endpoint is required only if you're connecting to your instances through a secure data channel using Session Manager. For more information, see AWS Systems Manager Session Manager and Reference: ec2messages, ssmmessages, and other API operations.region.ssmmessages -
com.amazonaws.– This endpoint is optional. However, it can be created if you want to use AWS Key Management Service (AWS KMS) encryption for Session Manager or Parameter Store parameters.region.kms -
com.amazonaws.– This endpoint is optional. However, it can be created if you want to use Amazon CloudWatch Logs (CloudWatch Logs) for Session Manager, Run Command, or SSM Agent logs.region.logs
-
-
Follow the steps in Create a gateway endpoint to create the following gateway endpoint for Amazon S3.
-
com.amazonaws.– Systems Manager uses this endpoint to update SSM Agent and to perform patching operations. Systems Manager also uses this endpoint for tasks like uploading output logs you choose to store in S3 buckets, retrieving scripts or other files you store in buckets, and so on. If the security group associated with your instances restricts outbound traffic, you must add a rule to allow traffic to the prefix list for Amazon S3. For more information, see Modify your security group in the AWS PrivateLink Guide.region.s3
For information about the AWS managed S3 buckets that SSM Agent must be able to access, see SSM Agent communications with AWS managed S3 buckets. If you're using a virtual private cloud (VPC) endpoint in your Systems Manager operations, you must provide explicit permission in an EC2 instance profile for Systems Manager, or in a service role for non-EC2 managed nodes in a hybrid and multicloud environment.
-
Create an interface VPC endpoint policy
You can create policies for VPC interface endpoints for AWS Systems Manager in which you can specify:
-
The principal that can perform actions
-
The actions that can be performed
-
The resources that can have actions performed on them
For more information, see Control access to services with VPC endpoints in the Amazon VPC User Guide.
