Considerations for Amazon Fraud Detector VPC endpoints Creating an interface VPC endpoint for Amazon Fraud Detector Creating a VPC endpoint policy for Amazon Fraud Detector

Amazon Fraud Detector and interface VPC endpoints (AWS PrivateLink)

You can establish a private connection between your VPC and Amazon Fraud Detector by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Amazon Fraud Detector APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Fraud Detector APIs. Traffic between your VPC and Amazon Fraud Detector does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon Fraud Detector VPC endpoints

Before you set up an interface VPC endpoint for Amazon Fraud Detector, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

Amazon Fraud Detector supports making calls to all of its API actions from your VPC.

VPC endpoint policies are supported for Amazon Fraud Detector. By default, full access to Amazon Fraud Detector is allowed through the endpoint. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Creating an interface VPC endpoint for Amazon Fraud Detector

You can create a VPC endpoint for the Amazon Fraud Detector service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Amazon Fraud Detector using the following service name:

com.amazonaws.region.frauddetector

If you enable private DNS for the endpoint, you can make API requests to Amazon Fraud Detector using its default DNS name for the Region, for example, frauddetector.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Amazon Fraud Detector

You can create a policy for interface VPC endpoints for Amazon Fraud Detector to specify the following:

The principal that can perform actions
The actions that can be performed
The resources on which actions can be performed

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.

The following example VPC endpoint policy specifies that all users who have access to the VPC interface endpoint are allowed to access the Amazon Fraud Detector detector named my_detector.


{
  "Statement": [
      {
          "Action": "frauddetector:*Detector",
          "Effect": "Allow",
          "Resource": "arn:aws:frauddetector:us-east-1:123456789012:detector/my_detector",
          "Principal": "*"
      }
  ]
}

In this example, the following are denied:

Other Amazon Fraud Detector API actions
Invoking Amazon Fraud Detector GetEventPrediction API

Note

In this example, users can still take other Amazon Fraud Detector API actions from outside the VPC. For information about how to restrict API calls to those from within the VPC, see Amazon Fraud Detector identity-based policies.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Key management

Opting out