Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Working with AWS Systems Manager Incident Manager and interface VPC endpoints (AWS PrivateLink)

PDF
RSS
Focus mode
Working with AWS Systems Manager Incident Manager and interface VPC endpoints (AWS PrivateLink) - Incident Manager
Considerations for Incident Manager VPC endpointsCreating an interface VPC endpoint for Incident ManagerCreating a VPC endpoint policy for Incident Manager

You can establish a private connection between your VPC and AWS Systems Manager Incident Manager by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink. With AWS PrivateLink, you can privately access Incident Manager API operations without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.. Instances in your VPC don't need public IP addresses to communicate with Incident Manager API operations. Traffic between your VPC and Incident Manager stays within the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for Incident Manager VPC endpoints

Before you set up an interface VPC endpoint for Incident Manager, ensure that you review Interface endpoint properties and limitations and AWS PrivateLink quotas in the Amazon VPC User Guide.

Incident Manager supports making calls to all of its API actions from your VPC. To use all of Incident Manager, you must create two VPC endpoints: one for ssm-incidents and one for ssm-contacts.

Creating an interface VPC endpoint for Incident Manager

You can create a VPC endpoint for Incident Manager using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Incident Manager using the following service names:

  • com.amazonaws.region.ssm-incidents

  • com.amazonaws.region.ssm-contacts

If you use private DNS for the endpoint, you can make API requests to Incident Manager using its default DNS name for the Region. For example, you can use the names ssm-incidents.us-east-1.amazonaws.com or ssm-contacts.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Incident Manager

You can attach an endpoint policy to your VPC endpoint that controls access to Incident Manager. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which these actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Incident Manager actions

The following is an example of an endpoint policy for Incident Manager. When attached to an endpoint, this policy grants access to the listed Incident Manager actions for all principals on all resources.

{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "ssm-contacts:ListContacts",
            "ssm-incidents:ListResponsePlans",
            "ssm-incidents:StartIncident"
         ],
         "Resource":"*"
      }
   ]
}

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.