Amazon Macie and interface VPC endpoints (AWS PrivateLink) - Amazon Macie


If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and Amazon Macie. Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways.

To connect your VPC to Macie, you create an interface VPC endpoint for Macie. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Amazon Macie APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Macie APIs. Traffic between your VPC and Macie doesn't leave the Amazon network.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets. For more information, see Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide.

Considerations for Amazon Macie VPC endpoints

Amazon Macie supports VPC endpoints in all the AWS Regions where it's currently available except the Asia Pacific (Osaka) and Israel (Tel Aviv) Regions. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the AWS General Reference. In addition, Macie supports making calls to all of its API actions from a VPC.

If you create an interface VPC endpoint for Macie, consider doing the same for other AWS services that provide VPC support and integrate with Macie, such as Amazon EventBridge and AWS Security Hub. Macie and those services can then use VPC endpoints for the integration. For example, if you create a VPC endpoint for Macie and a VPC endpoint for Security Hub, Macie can use its VPC endpoint when it publishes findings to Security Hub and Security Hub can use its VPC endpoint when it receives the findings. For information about services that support VPC endpoints, see AWS services that integrate with AWS PrivateLink in the Amazon VPC User Guide.

For additional considerations, see Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide.

Note that VPC endpoint policies are not supported for Macie. By default, full access to Macie is allowed through the endpoint, and you can't attach a policy to the endpoint to narrow that. Control who can call Macie with IAM identity policies instead, and control which hosts can reach the endpoint with the security groups attached to its network interfaces (for example, allow inbound TCP 443 only from the VPC's CIDR). For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the Amazon VPC User Guide.

Creating an interface VPC endpoint for Amazon Macie

You can create an interface VPC endpoint for the Amazon Macie service by using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create a VPC endpoint in the Amazon VPC User Guide.

When you create a VPC endpoint for Macie, use the following service name:

  • com.amazonaws.region.macie2

Where region is the Region code for the applicable AWS Region.

If you enable private DNS for the endpoint, you can make API requests to Macie using its default DNS name for the Region, for example, macie2.us-east-1.amazonaws.com for the US East (N. Virginia) Region.
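Putting the steps above together, as an added example that is not part of the AWS documentation: a POSIX shell script that builds the Macie service name for a Region (refusing the two Regions noted earlier, assuming their Region codes are ap-northeast-3 for Osaka and il-central-1 for Tel Aviv), creates the interface endpoint with private DNS enabled behind a security group that admits HTTPS only from the VPC's own CIDR, and then checks the result. The VPC ID, subnet IDs and CIDR are placeholders passed as arguments; the script assumes AWS CLI v2 with credentials allowed to manage EC2 and call Macie.

```shell
#!/bin/sh
# Added example, not code from the AWS documentation. Creates an interface VPC
# endpoint for Amazon Macie and checks it. Assumes AWS CLI v2 with credentials
# configured; VPC, subnet and CIDR values are placeholders given as arguments.
set -eu

# Service name for the Macie endpoint. The Asia Pacific (Osaka) and Israel
# (Tel Aviv) Regions don't support Macie VPC endpoints; their codes
# (ap-northeast-3, il-central-1) are assumed here.
macie_endpoint_service_name() {
  region="$1"
  case "$region" in
    ap-northeast-3|il-central-1)
      echo "Macie VPC endpoints are not supported in $region" >&2
      return 1 ;;
  esac
  echo "com.amazonaws.${region}.macie2"
}

# Default Macie DNS name for the Region; with private DNS enabled this name
# resolves to the endpoint's private IP addresses from inside the VPC.
macie_private_dns_name() {
  echo "macie2.${1}.amazonaws.com"
}

# Create a security group that allows HTTPS only from inside the VPC, then the
# endpoint itself with private DNS enabled. Prints the endpoint ID.
# subnet_ids is a space-separated list and is deliberately left unquoted.
create_macie_endpoint() {
  region="$1" vpc_id="$2" subnet_ids="$3" vpc_cidr="$4"
  service=$(macie_endpoint_service_name "$region")

  sg_id=$(aws ec2 create-security-group --region "$region" \
    --vpc-id "$vpc_id" --group-name macie-endpoint-sg \
    --description "HTTPS to the Macie interface endpoint" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$region" \
    --group-id "$sg_id" --protocol tcp --port 443 --cidr "$vpc_cidr" >/dev/null

  aws ec2 create-vpc-endpoint --region "$region" \
    --vpc-endpoint-type Interface --vpc-id "$vpc_id" \
    --service-name "$service" --subnet-ids $subnet_ids \
    --security-group-ids "$sg_id" --private-dns-enabled \
    --query VpcEndpoint.VpcEndpointId --output text
}

# Checks: endpoint state, whether the default DNS name resolves to a private
# address (run from a host in the VPC; a public address means private DNS is
# not in effect there), and a lightweight Macie API call over the endpoint.
verify_macie_endpoint() {
  region="$1" endpoint_id="$2"
  state=$(aws ec2 describe-vpc-endpoints --region "$region" \
    --vpc-endpoint-ids "$endpoint_id" \
    --query 'VpcEndpoints[0].State' --output text)
  echo "endpoint $endpoint_id state: $state"
  getent hosts "$(macie_private_dns_name "$region")" || true
  aws macie2 get-macie-session --region "$region"
}

# Usage: ./macie-endpoint.sh us-east-1 vpc-0123456789abcdef0 \
#          "subnet-aaaa subnet-bbbb" 10.0.0.0/16
# Nothing is created unless all four arguments are supplied.
if [ $# -eq 4 ]; then
  ep=$(create_macie_endpoint "$@")
  verify_macie_endpoint "$1" "$ep"
fi
```

Run the verification step from an instance inside the VPC: the endpoint can show `available` from anywhere, but only a host in the VPC will see the private DNS name resolve to the endpoint's addresses, which is the check that traffic is actually staying on the private path.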

For more information, see Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide.