Amazon Macie and interface VPC endpoints (AWS PrivateLink)
If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and Amazon Macie. Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways.
To connect your VPC to Macie, you create an interface VPC endpoint for Macie. Interface endpoints are powered by AWS PrivateLink, which lets resources in your VPC reach the Macie API privately, without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection; traffic between your VPC and Macie stays on the Amazon network. Each interface endpoint is represented by one or more elastic network interfaces in your subnets. For more information, see AWS PrivateLink and VPC endpoints in the Amazon VPC User Guide.
Considerations for Amazon Macie VPC endpoints
Amazon Macie supports VPC endpoints in all the AWS Regions where it's currently available except the Asia Pacific (Osaka) Region. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference. All Macie API actions can be called through a VPC endpoint.
Before you create an interface VPC endpoint for Macie, consider creating endpoints for the other AWS services that support VPC endpoints and integrate with Macie, such as Amazon EventBridge and AWS Security Hub. Otherwise, traffic for those integrations (for example, the findings that Macie publishes to EventBridge and Security Hub) can't use VPC endpoints. For a list of services that support VPC endpoints, see AWS services that integrate with AWS PrivateLink in the Amazon VPC User Guide.
For additional considerations, see Interface endpoint properties and limitations in the Amazon VPC User Guide.
Note that VPC endpoint policies are not supported for Macie. By default, full access to Macie is allowed through the endpoint, so the endpoint itself does not restrict who can call Macie or what they can do. To limit access, use the security groups attached to the endpoint's network interfaces to control which sources in the VPC can reach it, and use IAM policies (for example, with the aws:SourceVpce or aws:SourceVpc condition key) to control what callers are allowed to do. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Creating an interface VPC endpoint for Amazon Macie
You can create a VPC endpoint for the Amazon Macie service by using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create an interface endpoint in the Amazon VPC User Guide.
When you create a VPC endpoint for Macie, use the following service name:

com.amazonaws.region.macie2

Where region is the Region code for the applicable AWS Region, for example com.amazonaws.us-east-1.macie2 for the US East (N. Virginia) Region.
If you enable private DNS for the endpoint, you can make API requests to Macie using its default DNS name for the Region, for example, macie2.us-east-1.amazonaws.com for the US East (N. Virginia) Region.
For more information, see Access a service through an interface endpoint in the Amazon VPC User Guide.
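The procedure above, carried out with the AWS CLI, as an added example that is not part of the original page. It builds the service name from the Region code (refusing the Asia Pacific (Osaka) Region, where Macie has no endpoint support), creates the endpoint with private DNS enabled, and then checks from inside the VPC that the default Macie DNS name now resolves to private addresses rather than the public service range, which is the quickest way to confirm that private DNS is actually in effect before trusting that traffic stays off the internet. The VPC, subnet and security group IDs are placeholders, the script assumes AWS CLI v2 with credentials permitted to call ec2:CreateVpcEndpoint and macie2:GetMacieSession, and the DNS check assumes a Linux host with getent.

```shell
#!/bin/sh
# Added example: create and verify an interface VPC endpoint for Macie.
# Assumptions: AWS CLI v2 with suitable credentials; Linux (getent); the VPC,
# subnet and security group IDs given on the command line are placeholders.
set -eu

# Build the PrivateLink service name for a Region, refusing the one Region
# where Macie has no endpoint support (Asia Pacific (Osaka), ap-northeast-3).
macie_service_name() {
    case "$1" in
        ap-northeast-3)
            echo "Macie does not support VPC endpoints in $1 (Asia Pacific (Osaka))" >&2
            return 1 ;;
        [a-z][a-z]-[a-z]*-[0-9]) ;;
        *)  echo "not a Region code: $1" >&2; return 1 ;;
    esac
    echo "com.amazonaws.$1.macie2"
}

# Default Macie DNS name that private DNS overrides inside the VPC.
macie_private_dns_name() {
    echo "macie2.$1.amazonaws.com"
}

# True when $1 is an IPv4 address in an RFC 1918 range.
is_rfc1918() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# True when every address given is private; a single public address means the
# name is still resolving to the internet-facing Macie endpoint.
all_private() {
    [ $# -gt 0 ] || return 1
    for ip in "$@"; do
        is_rfc1918 "$ip" || return 1
    done
    return 0
}

# Create the endpoint with private DNS enabled so the default Macie DNS name
# resolves to the endpoint inside the VPC. Prints the new endpoint ID.
create_macie_endpoint() {
    region=$1; vpc_id=$2; sg_id=$3; shift 3    # remaining arguments: subnet IDs
    service=$(macie_service_name "$region") || return 1
    aws ec2 create-vpc-endpoint \
        --region "$region" \
        --vpc-id "$vpc_id" \
        --vpc-endpoint-type Interface \
        --service-name "$service" \
        --subnet-ids "$@" \
        --security-group-ids "$sg_id" \
        --private-dns-enabled \
        --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Run from an instance in the VPC: confirm private DNS is in effect, then make
# one Macie API call through the endpoint.
verify_macie_endpoint() {
    region=$1
    name=$(macie_private_dns_name "$region")
    addrs=$(getent ahostsv4 "$name" | awk '{ print $1 }' | sort -u)
    if all_private $addrs; then
        echo "$name resolves to private addresses:" $addrs
    else
        echo "$name is not resolving to the endpoint; check private DNS on the endpoint and enableDnsSupport/enableDnsHostnames on the VPC" >&2
        return 1
    fi
    aws macie2 get-macie-session --region "$region" --query status --output text
}

# Usage (placeholder IDs):
#   sh macie_endpoint.sh create us-east-1 vpc-0123456789abcdef0 sg-0123456789abcdef0 subnet-aaaa subnet-bbbb
#   sh macie_endpoint.sh verify us-east-1
case "${1:-}" in
    create) shift; create_macie_endpoint "$@" ;;
    verify) verify_macie_endpoint "$2" ;;
    *)      : ;;    # no arguments: only define the functions
esac
```

Because endpoint policies are not available for Macie, the security group passed to create_macie_endpoint is the only network-level control on the endpoint; keep its inbound rule limited to the subnets or hosts that need to call Macie.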