Manage access to VPC Lattice services - Amazon VPC Lattice

Manage access to VPC Lattice services

VPC Lattice is secure by default because you must explicitly specify which services to provide access to and from which VPCs. For multi-account scenarios, you can use AWS Resource Access Manager to share resources across account boundaries. VPC Lattice provides a framework that lets you implement a defense-in-depth strategy at multiple layers of the network.

  • First layer – The service and VPC association with a service network. If a VPC or specific service is not associated with the service network, clients in the VPC do not have access to the service.

  • Second layer – Optional network-level security protections for the service network, such as security groups and network ACLs. By using these, you can allow access to specific groups of resources in a VPC instead of all resources in the VPC.

  • Third layer – Optional VPC Lattice auth policy. You can apply an auth policy to service networks and individual services. Typically, the auth policy on the service network is operated by the network or cloud administrator, and it implements coarse-grained authorization, for example allowing only authenticated requests from a specific organization in AWS Organizations. For an auth policy at the service level, the service owner typically sets fine-grained controls, which might be more restrictive than the coarse-grained authorization applied at the service network level.
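The coarse-grained versus fine-grained split in the third layer is easiest to see as two concrete auth policies. The following is an added example, not code from the AWS documentation: it builds a service network policy that admits only authenticated principals from one organization, a service-level policy that further restricts callers to one account, one source VPC and read-only requests under one path, and a small linter that flags the weak setting a reviewer should reject (an Allow statement for everyone with no condition, which admits unauthenticated callers). The organization ID, account ID and VPC ID are constructed placeholders; the condition keys (`aws:PrincipalOrgID`, `vpc-lattice-svcs:SourceVpc`, `vpc-lattice-svcs:RequestMethod`, `vpc-lattice-svcs:RequestPath`) are the IAM and VPC Lattice keys used in auth policies.

```python
"""Added example: VPC Lattice auth policies for the service network (coarse)
and for one service (fine), plus a linter for anonymous-access statements."""
import json

# Constructed placeholders; replace with your own identifiers.
ORG_ID = "o-exampleorgid"
SERVICE_OWNER_ACCOUNT = "111122223333"
ALLOWED_VPC = "vpc-0123456789abcdef0"

INVOKE = "vpc-lattice-svcs:Invoke"  # the only action in a VPC Lattice auth policy


def service_network_policy(org_id: str) -> dict:
    """Coarse-grained policy for the service network: any authenticated
    principal that belongs to the organization may invoke, nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",          # any principal ...
            "Action": INVOKE,
            "Resource": "*",
            "Condition": {             # ... but only if it is in the org
                "StringEquals": {"aws:PrincipalOrgID": org_id}
            },
        }],
    }


def service_policy(account_id: str, vpc_id: str) -> dict:
    """Fine-grained policy for one service: only principals from the owning
    account, arriving from one VPC, and only GET requests under /api/."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": account_id},
            "Action": INVOKE,
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "vpc-lattice-svcs:SourceVpc": vpc_id,
                    "vpc-lattice-svcs:RequestMethod": "GET",
                },
                "StringLike": {"vpc-lattice-svcs:RequestPath": "/api/*"},
            },
        }],
    }


def weak_policy() -> dict:
    """The setting a reviewer should reject: Allow to everyone, no condition.
    With no condition, Principal "*" also admits unauthenticated requests."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": INVOKE, "Resource": "*",
        }],
    }


def find_policy_issues(policy: dict) -> list:
    """Return human-readable findings for Allow statements that grant
    anonymous access or use a wildcard action."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or principal == {"AWS": "*"}
        if anonymous and not stmt.get("Condition"):
            issues.append(f"statement {i}: Allow with Principal '*' and no "
                          "Condition permits unauthenticated callers")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "vpc-lattice-svcs:*") for a in actions):
            issues.append(f"statement {i}: wildcard Action; use {INVOKE}")
    return issues


def render(policy: dict) -> str:
    """Serialize a policy for `aws vpc-lattice put-auth-policy
    --resource-identifier <id> --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in (("service network", service_network_policy(ORG_ID)),
                      ("service", service_policy(SERVICE_OWNER_ACCOUNT, ALLOWED_VPC)),
                      ("weak", weak_policy())):
        print(f"--- {name} policy: {find_policy_issues(pol) or 'no issues'}")
        print(render(pol))
```

Apply the first document with `put-auth-policy` against the service network identifier and the second against the service identifier; both layers are evaluated, so a caller must satisfy the organization check and the service-level conditions to be admitted.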

Methods of access control