Create an SNS notification Add an access policy Add a key policy

Receive alerts for interface endpoint events

You can create a notification to receive alerts for specific events related to your interface endpoint. For example, you can receive an email when a connection request is accepted or rejected.

Use the following procedure to create an Amazon SNS topic for the notifications and subscribe to the topic.

To create a notification for an interface endpoint using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Select the interface endpoint.
From the Notifications tab, choose Create notification.
For Notification ARN, choose the ARN for the SNS topic that you created.
To subscribe to an event, select it from Events.
- Connect – The service consumer created the interface endpoint. This sends a connection request to the service provider.
- Accept – The service provider accepted the connection request.
- Reject – The service provider rejected the connection request.
- Delete – The service consumer deleted the interface endpoint.
Choose Create notification.

To create a notification for an interface endpoint using the command line

create-vpc-endpoint-connection-notification (AWS CLI)
New-EC2VpcEndpointConnectionNotification (Tools for Windows PowerShell)

Add an access policy

Add an access policy to the Amazon SNS topic that allows AWS PrivateLink to publish notifications on your behalf, such as the following. For more information, see How do I edit my Amazon SNS topic's access policy? Use the aws:SourceArn and aws:SourceAccount global condition keys to protect against the confused deputy problem.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpce.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:region:account-id:topic-name",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint/endpoint-id"
        },
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

Add a key policy

If you're using encrypted SNS topics, the resource policy for the KMS key must trust AWS PrivateLink to call AWS KMS API operations. The following is an example key policy.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpce.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:region:account-id:key/key-id",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint/endpoint-id"
        },
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Configure an interface endpoint

Delete an interface endpoint