Receive alerts for interface endpoint events - Amazon Virtual Private Cloud

Receive alerts for interface endpoint events

You can create a notification to receive alerts for specific events related to your interface endpoint. For example, you can receive an email when a connection request is accepted or rejected.

Create an SNS notification

Use the following procedure to create an Amazon SNS topic for the notifications and subscribe to the topic.

To create a notification for an interface endpoint using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the interface endpoint.

  4. From the Notifications tab, choose Create notification.

  5. For Notification ARN, choose the ARN for the SNS topic that you created.

  6. To subscribe to an event, select it from Events.

    • Connect – The service consumer created the interface endpoint. This sends a connection request to the service provider.

    • Accept – The service provider accepted the connection request.

    • Reject – The service provider rejected the connection request.

    • Delete – The service consumer deleted the interface endpoint.

  7. Choose Create notification.

To create a notification for an interface endpoint using the command line

Add an access policy

Add an access policy to the Amazon SNS topic that allows AWS PrivateLink to publish notifications on your behalf, such as the following. For more information, see How do I edit my Amazon SNS topic's access policy? Use the aws:SourceArn and aws:SourceAccount global condition keys to protect against the confused deputy problem.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "vpce.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:region:account-id:topic-name", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint/endpoint-id" }, "StringEquals": { "aws:SourceAccount": "account-id" } } } ] }

Add a key policy

If you're using encrypted SNS topics, the resource policy for the KMS key must trust AWS PrivateLink to call AWS KMS API operations. The following is an example key policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "vpce.amazonaws.com" }, "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ], "Resource": "arn:aws:kms:region:account-id:key/key-id", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint/endpoint-id" }, "StringEquals": { "aws:SourceAccount": "account-id" } } } ] }