Receive alerts for interface endpoint events
You can create a notification to receive alerts for specific events related to your interface endpoint. For example, you can receive an email when a connection request is accepted or rejected.
Create an SNS notification
Use the following procedure to create an Amazon SNS topic for the notifications and subscribe to the topic.
To create a notification for an interface endpoint using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Endpoints.
3. Select the interface endpoint.
4. From the Notifications tab, choose Create notification.
5. For Notification ARN, choose the ARN for the SNS topic that you created.
6. To subscribe to an event, select it from Events.
   - Connect – The service consumer created the interface endpoint. This sends a connection request to the service provider.
   - Accept – The service provider accepted the connection request.
   - Reject – The service provider rejected the connection request.
   - Delete – The service consumer deleted the interface endpoint.
7. Choose Create notification.
To create a notification for an interface endpoint using the command line
- New-EC2VpcEndpointConnectionNotification (Tools for Windows PowerShell)
Add an access policy
Add an access policy to the Amazon SNS topic that allows AWS PrivateLink to publish notifications on your behalf, such as the following. For more information, see How do I edit my Amazon SNS topic's access policy? Use the aws:SourceArn and aws:SourceAccount global condition keys to protect against the confused deputy problem: they restrict the grant to publishes that originate from your own endpoint and account, so that the vpce.amazonaws.com service principal cannot be used to publish to your topic on behalf of another account's endpoint.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpce.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:region:account-id:topic-name",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint/endpoint-id"
        },
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}
Add a key policy
If you're using encrypted SNS topics, the key policy for the KMS key must trust AWS PrivateLink to call AWS KMS API operations; otherwise SNS cannot generate the data key needed to encrypt a published message and delivery fails. The following is an example key policy. It carries the same aws:SourceArn and aws:SourceAccount conditions as the topic policy, so the key can only be used for messages that originate from your endpoint.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpce.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:region:account-id:key/key-id",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint/endpoint-id"
        },
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}
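Both the topic policy and the key policy above rely on the same two condition keys to defeat the confused deputy. The following added example (not part of the AWS documentation) checks a policy document for Allow statements that admit the vpce.amazonaws.com service principal without both aws:SourceArn and aws:SourceAccount; the policies it inspects are constructed copies of the page's examples with sample region, account, topic and endpoint values.

```python
import copy

# Constructed sample values stand in for the page's placeholders
# (region, account-id, topic-name, endpoint-id); they are not real resources.
SNS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "vpce.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:111122223333:endpoint-events",
        "Condition": {
            "ArnLike": {"aws:SourceArn": "arn:aws:ec2:us-east-1:111122223333:"
                                         "vpc-endpoint/vpce-0123456789abcdef0"},
            "StringEquals": {"aws:SourceAccount": "111122223333"},
        },
    }],
}

# Weak variant: the same grant with the whole Condition block dropped.
WEAK_POLICY = copy.deepcopy(SNS_POLICY)
del WEAK_POLICY["Statement"][0]["Condition"]

# Partial variant: keeps aws:SourceAccount but drops the aws:SourceArn guard.
PARTIAL_POLICY = copy.deepcopy(SNS_POLICY)
del PARTIAL_POLICY["Statement"][0]["Condition"]["ArnLike"]

REQUIRED_KEYS = ("aws:SourceArn", "aws:SourceAccount")

def _as_list(value):
    # IAM accepts a scalar wherever a list is allowed; normalize to a list.
    return value if isinstance(value, list) else [value]

def find_unguarded_service_grants(policy, service="vpce.amazonaws.com"):
    """Return (statement index, missing guard keys) for each Allow statement that
    admits `service` (or any principal, "*") without both confused-deputy keys.
    IAM condition keys are case-insensitive, so names are compared in lower case."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and service not in services:
            continue
        present = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        missing = [k for k in REQUIRED_KEYS if k.lower() not in present]
        if missing:
            findings.append((i, missing))
    return findings
```

The same function applies unchanged to the KMS key policy, since it uses the identical principal and condition structure.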