Identity and access management for VPC endpoints and VPC endpoint services - Amazon Virtual Private Cloud

Identity and access management for VPC endpoints and VPC endpoint services

Use IAM to manage access to VPC endpoints and VPC endpoints services.

Control the use of VPC endpoints

By default, IAM users do not have permission to work with endpoints. You can create an IAM user policy that grants users the permissions to create, modify, describe, and delete endpoints. The following is an example.

{ "Version": "2012-10-17", "Statement":[ { "Effect": "Allow", "Action":"ec2:*VpcEndpoint*", "Resource":"*" } ] }

For information about controlling access to services using VPC endpoints, see Control access to services with VPC endpoints.

Control VPC endpoints creation based on the service owner

You can use the ec2:VpceServiceOwner condition key to control what VPC endpoint can be created based on who owns the service (amazon, aws-marketplace, or the account ID). The following example grants permission to create VPC endpoints with the specified service owner. To use this example, substitute the Region, the account ID, and the service owner.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:accountId:vpc/*", "arn:aws:ec2:region:accountId:security-group/*", "arn:aws:ec2:region:accountId:subnet/*", "arn:aws:ec2:region:accountId:route-table/*" ] }, { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:accountId:vpc-endpoint/*" ], "Condition": { "StringEquals": { "ec2:VpceServiceOwner": [ "amazon" ] } } } ] }

Control the private DNS names that can be specified for VPC endpoint services

You can use the ec2:VpceServicePrivateDnsName condition key to control what VPC endpoint service can be modified or created based on the private DNS name associated with the VPC endpoint service. The following example grants permission to create a VPC endpoint service with the specified private DNS name. To use this example, substitute the Region, the account ID, and the private DNS name.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:ModifyVpcEndpointServiceConfiguration", "ec2:CreateVpcEndpointServiceConfiguration" ], "Resource": [ "arn:aws:ec2:region:accountId:vpc-endpoint-service/*" ], "Condition": { "StringEquals": { "ec2:VpceServicePrivateDnsName": [ "example.com" ] } } } ] }

Control the service names that can be specified for VPC endpoint services

You can use the ec2:VpceServiceName condition key to control what VPC endpoint can be created based on the VPC endpoint service name. The following example grants permission to create a VPC endpoint with the specified service name. To use this example, substitute the Region, the account ID, and the service name.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:accountId:vpc/*", "arn:aws:ec2:region:accountId:security-group/*", "arn:aws:ec2:region:accountId:subnet/*", "arn:aws:ec2:region:accountId:route-table/*" ] }, { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:accountId:vpc-endpoint/*" ], "Condition": { "StringEquals": { "ec2:VpceServiceName": [ "com.amazonaws.region.s3" ] } } } ] }