Receive alerts for endpoint service events - Amazon Virtual Private Cloud

Receive alerts for endpoint service events

You can create a notification to receive alerts for specific events related to your endpoint service. For example, you can receive an email when a connection request is accepted or rejected.

Create an SNS notification

Use the following procedure to create an Amazon SNS topic for the notifications and subscribe to the topic.

To create a notification for an endpoint service using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service.

  4. From the Notifications tab, choose Create notification.

  5. For Notification ARN, choose the ARN for the SNS topic that you created.

  6. To subscribe to an event, select it from Events.

    • Connect – The service consumer created the interface endpoint. This sends a connection request to the service provider.

    • Accept – The service provider accepted the connection request.

    • Reject – The service provider rejected the connection request.

    • Delete – The service consumer deleted the interface endpoint.

  7. Choose Create notification.

To create a notification for an endpoint service using the command line

Add an access policy

Add an access policy to the SNS topic that allows AWS PrivateLink to publish notifications on your behalf, such as the following. For more information, see How do I edit my Amazon SNS topic's access policy? Use the aws:SourceArn and aws:SourceAccount global condition keys to protect against the confused deputy problem.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpce.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:region:account-id:topic-name",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint-service/service-id"
        },
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}

Add a key policy

If you're using encrypted SNS topics, the resource policy for the KMS key must trust AWS PrivateLink to call AWS KMS API operations. The following is an example key policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpce.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:region:account-id:key/key-id",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ec2:region:account-id:vpc-endpoint-service/service-id"
        },
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}
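The following check is an added example, not part of the AWS documentation. It applies to both the SNS access policy and the KMS key policy above: it flags any Allow statement that trusts vpce.amazonaws.com without pinning both aws:SourceArn and aws:SourceAccount. The function names, the account ID, Region, topic name, and service ID are constructed placeholders.

```python
SERVICE = "vpce.amazonaws.com"  # AWS PrivateLink principal used in the policies above
REQUIRED = {"aws:sourcearn", "aws:sourceaccount"}  # condition key names are case-insensitive
POSITIVE_OPS = {"ArnLike", "ArnEquals", "StringEquals", "StringLike"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def scoped_keys(statement):
    """Lower-cased condition keys that pin the caller to a specific value."""
    found = set()
    for operator, conditions in statement.get("Condition", {}).items():
        if operator not in POSITIVE_OPS:
            continue  # negated and ...IfExists operators are not counted as scoping
        for key, values in conditions.items():
            # A bare "*" does not pin the key to one service or account.
            if all(v != "*" for v in as_list(values)):
                found.add(key.lower())
    return found

def find_unscoped(policy):
    """Return [(statement_index, [missing keys])] for Allow statements trusting SERVICE."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        missing = sorted(REQUIRED - scoped_keys(stmt))
        if missing:
            findings.append((index, missing))
    return findings

# Constructed sample values (placeholder account, Region, topic, and service ID).
SERVICE_ARN = "arn:aws:ec2:us-east-1:111122223333:vpc-endpoint-service/vpce-svc-EXAMPLE"
def sample_statement(condition):
    return {"Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic", "Condition": condition}

SAMPLE = {"Version": "2012-10-17", "Statement": [
    sample_statement({"ArnLike": {"aws:SourceArn": SERVICE_ARN},
                      "StringEquals": {"aws:SourceAccount": "111122223333"}}),
    sample_statement({}),  # no conditions at all
    sample_statement({"ArnLike": {"aws:SourceArn": "*"},
                      "StringEquals": {"aws:SourceAccount": "111122223333"}}),
]}

if __name__ == "__main__":
    for index, missing in find_unscoped(SAMPLE):
        print(f"statement {index}: missing or unpinned {', '.join(missing)}")
```

To check a real policy, load its JSON document with json.load and pass the resulting dictionary to find_unscoped.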