Share EC2 Instance Connect endpoint between AWS accounts

Question

I'm configuring EC2 Instance Connect endpoint to access my EC2 instances in private subnets.
I have multiple AWS accounts, subnets are connected via VPC peering.

Can I create a single endpoint in one AWS account, and use it in all other accounts?
The console doesn't see endpoints from another account, and doesn't allow to specify a custom id.
![Enter image description here](/media/postImages/original/IM_XRUid3nSrqXbUPPyyoILQ)

The [blog post](https://aws.amazon.com/blogs/compute/secure-connectivity-from-public-to-private-introducing-ec2-instance-connect-endpoint-june-13-2023/) says:
>  IAM principals using an EIC Endpoint must be part of the same AWS account (either directly or by cross-account role assumption)

How is it intended to work? I'm assuming a role from another account but still need to have access to EC2 instances in the current account. Are there any examples of such a policy?

Answer

To work with multiple AWS accounts, you would typically:

* Set up EC2 Instance Connect in each AWS account separately.
* Use cross-account IAM roles to access EC2 instances in other accounts.
* Grant permission for ec2-instance-connect:SendSSHPublicKey in IAM policies.
* Assume the IAM role from the originating account to connect to instances in the target account.
* The console won't show endpoints from other accounts; access is managed through IAM.

Share EC2 Instance Connect endpoint between AWS accounts

Relevanter Inhalt