Access Secrets Manager from EC2 without Endpoint

0

I have an EC2 instance (Elastic Beanstalk) that gets secrets from Secrets Manager. For that to work, the EC2 has a role with permission to access the secret, a security group with HTTPS permission with the origin and destination of itself, and an endpoint to Secrets Manager.

Everything works fine but it doesn't work without the endpoint.

My question is: why do I need the endpoint if the EC2 already has public access to the internet?

2 Answers
0

An application running inside an EC2 machine can connect to Secrets Manager using either the public endpoints of Secrets Manager (https://docs.aws.amazon.com/general/latest/gr/asm.html) or using a VPC endpoint to Secrets Manager (https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html). If using the VPC endpoint, the traffic goes over the AWS network and not over the public internet.

Security groups are stateful firewalls that ensure access is allowed only from the relevant IPs, CIDRs or other security groups, and only on the opened ports. As the name suggests, that's to protect against unauthorized access.

AWS
EXPERT
answered 2 years ago
EXPERT
verified 5 months ago
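The answer above names the two paths (public endpoint over the internet, or a VPC interface endpoint inside the VPC) and notes that security groups are stateful. The following is an added example, not code from the original thread or from AWS: a small Python model of the two controls an instance-initiated HTTPS connection crosses, the subnet route table and the security group's egress rules. It is built around the setup the question describes, a public subnet whose only HTTPS egress rule references the security group itself. All IDs, CIDRs and IP addresses are constructed; `203.0.113.10` is a documentation-range placeholder standing in for a public Secrets Manager address, and the VPC endpoint's network interface is assumed to carry the same security group `sg-app`.

```python
"""Model how a subnet route table and a security group's egress rules decide
whether an EC2 instance can open an HTTPS connection to Secrets Manager,
either to the public endpoint or to a VPC interface endpoint.
Added illustration; all IDs, CIDRs and IPs are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str                  # "tcp", "udp" or "-1" (all traffic)
    from_port: int
    to_port: int
    cidr: Optional[str] = None     # CIDR-based rule, e.g. "0.0.0.0/0"
    ref_sg: Optional[str] = None   # SG-reference rule; self-referencing when it names its owner


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    port: int = 443
    sgs: Tuple[str, ...] = ()      # only network interfaces inside the VPC carry security groups


def rule_matches(rule: Rule, ep: Endpoint) -> bool:
    """An SG rule matches by protocol/port and then either by CIDR or by the
    security groups attached to the destination interface."""
    if rule.protocol not in ("-1", "tcp"):
        return False
    if rule.protocol == "tcp" and not (rule.from_port <= ep.port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(rule.cidr)
    return rule.ref_sg in ep.sgs


def has_route(route_table: Dict[str, str], ip: str) -> Optional[str]:
    """Longest-prefix match over the route table; returns the target
    ("local", "igw-...") or None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def can_reach(egress: List[Rule], route_table: Dict[str, str], ep: Endpoint) -> Tuple[bool, str]:
    """Security groups are stateful: for a connection the instance initiates,
    only the egress rules are evaluated; the reply traffic is allowed automatically."""
    target = has_route(route_table, ep.ip)
    if target is None:
        return False, f"{ep.name}: no route"
    if not any(rule_matches(r, ep) for r in egress):
        return False, f"{ep.name}: route via {target}, but egress denied by security group"
    return True, f"{ep.name}: reachable via {target}"


# Constructed setup mirroring the question: a public subnet (default route to an
# internet gateway) and a security group whose only HTTPS rule references itself.
PUBLIC_SUBNET_ROUTES = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0123"}
SELF_ONLY_EGRESS = [Rule("tcp", 443, 443, ref_sg="sg-app")]
# Alternative rule set: HTTPS egress to any destination.
OPEN_HTTPS_EGRESS = [Rule("tcp", 443, 443, cidr="0.0.0.0/0")]

# Public Secrets Manager endpoint: placeholder public IP, no security groups attached.
PUBLIC_ENDPOINT = Endpoint("secretsmanager public endpoint", "203.0.113.10")
# VPC interface endpoint: an interface inside the VPC carrying the same security group.
VPC_ENDPOINT = Endpoint("secretsmanager VPC endpoint", "10.0.1.25", sgs=("sg-app",))


def evaluate(egress: List[Rule], route_table: Dict[str, str] = PUBLIC_SUBNET_ROUTES) -> Dict[str, Tuple[bool, str]]:
    """Evaluate both endpoints under one egress rule set and route table."""
    return {ep.name: can_reach(egress, route_table, ep) for ep in (PUBLIC_ENDPOINT, VPC_ENDPOINT)}


if __name__ == "__main__":
    for label, egress in (("self-referencing HTTPS egress", SELF_ONLY_EGRESS),
                          ("HTTPS egress to 0.0.0.0/0", OPEN_HTTPS_EGRESS)):
        print(label)
        for ok, reason in evaluate(egress).values():
            print("  ", "OK  " if ok else "FAIL", reason)
```

Under the self-referencing rule set the route table still sends the public address out through the internet gateway, but the security group's egress evaluation denies it because the public endpoint does not belong to `sg-app`; the VPC endpoint interface does, so that path is allowed. The same model shows the trade-off of widening egress to `0.0.0.0/0`: the public endpoint becomes reachable, at the cost of letting the instance reach any HTTPS destination.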
0

Thanks for the answer.

I know this. Right now I'm using a VPC endpoint, but if I didn't have the endpoint, the connection with Secrets Manager wouldn't work. Why is that? What is blocking the connection? Is it the internet gateway? Is it the router?

I'm using the AWS SDK to get the secret.

TP-user
answered 2 years ago
