How to use PrivateLink with SCP

0

How do I deny creating endpoint connections to endpoint services outside the organization?

Asked 2 years ago, 629 views
2 answers
0

PrivateLink is a characteristic of a VPC Endpoint. You could deny the ec2:CreateVpcEndpoint action in your SCP statement, but that might be too restrictive for what you need.

Have you looked at adding a deny for ec2:VPCEndpointServicePermissions?

There is also the StartVpcEndpointServicePrivateDnsVerification action.

Answered 2 years ago
  • This can only control the behavior of the endpoint service, not the endpoint.
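The first answer's concern is that a blanket deny on ec2:CreateVpcEndpoint is too coarse. The SCP below, an added example that is not code from this thread, narrows the deny to endpoints whose target service is owned by an account outside the organization, using the ec2:VpceServiceOwner condition key of CreateVpcEndpoint (value "amazon", "aws-marketplace" or a 12-digit account ID). The account IDs are constructed placeholders, and the small evaluator only models the StringNotEquals operator this policy uses so the statement can be sanity-checked offline before it is attached to an OU.

```python
"""Added example, not code from the re:Post thread: an SCP that denies
ec2:CreateVpcEndpoint only when the target endpoint service is owned by an
account outside the organization, with a small offline evaluator to check the
policy against sample requests before attaching it. Account IDs are
constructed placeholders."""
import json

# Constructed placeholders: the organization's member account IDs.
ORG_ACCOUNT_IDS = ["111111111111", "222222222222"]

# Owners that must remain reachable: AWS-managed services ("amazon"),
# Marketplace SaaS services, and endpoint services hosted in the org itself.
ALLOWED_SERVICE_OWNERS = ["amazon", "aws-marketplace", *ORG_ACCOUNT_IDS]


def build_scp(allowed_owners=None):
    """Build the SCP document.

    ec2:VpceServiceOwner is the CreateVpcEndpoint condition key carrying the
    owner of the service being connected to ("amazon", "aws-marketplace" or a
    12-digit account ID). StringNotEquals against a list denies whenever the
    owner matches none of the listed values.
    """
    owners = allowed_owners if allowed_owners is not None else ALLOWED_SERVICE_OWNERS
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEndpointsToServicesOutsideOrg",
                "Effect": "Deny",
                "Action": "ec2:CreateVpcEndpoint",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"ec2:VpceServiceOwner": owners}},
            }
        ],
    }


def scp_denies(policy, action, context):
    """Offline check of the Deny statements in `policy`.

    A request is denied when any Deny statement names the action and all of
    its conditions hold. Only the operator this SCP uses (StringNotEquals) is
    modelled, following IAM semantics: a negated operator on a key that is
    absent from the request context evaluates to true.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        conditions_hold = True
        for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            values = values if isinstance(values, list) else [values]
            if context.get(key) in values:
                conditions_hold = False
                break
        if conditions_hold:
            return True
    return False


if __name__ == "__main__":
    scp = build_scp()
    print(json.dumps(scp, indent=2))
    for owner in ["amazon", "111111111111", "333333333333"]:
        verdict = scp_denies(scp, "ec2:CreateVpcEndpoint", {"ec2:VpceServiceOwner": owner})
        print(f"service owner {owner}: {'DENIED' if verdict else 'allowed'}")
```

Two things to check before relying on this: confirm in the Service Authorization Reference that ec2:VpceServiceOwner is listed for CreateVpcEndpoint in your region, and remember that the allowed-owner list must be kept in step with accounts joining or leaving the organization, since an SCP cannot look up organization membership for the service owner on its own.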

0

Hello,

Is there a specific reason you want to use SCP to achieve this?

It can be easily achieved by a native feature of PrivateLink where you explicitly need to allow the external (consumer) account's endpoint to connect to the (provider) account's endpoint service.

Manage permissions:

The combination of permissions and acceptance settings help you control which service consumers (AWS principals) can access your endpoint service. For example, you can grant permissions to specific principals that you trust and automatically accept all connection requests, or you can grant permissions to a wider group of principals and manually accept specific connection requests that you trust.

By default, your endpoint service is not available to service consumers.

You must add permissions that allow specific AWS accounts, IAM users, and IAM roles to create an interface VPC endpoint to connect to your endpoint service. To add permissions for an AWS principal, you need its Amazon Resource Name (ARN).

ARNs for AWS principals:

AWS account (includes all principals in the account): arn:aws:iam::account_id:root

IAM user: arn:aws:iam::account_id:user/user_name

IAM role: arn:aws:iam::account_id:role/role_name

All principals in all AWS accounts: *

Consideration

If you grant everyone permission to access the endpoint service and configure the endpoint service to accept all requests, your load balancer will be public even if it has no public IP address.

Reference: https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permissions

AWS Expert
Answered 2 years ago
Support Engineer
Reviewed 2 years ago
  • Unauthorized customers can create an endpoint service and grant "*" to users in the organization to implement cross-account data access, which is unbearable for organizations.
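The second answer relies on the provider side keeping its permission list tight, and the comment above notes the failure mode: a service in a member account that grants "*". The script below is an added example, not code from this thread or from AWS, that audits what an account exposes and flags grants wider than the organization, rating a wildcard grant on an auto-accepting service highest because, as the quoted consideration says, that makes the load balancer effectively public. The input mirrors the shape of the EC2 DescribeVpcEndpointServiceConfigurations and DescribeVpcEndpointServicePermissions responses; in a live account the two structures would come from the corresponding boto3 calls, but here all data and account IDs are constructed placeholders.

```python
"""Added example, not from the re:Post thread: audit the endpoint services an
account exposes and flag grants wider than the organization, in particular the
"*" grant combined with auto-accept that the answer warns about. The input
mirrors the shape of EC2's DescribeVpcEndpointServiceConfigurations and
DescribeVpcEndpointServicePermissions responses; all data below is constructed
and the account IDs are placeholders."""
import re

ORG_ACCOUNT_IDS = {"111111111111", "222222222222"}  # constructed placeholders

# Constructed: one entry per endpoint service, in the shape of
# describe_vpc_endpoint_service_configurations()["ServiceConfigurations"].
SERVICE_CONFIGS = [
    {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "AcceptanceRequired": False},
    {"ServiceId": "vpce-svc-0bbbbbbbbbbbbbbbb", "AcceptanceRequired": True},
    {"ServiceId": "vpce-svc-0ccccccccccccccccc", "AcceptanceRequired": False},
]

# Constructed: describe_vpc_endpoint_service_permissions()["AllowedPrincipals"]
# keyed by ServiceId. Principal is an IAM ARN or "*".
SERVICE_PERMISSIONS = {
    "vpce-svc-0aaaaaaaaaaaaaaaa": [{"PrincipalType": "All", "Principal": "*"}],
    "vpce-svc-0bbbbbbbbbbbbbbbb": [
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::333333333333:root"},
        {"PrincipalType": "Role", "Principal": "arn:aws:iam::111111111111:role/consumer"},
    ],
    "vpce-svc-0ccccccccccccccccc": [
        {"PrincipalType": "User", "Principal": "arn:aws:iam::222222222222:user/alice"},
    ],
}

# The account ID is the 12-digit field after "arn:aws:iam::".
IAM_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_account(principal):
    """Return the 12-digit account ID of an IAM principal ARN, else None."""
    match = IAM_ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def audit_endpoint_services(configs, permissions, org_accounts):
    """Return one finding per grant that reaches outside the organization."""
    findings = []
    for cfg in configs:
        service_id = cfg["ServiceId"]
        auto_accept = not cfg["AcceptanceRequired"]
        for grant in permissions.get(service_id, []):
            principal = grant["Principal"]
            if principal == "*":
                # Everyone may connect; with auto-accept the backing load
                # balancer is reachable by any AWS account despite having no
                # public IP address.
                findings.append({
                    "service_id": service_id,
                    "principal": principal,
                    "severity": "high" if auto_accept else "medium",
                    "reason": "wildcard grant"
                    + (" with automatic acceptance" if auto_accept else ""),
                })
                continue
            account = principal_account(principal)
            if account is not None and account not in org_accounts:
                findings.append({
                    "service_id": service_id,
                    "principal": principal,
                    "severity": "medium",
                    "reason": f"principal in account {account} outside the organization",
                })
    return findings


if __name__ == "__main__":
    for f in audit_endpoint_services(SERVICE_CONFIGS, SERVICE_PERMISSIONS, ORG_ACCOUNT_IDS):
        print(f"[{f['severity']}] {f['service_id']} grants {f['principal']}: {f['reason']}")
```

Run against the constructed data, the first service is reported as high (wildcard plus auto-accept) and the second as medium for the out-of-organization account grant; the third service only grants a principal inside the organization and produces nothing. The same routine is what you would schedule across member accounts to catch the "*" grant the comment describes, since the provider-side permission list is visible to the account that owns the service.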
