1 Answers
0
Accepted Answer
As outlined, there can be various ways to control the access to a private VPC. In your specific case, it seems it is a typical access control to a VPC endpoint for CloudWatch Services. What you can do is to
- Specify a VPC endpoint policy for your CloudWatch services, for example:
{
  "Statement": [
    {
      "Sid": "PutOnly",
      "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" },
      "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
NOTE: modify further detailed requirements on Action and Resource if necessary.
- Create a specific IAM role allowing permission to access the VPC CloudWatch logs.
- Provision the limited (EC2) instances that you will allow to access the VPC CloudWatch endpoint service.
This is in line with your approach (a), using an IAM role. You might still need to make sure you have network-layer rules, such as a security group, that allow the EC2 instance's traffic through, besides the endpoint policy.
answered 2 years ago
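As an added example (not part of the original answer, and not an AWS tool), the script below builds the "PutOnly" endpoint policy the answer describes for a given list of role ARNs and then audits an endpoint policy document before it is attached: it flags any Allow statement whose principal is a wildcard or an account root, whose principal is not on the intended allow-list, or whose actions go beyond logs:CreateLogStream and logs:PutLogEvents. The default full-access endpoint policy that AWS attaches when none is specified is included as the weak configuration for comparison. The account ID 111122223333 and the role name LogWriterRole are placeholder values, not from the original post.

```python
import json

# Default policy a VPC endpoint gets when no policy is specified (constructed
# from the documented shape: full access for any principal).
DEFAULT_FULL_ACCESS_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ]
}

# Only the two actions the answer's "PutOnly" statement grants.
ALLOWED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_put_only_policy(role_arns):
    """Return the restricted endpoint policy from the answer for the given roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PutOnly",
                "Effect": "Allow",
                "Principal": {"AWS": list(role_arns)},
                "Action": sorted(ALLOWED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def principals_of(stmt):
    """Flatten the Principal element into a list of principal strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(_as_list(value))
        return out
    return _as_list(principal)


def audit_endpoint_policy(policy, allowed_roles, allowed_actions=ALLOWED_ACTIONS):
    """Return a list of findings; an empty list means the policy is as tight as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        sid = stmt.get("Sid", "<no Sid>")
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"{sid}: NotPrincipal/NotAction grants by exclusion")
        for principal in principals_of(stmt):
            if principal == "*" or principal.endswith(":root"):
                findings.append(f"{sid}: principal {principal} is a wildcard or account root")
            elif principal not in allowed_roles:
                findings.append(f"{sid}: principal {principal} is not on the allow-list")
        for action in _as_list(stmt.get("Action")):
            if action.endswith("*") or action not in allowed_actions:
                findings.append(f"{sid}: action {action} is broader than the allow-list")
    return findings


# Placeholder role ARN (assumption, not a real account or role).
LOG_WRITER_ROLE = "arn:aws:iam::111122223333:role/LogWriterRole"

if __name__ == "__main__":
    policy = build_put_only_policy([LOG_WRITER_ROLE])
    print(json.dumps(policy, indent=2))
    print("restricted policy findings:", audit_endpoint_policy(policy, {LOG_WRITER_ROLE}))
    print("default policy findings:", audit_endpoint_policy(DEFAULT_FULL_ACCESS_POLICY, {LOG_WRITER_ROLE}))
```

The JSON printed for the restricted policy can be passed to the endpoint's policy document as-is; the audit is a pre-deployment check only and does not replace the security group and IAM role permissions the answer also calls for.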