As outlined, there can be various ways to control access to a private VPC. In your specific case, it seems to be a typical access control for a VPC endpoint for CloudWatch services. What you can do is to:

- Specify a VPC endpoint policy for your CloudWatch services, for example:

```json
{
  "Statement": [
    {
      "Sid": "PutOnly",
      "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" },
      "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

  NOTE: modify further detailed requirements on Action and Resource if necessary.

- Create a specific IAM role allowing the permission for accessing the VPC CloudWatch logs.
- Provision the limited (EC2) instances you will allow to access the VPC CloudWatch endpoint service.

This is in line with your (a) "using IAM role" approach. You might still need to make sure you have network-layer rules, like a Security Group, to allow the EC2 instance to flow through, besides the endpoint policy.
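As an added example (not code from the answer above or from AWS), the same least-privilege endpoint policy expressed in Python, beside a small offline evaluator that shows which actions it lets a given principal through. The account ID and role name are placeholders; Condition keys and Resource ARN matching are not modelled.

```python
"""Least-privilege VPC endpoint policy for CloudWatch Logs, with a small
offline evaluator to check what the policy lets a principal do."""
import fnmatch
import json

# Constructed placeholder values; replace with your own account ID and role.
ROLE_ARN = "arn:aws:iam::123456789012:role/log-writer"

# Endpoint policy as in the answer: only the named role may create log
# streams and put log events through this endpoint; every other action
# and principal falls through to the implicit deny.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PutOnly",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    # "*" or {"AWS": "*"} means any principal; otherwise compare ARNs exactly.
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or arn in aws


def endpoint_policy_allows(policy, principal_arn, action):
    """Simplified IAM evaluation: an explicit Deny wins, then any matching
    Allow grants access, otherwise the request is implicitly denied.
    Action names match case-insensitively and support '*' wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_document():
    """JSON string in the shape the endpoint's PolicyDocument expects."""
    return json.dumps(ENDPOINT_POLICY, indent=2)
```

Pair the endpoint policy with a Security Group on the endpoint's network interfaces that only admits the allowed instances, since the policy alone does not restrict which hosts can reach the endpoint.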