Best way to manage access to a VPC Endpoint

0

A customer has a need for CloudWatch Logs in a private VPC, but they want to restrict access to this endpoint to authorized hosts only, to prevent confidential information from accidentally leaking out of the VPC. What's the best way to accomplish this?

a. Instance role: Control access to the VPCe via an Instance Role IAM policy

b. VPC Endpoint policy: Can we add EC2-based restrictions to a VPCe policy?

c. VPC Endpoint security group: Selectively allow only authorized IP addresses

I would have a preference for an Instance Role solution, because then we can manage access at the logical EC2 level, regardless of assigned IP address.

Are there best practices or better ways to accomplish this goal?

1 Answer
0
Accepted Answer

As outlined, there can be various ways to control access to a private VPC. In your specific case, it seems to be a typical access-control setup for a VPC endpoint for CloudWatch services. What you can do is:

  1. Specify a VPC endpoint policy for your CloudWatch services, for example:

     ```json
     {
       "Statement": [
         {
           "Sid": "PutOnly",
           "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" },
           "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
           "Effect": "Allow",
           "Resource": "*"
         }
       ]
     }
     ```

     NOTE: modify further detailed requirements on Action and Resource if necessary.

  2. Create a specific IAM role allowing permission to access the VPC CloudWatch Logs endpoint.

  3. Provision the limited set of EC2 instances you will allow to access the VPC CloudWatch endpoint service.

This is in line with your option a., the IAM role approach. Besides the endpoint policy, you might still need to make sure you have network-layer rules, like a security group, that allow the EC2 instance's traffic through.

AWS
answered 4 years ago
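The answer above combines three controls: an endpoint policy naming the roles allowed to call the endpoint, an instance-role policy on the EC2 side, and a security group on the endpoint's network interfaces. The following Python is an added example (not AWS's code and not the answerer's) that builds the first two policy documents and runs a small audit over an endpoint policy to flag statements wider than "named roles, put-only". The role ARN and endpoint id are constructed placeholders; `aws:SourceVpce` is a real IAM global condition key, used here to make the instance-role side refuse CloudWatch Logs calls that do not arrive through the endpoint. The audit is deliberately narrow (it ignores Deny, NotPrincipal, NotAction and condition keys), so treat it as a first-pass check, not a policy simulator.

```python
"""Build and audit a put-only CloudWatch Logs VPC endpoint policy.

Added example for the re:Post answer above; not code from AWS or the answerer.
Role ARNs and the endpoint id below are constructed placeholders.
"""
import json

# The only two actions an instance needs in order to ship log events.
PUT_ONLY_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")

# Shape of the full-access policy an interface endpoint carries when no
# policy is supplied: any principal, any action. Constructed here for the audit.
DEFAULT_FULL_ACCESS_POLICY = {
    "Statement": [
        {"Sid": "Default", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ]
}


def build_endpoint_policy(role_arns):
    """Endpoint policy (attached to the VPC endpoint, not to a role) that lets
    only the listed role ARNs call the put-only actions through the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PutOnly",
                "Effect": "Allow",
                "Principal": {"AWS": list(role_arns)},
                "Action": list(PUT_ONLY_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def build_instance_role_policy(endpoint_id):
    """Identity policy for the instance role: same two actions, but only when
    the request reaches CloudWatch Logs via this endpoint (aws:SourceVpce)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PutOnlyViaEndpoint",
                "Effect": "Allow",
                "Action": list(PUT_ONLY_ACTIONS),
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:SourceVpce": endpoint_id}},
            }
        ],
    }


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_open(principal):
    """True for Principal "*" or any principal type whose value includes "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_endpoint_policy(policy, allowed_actions=PUT_ONLY_ACTIONS):
    """Return findings for Allow statements that are wider than "named
    principals, put-only actions". An empty list means the policy passes.
    Simplified: Deny, NotPrincipal, NotAction and Condition are not evaluated."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" not in stmt or _principal_is_open(stmt["Principal"]):
            findings.append(f"{sid}: allows any principal")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:  # catches "*", "logs:*", "logs:Get*" etc.
                findings.append(f"{sid}: action {action} is wider than put-only")
    return findings


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/log-writer"  # placeholder ARN
    vpce = "vpce-0123456789abcdef0"  # placeholder endpoint id
    print(json.dumps(build_endpoint_policy([role]), indent=2))
    print(json.dumps(build_instance_role_policy(vpce), indent=2))
    print("audit of put-only policy:", audit_endpoint_policy(build_endpoint_policy([role])))
    print("audit of default policy:", audit_endpoint_policy(DEFAULT_FULL_ACCESS_POLICY))
```

In practice you would feed `audit_endpoint_policy` the `PolicyDocument` returned for each endpoint by `aws ec2 describe-vpc-endpoints`, which is how you catch an endpoint that was created with the default full-access policy. The endpoint policy and the instance-role policy are evaluated together, so both must allow the call; the security group on the endpoint's network interfaces then limits which instances can reach it at all, which is the network-layer rule the answer mentions.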
