

# AWS Management Console Private Access
<a name="console-private-access"></a>

AWS Management Console Private Access is an advanced security feature to control access to the AWS Management Console. Console Private Access is useful when you want to prevent users from signing in to unexpected AWS accounts from within your network. With this feature, you can limit access to the AWS Management Console only to a specified set of known AWS accounts when the traffic originates from within your network. Console Private Access is also useful when you want to ensure that all calls from the AWS Management Console to AWS services originate from within your network and from allowed accounts.

**Topics**
+ [Supported AWS Regions, service consoles, and features for Private Access](supported-regions-consoles.md)
+ [Overview of AWS Management Console Private Access security controls](console-private-access-security-controls.md)
+ [Required VPC endpoints and DNS configuration](required-endpoints-dns-configuration.md)
+ [Implementing service control policies and VPC endpoint policies](implementing-console-private-access-policies.md)
+ [Implementing identity-based policies and other policy types](identity-other-policy-types.md)
+ [Try AWS Management Console Private Access](try-out-private-access.md)
+ [Reference architecture](console-private-access-reference-architectures.md)

# Supported AWS Regions, service consoles, and features for Private Access
<a name="supported-regions-consoles"></a>

AWS Management Console Private Access supports only a subset of Regions and AWS services. Unsupported service consoles will be inactive in the AWS Management Console. In addition, certain AWS Management Console features might be disabled when using AWS Management Console Private Access, for example, the [Default Region](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/select-region.html) selection in Unified Settings.

The following Regions and service consoles are supported.

**Supported Regions**
+ US East (Ohio)
+ US East (N. Virginia)
+ US West (N. California)
+ US West (Oregon)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Seoul)
+ Asia Pacific (Osaka)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Malaysia)
+ Asia Pacific (Thailand)
+ Asia Pacific (Tokyo)
+ Canada (Central)
+ Europe (Frankfurt)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Paris)
+ Europe (Stockholm)
+ South America (São Paulo)
+ Africa (Cape Town)
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Jakarta)
+ Asia Pacific (Melbourne)
+ Canada West (Calgary)
+ Mexico (Central)
+ Europe (Milan)
+ Europe (Spain)
+ Europe (Zurich)
+ Middle East (Bahrain)
+ Middle East (UAE)
+ Israel (Tel Aviv)

**Supported service consoles**
+ Amazon API Gateway
+ AWS App Mesh
+ AWS Application Migration Service
+ AWS Artifact
+ Amazon Athena
+ AWS Audit Manager
+ AWS Auto Scaling
+ AWS Batch
+ AWS Billing Conductor
+ AWS Billing and Cost Management
+ AWS Budgets
+ AWS Certificate Manager
+ AWS Cloud Map
+ AWS CloudFormation
+ Amazon CloudFront
+ AWS CloudTrail
+ Amazon CloudWatch
+ AWS CodeArtifact
+ AWS CodeBuild
+ AWS CodeCommit
+ AWS CodeDeploy
+ Amazon CodeGuru
+ AWS CodePipeline
+ Amazon Comprehend
+ Amazon Comprehend Medical
+ AWS Compute Optimizer
+ AWS Console Home
+ AWS Control Tower
+ Amazon DataZone
+ AWS Database Migration Service
+ AWS DataSync
+ AWS DeepRacer
+ AWS Direct Connect
+ AWS Directory Service
+ Amazon DocumentDB
+ Amazon DynamoDB
+ Amazon EC2
+ Amazon EC2 Global View
+ EC2 Image Builder
+ Amazon EC2 Instance Connect
+ Amazon Elastic Container Registry
+ Amazon Elastic Container Service
+ AWS Elastic Disaster Recovery
+ Amazon Elastic File System
+ Amazon Elastic Kubernetes Service
+ Elastic Load Balancing
+ Amazon ElastiCache
+ Amazon EMR
+ Amazon EventBridge
+ AWS Firewall Manager
+ Amazon GameLift Servers
+ AWS Glue
+ AWS Global Accelerator
+ AWS Glue DataBrew
+ AWS Ground Station
+ Amazon GuardDuty
+ AWS IAM Identity Center
+ AWS Identity and Access Management
+ AWS Identity and Access Management Access Analyzer
+ Amazon Inspector
+ Amazon Kendra
+ AWS Key Management Service
+ Amazon Kinesis
+ Amazon Managed Service for Apache Flink
+ Amazon Data Firehose
+ Amazon Kinesis Data Streams
+ Amazon Kinesis Video Streams
+ AWS Lambda
+ Amazon Lex
+ AWS License Manager
+ Amazon Managed Grafana
+ Amazon Macie
+ Amazon Managed Streaming for Apache Kafka
+ Amazon Managed Workflows for Apache Airflow (MWAA)
+ AWS Migration Hub Strategy Recommendations
+ Amazon MQ
+ Network Access Analyzer
+ AWS Network Firewall
+ AWS Network Manager
+ Amazon OpenSearch Service
+ AWS Organizations
+ AWS Private Certificate Authority
+ Public Health Dashboard
+ Amazon Rekognition
+ Amazon Relational Database Service
+ AWS Resource Access Manager
+ AWS Resource Groups and Tag Editor
+ Amazon Route 53 Resolver
+ Amazon Route 53 Resolver DNS Firewall
+ Amazon S3 on Outposts
+ Amazon SageMaker
+ Amazon SageMaker Runtime
+ Amazon SageMaker AI Synthetic Data
+ AWS Secrets Manager
+ AWS Service Catalog
+ AWS Security Hub CSPM
+ Service Quotas
+ AWS Signer
+ Amazon Simple Email Service
+ Amazon SNS
+ Amazon Simple Queue Service
+ Amazon Simple Storage Service (Amazon S3)
+ AWS SQL Workbench
+ AWS Step Functions
+ AWS Storage Gateway
+ Support
+ AWS Systems Manager
+ Amazon Timestream
+ AWS Transfer Family
+ AWS Trusted Advisor
+ Unified Settings
+ Amazon VPC IP Address Manager
+ Amazon Virtual Private Cloud
+ Amazon WorkSpaces Thin client

# Overview of AWS Management Console Private Access security controls
<a name="console-private-access-security-controls"></a>

## Account restrictions on the AWS Management Console from your network
<a name="account-restrictions-from-network"></a>

AWS Management Console Private Access is useful in scenarios when you want to limit access to the AWS Management Console from your network only to a specified set of known AWS accounts in your organization. By doing so, you can prevent users from signing in to unexpected AWS accounts from within your network. You can implement these controls using the AWS Management Console VPC endpoint policy. For more information, see [Implementing service control policies and VPC endpoint policies](implementing-console-private-access-policies.md).

## Connectivity from your network to the internet
<a name="connectivity-network-to-internet"></a>

Internet connectivity from your network is still required to access assets used by the AWS Management Console, such as static content (JavaScript, CSS, images), and all AWS services not enabled by [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html). For a list of the top-level domains used by the AWS Management Console, see [Troubleshooting](troubleshooting.md).

**Note**  
Currently, AWS Management Console Private Access doesn't support endpoints such as `status.aws.amazon.com`, `health.aws.amazon.com`, and `docs.aws.amazon.com`. You will need to route these domains to the public internet.

# Required VPC endpoints and DNS configuration
<a name="required-endpoints-dns-configuration"></a>

AWS Management Console Private Access requires the following two VPC endpoints per Region. Replace *region* with your own Region information.

1. com.amazonaws.*region*.console for AWS Management Console

1. com.amazonaws.*region*.signin for AWS Sign-In

**Note**  
Always provision infrastructure and networking connectivity to the US East (N. Virginia) (us-east-1) Region, regardless of other Regions you use with the AWS Management Console. You can use AWS Transit Gateway to set up connectivity between the US East (N. Virginia) and every other Region. For more information, see [Getting started with transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html) in the *Amazon VPC Transit Gateways guide*. You can also use Amazon VPC peering. For more information, see [What is VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) in the *Amazon VPC Peering Guide*. To compare these options, see [Amazon VPC-to-Amazon VPC connectivity options ](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html) in the *Amazon Virtual Private Cloud Connectivity Options whitepaper*.

**Topics**
+ [DNS configuration for AWS Management Console and AWS Sign-In](dns-configuration-console-signin.md)
+ [VPC endpoints and DNS configuration for AWS services in the AWS Management Console](vpc-dns-configuration-aws-services.md)

# DNS configuration for AWS Management Console and AWS Sign-In
<a name="dns-configuration-console-signin"></a>

To route your network traffic to the respective VPC endpoints, configure DNS records in the network from which your users will be accessing the AWS Management Console. These DNS records direct your users' browser traffic toward the VPC endpoints you created.

You can create a single hosted zone. However, endpoints such as `health.aws.amazon.com` and `docs.aws.amazon.com` won't be accessible because they don't have VPC endpoints. You will need to route these domains to the public internet. We recommend that you create two private hosted zones per Region, one for `signin.aws.amazon.com` and one for `console.aws.amazon.com` with the following CNAME records:
+ Sign-In
  + *region*.signin.aws.amazon.com pointing to the AWS Sign-In VPC endpoint in the signin DNS zone where *region* is the desired Region
  + signin.aws.amazon.com pointing to AWS Sign-In VPC endpoint in US East (N. Virginia) (us-east-1)
+ Console
  + *region*.console.aws.amazon.com pointing to the AWS Management Console VPC endpoint in the console DNS zone where *region* is the desired Region
  + \*.*region*.console.aws.amazon.com pointing to the AWS Management Console VPC endpoint in the console DNS zone where *region* is the desired Region
  + \*.*region*.console.aws.amazon.com pointing to the AWS Management Console VPC endpoint in the console DNS zone
  + Regionless CNAME records for the US East (N. Virginia) Region only. You always have to set up the US East (N. Virginia) Region.
    + signin.aws.amazon.com pointing to AWS Sign-In VPC endpoint in US East (N. Virginia) (us-east-1)
    + \*.console.aws.amazon.com pointing to AWS Management Console VPC endpoint in US East (N. Virginia) (us-east-1)

  For instructions on creating a CNAME record, see [Working with records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html) in the *Amazon Route 53 Developer Guide*.

  Some AWS consoles, including Amazon S3, use different patterns for their DNS names. The following are two examples:
  + support.console.aws.amazon.com
  + s3.console.aws.amazon.com

  To be able to direct this traffic to your AWS Management Console VPC endpoint, you need to add those names individually. We recommend that you configure routing for all endpoints for a fully private experience. However, this isn't required to use AWS Management Console Private Access.

  The following `json` files contain the full list of AWS services and console endpoints to configure per Region. Use the `PrivateIpv4DnsNames` field under the `com.amazonaws.region.console` endpoint for the DNS names.
  + [https://configuration.private-access.console.amazonaws.com/us-east-1.config.json](https://configuration.private-access.console.amazonaws.com/us-east-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/us-east-2.config.json](https://configuration.private-access.console.amazonaws.com/us-east-2.config.json)
  + [https://configuration.private-access.console.amazonaws.com/us-west-2.config.json](https://configuration.private-access.console.amazonaws.com/us-west-2.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ap-northeast-1.config.json](https://configuration.private-access.console.amazonaws.com/ap-northeast-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ap-northeast-2.config.json](https://configuration.private-access.console.amazonaws.com/ap-northeast-2.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ap-southeast-1.config.json](https://configuration.private-access.console.amazonaws.com/ap-southeast-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ap-southeast-2.config.json](https://configuration.private-access.console.amazonaws.com/ap-southeast-2.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ap-south-1.config.json](https://configuration.private-access.console.amazonaws.com/ap-south-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ap-south-2.config.json](https://configuration.private-access.console.amazonaws.com/ap-south-2.config.json)
  + [https://configuration.private-access.console.amazonaws.com/ca-central-1.config.json](https://configuration.private-access.console.amazonaws.com/ca-central-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/eu-central-1.config.json](https://configuration.private-access.console.amazonaws.com/eu-central-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/eu-west-1.config.json](https://configuration.private-access.console.amazonaws.com/eu-west-1.config.json)
  + [https://configuration.private-access.console.amazonaws.com/eu-west-2.config.json](https://configuration.private-access.console.amazonaws.com/eu-west-2.config.json)
  + [https://configuration.private-access.console.amazonaws.com/il-central-1.config.json](https://configuration.private-access.console.amazonaws.com/il-central-1.config.json)
  **Note**  
  This list is updated each month as we add additional endpoints to the scope of AWS Management Console Private Access. To keep your private hosted zones updated, periodically pull the preceding list of files.

  If you use Route 53 to configure your DNS, go to https://console.aws.amazon.com/route53/v2/hostedzones# to verify the DNS setup. For each private hosted zone in Route 53, verify that the following record sets are present.
  + console.aws.amazon.com
  + signin.aws.amazon.com
  + \*.*region*.console.aws.amazon.com
  + *region*.console.aws.amazon.com
  + \*.*region*.console.aws.amazon.com
  + signin.aws.amazon.com
  + *region*.signin.aws.amazon.com
  + Additional records present in the previously listed JSON files
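As an added example (not part of the AWS documentation), the following Python script derives the record names a Region's two private hosted zones need, builds a Route 53 change batch for them, and reports which names are still missing from a zone. It assumes a config file layout in which each endpoint object carries the `ServiceName` and `PrivateIpv4DnsNames` fields named above; the sample config and the endpoint DNS name are constructed.

```python
"""Derive, apply and verify the private hosted zone records for one Region.

Added example, not AWS code. It assumes the per-Region config file is JSON in
which each endpoint object carries the ServiceName and PrivateIpv4DnsNames
fields; the sample below is constructed in that assumed shape."""
import json
from typing import Iterable

# Constructed sample config (assumed shape, see module docstring).
SAMPLE_CONFIG = """{
  "Endpoints": [
    {"ServiceName": "com.amazonaws.eu-west-1.console",
     "PrivateIpv4DnsNames": ["eu-west-1.console.aws.amazon.com",
                             "*.eu-west-1.console.aws.amazon.com",
                             "s3.console.aws.amazon.com",
                             "support.console.aws.amazon.com"]},
    {"ServiceName": "com.amazonaws.eu-west-1.signin",
     "PrivateIpv4DnsNames": ["eu-west-1.signin.aws.amazon.com"]},
    {"ServiceName": "com.amazonaws.eu-west-1.s3", "PrivateIpv4DnsNames": []}
  ]
}"""


def load_config(text: str) -> dict:
    return json.loads(text)


def _walk(node):
    """Yield every JSON object in the document, so the lookup does not depend
    on where the endpoint list sits in the file."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def dns_names_for(config: dict, service_name: str) -> list:
    """PrivateIpv4DnsNames of the endpoint object whose ServiceName matches."""
    for obj in _walk(config):
        if obj.get("ServiceName") == service_name:
            return list(obj.get("PrivateIpv4DnsNames", []))
    return []


def required_record_names(region: str, config: dict) -> dict:
    """Record names per private hosted zone: the fixed CNAMEs from the
    documentation plus every name the config lists for the console endpoint.
    us-east-1 additionally carries the regionless names."""
    console = {f"{region}.console.aws.amazon.com",
               f"*.{region}.console.aws.amazon.com"}
    console.update(dns_names_for(config, f"com.amazonaws.{region}.console"))
    signin = {f"{region}.signin.aws.amazon.com"}
    if region == "us-east-1":
        console.update({"console.aws.amazon.com", "*.console.aws.amazon.com"})
        signin.add("signin.aws.amazon.com")
    return {"console.aws.amazon.com": console, "signin.aws.amazon.com": signin}


def change_batch(names: Iterable[str], endpoint_dns: str) -> dict:
    """Route 53 ChangeBatch that UPSERTs one CNAME per name, each pointing at
    the VPC endpoint's own DNS name; pass it to change-resource-record-sets."""
    return {"Changes": [
        {"Action": "UPSERT",
         "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": 300,
                               "ResourceRecords": [{"Value": endpoint_dns}]}}
        for name in sorted(names)]}


def missing_records(required: set, existing: Iterable[str]) -> set:
    """Required names absent from a zone. Route 53 returns names with a
    trailing dot and encodes '*' as the octal escape \\052, so normalise."""
    present = {e.rstrip(".").replace("\\052", "*").lower() for e in existing}
    return {r for r in required if r.lower() not in present}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    zones = required_record_names("eu-west-1", cfg)
    # Constructed endpoint DNS name; use the one shown for your console endpoint.
    endpoint = "vpce-0123456789abcdef0-abcdefgh.console.eu-west-1.vpce.amazonaws.com"
    print(json.dumps(change_batch(zones["console.aws.amazon.com"], endpoint), indent=2))
```

Feed the change batch to `aws route53 change-resource-record-sets --hosted-zone-id <zone-id> --change-batch file://batch.json`, and pass the names returned by `aws route53 list-resource-record-sets` to `missing_records` to verify the zone.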

# VPC endpoints and DNS configuration for AWS services in the AWS Management Console
<a name="vpc-dns-configuration-aws-services"></a>

The AWS Management Console calls AWS services through a combination of direct browser requests and requests that are proxied by web servers. To direct this traffic to your AWS Management Console VPC endpoint, you must add the VPC endpoint and configure DNS for each dependent AWS service.

The following json files list the AWS PrivateLink supported AWS services that are available for you to use. If a service doesn't integrate with AWS PrivateLink, it isn't included in these files.
+ [https://configuration.private-access.console.amazonaws.com/us-east-1.config.json](https://configuration.private-access.console.amazonaws.com/us-east-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/us-east-2.config.json](https://configuration.private-access.console.amazonaws.com/us-east-2.config.json)
+ [https://configuration.private-access.console.amazonaws.com/us-west-2.config.json](https://configuration.private-access.console.amazonaws.com/us-west-2.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ap-northeast-1.config.json](https://configuration.private-access.console.amazonaws.com/ap-northeast-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ap-northeast-2.config.json](https://configuration.private-access.console.amazonaws.com/ap-northeast-2.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ap-southeast-1.config.json](https://configuration.private-access.console.amazonaws.com/ap-southeast-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ap-southeast-2.config.json](https://configuration.private-access.console.amazonaws.com/ap-southeast-2.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ap-south-1.config.json](https://configuration.private-access.console.amazonaws.com/ap-south-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ap-south-2.config.json](https://configuration.private-access.console.amazonaws.com/ap-south-2.config.json)
+ [https://configuration.private-access.console.amazonaws.com/ca-central-1.config.json](https://configuration.private-access.console.amazonaws.com/ca-central-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/eu-central-1.config.json](https://configuration.private-access.console.amazonaws.com/eu-central-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/eu-west-1.config.json](https://configuration.private-access.console.amazonaws.com/eu-west-1.config.json)
+ [https://configuration.private-access.console.amazonaws.com/eu-west-2.config.json](https://configuration.private-access.console.amazonaws.com/eu-west-2.config.json)
+ [https://configuration.private-access.console.amazonaws.com/il-central-1.config.json](https://configuration.private-access.console.amazonaws.com/il-central-1.config.json)

Use the `ServiceName` field for the corresponding service’s VPC endpoint to add to your VPC.

**Note**  
We update this list each month as we add support for AWS Management Console Private Access to more service consoles. To stay current, periodically pull the preceding list of files and update your VPC endpoints.

# Implementing service control policies and VPC endpoint policies
<a name="implementing-console-private-access-policies"></a>

You can use service control policies (SCPs) and VPC endpoint policies for AWS Management Console Private Access to limit the set of accounts that are allowed to use the AWS Management Console from within your VPC and its connected on-premises networks.

**Topics**
+ [Using AWS Management Console Private Access with AWS Organizations service control policies](private-access-with-SCPs.md)
+ [Allow AWS Management Console use for expected accounts and organizations only (trusted identities)](account-identity.md)

# Using AWS Management Console Private Access with AWS Organizations service control policies
<a name="private-access-with-SCPs"></a>

If your AWS organization is using a service control policy (SCP) that allows specific services, you must add `signin:*` to the allowed actions. This permission is needed because signing in to the AWS Management Console over a Private Access VPC endpoint performs an IAM authorization that the SCP blocks without the permission. As an example, the following service control policy allows the Amazon EC2 and CloudWatch services to be used in the organization, including when they are accessed using an AWS Management Console Private Access endpoint.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "signin:*",
        "ec2:*",
        "cloudwatch:*",
        ... Other services allowed
      ],
      "Resource": "*"
    }
  ]
}
```

For more information about SCPs, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.

# Allow AWS Management Console use for expected accounts and organizations only (trusted identities)
<a name="account-identity"></a>

AWS Management Console and AWS Sign-In support a VPC endpoint policy that specifically controls the identity of the signed-in account. 

Unlike other VPC endpoint policies, the policy is evaluated before authentication. As a result, it specifically controls sign-in and use of the authenticated session only, and not any AWS service-specific actions that the session takes. For example, as the session accesses an AWS service console, such as the Amazon EC2 console, these VPC endpoint policies will not be evaluated against the Amazon EC2 actions that are taken to display that page. Rather, you can use the IAM policies associated with the signed-in IAM Principal to control its permission to AWS service actions.

**Note**  
VPC endpoint policies for AWS Management Console and SignIn VPC endpoints support only a limited subset of policy formulations. Every `Principal` and `Resource` should be set to `*` and the `Action` should be either `*` or `signin:*`. You control access to VPC endpoints using `aws:PrincipalOrgId` and `aws:PrincipalAccount` condition keys.

The following policies are recommended for both the Console and SignIn VPC endpoints.

This VPC endpoint policy allows sign-in to AWS accounts in the specified AWS organization and blocks sign-in to any other accounts.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgId": "o-xxxxxxxxxxx"
        }
      }
    }
  ]
}
```

------

This VPC endpoint policy limits sign-in to a list of specific AWS accounts and blocks sign-in to any other accounts.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": [ "111122223333", "222233334444" ]
        }
      }
    }
  ]
}
```

------

Policies that limit AWS accounts or an organization on the AWS Management Console and Sign-In VPC endpoints are evaluated at the time of sign-in and are periodically re-evaluated for existing sessions.
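Because these endpoints accept only the limited subset described in the Note, it helps to lint a policy before attaching it. The following Python check is an added example, not AWS code; it encodes the restrictions stated above (Principal and Resource `*`, Action `*` or `signin:*`, `StringEquals` on `aws:PrincipalOrgId` or `aws:PrincipalAccount`) and additionally flags an unconditioned Allow, which would admit sign-in from any account.

```python
"""Lint a VPC endpoint policy for the AWS Management Console and AWS Sign-In
endpoints against the restricted formulations they support. Added example,
not AWS code; the rules are the ones stated in the Note above."""
import json
import re

ALLOWED_ACTIONS = {"*", "signin:*"}
ALLOWED_CONDITION_KEYS = {"aws:PrincipalOrgId", "aws:PrincipalAccount"}
ORG_ID = re.compile(r"o-[a-z0-9]{10,32}")   # format of an AWS Organizations ID
ACCOUNT_ID = re.compile(r"\d{12}")


def load_policy(text: str) -> dict:
    return json.loads(text)


def _check_values(where: str, key: str, value) -> list:
    """Every value must look like what the key expects; a mistyped account or
    organization ID locks out the accounts you meant to allow."""
    problems = []
    for v in value if isinstance(value, list) else [value]:
        if key == "aws:PrincipalOrgId" and not ORG_ID.fullmatch(str(v)):
            problems.append(f"{where}: {v!r} is not an organization ID")
        if key == "aws:PrincipalAccount" and not ACCOUNT_ID.fullmatch(str(v)):
            problems.append(f"{where}: {v!r} is not a 12-digit account ID")
    return problems


def lint_console_endpoint_policy(policy: dict) -> list:
    """Return the problems found; an empty list means the policy uses only the
    formulations these endpoints accept and restricts sign-in to known accounts."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Principal") != "*":
            problems.append(f'{where}: Principal must be "*"')
        if st.get("Resource") != "*":
            problems.append(f'{where}: Resource must be "*"')
        if st.get("Action") not in ALLOWED_ACTIONS:
            problems.append(f'{where}: Action must be "*" or "signin:*"')
        cond = st.get("Condition") or {}
        for op, keys in cond.items():
            if op != "StringEquals":
                problems.append(f"{where}: unsupported condition operator {op}")
                continue
            for key, value in keys.items():
                if key not in ALLOWED_CONDITION_KEYS:
                    problems.append(f"{where}: unsupported condition key {key}")
                else:
                    problems.extend(_check_values(where, key, value))
        # Without a condition the statement admits sign-in from every account.
        if st.get("Effect") == "Allow" and not cond:
            problems.append(f"{where}: Allow without a condition admits every account")
    return problems


if __name__ == "__main__":
    # The account-list policy from the documentation should pass cleanly.
    sample = load_policy("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*",
                     "Resource": "*",
                     "Condition": {"StringEquals": {
                         "aws:PrincipalAccount": ["111122223333", "222233334444"]}}}]
    }""")
    print(lint_console_endpoint_policy(sample) or "policy OK")
```

A policy that passes can be attached with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json`, once for the console endpoint and once for the sign-in endpoint.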

# Implementing identity-based policies and other policy types
<a name="identity-other-policy-types"></a>

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. This page describes how policies work when used together with AWS Management Console Private Access.

## Supported AWS global condition context keys
<a name="supported-global-condition-keys"></a>

AWS Management Console Private Access does not support `aws:SourceVpce` and `aws:VpcSourceIp` AWS global condition context keys. You can use the `aws:SourceVpc` IAM condition in your policies instead, when using AWS Management Console Private Access.

## How AWS Management Console Private Access works with aws:SourceVpc
<a name="location-identity"></a>

This section describes the various network paths that the requests generated by your AWS Management Console can take to AWS services. In general, AWS service consoles are implemented with a mix of direct browser requests and requests that are proxied by the AWS Management Console web servers to AWS services. These implementations are subject to change without notice. If your security requirements include access to AWS services using VPC endpoints, we recommend that you configure VPC endpoints for all of the services that you intend to use from VPC, whether directly or through AWS Management Console Private Access. Furthermore, you must use the `aws:SourceVpc` IAM condition in your policies rather than specific `aws:SourceVpce` values with the AWS Management Console Private Access feature. This section provides details about how the different network paths work.

After a user signs in to the AWS Management Console, they make requests to AWS services through a combination of direct browser requests and requests that are proxied by AWS Management Console web servers to AWS servers. For example, CloudWatch graph data requests are made directly from the browser. Whereas some AWS service console requests, such as Amazon S3, are proxied by the web server to Amazon S3.

For direct browser requests, using AWS Management Console Private Access does not change anything. As before, the request reaches the service through whatever network path the VPC has configured to reach monitoring.region.amazonaws.com. If the VPC is configured with a VPC endpoint for com.amazonaws.region.monitoring, the request will reach CloudWatch through that CloudWatch VPC endpoint. If there is no VPC endpoint for CloudWatch, the request will reach CloudWatch at its public endpoint, by way of an Internet Gateway on the VPC. Requests that arrive at CloudWatch by way of the CloudWatch VPC endpoint will have the IAM conditions `aws:SourceVpc` and `aws:SourceVpce` set to their respective values. Those that reach CloudWatch through its public endpoint will have `aws:SourceIp` set to the source IP address of the request. For more information about these IAM condition keys, see [Global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc) in the *IAM User Guide*.

For requests that are proxied by the AWS Management Console web server, such as the request that the Amazon S3 console makes to list your buckets when you visit the Amazon S3 console, the network path is different. These requests aren't initiated from your VPC and therefore don't use the VPC endpoint you may have configured on your VPC for that service. Even if you have a VPC endpoint for Amazon S3 in this case, your session’s request to Amazon S3 to list the buckets doesn't use the Amazon S3 VPC endpoint. However, when you use AWS Management Console Private Access with supported services, these requests (for example, to Amazon S3) will include the `aws:SourceVpc` condition key in their request context. The `aws:SourceVpc` condition key will be set to the VPC ID where your AWS Management Console Private Access endpoints for sign-in and console are deployed. So, if you are using `aws:SourceVpc` restrictions in your identity-based policies, you must add the VPC ID of this VPC that is hosting the AWS Management Console Private Access sign-in and console endpoints. The `aws:SourceVpce` condition will be set to the respective sign-in or console VPC endpoint IDs.

**Note**  
If your users require access to service consoles that aren't supported by AWS Management Console Private Access, you must include a list of your expected public network addresses (such as your on-premises network range) using the `aws:SourceIp` condition key in the users' identity-based policies.
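To make the difference between the two condition keys concrete, the following Python model (an added example, not AWS code; the VPC ID, endpoint IDs and address ranges are constructed) builds the request context described above for each of the three network paths and evaluates two Deny statements against them: one pinned to the service's `aws:SourceVpce`, which blocks the proxied console requests, and one keyed on `aws:SourceVpc` with an `aws:SourceIp` carve-out for on-premises ranges, as the Note recommends.

```python
"""Model the request context each network path in the documentation produces
and evaluate Deny statements against it. Added example, not AWS code: the VPC
ID, endpoint IDs and address ranges are constructed; the condition semantics
follow IAM's rules for missing keys (positive operators false, negated true)."""
import ipaddress

PRIVATE_ACCESS_VPC = "vpc-0aaaa1111bbbb2222"   # hosts the console and signin endpoints
CONSOLE_VPCE = "vpce-0cccc3333dddd4444"        # com.amazonaws.<region>.console
S3_VPCE = "vpce-0eeee5555ffff6666"             # S3 interface endpoint in the same VPC
ONPREM_CIDR = "198.51.100.0/24"                # expected public egress range


def request_context(path: str) -> dict:
    """Condition keys the service sees for each path described in the text."""
    if path == "direct-vpce":       # browser -> service through its VPC endpoint
        return {"aws:SourceVpc": PRIVATE_ACCESS_VPC, "aws:SourceVpce": S3_VPCE}
    if path == "direct-public":     # browser -> public service endpoint via IGW/NAT
        return {"aws:SourceIp": "198.51.100.7"}
    if path == "proxied-console":   # console web server -> service, Private Access on
        return {"aws:SourceVpc": PRIVATE_ACCESS_VPC, "aws:SourceVpce": CONSOLE_VPCE}
    raise ValueError(f"unknown path {path!r}")


def _condition_holds(op: str, ctx: dict, key: str, wanted) -> bool:
    """One condition operator; StringNotEquals/NotIpAddress are true when the
    key is absent, matching IAM's treatment of negated operators."""
    wanted = wanted if isinstance(wanted, list) else [wanted]
    value = ctx.get(key)
    if op == "StringEquals":
        return value in wanted
    if op == "StringNotEquals":
        return value not in wanted
    if op == "IpAddress":
        return value is not None and any(
            ipaddress.ip_address(value) in ipaddress.ip_network(c) for c in wanted)
    if op == "NotIpAddress":
        return not _condition_holds("IpAddress", ctx, key, wanted)
    raise ValueError(f"unsupported operator {op}")


def denied(statement: dict, ctx: dict) -> bool:
    """True when every condition of a Deny statement holds for ctx (conditions
    in one statement are ANDed, so the Deny fires only if all of them match)."""
    if statement["Effect"] != "Deny":
        raise ValueError("this model evaluates Deny statements only")
    return all(_condition_holds(op, ctx, key, wanted)
               for op, keys in statement["Condition"].items()
               for key, wanted in keys.items())


# Pins S3 calls to the S3 endpoint: proxied console requests carry the console
# endpoint ID in aws:SourceVpce and are therefore denied.
DENY_UNLESS_S3_VPCE = {
    "Effect": "Deny", "Action": "s3:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:SourceVpce": S3_VPCE}}}

# What the text recommends: key on the Private Access VPC, and carve out the
# expected public ranges for consoles the feature does not yet cover.
DENY_UNLESS_VPC_OR_ONPREM = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:SourceVpc": PRIVATE_ACCESS_VPC},
                  "NotIpAddress": {"aws:SourceIp": ONPREM_CIDR}}}


def outcome_table() -> dict:
    """Which paths each statement denies; the proxied path is the one to watch."""
    return {name: {path: denied(stmt, request_context(path))
                   for path in ("direct-vpce", "direct-public", "proxied-console")}
            for name, stmt in (("pin-to-s3-vpce", DENY_UNLESS_S3_VPCE),
                               ("vpc-or-onprem", DENY_UNLESS_VPC_OR_ONPREM))}


if __name__ == "__main__":
    for name, row in outcome_table().items():
        print(name, row)
```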

## How different network paths are reflected in CloudTrail
<a name="network-paths-cloudtrail"></a>

Different network paths used by requests generated by your AWS Management Console are reflected in your CloudTrail event history.

For direct browser requests, using AWS Management Console Private Access doesn't change anything. CloudTrail events will include details about the connection, like the VPC endpoint ID that was used to make the service API call.

For requests that are proxied by the AWS Management Console web server, CloudTrail events will not include any VPC related details. However, initial requests to AWS Sign-In that are required to establish the browser session, such as the `AwsConsoleSignIn` event type, will include the AWS Sign-In VPC endpoint ID in the event details.

# Try AWS Management Console Private Access
<a name="try-out-private-access"></a>

This section describes how to set up and test AWS Management Console Private Access in a new account.

AWS Management Console Private Access is an advanced security feature and requires prior knowledge about networking and setting up VPCs. This topic describes how you can try out AWS Management Console Private Access without a full scale infrastructure.

**Topics**
+ [Test setup with Amazon EC2](test-console-private-access-EC2.md)
+ [Test setup with Amazon WorkSpaces](test-console-private-access-workspaces.md)
+ [Test VPC setup with IAM policies](test-vpc-with-policies.md)

# Test setup with Amazon EC2
<a name="test-console-private-access-EC2"></a>

[Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/ec2/?icmpid=docs_homepage_compute) (Amazon EC2) provides scalable computing capacity in the Amazon Web Services cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. In this setup, we use [Fleet Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet.html), a capability of AWS Systems Manager, to connect to an Amazon EC2 Windows instance using the Remote Desktop Protocol (RDP).

This guide demonstrates a test environment to set up and experience an AWS Management Console Private Access connection to Amazon Simple Storage Service from an Amazon EC2 instance. This tutorial uses CloudFormation to create and configure the network setup to be used by Amazon EC2 to visualize this feature.

The following diagram describes the workflow for using Amazon EC2 to access an AWS Management Console Private Access setup. It shows how a user is connected to Amazon S3 using a private endpoint.

![The setup configuration for trying out AWS Management Console Private Access using an Amazon EC2 instance.](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/vpce-ec2-how-to-1.png)

Copy the following CloudFormation template and save it to a file that you will use in step three of the *To set up a network* procedure.

**Note**  
This CloudFormation template uses configurations that are currently not supported in the Israel (Tel Aviv) Region.

## AWS Management Console Private Access environment Amazon EC2 CloudFormation template
<a name="private-access-environment-ec2-cloudformation-template"></a>

```
Description: |
  AWS Management Console Private Access.
Parameters:
  VpcCIDR:
    Type: String
    Default: 172.16.0.0/16
    Description: CIDR range for VPC

  Ec2KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The EC2 KeyPair to use to connect to the Windows instance

  PublicSubnet1CIDR:
    Type: String
    Default: 172.16.1.0/24
    Description: CIDR range for Public Subnet A

  PublicSubnet2CIDR:
    Type: String
    Default: 172.16.0.0/24
    Description: CIDR range for Public Subnet B

  PublicSubnet3CIDR:
    Type: String
    Default: 172.16.2.0/24
    Description: CIDR range for Public Subnet C

  PrivateSubnet1CIDR:
    Type: String
    Default: 172.16.4.0/24
    Description: CIDR range for Private Subnet A

  PrivateSubnet2CIDR:
    Type: String
    Default: 172.16.5.0/24
    Description: CIDR range for Private Subnet B 

  PrivateSubnet3CIDR:
    Type: String
    Default: 172.16.3.0/24
    Description: CIDR range for Private Subnet C 

  LatestWindowsAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base'

  InstanceTypeParameter:
    Type: String
    Default: 't3.medium'


Resources:

#########################
# VPC AND SUBNETS
#########################

  AppVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCIDR
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true

  PublicSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet1CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: 
        Fn::Select: 
          - 0
          - Fn::GetAZs: ""
      
  PublicSubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet2CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: 
        Fn::Select: 
          - 1
          - Fn::GetAZs: ""

  PublicSubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet3CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: 
        Fn::Select: 
          - 2
          - Fn::GetAZs: ""

  PrivateSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet1CIDR
      AvailabilityZone: 
        Fn::Select: 
          - 0
          - Fn::GetAZs: ""

  PrivateSubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet2CIDR
      AvailabilityZone: 
        Fn::Select: 
          - 1
          - Fn::GetAZs: ""

  PrivateSubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet3CIDR
      AvailabilityZone: 
        Fn::Select: 
          - 2
          - Fn::GetAZs: ""

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref AppVPC

  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Ref PublicSubnetA

#########################
# Route Tables
#########################

  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref AppVPC

  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetA

  PrivateSubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetB

  PrivateSubnetRouteTableAssociation3:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetC

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVPC

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetARouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetA

  PublicSubnetBRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetB

  PublicSubnetBRouteTableAssociation3:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetC


#########################
# SECURITY GROUPS
#########################

  VPCEndpointSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Allow TLS for VPC Endpoint
      VpcId: !Ref AppVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !GetAtt AppVPC.CidrBlock

  EC2SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Default EC2 Instance SG
      VpcId: !Ref AppVPC
      
#########################
# VPC ENDPOINTS
#########################

  VPCEndpointGatewayS3:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      VpcId: !Ref AppVPC
      RouteTableIds:
        - !Ref PrivateRouteTable
        
  VPCEndpointInterfaceSSM:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceEc2messages:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceSsmmessages:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceSignin:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.signin'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceConsole:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.console'
      VpcId: !Ref AppVPC

#########################
# ROUTE53 RESOURCES
#########################

  ConsoleHostedZone: 
    Type: "AWS::Route53::HostedZone"
    Properties: 
      HostedZoneConfig: 
        Comment: 'Console VPC Endpoint Hosted Zone'
      Name: 'console.aws.amazon.com'
      VPCs: 
        - 
          VPCId: !Ref AppVPC
          VPCRegion: !Ref "AWS::Region"
          
  ConsoleRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 'console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  GlobalConsoleRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 'global.console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ConsoleS3ProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 's3.console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ConsoleSupportProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "support.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ExplorerProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "resource-explorer.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
  
  WidgetProxyRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "*.widget.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  ConsoleRecordRegional:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: !Sub "${AWS::Region}.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  ConsoleRecordRegionalMultiSession:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: !Sub "*.${AWS::Region}.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  SigninHostedZone: 
    Type: "AWS::Route53::HostedZone"
    Properties: 
      HostedZoneConfig: 
        Comment: 'Signin VPC Endpoint Hosted Zone'
      Name: 'signin.aws.amazon.com'
      VPCs: 
        - 
          VPCId: !Ref AppVPC
          VPCRegion: !Ref "AWS::Region"
          
  SigninRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'SigninHostedZone'
      Name: 'signin.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
      Type: A
          
  SigninRecordRegional:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'SigninHostedZone'
      Name: !Sub "${AWS::Region}.signin.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
      Type: A

#########################
# EC2 INSTANCE
#########################

  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: 
      Path: /
      Roles: 
       - !Ref Ec2InstanceRole

  EC2WinInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref LatestWindowsAmiId
      IamInstanceProfile: !Ref Ec2InstanceProfile
      KeyName: !Ref Ec2KeyPair
      InstanceType:
        Ref: InstanceTypeParameter
      SubnetId: !Ref PrivateSubnetA
      SecurityGroupIds:
        - Ref: EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 50
      Tags: 
      - Key: "Name"
        Value: "Console VPCE test instance"
```

**To set up a network**

1. Sign in to the management account for your organization and open the [CloudFormation console](https://console.aws.amazon.com/cloudformation).

1. Choose **Create stack**.

1. Choose **With new resources (standard)**. Upload the CloudFormation template file that you previously created, and choose **Next**.

1. Enter a name for the stack, such as **PrivateConsoleNetworkForS3**, then choose **Next**.

1. For **VPC and subnets**, enter your preferred IP CIDR ranges, or use the provided default values. If you use the default values, verify that they don’t overlap with existing VPC resources in your AWS account.

1. For the **Ec2KeyPair** parameter, select one from the existing Amazon EC2 key pairs in your account. If you don't have an existing Amazon EC2 key pair, you must create one before proceeding to the next step. For more information, see [Create a key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html#having-ec2-create-your-key-pair) in the *Amazon EC2 User Guide*.

1. Choose **Create stack**.

1. After the stack is created, choose the **Resources** tab to view the resources that have been created.

**To connect to the Amazon EC2 instance**

1. Sign in to the management account for your organization and open the [Amazon EC2 console](https://console.aws.amazon.com/ec2).

1. In the navigation pane, choose **Instances**.

1. On the **Instances** page, select **Console VPCE test instance** that was created by the CloudFormation template. Then choose **Connect**.
**Note**  
This example uses Fleet Manager, a capability of AWS Systems Manager Explorer, to connect to your Windows Server. It might take a few minutes before the connection can be started.

1. On the **Connect to instance** page, choose **RDP Client**, then **Connect using Fleet Manager**.

1. Choose **Fleet Manager Remote Desktop**.

1. To get the administrative password for the Amazon EC2 instance and access the Windows desktop through the web interface, use the private key of the Amazon EC2 key pair that you selected when creating the CloudFormation stack.

1. From the Amazon EC2 Windows instance, open the AWS Management Console in the browser.

1. After you sign in with your AWS credentials, open the [Amazon S3 console](https://console.aws.amazon.com/s3) and verify that you are connected using AWS Management Console Private Access.

**To test AWS Management Console Private Access setup**

1. Sign in to the management account for your organization and open the [Amazon S3 console](https://console.aws.amazon.com/s3).

1. Choose the lock-private icon in the navigation bar to view the VPC endpoint in use. The following screenshot shows the location of the lock-private icon and the VPC information.  
![\[The Amazon S3 console showing the lock icon and AWS Management Console Private Access information.\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/console-private-access-verify-1.png)
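A way to confirm the result of this procedure from inside the VPC, as an added example that is not part of this guide or of the template above: it resolves the hostnames that the template's private hosted zones override and checks that every answer lies inside `VpcCIDR` (default `172.16.0.0/16`), which is what a private hosted zone aliased to the interface endpoint should produce. A public address means the browser is reaching the console over the internet rather than through the endpoint. `parse_dns_entry` mirrors the `!Split`/`!Select` pattern the template applies to the endpoint's `DnsEntries` attribute. The function names are mine, and the resolver answers used for testing are constructed sample data; the wildcard records (`*.widget...`, `*.<region>...`) are not listed because a concrete hostname is needed to resolve them.

```python
"""Check that console and sign-in hostnames resolve to private endpoint IPs.

Added example for this guide; it is not part of the AWS template. Run it on
the EC2 instance (or WorkSpace) inside AppVPC, where the VPC resolver answers
from the private hosted zones created by the template.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple


def private_access_hostnames(region: str) -> List[str]:
    """Hostnames covered by the template's Route 53 RecordSet resources."""
    return [
        "console.aws.amazon.com",
        "global.console.aws.amazon.com",
        "s3.console.aws.amazon.com",
        "support.console.aws.amazon.com",
        "resource-explorer.console.aws.amazon.com",
        f"{region}.console.aws.amazon.com",
        "signin.aws.amazon.com",
        f"{region}.signin.aws.amazon.com",
    ]


def parse_dns_entry(entry: str) -> Tuple[str, str]:
    """Split one element of a VPC endpoint's DnsEntries attribute.

    CloudFormation returns each element as "<hostedZoneId>:<dnsName>"; the
    template's !Select ['0', ...] / !Select ['1', ...] take the same two parts.
    """
    zone_id, sep, dns_name = entry.partition(":")
    if not sep or not zone_id or not dns_name:
        raise ValueError(f"malformed DnsEntries element: {entry!r}")
    return zone_id, dns_name


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the host's configured resolver (the VPC resolver on EC2)."""
    answers = socket.getaddrinfo(hostname, 443, socket.AF_INET)
    return sorted({info[4][0] for info in answers})


def check_private_resolution(
    hostnames: Iterable[str],
    vpc_cidr: str,
    resolve: Callable[[str], List[str]] = system_resolver,
) -> Dict[str, bool]:
    """Return {hostname: True} only if every resolved address is inside vpc_cidr.

    A hostname with no answer is reported as False: the private zone is not
    serving it, so the browser would fall back to the public address.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    results: Dict[str, bool] = {}
    for name in hostnames:
        addrs = resolve(name)
        results[name] = bool(addrs) and all(
            ipaddress.ip_address(a) in vpc for a in addrs
        )
    return results


if __name__ == "__main__":
    # Region and CIDR are the defaults used elsewhere in this guide.
    report = check_private_resolution(
        private_access_hostnames("us-east-1"), "172.16.0.0/16"
    )
    for host, ok in report.items():
        print(f"{'PRIVATE' if ok else 'PUBLIC '} {host}")
```

Every line of the report should read `PRIVATE` when the hosted zones and the endpoint are associated with the VPC the client sits in; a `PUBLIC` line points at a missing record, a hosted zone not associated with this VPC, or a client that is not using the VPC resolver.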

# Test setup with Amazon WorkSpaces
<a name="test-console-private-access-workspaces"></a>

Amazon WorkSpaces enables you to provision virtual, cloud-based Windows, Amazon Linux, or Ubuntu Linux desktops for your users, known as WorkSpaces. You can quickly add or remove users as your needs change. Users can access their virtual desktops from multiple devices or web browsers. To learn more about WorkSpaces, see the [Amazon WorkSpaces Administration Guide](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces.html).

The example in this section describes a test environment in which a user signs in to AWS Management Console Private Access from a web browser running on a WorkSpace and then visits the Amazon Simple Storage Service console. The WorkSpace simulates the experience of a corporate user on a VPC-connected network who accesses the AWS Management Console from a browser on their laptop.

This tutorial uses AWS CloudFormation to create and configure the network setup and a Simple Active Directory for WorkSpaces to use, followed by step-by-step instructions to set up a WorkSpace using the AWS Management Console.

The following diagram describes the workflow for using a WorkSpace to test an AWS Management Console Private Access setup. It shows the relationship between a client WorkSpace, an Amazon-managed VPC, and a customer-managed VPC.

![\[The setup configuration for testing AWS Management Console Private Access using Amazon WorkSpaces.\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/vpce-workspaces-how-to-1.png)


Copy the following CloudFormation template and save it to a file that you will use in step 3 of the procedure to set up a network.

## AWS Management Console Private Access environment CloudFormation template
<a name="private-access-environment-cloudformation-template"></a>

```
Description: |
  AWS Management Console Private Access.
Parameters:

  VpcCIDR:
    Type: String
    Default: 172.16.0.0/16
    Description: CIDR range for VPC

  PublicSubnet1CIDR:
    Type: String
    Default: 172.16.1.0/24
    Description: CIDR range for Public Subnet A

  PublicSubnet2CIDR:
    Type: String
    Default: 172.16.0.0/24
    Description: CIDR range for Public Subnet B

  PrivateSubnet1CIDR:
    Type: String
    Default: 172.16.4.0/24
    Description: CIDR range for Private Subnet A

  PrivateSubnet2CIDR:
    Type: String
    Default: 172.16.5.0/24
    Description: CIDR range for Private Subnet B 

  DSAdminPasswordResourceName:
    Type: String
    Default: ADAdminSecret
    Description: Password for directory services admin 

# Amazon WorkSpaces is available in a subset of the Availability Zones for each supported Region.
# https://docs.aws.amazon.com/workspaces/latest/adminguide/azs-workspaces.html
Mappings:
  RegionMap:
    us-east-1:
      az1: use1-az2
      az2: use1-az4
      az3: use1-az6
    us-west-2:
      az1: usw2-az1
      az2: usw2-az2
      az3: usw2-az3
    ap-south-1:
      az1: aps1-az1
      az2: aps1-az2
      az3: aps1-az3
    ap-northeast-2:
      az1: apne2-az1
      az2: apne2-az3
    ap-southeast-1:
      az1: apse1-az1
      az2: apse1-az2
    ap-southeast-2:
      az1: apse2-az1
      az2: apse2-az3
    ap-northeast-1:
      az1: apne1-az1
      az2: apne1-az4
    ca-central-1:
      az1: cac1-az1
      az2: cac1-az2
    eu-central-1:
      az1: euc1-az2
      az2: euc1-az3
    eu-west-1:
      az1: euw1-az1
      az2: euw1-az2
    eu-west-2:
      az1: euw2-az2
      az2: euw2-az3
    sa-east-1:
      az1: sae1-az1
      az2: sae1-az3

Resources:

  iamLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties: 
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: describe-ec2-az
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:DescribeAvailabilityZones'
                Resource: '*'
      MaxSessionDuration: 3600
      Path: /service-role/

  fnZoneIdtoZoneName:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.8
      Handler: index.lambda_handler
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          def zoneId_to_zoneName(event, context):
              # Map the Zone ID from the custom resource properties to the Zone Name
              # this account sees for it (Zone Names differ between accounts).
              responseData = {}
              wanted = event['ResourceProperties']['ZoneId']
              ec2 = boto3.client('ec2')
              describe_az = ec2.describe_availability_zones()
              for az in describe_az['AvailabilityZones']:
                  if wanted == az['ZoneId']:
                      responseData['ZoneName'] = az['ZoneName']
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData, str(az['ZoneId']))
                      return
              # No match in this Region: fail the resource instead of leaving the
              # stack waiting for a response that never arrives.
              cfnresponse.send(event, context, cfnresponse.FAILED, responseData, str(wanted))

          def no_op(event, context):
              print(event)
              responseData = {}
              cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData, str(event['RequestId']))

          def lambda_handler(event, context):
              # Look the zone up on Create and Update; Delete has nothing to do.
              if event['RequestType'] in ('Create', 'Update'):
                  zoneId_to_zoneName(event, context)
              else:
                  no_op(event, context)
      Role: !GetAtt iamLambdaExecutionRole.Arn

  getAZ1:
    Type: "Custom::zone-id-zone-name"
    Properties:
      ServiceToken: !GetAtt fnZoneIdtoZoneName.Arn
      ZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', az1 ]
  getAZ2:
    Type: "Custom::zone-id-zone-name"
    Properties:
      ServiceToken: !GetAtt fnZoneIdtoZoneName.Arn
      ZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', az2 ]

#########################
# VPC AND SUBNETS
#########################

  AppVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCIDR
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true

  PublicSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet1CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: !GetAtt getAZ1.ZoneName
      
  PublicSubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet2CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: !GetAtt getAZ2.ZoneName

  PrivateSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet1CIDR
      AvailabilityZone: !GetAtt getAZ1.ZoneName

  PrivateSubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet2CIDR
      AvailabilityZone: !GetAtt getAZ2.ZoneName

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref AppVPC

  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Ref PublicSubnetA

#########################
# Route Tables
#########################

  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref AppVPC

  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetA

  PrivateSubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetB

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVPC

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetARouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetA

  PublicSubnetBRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetB


#########################
# SECURITY GROUPS
#########################

  VPCEndpointSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Allow TLS for VPC Endpoint
      VpcId: !Ref AppVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !GetAtt AppVPC.CidrBlock
      
#########################
# VPC ENDPOINTS
#########################

  VPCEndpointGatewayS3:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      VpcId: !Ref AppVPC
      RouteTableIds:
        - !Ref PrivateRouteTable
        
  VPCEndpointInterfaceSignin:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.signin'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceConsole:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.console'
      VpcId: !Ref AppVPC

#########################
# ROUTE53 RESOURCES
#########################

  ConsoleHostedZone: 
    Type: "AWS::Route53::HostedZone"
    Properties: 
      HostedZoneConfig: 
        Comment: 'Console VPC Endpoint Hosted Zone'
      Name: 'console.aws.amazon.com'
      VPCs: 
        - 
          VPCId: !Ref AppVPC
          VPCRegion: !Ref "AWS::Region"
          
  ConsoleRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 'console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  GlobalConsoleRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 'global.console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ConsoleS3ProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 's3.console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ConsoleSupportProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "support.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ExplorerProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "resource-explorer.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  WidgetProxyRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "*.widget.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  ConsoleRecordRegional:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: !Sub "${AWS::Region}.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  ConsoleRecordRegionalMultiSession:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: !Sub "*.${AWS::Region}.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  SigninHostedZone: 
    Type: "AWS::Route53::HostedZone"
    Properties: 
      HostedZoneConfig: 
        Comment: 'Signin VPC Endpoint Hosted Zone'
      Name: 'signin.aws.amazon.com'
      VPCs: 
        - 
          VPCId: !Ref AppVPC
          VPCRegion: !Ref "AWS::Region"
          
  SigninRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'SigninHostedZone'
      Name: 'signin.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
      Type: A
          
  SigninRecordRegional:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'SigninHostedZone'
      Name: !Sub "${AWS::Region}.signin.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
      Type: A

#########################
# WORKSPACE RESOURCES
#########################
  ADAdminSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Ref DSAdminPasswordResourceName
      Description: "Password for directory services admin"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "Admin"}'
        GenerateStringKey: password
        PasswordLength: 30
        ExcludeCharacters: '"@/\'

  WorkspaceSimpleDirectory:
    Type: AWS::DirectoryService::SimpleAD
    DependsOn: ADAdminSecret
    Properties:
      Name: "corp.awsconsole.com"
      # Resolve the generated password from the secret created above. Referencing
      # the secret's ARN through !Sub follows the DSAdminPasswordResourceName
      # parameter and makes CloudFormation create the secret before the directory.
      Password: !Sub '{{resolve:secretsmanager:${ADAdminSecret}:SecretString:password}}'
      Size: "Small"
      VpcSettings:
        SubnetIds:
          - !Ref PrivateSubnetA
          - !Ref PrivateSubnetB
        VpcId: !Ref AppVPC


Outputs:
  PrivateSubnetA:
    Description: Private Subnet A
    Value: !Ref PrivateSubnetA

  PrivateSubnetB:
    Description: Private Subnet B
    Value: !Ref PrivateSubnetB

  WorkspaceSimpleDirectory:
    Description: Directory to be used for Workspaces
    Value: !Ref WorkspaceSimpleDirectory

  WorkspacesAdminPassword:
    Description: "The ARN of the WorkSpaces admin password. Navigate to Secrets Manager in the AWS Management Console to view the value."
    Value: !Ref ADAdminSecret
```

**Note**  
This test setup is designed to run in the US East (N. Virginia) (us-east-1) Region.

**To set up a network**

1. Sign in to the management account for your organization and open the [CloudFormation console](https://console.aws.amazon.com/cloudformation).

1. Choose **Create stack**.

1. Choose **With new resources (standard)**. Upload the CloudFormation template file that you previously created, and choose **Next**.

1. Enter a name for the stack, such as **PrivateConsoleNetworkForS3**, then choose **Next**.

1. For **VPC and subnets**, enter your preferred IP CIDR ranges, or use the provided default values. If you use the default values, verify that they don’t overlap with existing VPC resources in your AWS account.

1. Choose **Create stack**.

1. After the stack is created, choose the **Resources** tab to view the resources that have been created.

1. Choose the **Outputs** tab to view the values for the private subnets and the Workspace Simple Directory. Take note of these values, because you will use them in the next procedure when you register the directory and select its subnets.

The following screenshot shows the view of the **Outputs** tab displaying the values for the private subnets and the Workspace Simple Directory.

![\[The private subnets and Workspace Simple Directory and their corresponding values.\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/vpce-workspaces-how-to-2-latest.png)


Now that you have created your network, use the following procedures to create and access a WorkSpace.

**To create a WorkSpace**

1. Open the [WorkSpaces console](https://console.aws.amazon.com/workspaces).

1. In the navigation pane, choose **Directories**.

1. On the **Directories** page, verify that the directory status is **Active**. The following screenshot shows a **Directories** page with an active directory.  
![\[The Directories page with an entry for a directory with an active status.\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/vpce-workspaces-how-to-3-updated.png)

1. To use a directory in WorkSpaces, you must register it. In the navigation pane, choose **WorkSpaces**, then choose **Create WorkSpaces**.

1. For **Select a directory**, choose the directory created by CloudFormation in the preceding procedure. On the **Actions** menu, choose **Register**.

1. For the subnet selection, select the two private subnets whose values you noted on the **Outputs** tab in the preceding procedure.

1. Select **Enable self-service permissions**, then choose **Register**.

1. After the directory is registered, continue creating the WorkSpace. Select the registered directory, then choose **Next**.

1. On the **Create users** page, choose **Create additional user**. Enter your name and email address so that you can use the WorkSpace. Verify that the email address is valid, because the WorkSpace login information is sent to it.

1. Choose **Next**.

1. On the **Identify Users** page, select the user you created in step nine, then choose **Next**.

1. On the **Select Bundle** page, choose **Standard with Amazon Linux 2**, then choose **Next**.

1. Use the default settings for the running mode and user customization, and then choose **Create Workspace**. The WorkSpace starts out in `Pending` status and transitions to `Available` within about 20 minutes.

1. When the WorkSpace is available, you will receive an email with instructions for accessing it at the email address you provided in step nine.

After you sign in to your WorkSpace, you can test that you are accessing it using your AWS Management Console Private Access.

**To access a WorkSpace**

1. Open the email that you received in step 14 of the preceding procedure.

1. In the email, choose the unique link that is provided to set up your profile and download the WorkSpaces client.

1. Set your password.

1. Download the client of your choice.

1. Install and launch the client. Enter the registration code that was provided in your email, then choose **Register**.

1. Sign in to Amazon WorkSpaces using the credentials you created in step three.

**To test AWS Management Console Private Access setup**

1. From your WorkSpace, open your browser. Then, navigate to the [AWS Management Console](https://console.aws.amazon.com/console) and sign in using your credentials.
**Note**  
If you are using Firefox as your browser, verify that the **Enable DNS over HTTPS** option is turned off in your browser settings.

1. Open the [Amazon S3 console](https://console.aws.amazon.com/s3) where you can verify that you are connected using AWS Management Console Private Access.

1. Choose the lock-private icon on the navigation bar to view the VPC and VPC endpoint in use. The following screenshot shows the location of the lock-private icon and the VPC information.  
![\[The Amazon S3 console showing the lock-private icon location and AWS Management Console Private Access information.\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/console-private-access-verify-1.png)

# Test VPC setup with IAM policies
<a name="test-vpc-with-policies"></a>

You can further test the VPC that you set up with Amazon EC2 or WorkSpaces by deploying IAM policies that restrict access.

The following policy denies access to Amazon S3 unless the request originates from your specified VPC.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:SourceVpc": "vpc-12345678"
                },
                "Bool": {
                    "aws:ViaAwsService": "false"
                }
            }
        }
    ]
}
```

------

The following policy limits sign-in to selected AWS account IDs by using an AWS Management Console Private Access policy for the sign-in endpoint.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": [
                        "AWSAccountID"
                    ]
                }
            }
        }
    ]
}
```

------
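To see how the two policies above combine, here is a small Python model of the IAM evaluation they rely on. It is an added example, not code from this guide or from AWS: it implements only the three condition operators the policies use (`StringNotEqualsIfExists`, `Bool`, `StringEquals`) and the rule that an explicit deny overrides any allow, with the `AWSAccountID` placeholder replaced by a constructed sample account ID.

```python
# Added example (not from this guide or from AWS): a minimal model of how IAM
# evaluates the two policies above, covering only the operators they use.

DENY_S3_OUTSIDE_VPC = {
    "Effect": "Deny", "Action": "s3:*",
    "Condition": {
        "StringNotEqualsIfExists": {"aws:SourceVpc": "vpc-12345678"},
        "Bool": {"aws:ViaAwsService": "false"},
    },
}
ALLOW_OWN_ACCOUNTS = {  # "AWSAccountID" replaced by a constructed sample ID
    "Effect": "Allow", "Action": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": ["111122223333"]}},
}


def _condition_matches(operator, key, expected, context):
    """Evaluate one condition key the way IAM does for these operators."""
    expected = expected if isinstance(expected, list) else [expected]
    if key not in context:
        # "...IfExists" operators are satisfied when the key is absent (e.g. a
        # request made outside any VPC); plain StringEquals and Bool are not.
        return operator.endswith("IfExists")
    actual = str(context[key])
    if operator == "Bool":
        return actual.lower() == str(expected[0]).lower()
    if operator.startswith("StringEquals"):
        return actual in expected
    if operator.startswith("StringNotEquals"):
        return actual not in expected
    raise ValueError(f"unsupported operator: {operator}")


def statement_applies(stmt, action, context):
    """True when the action matches and every condition is satisfied."""
    pattern = stmt["Action"].lower()
    if pattern != "*" and not action.lower().startswith(pattern.rstrip("*")):
        return False
    return all(_condition_matches(op, key, value, context)
               for op, block in stmt.get("Condition", {}).items()
               for key, value in block.items())


def evaluate(policies, action, context):
    """An explicit Deny wins; else Allow if any Allow applies; else implicit deny."""
    effects = {p["Effect"] for p in policies if statement_applies(p, action, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

The case worth noticing is a request that carries no `aws:SourceVpc` key at all (for example, one that did not pass through a VPC endpoint): because the operator is `...IfExists`, the deny still applies unless `aws:ViaAwsService` is true.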

If you connect with an identity that does not belong to your account, the following error page is displayed.

![\[The error page with a message that indicates that you don't have permission to use AWS Management Console Private Access.\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/console-private-access-denied.png)


# Reference architecture
<a name="console-private-access-reference-architectures"></a>

To connect privately to AWS Management Console Private Access from an on-premises network, you can use the AWS Site-to-Site VPN to AWS Virtual Private Gateway (VGW) connection option. AWS Site-to-Site VPN enables access to your remote network from your VPC by creating a connection and configuring routing to pass traffic through that connection. For more information, see [What is AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) in the *AWS Site-to-Site VPN User Guide*. AWS Virtual Private Gateway (VGW) is a highly available Regional service that acts as a gateway between a VPC and the on-premises network.

**AWS Site-to-Site VPN to AWS Virtual Private Gateway (VGW)**

![\[A workflow diagram that describes the architecture set up for connecting AWS Site-to-Site VPN to AWS Virtual Private Gateway (VGW).\]](http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/images/vpce-architectures-4.png)


An essential component in this reference architecture design is the Amazon Route 53 Resolver, specifically the inbound resolver. When you set it up in the VPC where the AWS Management Console Private Access endpoints are created, resolver endpoints (network interfaces) are created in the specified subnets. Their IP addresses can then be referred to in conditional forwarders on the on-premises DNS servers, to allow querying of records in a Private Hosted Zone. When on-premises clients connect to the AWS Management Console, they are routed to the AWS Management Console Private Access endpoints’ private IPs.

Before setting up the connection to the AWS Management Console Private Access endpoint, complete the prerequisite steps: set up the AWS Management Console Private Access endpoints in all the Regions where you want to access the AWS Management Console, as well as in the US East (N. Virginia) Region, and configure the Private Hosted Zone.