Identity-based policy examples for AWS PrivateLink - Amazon Virtual Private Cloud

Identity-based policy examples for AWS PrivateLink

By default, users and roles don't have permission to create or modify AWS PrivateLink resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Create IAM policies (console) in the IAM User Guide.

For details about actions and resource types defined by AWS PrivateLink, including the format of the ARNs for each of the resource types, see Actions, resources, and condition keys for Amazon EC2 in the Service Authorization Reference.

Control the use of VPC endpoints

By default, users do not have permission to work with endpoints. You can create an identity-based policy that grants users permission to create, modify, describe, and delete endpoints. The following is an example.

{ "Version": "2012-10-17", "Statement":[ { "Effect": "Allow", "Action":"ec2:*VpcEndpoint*", "Resource":"*" } ] }

For information about controlling access to services using VPC endpoints, see Control access to VPC endpoints using endpoint policies.

Control VPC endpoints creation based on the service owner

You can use the ec2:VpceServiceOwner condition key to control what VPC endpoint can be created based on who owns the service (amazon, aws-marketplace, or the account ID). The following example grants permission to create VPC endpoints with the specified service owner. To use this example, substitute the Region, the account ID, and the service owner.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:account-id:vpc/*", "arn:aws:ec2:region:account-id:security-group/*", "arn:aws:ec2:region:account-id:subnet/*", "arn:aws:ec2:region:account-id:route-table/*" ] }, { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:account-id:vpc-endpoint/*" ], "Condition": { "StringEquals": { "ec2:VpceServiceOwner": [ "amazon" ] } } } ] }

Control the private DNS names that can be specified for VPC endpoint services

You can use the ec2:VpceServicePrivateDnsName condition key to control what VPC endpoint service can be modified or created based on the private DNS name associated with the VPC endpoint service. The following example grants permission to create a VPC endpoint service with the specified private DNS name. To use this example, substitute the Region, the account ID, and the private DNS name.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:ModifyVpcEndpointServiceConfiguration", "ec2:CreateVpcEndpointServiceConfiguration" ], "Resource": [ "arn:aws:ec2:region:account-id:vpc-endpoint-service/*" ], "Condition": { "StringEquals": { "ec2:VpceServicePrivateDnsName": [ "example.com" ] } } } ] }

Control the service names that can be specified for VPC endpoint services

You can use the ec2:VpceServiceName condition key to control what VPC endpoint can be created based on the VPC endpoint service name. The following example grants permission to create a VPC endpoint with the specified service name. To use this example, substitute the Region, the account ID, and the service name.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:account-id:vpc/*", "arn:aws:ec2:region:account-id:security-group/*", "arn:aws:ec2:region:account-id:subnet/*", "arn:aws:ec2:region:account-id:route-table/*" ] }, { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:region:account-id:vpc-endpoint/*" ], "Condition": { "StringEquals": { "ec2:VpceServiceName": [ "com.amazonaws.region.s3" ] } } } ] }