Considerations for Cloud Control API VPC endpoints Creating an interface VPC endpoint for Cloud Control API Creating a VPC endpoint policy for Cloud Control API See also

Amazon Cloud Control API and interface VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your virtual private cloud (VPC) and Amazon Cloud Control API by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access Cloud Control API APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Cloud Control API APIs. Traffic between your VPC and Cloud Control API doesn't keep the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Cloud Control API VPC endpoints

Before you set up an interface VPC endpoint for Cloud Control API, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

Cloud Control API supports making calls to all of its API actions from your VPC.

Creating an interface VPC endpoint for Cloud Control API

You can create a VPC endpoint for the Cloud Control API service using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Cloud Control API using the following service name:

cn.com.amazonaws.region.cloudcontrolapi

If you enable private DNS for the endpoint, you can make API requests to Cloud Control API using its default DNS name for the Region.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Cloud Control API

You can attach an endpoint policy to your VPC endpoint that controls access to Cloud Control API. The policy specifies the following information:

The principal that can perform actions.
The actions that can be performed.
The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Important

VPCE endpoint policy details are not passed to any downstream services invoked by Cloud Control API for evaluation. Because of this, policies specifying actions or resources that belong to downstream services are not enforced.

For example, suppose you created an Amazon EC2 instance in a VPC instance with a VPC endpoint for Cloud Control API in a subnet with no Internet access. Next, you attach the following VPC endpoint policy to the VPCE:


{
  "Statement": [
    {
      "Action": [
        "cloudformation:*",
        "ec2:*",
        "lambda": "*"
      ]
      "Effect": "Allow",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}

If a user with administrator access then sends a request to access an Amazon S3 bucket in the instance, no service error would be returned, even though Amazon S3 access is not granted in the VPCE policy.

Example: VPC endpoint policy for Cloud Control API actions

The following is an example of an endpoint policy for Cloud Control API. When attached to an endpoint, this policy grants access to the listed Cloud Control API actions for all principals on all resources. The following example denies all users the permission to create resources through the VPC endpoint, and allows full access to all other actions on the Cloud Control API service.


{
  "Statement": [
    {
      "Action": "cloudformation:*",
      "Effect": "Allow",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Action": "cloudformation:CreateResource",
      "Effect": "Deny",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}