Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Application Auto Scaling and interface VPC endpoints

You can improve the security posture of your VPC by configuring Application Auto Scaling to use an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access Application Auto Scaling APIs by restricting all network traffic between your VPC and Application Auto Scaling to the Amazon network. With interface endpoints, you also don't need an internet gateway, a NAT device, or a virtual private gateway.

You are not required to configure Amazon PrivateLink, but it's recommended. For more information about Amazon PrivateLink and VPC endpoints, see What is Amazon PrivateLink? in the Amazon PrivateLink Guide.

Create an interface VPC endpoint

Create an endpoint for Application Auto Scaling using the following service name:

com.amazonaws.region.application-autoscaling

For more information, see Access an Amazon service using an interface VPC endpoint in the Amazon PrivateLink Guide.

You do not need to change any other settings. Application Auto Scaling calls other Amazon services using either service endpoints or private interface VPC endpoints, whichever are in use.

Create a VPC endpoint policy

You can attach a policy to your VPC endpoint to control access to the Application Auto Scaling API. The policy specifies:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resource on which the actions can be performed.

The following example shows a VPC endpoint policy that denies everyone permission to delete a scaling policy through the endpoint. The example policy also grants everyone permission to perform all other actions.

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "application-autoscaling:DeleteScalingPolicy",
            "Effect": "Deny",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

For more information, see VPC endpoint policies in the Amazon PrivateLink Guide.
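
The following is an added example, not part of the AWS documentation: a simplified, standard-library-only model of how the statements in an endpoint policy combine, run against the example policy above. It handles only Principal, Action and Resource with wildcards (no Condition, NotAction or NotResource); the caller ARN and the read-only policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The endpoint policy from this page.
PAGE_POLICY = json.loads("""{ "Statement": [
  { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*" },
  { "Action": "application-autoscaling:DeleteScalingPolicy",
    "Effect": "Deny", "Resource": "*", "Principal": "*" } ] }""")

# Constructed for comparison: allows only the Describe* calls.
READ_ONLY_POLICY = {"Statement": [
    {"Action": "application-autoscaling:Describe*", "Effect": "Allow",
     "Resource": "*", "Principal": "*"}]}

CALLER = "arn:aws-cn:iam::111122223333:role/ExampleRole"  # constructed ARN

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    # "*" and "?" are wildcards; action names compare case-insensitively.
    norm = str.lower if fold else str
    return any(fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in arns or caller_arn in arns

def evaluate(policy, caller_arn, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not (_principal_matches(stmt.get("Principal"), caller_arn)
                and _matches(stmt["Action"], action, fold=True)
                and _matches(stmt.get("Resource", "*"), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision

if __name__ == "__main__":
    for policy_name, policy in (("page", PAGE_POLICY), ("read-only", READ_ONLY_POLICY)):
        for op in ("DescribeScalingPolicies", "PutScalingPolicy", "DeleteScalingPolicy"):
            action = "application-autoscaling:" + op
            print(policy_name, action, evaluate(policy, CALLER, action))
```

An Allow result means only that the endpoint does not block the request; the caller's IAM policies must still permit the action.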