Using endpoint policies to control access with VPC endpoints - Amazon Elastic Beanstalk

Using endpoint policies to control access with VPC endpoints

This topic explains how you can attach a policy to VPC endpoints to control access to your application (your service) and your Elastic Beanstalk environment.

An endpoint policy is an Amazon Identity and Access Management (IAM) resource policy that controls access from the endpoint to the specified service. The endpoint policy is specific to the endpoint. It's separate from any user or instance IAM policies that your environment might have and doesn't override or replace them.

By default, a VPC endpoint allows full access to the service with which it's associated. When you create or modify an endpoint, you can attach an endpoint policy to it to control access to specific resources associated with the service. For details about authoring and using VPC endpoint policies, see Control access to VPC endpoints using endpoint policies in the Amazon PrivateLink Guide.

Note

When you create restrictive endpoint policies, you may need to add specific permissions for required resources so that access to these resources isn't blocked by the endpoint policy. Doing so ensures that your environment continues to deploy and function properly.

The following example denies all users the permission to terminate an environment through the VPC endpoint, and allows full access to all other actions.

{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    },
    {
      "Action": "elasticbeanstalk:TerminateEnvironment",
      "Effect": "Deny",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}

Required Amazon S3 bucket permissions for restrictive VPC endpoint policies

If you add restrictions to your VPC endpoint policies, you must include specific Amazon S3 bucket permissions to ensure that your environment continues to deploy and function properly. This section explains the required S3 buckets and includes example policies.

S3 Buckets that store assets to manage environment platforms

The Elastic Beanstalk service owns S3 buckets that store the assets associated with a solution stack (platform version). These assets include configuration files, the sample application, and available instance types. When Elastic Beanstalk creates and manages your environment it retrieves the required information for the specific platform version from the asset bucket for each corresponding Amazon Web Services Region.

S3 Bucket ARN

arn:aws:s3:::elasticbeanstalk-samples-region

Amazon Linux 2 and later

  • arn:aws:s3:::elasticbeanstalk-platform-assets-region

    Note

    The bucket name follows a different convention for the BJS region. The string public-beta-cn-north-1 is used in place of region. For example, arn:aws:s3:::elasticbeanstalk-platform-assets-public-beta-cn-north-1.

Windows Server, Amazon Linux (AMI), Amazon Linux 2 and later

  • arn:aws:s3:::elasticbeanstalk-env-resources-region

  • arn:aws:s3:::elasticbeanstalk-region

Operations

GetObject

VPC endpoint policy example

The following example illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2). The example lists all of the buckets for both Amazon Linux and Windows Server platforms. Update your policy to only include the buckets that apply to the operating system of your environment.

Important

We recommend that you avoid using wildcard characters (*) in place of specific Regions in this policy. For example, use arn:aws:s3:::cloudformation-waitcondition-us-east-2/* and don't use arn:aws:s3:::cloudformation-waitcondition-*/*. Using wildcards could provide access to S3 buckets that you don’t intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first Statement block for each Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsToAWSResources",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-platform-assets-us-east-2/*",
        "arn:aws:s3:::elasticbeanstalk-env-resources-us-east-2/*",
        "arn:aws:s3:::elasticbeanstalk-us-east-2/*",
        "arn:aws:s3:::elasticbeanstalk-samples-us-east-2/*"
      ]
    }
  ]
}

S3 Buckets owned by Amazon CloudFormation

Elastic Beanstalk uses Amazon CloudFormation to create resources for your environment. CloudFormation owns S3 buckets in each Amazon Web Services Region to monitor responses to wait conditions.

Services like Elastic Beanstalk communicate with CloudFormation by sending requests to a presigned Amazon S3 URL for the S3 bucket that CloudFormation owns. CloudFormation creates the presigned Amazon S3 URL using the cloudformation.amazonaws.com service principal.

For more detailed information, see Considerations for CloudFormation VPC endpoints in the Amazon CloudFormation User Guide. To learn more about presigned URLs, see Working with presigned URLs in the Amazon S3 User Guide.

S3 Bucket ARN

  • arn:aws:s3:::cloudformation-waitcondition-region

    When using wait conditions, region names do contain dashes. For example, us-west-2.

  • arn:aws:s3:::cloudformation-custom-resource-response-region

    When using custom resources, region names don't contain dashes. For example, uswest2.

Operations

GetObject

VPC endpoint policy example

The following example illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2).

Important

We recommend that you avoid using wildcard characters (*) in place of specific Regions in this policy. For example, use arn:aws:s3:::cloudformation-waitcondition-us-east-2/* and don't use arn:aws:s3:::cloudformation-waitcondition-*/*. Using wildcards could provide access to S3 buckets that you don’t intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first Statement block for each Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsToCloudFormation",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::cloudformation-waitcondition-us-east-2/*",
        "arn:aws:s3:::cloudformation-custom-resource-response-useast2/*"
      ]
    }
  ]
}

S3 Buckets owned by customer accounts to store source code and other items

This bucket is owned by the Amazon customer account that owns the environment. It stores resources that are specific to your environment, such as source code and requested logs.

S3 Bucket ARN

arn:aws:s3:::elasticbeanstalk-region-account-id

Operations

  • GetObject

  • GetObjectAcl

  • PutObject

  • PutObjectAcl

  • ListBucket

VPC endpoint policy example

The following example illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2) and for the example Amazon account id 123456789012.

Important

We recommend that you avoid using wildcard characters (*) in place of specific Regions in this policy. For example, use arn:aws:s3:::cloudformation-waitcondition-us-east-2/* and don't use arn:aws:s3:::cloudformation-waitcondition-*/*. Using wildcards could provide access to S3 buckets that you don’t intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first Statement block for each Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsToCustomerItems",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012",
        "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012/*"
      ]
    }
  ]
}

S3 Buckets owned by customer accounts to support Docker registry authentication

This bucket only applies to environments based on the Docker platform. The bucket, provisioned by the customer, stores a file that's used to authenticate to a private Docker registry. For more information, see Using the Dockerrun.aws.json v3 file in the Docker platform chapter of this guide.

S3 Bucket ARN

The ARN varies by customer account.

The S3 bucket ARN has the following format: arn:aws:s3:::bucket-name

Operations

GetObject

VPC endpoint policy example

The following example illustrates how to provide access to an S3 bucket with the name amzn-s3-demo-bucket1.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsToDockerRegistryAuth",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1/*"
      ]
    }
  ]
}

Updating your VPC endpoint policy

Because a VPC endpoint has only one policy attached, you must combine all of the permissions into the one policy. The following example provides all of the previous examples combined into one.

For details about authoring and using VPC endpoint policies, see Control access to VPC endpoints using endpoint policies in the Amazon PrivateLink Guide.

Like the previous examples, the following one illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2). It also includes buckets with example Amazon account id 123456789012 and example bucket name amzn-s3-demo-bucket1.

Important

We recommend that you avoid using wildcard characters (*) in place of specific Regions in this policy. For example, use arn:aws:s3:::cloudformation-waitcondition-us-east-2/* and don't use arn:aws:s3:::cloudformation-waitcondition-*/*. Using wildcards could provide access to S3 buckets that you don’t intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first Statement block for each Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestsToAWSResources",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-platform-assets-us-east-2/*",
        "arn:aws:s3:::elasticbeanstalk-env-resources-us-east-2/*",
        "arn:aws:s3:::elasticbeanstalk-us-east-2/*",
        "arn:aws:s3:::elasticbeanstalk-samples-us-east-2/*"
      ]
    },
    {
      "Sid": "AllowRequestsToCloudFormation",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::cloudformation-waitcondition-us-east-2/*",
        "arn:aws:s3:::cloudformation-custom-resource-response-useast2/*"
      ]
    },
    {
      "Sid": "AllowRequestsToCustomerItems",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012",
        "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012/*"
      ]
    },
    {
      "Sid": "AllowRequestsToDockerRegistryAuth",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1/*"
      ]
    }
  ]
}
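Before attaching a combined policy like the one above, it helps to lint it against the rules this page states: every action carries the s3: prefix, no bucket name uses a wildcard in place of a Region, s3:ListBucket is granted on the bucket ARN while object actions use bucket/*, and every Elastic Beanstalk and CloudFormation bucket listed above is still reachable (with the custom-resource bucket's Region written without dashes). The checker below is an added example, not AWS code; the allow() helper and the finding messages are this example's own conventions.

```python
import re

# Per-Region buckets from this page that an environment must still reach through a
# restrictive S3 endpoint policy; the custom-resource bucket's Region has no dashes ({nd}).
REQUIRED_BUCKETS = (
    "elasticbeanstalk-platform-assets-{r}", "elasticbeanstalk-env-resources-{r}",
    "elasticbeanstalk-{r}", "elasticbeanstalk-samples-{r}",
    "cloudformation-waitcondition-{r}", "cloudformation-custom-resource-response-{nd}",
)
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl"}
S3_ARN = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")


def as_list(value):
    return value if isinstance(value, list) else [value]


def allow(sid, actions, *resources):
    # Hypothetical helper: builds one Allow statement in the shape the page's examples use.
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": list(actions), "Resource": list(resources)}


def check_endpoint_policy(policy, region):
    """Return a list of findings; an empty list means every check passed."""
    findings, covered = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(as_list(stmt.get("Action", [])))
        resources = as_list(stmt.get("Resource", []))
        arns = [m for m in map(S3_ARN.match, resources) if m]
        covered.update(["*"] if "*" in resources else [m.group(1) for m in arns])
        for action in actions:
            if action != "*" and not action.startswith("s3:"):
                findings.append(f"{sid}: action '{action}' is missing the 's3:' prefix")
        for m in arns:
            if "*" in m.group(1):
                findings.append(f"{sid}: wildcard in bucket name '{m.group(1)}'")
        # ListBucket is granted on the bucket ARN; object actions need a key part.
        if "s3:ListBucket" in actions and not any(m.group(2) is None for m in arns):
            findings.append(f"{sid}: s3:ListBucket needs the bucket ARN without '/*'")
        if actions & OBJECT_ACTIONS and not any(m.group(2) for m in arns):
            findings.append(f"{sid}: object actions need an object ARN (bucket/*)")
    for name in REQUIRED_BUCKETS:
        bucket = name.format(r=region, nd=region.replace("-", ""))
        if "*" not in covered and bucket not in covered:
            findings.append(f"required bucket '{bucket}' is not allowed")
    return findings
```

Run it with the policy loaded from JSON and the Region your environment lives in; the default full-access policy (Action and Resource both "*") passes, and each finding names the Sid it applies to.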