Use Amazon Kinesis Data Streams with interface VPC endpoints
You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Kinesis Data Streams from
leaving the Amazon network. Interface VPC endpoints don't require an internet gateway, NAT
device, VPN connection, or Amazon Direct Connect connection. Interface VPC endpoints are powered by Amazon
PrivateLink, an Amazon technology that enables private communication between Amazon services
using an elastic network interface with private IPs in your Amazon VPC. Because the endpoint is a network
interface in your own subnet, the security groups you attach to it control which VPC resources can reach
Kinesis Data Streams through it. For more information, see Amazon Virtual Private Cloud.
Use interface VPC endpoints for Kinesis Data Streams
To get started, you do not need to change the settings for your streams, producers, or
consumers. Create an interface VPC endpoint for Kinesis Data Streams, and traffic between your Amazon VPC
resources and Kinesis Data Streams flows through it. With private DNS enabled on the endpoint, the Regional
Kinesis Data Streams hostname resolves to the endpoint's private IP addresses, so existing clients need no
configuration change; without private DNS, point your clients at the endpoint-specific DNS name instead.
FIPS-enabled interface VPC endpoints are available in US Regions. For more information, see Creating an
Interface Endpoint.
The Kinesis Producer Library (KPL) and Kinesis Client Library (KCL) call other Amazon services, such as Amazon CloudWatch and Amazon DynamoDB, using either public endpoints or private interface VPC endpoints, whichever are in use. For example, if your KCL application runs in a VPC with a DynamoDB interface VPC endpoint enabled, calls between DynamoDB and your KCL application flow through that interface VPC endpoint. If all of the application's traffic must stay off the public internet, create interface VPC endpoints for those services as well, not only for Kinesis Data Streams.
Control access to VPC endpoints for Kinesis Data Streams
VPC endpoint policies let you control access in two ways: by attaching a policy to the VPC endpoint itself, or by using condition keys in a policy attached to an IAM user, group, or role so that access to a stream is permitted only through a specified VPC endpoint. Used together with IAM policies, these policies restrict access to specific streams through a specified VPC endpoint and allow Kinesis Data Streams actions only through that endpoint. An endpoint policy never grants permissions on its own: a request that arrives through the endpoint succeeds only if both the endpoint policy and the caller's IAM policies allow it.
The following are example endpoint policies for accessing Kinesis data streams.
- VPC policy example: read-only access. This sample policy can be attached to a VPC endpoint (for more information, see Controlling Access to Amazon VPC Resources). It restricts actions through the VPC endpoint to which it is attached to listing and describing Kinesis data streams (kinesis:List* and kinesis:Describe*); any other action, such as PutRecord, is refused at the endpoint even if the caller's IAM policy allows it.

    {
      "Statement": [
        {
          "Sid": "ReadOnly",
          "Principal": "*",
          "Action": [
            "kinesis:List*",
            "kinesis:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

- VPC policy example: restrict access to a specific Kinesis data stream. This sample policy can be attached to a VPC endpoint. It restricts access through the VPC endpoint to which it is attached to a single data stream; requests for any other stream are refused at the endpoint. The kinesis:* here does not widen anything, because the caller's IAM policies must still allow each action.

    {
      "Statement": [
        {
          "Sid": "AccessToSpecificDataStream",
          "Principal": "*",
          "Action": "kinesis:*",
          "Effect": "Allow",
          "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/MyStream"
        }
      ]
    }

- IAM policy example: restrict access to a specific stream from a specific VPC endpoint only. This sample policy can be attached to an IAM user, role, or group. It restricts access to a specified Kinesis data stream so that it can occur only from a specified VPC endpoint. Because the condition uses StringNotEquals, the Deny also matches requests in which aws:sourceVpce is absent altogether (for example, requests that arrive over the public Kinesis endpoint), which is what confines the stream to the endpoint. The Deny grants nothing by itself; pair it with an Allow statement for the actions the principal needs on the stream.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AccessFromSpecificEndpoint",
          "Action": "kinesis:*",
          "Effect": "Deny",
          "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/MyStream",
          "Condition": {
            "StringNotEquals": {
              "aws:sourceVpce": "vpce-11aa22bb"
            }
          }
        }
      ]
    }
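As an added example, not Amazon's policy evaluator and not code from this page, the following Python models how the three policies above combine for a single request: an explicit Deny wins, otherwise an Allow is required, and traffic through an interface endpoint must additionally be allowed by the endpoint policy. It reuses the page's stream ARN and endpoint ID vpce-11aa22bb; the broad Allow identity policy, the second endpoint ID vpce-99dd88cc and the OtherStream ARN are assumed inputs constructed for the demonstration.

```python
"""Minimal model of IAM decision rules for the Kinesis endpoint policies above.

Added example, not Amazon's evaluator. Supports wildcard Action/Resource matching
and StringEquals/StringNotEquals, including the rule that a negated operator
matches when the condition key is absent from the request context.
"""
import fnmatch
import json

MY_STREAM = "arn:aws:kinesis:us-east-1:123456789012:stream/MyStream"
OTHER_STREAM = "arn:aws:kinesis:us-east-1:123456789012:stream/OtherStream"  # assumed

# The page's first endpoint policy: only List*/Describe* through the endpoint.
READ_ONLY_ENDPOINT_POLICY = json.loads("""{ "Statement": [ { "Sid": "ReadOnly", "Principal": "*",
  "Action": [ "kinesis:List*", "kinesis:Describe*" ], "Effect": "Allow", "Resource": "*" } ] }""")

# The page's second endpoint policy: any Kinesis action, but only on MyStream.
SINGLE_STREAM_ENDPOINT_POLICY = json.loads("""{ "Statement": [ { "Sid": "AccessToSpecificDataStream",
  "Principal": "*", "Action": "kinesis:*", "Effect": "Allow",
  "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/MyStream" } ] }""")

# The page's IAM policy: deny MyStream unless the request came through vpce-11aa22bb.
ONLY_FROM_ENDPOINT_IAM_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [ {
  "Sid": "AccessFromSpecificEndpoint", "Action": "kinesis:*", "Effect": "Deny",
  "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/MyStream",
  "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-11aa22bb" } } } ] }""")

# Assumed (not on the page): the Allow that the Deny above needs in order to matter.
BROAD_ALLOW_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kinesis:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM matches action names case-insensitively; '*' wildcards apply to both actions and ARNs.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        negated = operator == "StringNotEquals"
        for key, expected in pairs.items():
            if key not in ctx:
                # Absent key: a negated operator matches, a positive one does not.
                if not negated:
                    return False
                continue
            if (ctx[key] in _as_list(expected)) == negated:
                return False
    return True


def _decide(policies, action, resource, ctx):
    effects = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), ctx)):
                effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"


def evaluate(action, resource, identity_policies, endpoint_policy=None, vpce_id=None):
    """Decide one request. aws:sourceVpce is present only for traffic via an endpoint."""
    ctx = {"aws:sourceVpce": vpce_id} if vpce_id else {}
    decision = _decide(identity_policies, action, resource, ctx)
    if decision == "allow" and endpoint_policy is not None:
        # The endpoint policy is an additional gate; it cannot grant on its own.
        if _decide([endpoint_policy], action, resource, ctx) != "allow":
            return "denied by endpoint policy"
    return decision


def scenarios():
    """Constructed requests covering the cases the page's three policies are meant to handle."""
    identity = [BROAD_ALLOW_IAM_POLICY, ONLY_FROM_ENDPOINT_IAM_POLICY]
    put, describe = "kinesis:PutRecord", "kinesis:DescribeStream"
    return {
        "put_via_own_endpoint": evaluate(put, MY_STREAM, identity, SINGLE_STREAM_ENDPOINT_POLICY, "vpce-11aa22bb"),
        "put_from_public_internet": evaluate(put, MY_STREAM, identity),
        "put_via_other_endpoint": evaluate(put, MY_STREAM, identity, SINGLE_STREAM_ENDPOINT_POLICY, "vpce-99dd88cc"),
        "put_via_read_only_endpoint": evaluate(put, MY_STREAM, identity, READ_ONLY_ENDPOINT_POLICY, "vpce-11aa22bb"),
        "describe_via_read_only_endpoint": evaluate(describe, MY_STREAM, identity, READ_ONLY_ENDPOINT_POLICY, "vpce-11aa22bb"),
        "put_other_stream_via_own_endpoint": evaluate(put, OTHER_STREAM, identity, SINGLE_STREAM_ENDPOINT_POLICY, "vpce-11aa22bb"),
        "endpoint_policy_without_identity_allow": evaluate(put, MY_STREAM, [ONLY_FROM_ENDPOINT_IAM_POLICY], SINGLE_STREAM_ENDPOINT_POLICY, "vpce-11aa22bb"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:40} -> {decision}")
```

The two results worth noticing are put_from_public_internet and endpoint_policy_without_identity_allow. The first is denied although the request never touched an endpoint, because StringNotEquals matches when aws:sourceVpce is missing; that behaviour is what makes the page's Deny statement confine the stream to the endpoint. The second is an implicit deny even though the endpoint policy allows kinesis:* on MyStream, which is the point made above that an endpoint policy only narrows what an identity policy already grants.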
Availability of VPC endpoint policies for Kinesis Data Streams
Kinesis Data Streams interface VPC endpoints with policies are supported in the following Regions:
- Europe (Paris)
- Europe (Ireland)
- US East (N. Virginia)
- Europe (Stockholm)
- US East (Ohio)
- Europe (Frankfurt)
- South America (São Paulo)
- Europe (London)
- Asia Pacific (Tokyo)
- US West (N. California)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)
- China (Beijing)
- China (Ningxia)
- Asia Pacific (Hong Kong)
- Middle East (Bahrain)
- Middle East (UAE)
- Europe (Milan)
- Africa (Cape Town)
- Asia Pacific (Mumbai)
- Asia Pacific (Seoul)
- Canada (Central)
- US West (Oregon) except usw2-az4
- Amazon GovCloud (US-East)
- Amazon GovCloud (US-West)
- Asia Pacific (Osaka)
- Europe (Zurich)
- Asia Pacific (Hyderabad)