Improve the security of EC2 instances by using VPC endpoints for Systems Manager
You can improve the security posture of your managed nodes (including non-EC2 machines in a hybrid and multicloud environment) by configuring Amazon Systems Manager to use an interface VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC). By using an interface VPC endpoint (interface endpoint), you can connect to services powered by Amazon PrivateLink. Amazon PrivateLink is a technology that allows you to privately access Amazon Elastic Compute Cloud (Amazon EC2) and Systems Manager APIs by using private IP addresses.
Amazon PrivateLink restricts all network traffic between your managed instances, Systems Manager, and Amazon EC2 to the Amazon network. This means that your managed instances don't have access to the Internet. If you use Amazon PrivateLink, you don't need an internet gateway, a NAT device, or a virtual private gateway.
You aren't required to configure Amazon PrivateLink, but it's recommended. For more information about Amazon PrivateLink and VPC endpoints, see Amazon PrivateLink and VPC endpoints.
Note
The alternative to using a VPC endpoint is to allow outbound internet access on your managed instances. In this case, the managed instances must also allow HTTPS (port 443) outbound traffic to the following endpoints:
-
ssm.region.amazonaws.com.cn -
ssmmessages.region.amazonaws.com.cn -
ec2messages.region.amazonaws.com.cn
SSM Agent initiates all connections to the Systems Manager service in the cloud. For this reason, you don't need to configure your firewall to allow inbound traffic to your instances for Systems Manager.
For more information about calls to these endpoints, see Reference: ec2messages, ssmmessages, and other API operations.
About Amazon VPC
You can use Amazon Virtual Private Cloud (Amazon VPC) to define a virtual network in your own logically isolated area within the Amazon Web Services Cloud, known as a virtual private cloud (VPC). You can launch your Amazon resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using the scalable infrastructure of Amazon. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can connect instances in your VPC to the internet. You can connect your VPC to your own corporate data center, making the Amazon Web Services Cloud an extension of your data center. To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists. For more information, see the Amazon VPC User Guide.
Topics
VPC endpoint restrictions and limitations
Before you configure VPC endpoints for Systems Manager, be aware of the following restrictions and limitations.
Cross-Region requests
VPC endpoints don't support cross-Region requests—ensure that you
create your endpoint in the same Amazon Web Services Region as your bucket. You can find the
location of your bucket by using the Amazon S3 console, or by using the get-bucket-location command. Use a Region-specific Amazon S3 endpoint to
access your bucket; for example,
DOC-EXAMPLE-BUCKET.s3-us-west-2.amazonaws.com. For more
information about Region-specific endpoints for Amazon S3, see Amazon S3
endpoints in the Amazon Web Services General Reference. If you use
the Amazon CLI to make requests to Amazon S3, set your default region to the same region
as your bucket, or use the --region parameter in your
requests.
VPC peering connections
VPC interface endpoints can be accessed through both intra-Region and inter-Region VPC peering connections. For more information about VPC peering connection requests for VPC interface endpoints, see VPC peering connections (Quotas) in the Amazon Virtual Private Cloud User Guide.
VPC gateway endpoint connections can't be extended out of a VPC. Resources on the other side of a VPC peering connection in your VPC can't use the gateway endpoint to communicate with resources in the gateway endpoint service. For more information about VPC peering connection requests for VPC gateway endpoints, see VPC endpoints (Quotas) in the Amazon Virtual Private Cloud User Guide
Incoming connections
The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.
DNS resolution
If you use a custom DNS server, you must add a conditional forwarder for any
queries to the amazonaws.com.cn domain to the Amazon DNS server for
your VPC.
S3 buckets
Your VPC endpoint policy must allow access to at least the Amazon S3 buckets listed in SSM Agent communications with Amazon managed S3 buckets.
Note
If you use an on-premises firewall and plan to use Patch Manager, that firewall must also allow access to the appropriate patch baseline endpoint.
Amazon CloudWatch Logs
If you don't allow your instances to access the internet, create a VPC endpoint for CloudWatch Logs to use features that send logs to CloudWatch Logs. For more information about creating an endpoint for CloudWatch Logs, see Creating a VPC endpoint for CloudWatch Logs in the Amazon CloudWatch Logs User Guide.
DNS in hybrid and multicloud environment
For information about configuring DNS to work with Amazon PrivateLink endpoints in hybrid and multicloud environments, see Private DNS for interface endpoints in the Amazon VPC User Guide. If you want to use your own DNS, you can use Route 53 Resolver. For more information, see Resolving DNS queries between VPCs and your network in the Amazon Route 53 Developer Guide.
Creating VPC endpoints for Systems Manager
Use the following information to create VPC interface and gateway endpoints for Amazon Systems Manager. This topic links to procedures in the Amazon VPC User Guide.
To create VPC endpoints for Systems Manager
In the first step of this procedure, you create three required and one
optional interface endpoints for Systems Manager. The
first three endpoints are required for Systems Manager to work in a VPC. The fourth,
com.amazonaws.,
is required only if you're using Session Manager capabilities.region.ssmmessages
In the second step, you create the required gateway endpoint for Systems Manager to access Amazon S3.
Note
region represents the identifier for an Amazon Web Services Region
supported by Amazon Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of
supported region values, see the Region column in Systems Manager service endpoints in the
Amazon Web Services General Reference.
-
Follow the steps in Create an interface endpoint to create the following interface endpoints:
-
com.amazonaws.– The endpoint for the Systems Manager service.region.ssm -
com.amazonaws.– Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service. Beginning with version 3.3.40.0 of SSM Agent, Systems Manager began using theregion.ec2messagesssmmessages:*endpoint (Amazon Message Gateway Service) whenever available instead of theec2messages:*endpoint (Amazon Message Delivery Service). -
com.amazonaws.– If you're using Systems Manager to create VSS-enabled snapshots, you need to ensure that you have an endpoint to the EC2 service. Without the EC2 endpoint defined, a call to enumerate attached Amazon EBS volumes fails, which causes the Systems Manager command to fail.region.ec2 -
com.amazonaws.– This endpoint is required for the SSM Agent to communicate with Systems Manager service, for Run Command, and if you're connecting to your instances through a secure data channel using Session Manager. For more information, see Amazon Systems Manager Session Manager and Reference: ec2messages, ssmmessages, and other API operations.region.ssmmessages -
com.amazonaws.– This endpoint is optional. However, it can be created if you want to use Amazon Key Management Service (Amazon KMS) encryption for Session Manager or Parameter Store parameters.region.kms -
com.amazonaws.– This endpoint is optional. However, it can be created if you want to use Amazon CloudWatch Logs (CloudWatch Logs) for Session Manager, Run Command, or SSM Agent logs.region.logs
-
-
Follow the steps in Create a gateway endpoint to create the following gateway endpoint for Amazon S3.
-
com.amazonaws.– Systems Manager uses this endpoint to update SSM Agent and to perform patching operations. Systems Manager also uses this endpoint for tasks like uploading output logs you choose to store in S3 buckets, retrieving scripts or other files you store in buckets, and so on. If the security group associated with your instances restricts outbound traffic, you must add a rule to allow traffic to the prefix list for Amazon S3. For more information, see Modify your security group in the Amazon PrivateLink Guide.region.s3
For information about the Amazon managed S3 buckets that SSM Agent must be able to access, see SSM Agent communications with Amazon managed S3 buckets. If you're using a virtual private cloud (VPC) endpoint in your Systems Manager operations, you must provide explicit permission in an EC2 instance profile for Systems Manager, or in a service role for non-EC2 managed nodes in a hybrid and multicloud environment.
-
Create an interface VPC endpoint policy
You can create policies for VPC interface endpoints for Amazon Systems Manager in which you can specify:
-
The principal that can perform actions
-
The actions that can be performed
-
The resources that can have actions performed on them
For more information, see Control access to services with VPC endpoints in the Amazon VPC User Guide.