Identity-based policy examples for Amazon PrivateLink
By default, users and roles don't have permission to create or modify Amazon PrivateLink resources. They also can't perform tasks by using the Amazon Web Services Management Console, Amazon Command Line Interface (Amazon CLI), or Amazon API. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.
For details about actions and resource types defined by Amazon PrivateLink, including the format of the ARNs for each of the resource types, see Actions, resources, and condition keys for Amazon EC2 in the Service Authorization Reference.
Examples
Control the use of VPC endpoints
By default, users do not have permission to work with endpoints. You can create an identity-based policy that grants users permission to create, modify, describe, and delete endpoints. The following is an example.
{ "Version": "2012-10-17", "Statement":[ { "Effect": "Allow", "Action":"ec2:*VpcEndpoint*", "Resource":"*" } ] }
For information about controlling access to services using VPC endpoints, see Control access to VPC endpoints using endpoint policies.
Control VPC endpoints creation based on the service owner
You can use the ec2:VpceServiceOwner condition key to control what VPC endpoint
can be created based on who owns the service (amazon,
aws-marketplace, or the account ID). The following example grants
permission to create VPC endpoints with the specified service owner. To use this
example, substitute the Region, the account ID, and the service owner.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws-cn:ec2:region:account-id:vpc/*", "arn:aws-cn:ec2:region:account-id:security-group/*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:route-table/*" ] }, { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws-cn:ec2:region:account-id:vpc-endpoint/*" ], "Condition": { "StringEquals": { "ec2:VpceServiceOwner": [ "amazon" ] } } } ] }
Control the private DNS names that can be specified for VPC endpoint services
You can use the ec2:VpceServicePrivateDnsName condition key to control what VPC
endpoint service can be modified or created based on the private DNS name associated
with the VPC endpoint service. The following example grants permission to create a
VPC endpoint service with the specified private DNS name. To use this example,
substitute the Region, the account ID, and the private DNS name.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:ModifyVpcEndpointServiceConfiguration", "ec2:CreateVpcEndpointServiceConfiguration" ], "Resource": [ "arn:aws-cn:ec2:region:account-id:vpc-endpoint-service/*" ], "Condition": { "StringEquals": { "ec2:VpceServicePrivateDnsName": [ "example.com" ] } } } ] }
Control the service names that can be specified for VPC endpoint services
You can use the ec2:VpceServiceName condition key to control what
VPC endpoint can be created based on the VPC endpoint service name. The following
example grants permission to create a VPC endpoint with the specified service name. To
use this example, substitute the Region, the account ID, and the service name.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws-cn:ec2:region:account-id:vpc/*", "arn:aws-cn:ec2:region:account-id:security-group/*", "arn:aws-cn:ec2:region:account-id:subnet/*", "arn:aws-cn:ec2:region:account-id:route-table/*" ] }, { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws-cn:ec2:region:account-id:vpc-endpoint/*" ], "Condition": { "StringEquals": { "ec2:VpceServiceName": [ "com.amazonaws.region.s3" ] } } } ] }