Amazon Web Services recently introduced VPC endpoints to enable a "private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT instance, a VPN connection, or AWS Direct Connect". VPC endpoint policies provide granular access control to other services' resources. Initially available are connections to Amazon S3; other AWS services will be supported later on.
An Amazon Virtual Private Cloud (VPC) is a "logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define". This isolation and its advanced networking features were established as EC2's preferred modus operandi some time ago with the introduction of the default VPC. Until now, however, without the VPC endpoint concept, all traffic to Amazon S3 from EC2 instances running in a private VPC subnet had to traverse the public internet. This usually required an internet gateway and a NAT instance, which implied corresponding bandwidth, cost and availability challenges. Furthermore, security compliance auditing required, for example, scanning of egress network traffic.
These operational and security challenges can now be addressed via VPC endpoints, which are "horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic". This considerably simplifies network management and auditing, since traffic between a VPC and other AWS services does not leave Amazon’s network anymore.
VPC endpoints allow attachment of an endpoint policy to control access to other AWS services, for example to restrict access to specific Amazon S3 buckets as follows:
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
When no such custom policy is attached to an endpoint, a default policy that grants full access to S3 applies. Any custom policy needs to account for other AWS services that implicitly make use of S3 buckets and may be affected accordingly. Conversely, it is also possible to define Amazon S3 bucket policies that restrict access to a specific VPC or to a subset of its VPC endpoints.
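To illustrate the bucket-policy side of this, here is an added example (not code from the article or from AWS): a bucket policy that allows object access only when the request arrives through one VPC endpoint, using the aws:SourceVpce condition key that S3 evaluates for endpoint-originated requests, together with a deliberately simplified model of IAM's evaluation rules (explicit Deny wins, otherwise an Allow is needed). The endpoint id, bucket name and request contexts are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policy; the endpoint id and bucket name are placeholders.
# The explicit Deny with StringNotEquals is what blocks requests that do not
# carry the endpoint id at all (e.g. those arriving over the public internet).
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow-via-endpoint", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my_secure_bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "Deny-everything-else", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Simplified check for StringEquals / StringNotEquals only.
    A context key that is absent never satisfies StringEquals but does satisfy
    StringNotEquals, mirroring how IAM treats missing keys for negated operators."""
    for op, kv in cond.items():
        for key, wanted in kv.items():
            equal = ctx.get(key) in _as_list(wanted)
            if op == "StringEquals" and not equal:
                return False
            if op == "StringNotEquals" and equal:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': a matching Deny statement wins immediately,
    a matching Allow is remembered, and no match at all is an implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Actions not granted by the Allow statement, such as s3:ListBucket, stay implicitly denied even through the endpoint, which matches the least-privilege intent of pairing a narrow Allow with a broad endpoint-scoped Deny.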
As usual, VPC endpoints can be provisioned via the AWS Management Console and the AWS API and CLIs. A dedicated AWS::EC2::VPCEndpoint resource type has since been added to AWS CloudFormation as well, covering management of the aforementioned endpoint policy and of the route tables the VPC uses to reach the endpoint. Its "ServiceName" property simply denotes any "AWS service to which you want to establish a connection", though the announcement still states that VPC endpoints support Amazon S3 only at this point.
The Amazon VPC user guide provides more details about the concepts involved and a hands-on introduction to creating a virtual network manually using the AWS Management Console. The VPC related actions for programmatic usage are integrated with the EC2 API reference and the EC2 commands of the AWS Command Line Interface (AWS CLI). Support is available via the Amazon Virtual Private Cloud (VPC) and Amazon Simple Storage Service (S3) forums.