Top / Amazon Web Service / AWS Amazon EC2 / Endpoint Service

AWS Amazon EC2 Endpoint Service

This page shows how to write Terraform and CloudFormation for Amazon EC2 Endpoint Service and write them securely.

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_vpc_endpoint_service (Terraform)

The Endpoint Service in Amazon EC2 can be configured in Terraform with the resource name aws_vpc_endpoint_service. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

dexterchan/Terraform_CrossRegionVPCPeering

vpc-endpoint-service.tf#L1

resource "aws_vpc_endpoint_service" "mktsvc" {
  acceptance_required        = false
  network_load_balancer_arns = [aws_lb.fargate.arn]
  allowed_principals = var.vpc_endpointsvc_allowed_principals
}

Find out how to use this setting securely with Shisho Cloud

dexterchan/Terraform_CrossRegionVPCPeering

vpc-endpoint-service.tf#L1

resource "aws_vpc_endpoint_service" "mktsvc" {
  acceptance_required        = false
  network_load_balancer_arns = [aws_lb.fargate.arn]
  allowed_principals = var.vpc_endpointsvc_allowed_principals
}

Find out how to use this setting securely with Shisho Cloud

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

acceptance_required required - bool
allowed_principals optional computed - set of string
arn optional computed - string
availability_zones optional computed - set of string
base_endpoint_dns_names optional computed - set of string
gateway_load_balancer_arns optional - set of string
id optional computed - string
manages_vpc_endpoints optional computed - bool
network_load_balancer_arns optional - set of string
private_dns_name optional computed - string
private_dns_name_configuration optional computed - list of object
- name - string
- state - string
- type - string
- value - string
service_name optional computed - string
service_type optional computed - string
state optional computed - string
tags optional - map from string to string

>> from Terraform Registry

Explanation in Terraform Registry

Provides a VPC Endpoint Service resource. Service consumers can create an Interface VPC Endpoint to connect to the service.
NOTE on VPC Endpoint Services and VPC Endpoint Service Allowed Principals: Terraform provides both a standalone VPC Endpoint Service Allowed Principal resource and a VPC Endpoint Service resource with an allowed_principals attribute. Do not use the same principal ARN in both a VPC Endpoint Service resource and a VPC Endpoint Service Allowed Principal resource. Doing so will cause a conflict and will overwrite the association.

>> from Terraform Registry

Tips: Best Practices for The Other AWS Amazon EC2 Resources

In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

aws_default_vpc

Ensure to avoid using default VPC

It is better to define the own VPC and use it.

aws_network_acl_rule

Ensure your network ACL rule blocks unwanted inbound traffic

It is better to block unwanted inbound traffic.

aws_ebs_volume

Ensure to use a customer-managed key for EBS volume encryption

It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).

aws_instance

Ensure to avoid storing AWS access keys in user data

It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.

aws_security_group

Ensure your security group blocks unwanted inbound traffic

It is better to block unwanted inbound traffic.

Review your AWS Amazon EC2 settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::EC2::VPCEndpointService (CloudFormation)

The VPCEndpointService in EC2 can be configured in CloudFormation with the resource name AWS::EC2::VPCEndpointService. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

stefanycos/aws-cloudformation-vpc-endpoints

template-vpc-endpoint-service.yml#L31

    Type: AWS::EC2::VPCEndpointService
    Properties:
      AcceptanceRequired: true
      NetworkLoadBalancerArns:
        - !Ref NetworkLoadBalancer

dgaydukov/cert-aws

vpc-endpoint-ec2-privatelink.yml#L260

    Type: AWS::EC2::VPCEndpointService
    Properties:
      AcceptanceRequired: false # if you don't set it or set to true, you have to manually accept endpoint requests
      NetworkLoadBalancerArns:
        - !Ref NLB
  Vpc2Endpoint:

YAwasom/project

lb.yml#L259

    Type: AWS::EC2::VPCEndpointService
    Properties:
      AcceptanceRequired: false
      NetworkLoadBalancerArns:
      - !Ref WebLb

rjackson-dev-ops/groundhog_day

vpc-endpoint-privatelink-service.yml#L247

    Type: AWS::EC2::VPCEndpointService
    Properties:
      AcceptanceRequired: true # if you don't set it or set to true, you have to manually accept endpoint requests
      NetworkLoadBalancerArns:
        - !Ref NLB

kimdragon50/gwlb

1.GWLBVPC.yml#L218

    Type: AWS::EC2::VPCEndpointService
    Properties:
      GatewayLoadBalancerArns:
        - !Ref GWLB
      AcceptanceRequired: false

kusl/aws-cli