Build Interface Endpoints

In this section you will examine and update the configurations that control access to the queue, and ensure that traffic from the EC2 instances to SQS stays on private network segments by routing it through an SQS Interface VPC Endpoint instead of the public SQS endpoint.

(Figure 17)

  • 2.1. Interface Endpoint - IAM Roles. The EC2 instances will use an IAM role whose attached IAM policies grant the permissions needed to make API calls against SQS (the identity-based Allow). See IAM roles for EC2 instances for more information.
  • 2.2. Interface Endpoint - Security Groups. You will restrict network access to the SQS Interface VPC endpoint with a security group attached to the endpoint's network interfaces. Its rules will allow inbound HTTPS (TCP 443) only from the private subnets in your VPC.
  • 2.3. Interface Endpoint - Interface Endpoint Resource Policy. Access to the SQS service through the endpoint will be restricted by an endpoint policy that allows access only to one specific queue and only for IAM principals in your AWS account.
  • 2.4. Interface Endpoint - SQS Queue Resource Policy. The sqs:SendMessage, sqs:ReceiveMessage and sqs:DeleteMessage API calls will be restricted by a queue resource policy (an Amazon SQS policy) that denies these actions unless the request arrives through the specified VPC endpoint (an aws:sourceVpce condition). Because this is an explicit deny, it also blocks same-account callers outside the VPC, such as the console or the CLI on your workstation, so plan how you will administer the queue before you apply it.
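The four controls from steps 2.1 to 2.4, as an added worked example that is not part of the workshop: the role policy, the endpoint security group rules, the endpoint policy and the queue policy are written out as the documents you would apply, and a deliberately simplified evaluator walks a request through the layers to show which one stops it. The account ID, endpoint ID, queue name and subnet CIDRs are made-up placeholders, and the evaluator only models the condition operators these four policies use; it is not IAM's full evaluation logic.

```python
"""Defence in depth for an SQS Interface VPC Endpoint: the four controls as
policy documents plus a simplified evaluator (example code, not AWS's logic).
All identifiers below are assumed placeholders."""
import ipaddress

ACCOUNT_ID = "111122223333"                   # assumed account
REGION = "us-east-1"
VPC_ENDPOINT_ID = "vpce-0abc123def456789a"    # assumed SQS interface endpoint
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:workshop-queue"
QUEUE_ACTIONS = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
PRIVATE_SUBNET_CIDRS = ["10.0.10.0/24", "10.0.11.0/24"]  # assumed private subnets

# 2.1 Identity-based policy attached to the EC2 instance role.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": QUEUE_ACTIONS, "Resource": QUEUE_ARN}]}

# 2.2 Security group on the endpoint's network interfaces: HTTPS from private subnets only.
ENDPOINT_SG_INGRESS = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": c}
                       for c in PRIVATE_SUBNET_CIDRS]

# 2.3 Endpoint policy: only this queue, only principals from this account.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": QUEUE_ACTIONS, "Resource": QUEUE_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT_ID}}}]}

# 2.4 Queue policy: explicit deny unless the request came through our endpoint.
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
     "Action": QUEUE_ACTIONS, "Resource": QUEUE_ARN,
     "Condition": {"StringNotEquals": {"aws:sourceVpce": VPC_ENDPOINT_ID}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(cond, ctx):
    """Only StringEquals / StringNotEquals are modelled (all these policies need).
    A negated operator on a key absent from the request matches, as in IAM."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)                      # None when the key is absent
            matches = have is not None and have in _as_list(want)
            if op == "StringEquals" and not matches:
                return False
            if op == "StringNotEquals" and matches:
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {op}")
    return True


def _statement_applies(stmt, ctx):
    return (ctx["action"] in _as_list(stmt["Action"])
            and ctx["resource"] in _as_list(stmt["Resource"])
            and _condition_ok(stmt.get("Condition", {}), ctx))


def evaluate_policy(policy, ctx):
    """Return 'Deny', 'Allow' or None (no matching statement); explicit deny wins.
    Principal matching is omitted: these policies use Principal '*' plus conditions."""
    result = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def request_allowed(action, principal_account, via_endpoint, source_ip, queue_arn=QUEUE_ARN):
    """Walk one SQS API call through the four layers; returns (allowed, reason).
    via_endpoint is True when the call reaches SQS through the interface endpoint
    (private DNS inside the VPC) and False when it hits the public SQS endpoint.
    AWS evaluates all policies together; the ordering here only labels the first
    layer that would stop the request."""
    ctx = {"action": action, "resource": queue_arn, "aws:PrincipalAccount": principal_account}
    if via_endpoint:
        ctx["aws:sourceVpce"] = VPC_ENDPOINT_ID
        ip = ipaddress.ip_address(source_ip)           # 2.2 security group
        if not any(ip in ipaddress.ip_network(r["CidrIp"]) for r in ENDPOINT_SG_INGRESS):
            return False, "security group: source is not in a private subnet"
        if evaluate_policy(ENDPOINT_POLICY, ctx) != "Allow":   # 2.3 endpoint policy
            return False, "endpoint policy: wrong queue, action or account"
    if evaluate_policy(QUEUE_POLICY, ctx) == "Deny":           # 2.4 queue policy
        return False, f"queue policy: request did not come via {VPC_ENDPOINT_ID}"
    if principal_account == ACCOUNT_ID and evaluate_policy(ROLE_POLICY, ctx) == "Allow":
        return True, "allowed"                                 # 2.1 instance role
    return False, "no identity policy grants the action"


if __name__ == "__main__":
    cases = [("instance in private subnet", "sqs:SendMessage", ACCOUNT_ID, True, "10.0.10.25"),
             ("admin CLI on the internet", "sqs:SendMessage", ACCOUNT_ID, False, "203.0.113.7"),
             ("other account via endpoint", "sqs:SendMessage", "999988887777", True, "10.0.10.25"),
             ("host outside private subnets", "sqs:SendMessage", ACCOUNT_ID, True, "10.0.99.5")]
    for name, *args in cases:
        print(f"{name:32s} -> {request_allowed(*args)}")
```

The second case is the operational caveat from step 2.4 in code: the same-account caller with a perfectly good identity policy is still refused because the queue policy's explicit deny sees no aws:sourceVpce on a request that came through the public endpoint. Run the file to see each layer's verdict; the four policy dictionaries can be dumped with json.dumps and used directly as the documents you attach.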