💾 Archived View for cfdocs.wetterberg.nu › cfn-vpce-bucketnames.gemini captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
Setting up VPC endpoints for AWS CloudFormation
You can improve the security posture of your VPC by configuring AWS CloudFormation to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access AWS CloudFormation APIs by using private IP addresses. PrivateLink restricts all network traffic between your VPC and AWS CloudFormation to the Amazon network. Also, you don't need an Internet gateway, a NAT device, or a virtual private gateway.
You are not required to configure PrivateLink, but it's recommended. For more information about PrivateLink and VPC endpoints, see Accessing AWS services through PrivateLink.
Before you begin
Before you configure VPC endpoints for AWS CloudFormation, be aware of the following considerations.
- When using the VPC endpoint feature, grant access to AWS CloudFormation-specific S3 buckets for resources in a VPC that must respond to a custom resource request or a wait condition.
If you use AWS CloudFormation to create resources in a VPC with a VPC endpoint, you might need to modify your IAM endpoint policy so that it permits access to certain S3 buckets. AWS CloudFormation has S3 buckets in each Region to monitor responses to a custom resource request or a wait condition. If a template includes custom resources or wait conditions in a VPC, the VPC endpoint policy must allow users to send responses to the following buckets:
- For custom resources, permit traffic to the cloudformation-custom-resource-response-region bucket. When using custom resources, region names do not contain dashes. For example, uswest2.
- For wait conditions, permit traffic to the cloudformation-waitcondition-region bucket. When using wait conditions, region names do contain dashes. For example, us-west-2.
If the endpoint policy blocks traffic to these buckets, AWS CloudFormation won't receive responses and the stack operation fails. For example, if you have a resource in a VPC in the us-west-2 Region that must respond to a wait condition, the resource must be able to send a response to the cloudformation-waitcondition-us-west-2 bucket.
For a list of Regions that AWS CloudFormation supports, see the Regions and endpoints page in the Amazon Web Services General Reference.
- VPC endpoints currently do not support cross-Region requests—ensure that you create your endpoint in the same Region in which you plan to issue your API calls to AWS CloudFormation.
- VPC endpoints only support Amazon-provided DNS through Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP options sets in the Amazon VPC User Guide.
- The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the VPC.
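A worked example, added here and not part of the AWS documentation, that derives the two Region-specific bucket names with the dash rule described above, emits a minimal S3 VPC endpoint policy covering them, and checks an existing policy for the common mistake of keeping the dashes in the custom-resource bucket name. The action granted (s3:PutObject), the wildcard principal and the policy layout are assumptions; the page names the buckets but not the S3 actions.

```python
import fnmatch

# Assumption (the page names the buckets, not the S3 actions): a response is an
# object upload, so s3:PutObject on the buckets' objects is what the policy grants.
REQUIRED_ACTION = "s3:putobject"

def cfn_response_buckets(region):
    # Custom-resource bucket drops the dashes; wait-condition bucket keeps them.
    return {
        "custom_resource": "cloudformation-custom-resource-response-" + region.replace("-", ""),
        "wait_condition": "cloudformation-waitcondition-" + region,
    }

def required_object_arns(region):
    return ["arn:aws:s3:::%s/*" % b for b in cfn_response_buckets(region).values()]

def s3_endpoint_policy(region):
    # Minimal S3 endpoint policy letting resources in the VPC send responses.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCfnResponses", "Effect": "Allow", "Principal": "*",
        "Action": "s3:PutObject", "Resource": required_object_arns(region)}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_cfn_access(policy, region):
    # Required object ARNs that no Allow statement covers. Deny statements are
    # not evaluated, so an empty result is necessary but not sufficient.
    missing = []
    for arn in required_object_arns(region):
        for stmt in _as_list(policy.get("Statement", [])):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if (stmt.get("Effect") == "Allow"
                    and any(fnmatch.fnmatchcase(REQUIRED_ACTION, a) for a in actions)
                    and any(fnmatch.fnmatchcase(arn, r) for r in resources)):
                break
        else:
            missing.append(arn)
    return missing

# Constructed example of the classic mistake: dashes kept in the custom-resource
# bucket name, so wait conditions work but custom resources never complete.
WRONG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::cloudformation-waitcondition-us-west-2/*",
                 "arn:aws:s3:::cloudformation-custom-resource-response-us-west-2/*"]}]}
```

Running missing_cfn_access against the policy attached to your S3 endpoint before a stack update catches the bucket-name mismatch that otherwise only surfaces as a timed-out custom resource.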
Creating the VPC Endpoint for AWS CloudFormation
To create the VPC endpoint for the AWS CloudFormation service, use the Creating an interface endpoint procedure in the Amazon VPC User Guide to create the following endpoint:
- com.amazonaws.region.cloudformation
- region represents the region identifier for an AWS region supported by AWS CloudFormation, such as `us-east-2` for the US East (Ohio) Region.