Meg Ashby
Meg is a Senior Cloud Security Engineer at Alloy, a NYC-based FinTech. As part of her role, she does a bit of anything and everything that relates to AWS and security. Previously, she worked in security and software engineering at Marcus by Goldman Sachs, and received a degree in Honors Mathematics (aka 'math party tricks') from the University of Texas at Austin. Outside of work, Meg enjoys taking ballet classes around the city with her friends.
Session
Many AWS cloud practitioners know VPC Endpoints (VPCEs) are best practice for securely accessing AWS and partner services privately within a VPC, but those who have worked with Interface VPCEs can tell you the per-hour running costs of those VPCEs can add up quickly. Thankfully, AWS provides a solution - a centralized access pattern for sharing Interface VPCEs and subscribing to those VPCEs from multiple VPCs. There is just one catch - with shared VPCEs come shared VPCE policies, traditionally limiting the specificity of such policies. Must least privilege be sacrificed to make the finance team happy? Not any longer! This session will cover how practitioners can shape their centralized VPCE policies to mimic functionality available in a distributed VPCE architecture.
To level-set understanding, this talk will open with a short overview of the centralized VPCE architecture, but familiarity with VPCs and with Interface VPCE functionality and concepts will be assumed. Following that, we will cover VPC connectivity options (VPC Peering and Transit Gateway) and high-level considerations, including character limits on VPCE policies and how VPCE policies interact with IAM policies and resource-based policies. Then we will cover the key IAM policy condition keys that can be used to restrict policies based on VPC / CIDR blocks (for subnet-level controls). Finally, we will put it all together with a live demo of various VPCE policies in action in a centralized VPCE architecture. At the end of the talk, participants will understand the centralized VPCE architecture and how to use Interface VPCE policies to design distinct permissions for each subscribed VPC.
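As an added illustration of the per-subscriber approach the session describes (example code written for this page, not material from the talk or from Alloy), the script below builds a single shared Interface VPCE policy with one Allow statement per subscribed VPC CIDR using the aws:VpcSourceIp condition key, checks the rendered document against an assumed 20,480-character size limit, and simulates which requests the endpoint policy on its own would let through. The CIDRs, bucket names, statement IDs and the size limit are constructed assumptions; the simulation covers only the endpoint policy layer, since AWS still evaluates the caller's IAM policy and the bucket policy separately.

```python
import fnmatch
import ipaddress
import json

# Assumed quota for a VPC endpoint policy document; confirm against current AWS limits.
MAX_POLICY_CHARS = 20480

# Constructed sample: each subscribed (spoke) VPC is identified by its CIDR and gets only
# the S3 actions and buckets it is meant to reach through the shared endpoint.
SUBSCRIBERS = [
    {"sid": "AllowVpcApp", "cidr": "10.10.0.0/16",
     "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::app-bucket/*"]},
    {"sid": "AllowVpcData", "cidr": "10.20.0.0/16",
     "actions": ["s3:GetObject", "s3:PutObject"], "resources": ["arn:aws:s3:::data-bucket/*"]},
]


def build_policy(subscribers):
    """One Allow per subscribed CIDR. aws:VpcSourceIp is used (assumption of this example)
    because the requester's private IP is what the shared endpoint sees across Peering/TGW,
    so the CIDR, not the endpoint's own VPC, is what tells subscribed VPCs apart."""
    statements = [{
        "Sid": s["sid"], "Effect": "Allow", "Principal": "*",
        "Action": s["actions"], "Resource": s["resources"],
        "Condition": {"IpAddress": {"aws:VpcSourceIp": s["cidr"]}},
    } for s in subscribers]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size_ok(policy):
    """Guard for the character limit the talk mentions: whitespace counts, so render compactly."""
    return len(json.dumps(policy, separators=(",", ":"))) <= MAX_POLICY_CHARS


def endpoint_allows(policy, source_ip, action, resource):
    """Minimal evaluation of the endpoint policy alone: no matching Allow means implicit deny.
    A Deny in the IAM or resource policy would still override any Allow found here."""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        if not any(fnmatch.fnmatch(resource, pat) for pat in st["Resource"]):
            continue
        if ip in ipaddress.ip_network(st["Condition"]["IpAddress"]["aws:VpcSourceIp"]):
            return True
    return False


POLICY = build_policy(SUBSCRIBERS)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2), "size ok:", policy_size_ok(POLICY))
```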