Create VPC Endpoints

The ECS tasks in this workshop run in the private subnets of the fcj VPC, so they reach ECR (the ecr.api and ecr.dkr services), the S3 bucket ECR stores image layers in, and Secrets Manager through VPC endpoints rather than over the internet. Each endpoint gets a custom endpoint policy that limits which principals and actions may use it. An endpoint policy is evaluated in addition to the caller's IAM policy, never instead of it: both must allow a request for it to succeed.

Create ecr.dkr Interface Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.

3. In the Endpoint settings section,

  • For Name tag, enter ecr-dkr-endpoint.
  • For Service category, select AWS services.

4. In the Services section,

  • Filter with value ecr.dkr.
  • Choose com.amazonaws.us-east-1.ecr.dkr.

5. In the VPC section, select the VPC named fcj.

6. In the Subnets section,

  • Select us-east-1a for Availability Zone and subnet-id / fcj-private-02 for Subnet ID.
  • Select us-east-1b for Availability Zone and subnet-id / fcj-private-05 for Subnet ID.

7. In the Security groups section, select the fcj-vpc-endpoint security group. It must allow inbound TCP 443 from the subnets the ECS tasks run in, because the endpoint's network interfaces are what receive the tasks' HTTPS connections.

8. In the Policy section,

  • Select Custom.
  • Fill out the following policy. Replace <YOUR-AWS-ACCOUNT-ID> with your account ID. The same policy is reused on the ecr.api endpoint below: layer downloads (ecr:BatchGetImage, ecr:GetDownloadUrlForLayer) traverse ecr.dkr, while ecr:GetAuthorizationToken traverses ecr.api, and each endpoint only evaluates the calls that pass through it. The result is that only ecsTaskExecutionRole can pull images through the endpoint, and nobody can delete the awsome-books repository through it.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PreventDelete",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "ecr:DeleteRepository",
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "AllowPull",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:BatchGetImage",
				"ecr:GetDownloadUrlForLayer"
			],
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "GetAuthorizationToken",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		}
	]
}

9. Under Additional settings, leave Enable DNS name checked (the default); without private DNS the ECR hostnames do not resolve to the endpoint and pulls from the private subnets fail. Scroll down to the bottom and click Create endpoint.

Create ecr.api Interface Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.

3. In the Endpoint settings section,

  • For Name tag, enter ecr-api-endpoint.
  • For Service category, select AWS services.

4. In the Services section,

  • Filter with value ecr.api.
  • Choose com.amazonaws.us-east-1.ecr.api.

5. In the VPC section, select the VPC named fcj.

6. In the Subnets section,

  • Select us-east-1a for Availability Zone and subnet-id / fcj-private-02 for Subnet ID.
  • Select us-east-1b for Availability Zone and subnet-id / fcj-private-05 for Subnet ID.

7. In the Security groups section, select the fcj-vpc-endpoint security group (the same group as for the ecr.dkr endpoint; it must allow inbound TCP 443 from the task subnets).

8. In the Policy section,

  • Select Custom.
  • Fill out the following policy, which is the same one used for the ecr.dkr endpoint. Replace <YOUR-AWS-ACCOUNT-ID> with your account ID. On this endpoint the statement that matters is GetAuthorizationToken, since token requests are ECR API calls; the PreventDelete statement blocks ecr:DeleteRepository for every caller that reaches ECR through the endpoint.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PreventDelete",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "ecr:DeleteRepository",
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "AllowPull",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:BatchGetImage",
				"ecr:GetDownloadUrlForLayer"
			],
			"Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
		},
		{
			"Sid": "GetAuthorizationToken",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
			},
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		}
	]
}

9. Under Additional settings, leave Enable DNS name checked (the default). Scroll down to the bottom and click Create endpoint.

Create s3 Gateway Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.

3. In the Endpoint settings section,

  • For Name tag, enter s3-endpoint.
  • For Service category, select AWS services.

4. In the Services section,

  • Filter by Type: Gateway.
  • Choose com.amazonaws.us-east-1.s3.

5. In the VPC section, select the VPC named fcj.

6. In the Route tables section, choose the main route table. A gateway endpoint only serves subnets whose route table has the prefix-list route it adds, so the selected table must be the one the private subnets fcj-private-02 and fcj-private-05 are associated with.

7. In the Policy section,

  • Select Custom.
  • Fill out the following policy. ECR stores image layers in a regional S3 bucket and redirects the layer download there, so this endpoint only needs to permit reads of that bucket (prod-us-east-1-starport-layer-bucket for us-east-1); every other S3 bucket stays unreachable through the endpoint. The principal is "*" because the Docker client fetches the layer with a pre-signed URL.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Access-to-specific-bucket-only",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"
		}
	]
}

8. Scroll down to the bottom. Click Create endpoint.

Create secretsmanager Interface Endpoint

1. Go to the AWS VPC console.

2. In the left sidebar,

  • Choose Endpoints.
  • Click Create endpoint.

3. In the Endpoint settings section,

  • For Name tag, enter secretsmanager-endpoint.
  • For Service category, select AWS services.

4. In the Services section,

  • Filter with value secretsmanager.
  • Choose com.amazonaws.us-east-1.secretsmanager.

5. In the VPC section, select the VPC named fcj.

6. In the Subnets section,

  • Select us-east-1a for Availability Zone and subnet-id / fcj-private-02 for Subnet ID.
  • Select us-east-1b for Availability Zone and subnet-id / fcj-private-05 for Subnet ID.

7. In the Security groups section, select the fcj-vpc-endpoint security group (it must allow inbound TCP 443 from the task subnets).

8. In the Policy section,

  • Select Custom.
  • Fill out the following policy. Replace <YOUR-AWS-ACCOUNT-ID> with your account ID. Only ecsTaskRole, the role the application code runs as, may read secrets through this endpoint. If the task definition injects secrets with the secrets / valueFrom mechanism instead, that read is performed by the task execution role, which would then also have to be listed as a principal here.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowTaskRoleRead",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskRole"
			},
			"Action": [
				"secretsmanager:GetSecretValue",
				"secretsmanager:DescribeSecret"
			],
			"Resource": "arn:aws:secretsmanager:us-east-1:<YOUR-AWS-ACCOUNT-ID>:secret:*"
		}
	]
}

9. Under Additional settings, leave Enable DNS name checked (the default) so that secretsmanager.us-east-1.amazonaws.com resolves to the endpoint. Scroll down to the bottom and click Create endpoint.

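The four console procedures above, scripted with the AWS CLI, as an added example that is not part of the original workshop. It builds the same four endpoint policies with the account ID substituted, lints each one for obvious over-permissiveness before anything is created, and emits the equivalent aws ec2 create-vpc-endpoint commands (with private DNS enabled on the interface endpoints). The VPC, subnet, security-group and route-table IDs are passed in as arguments because the page only shows their Name tags; the --dry-run switch, the lint rules and the function names are this example's own choices.

```python
"""Create the ECR, S3 and Secrets Manager VPC endpoints from the CLI.

Assumptions (not from the page): resource IDs are supplied as arguments,
and `aws` (CLI v2) is on PATH with credentials for the target account.
"""
import json
import shlex
import subprocess
import sys

REGION = "us-east-1"
ECR_REPO = "awsome-books"
# Bucket ECR serves image layers from in us-east-1 (same name as the page's S3 policy).
ECR_LAYER_BUCKET = "prod-us-east-1-starport-layer-bucket"


def ecr_policy(account_id):
    """Policy for BOTH ECR endpoints: pulls traverse ecr.dkr, GetAuthorizationToken ecr.api."""
    repo = f"arn:aws:ecr:{REGION}:{account_id}:repository/{ECR_REPO}"
    exec_role = {"AWS": f"arn:aws:iam::{account_id}:role/ecsTaskExecutionRole"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PreventDelete", "Effect": "Deny", "Principal": "*",
         "Action": "ecr:DeleteRepository", "Resource": repo},
        {"Sid": "AllowPull", "Effect": "Allow", "Principal": exec_role,
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"], "Resource": repo},
        {"Sid": "GetAuthorizationToken", "Effect": "Allow", "Principal": exec_role,
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    ]}


def s3_policy():
    """Gateway endpoint policy: only reads of ECR's layer bucket, nothing else in S3."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Access-to-specific-bucket-only", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{ECR_LAYER_BUCKET}/*"},
    ]}


def secretsmanager_policy(account_id):
    """Only the task role may read secrets through the endpoint."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowTaskRoleRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/ecsTaskRole"},
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": f"arn:aws:secretsmanager:{REGION}:{account_id}:secret:*"},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_policy(policy):
    """Least-privilege lint for an endpoint policy; returns a list of findings (empty = ok)."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version missing or old; use 2012-10-17")
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if st.get("Principal") == "*" and "*" in resources:
            findings.append(f"{sid}: anonymous principal with wildcard resource")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
    return findings


def create_endpoint_cmd(kind, service, name, vpc_id, policy,
                        subnet_ids=(), sg_ids=(), route_table_ids=()):
    """argv for `aws ec2 create-vpc-endpoint`; kind is "Interface" or "Gateway"."""
    cmd = ["aws", "ec2", "create-vpc-endpoint", "--region", REGION,
           "--vpc-id", vpc_id, "--vpc-endpoint-type", kind,
           "--service-name", f"com.amazonaws.{REGION}.{service}",
           "--policy-document", json.dumps(policy),
           "--tag-specifications",
           f"ResourceType=vpc-endpoint,Tags=[{{Key=Name,Value={name}}}]"]
    if kind == "Interface":
        # Private DNS is what makes the ECR / Secrets Manager hostnames resolve to the endpoint.
        cmd += ["--subnet-ids", *subnet_ids, "--security-group-ids", *sg_ids,
                "--private-dns-enabled"]
    else:
        cmd += ["--route-table-ids", *route_table_ids]
    return cmd


def plan(account_id, vpc_id, subnet_ids, sg_id, route_table_id):
    """The four endpoints from this page, in order, with their policies linted first."""
    specs = [
        ("Interface", "ecr.dkr", "ecr-dkr-endpoint", ecr_policy(account_id)),
        ("Interface", "ecr.api", "ecr-api-endpoint", ecr_policy(account_id)),
        ("Gateway", "s3", "s3-endpoint", s3_policy()),
        ("Interface", "secretsmanager", "secretsmanager-endpoint",
         secretsmanager_policy(account_id)),
    ]
    cmds = []
    for kind, service, name, policy in specs:
        bad = check_policy(policy)
        if bad:
            raise ValueError(f"{name}: {bad}")
        cmds.append(create_endpoint_cmd(kind, service, name, vpc_id, policy,
                                        subnet_ids, [sg_id], [route_table_id]))
    return cmds


if __name__ == "__main__":
    # usage: python endpoints.py ACCOUNT_ID vpc-xxx subnet-a,subnet-b sg-xxx rtb-xxx [--dry-run]
    acct, vpc, subnets, sg, rtb = sys.argv[1:6]
    for cmd in plan(acct, vpc, subnets.split(","), sg, rtb):
        print(shlex.join(cmd))
        if "--dry-run" not in sys.argv:
            subprocess.run(cmd, check=True)
```

Run it once with --dry-run to review the four commands and the rendered policies before creating anything; the lint raises before any command is built if a policy grants a wildcard action or pairs an anonymous principal with a wildcard resource, which is exactly the mistake that turns a private endpoint into an exfiltration path.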