1. Go to AWS VPC console.
2. In the left sidebar,
3. In the Endpoint settings section, enter ecr-dkr-endpoint.
4. In the Services section, select the ecr.dkr value.
5. In the VPC section, select the VPC named fcj.
6. In the Subnets section,
7. In the Security groups section, select fcj-vpc-endpoint security group.
8. In the Policy section, use the following policy:

{
  "Statement": [
    {
      "Sid": "PreventDelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "ecr:DeleteRepository",
      "Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
    },
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
    },
    {
      "Sid": "GetAuthorizationToken",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
      },
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}

9. Scroll down to the bottom. Click Create endpoint.
1. Go to AWS VPC console.
2. In the left sidebar,
3. In the Endpoint settings section, enter ecr-api-endpoint.
4. In the Services section, select the ecr.api value.
5. In the VPC section, select the VPC named fcj.
6. In the Subnets section,
7. In the Security groups section, select fcj-vpc-endpoint security group.
8. In the Policy section, use the following policy:

{
  "Statement": [
    {
      "Sid": "PreventDelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "ecr:DeleteRepository",
      "Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
    },
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
    },
    {
      "Sid": "GetAuthorizationToken",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
      },
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}

9. Scroll down to the bottom. Click Create endpoint.
1. Go to AWS VPC console.
2. In the left sidebar,
3. In the Endpoint settings section, enter s3-endpoint.
4. In the Services section, select the gateway type.
5. In the VPC section, select the VPC named fcj.
6. In the Route tables section, choose the main route table.
7. In the Policy section, use the following policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"
    }
  ]
}

8. Scroll down to the bottom. Click Create endpoint.
1. Go to AWS VPC console.
2. In the left sidebar,
3. In the Endpoint settings section, enter secretsmanager-endpoint.
4. In the Services section, select the secretsmanager value.
5. In the VPC section, select the VPC named fcj.
6. In the Subnets section,
7. In the Security groups section, select fcj-vpc-endpoint security group.
8. In the Policy section, use the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskRole"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:<YOUR-AWS-ACCOUNT-ID>:secret:*"
    }
  ]
}

9. Scroll down to the bottom. Click Create endpoint.
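The four endpoint policies above share one property worth checking before they are attached: every Allow statement scopes either the principal (the ECS task roles) or the resource (one ECR repository, one S3 bucket). The added Python linter below (not part of the workshop) verifies that property, using the S3 gateway policy from the steps above and a constructed full-access policy as the weak counterpart, and serializes a policy for `aws ec2 create-vpc-endpoint --policy-document`.

```python
import json

# Constructed samples: the S3 gateway endpoint policy from the steps above,
# next to a wide-open "allow everything" endpoint policy for comparison.
SCOPED_S3_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*",
    }],
}
FULL_ACCESS_POLICY = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller in any account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))

def find_open_allows(policy):
    """Return Sids (or positions) of Allow statements that scope neither the
    principal nor the action/resource. Through an endpoint, such a statement
    lets any identity reach any bucket or repository of that service, which
    is exactly the path a restrictive endpoint policy is meant to close."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; never a finding
        wide_target = "*" in as_list(stmt.get("Resource")) or "*" in as_list(stmt.get("Action"))
        if principal_is_anyone(stmt.get("Principal")) and wide_target:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def policy_document(policy):
    """Serialise for `aws ec2 create-vpc-endpoint --policy-document file://...`."""
    return json.dumps(policy, indent=2)
```

Run `find_open_allows` over each policy on this page before creating the endpoint; an empty result means every Allow statement is scoped.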
CloudWatch Logs are essential for debugging your AWS services in many circumstances. For example, without logging enabled, it can take hours or even days to work out why AWS ECS tasks failed to run properly.