5.5.3 Configuring IAM Policies for Endpoints

After you have updated the authorized principals in HeatWave on AWS, configure IAM policies in your AWS account to grant principals the permissions to create and delete VPC endpoints. See Principal.

If you are already using AWS-managed IAM policies for permission management, check that your current AWS-managed IAM policies grant principals the permission to create and delete VPC endpoints. If not, add the appropriate managed policies to the principals you wish to authorize for VPC endpoint management. The following policies enable you to create and delete endpoints:

  • NetworkAdministrator
  • AmazonVPCFullAccess and AmazonRoute53FullAccess

These AWS managed policies grant far broader permissions than PrivateLink endpoint management requires (NetworkAdministrator and AmazonVPCFullAccess cover essentially all VPC networking actions). For enhanced security, administer your AWS account so that each IAM principal receives only the least privilege it needs. For AWS guidance on how to grant least privilege, see Grant least privilege.

If you are using least-privilege permissions in your AWS account, add policies enabling specific principals to create and delete VPC endpoints for a given PrivateLink. See Control the service names that can be specified for VPC endpoint services.

To limit a least-privilege policy to this PrivateLink, add a Condition element to the statement that allows ec2:CreateVpcEndpoint and ec2:DeleteVpcEndpoints. You can match either the service name of the PrivateLink (ec2:VpceServiceName) or the AWS account ID of the service owner (ec2:VpceServiceOwner), as shown below. Both values are available from the PrivateLink details in HeatWave on AWS; see Viewing PrivateLink Details.

Restrict by PrivateLink service name:

    "Condition": {
        "StringEquals": {
            "ec2:VpceServiceName": "<privatelink-service-name>"
        }
    }

Restrict by account ID of the service owner:

    "Condition": {
        "StringEquals": {
            "ec2:VpceServiceOwner": "612981981079"
        }
    }
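The following is an added example (not part of the HeatWave on AWS documentation) of a complete least-privilege policy built around one of the two conditions above, together with a small check that flags statements which grant ec2:CreateVpcEndpoint without a service-scoping condition, which is what the broad AWS managed policies do. The function names, the Sid values, the "<privatelink-service-name>" placeholder and the region wildcard are assumptions; the account ID 612981981079 is the ec2:VpceServiceOwner value shown above. Note the design choice: the condition is attached only to the vpc-endpoint ARN, because ec2:VpceServiceName and ec2:VpceServiceOwner are not available when IAM evaluates the VPC, subnet and security-group ARNs that the same CreateVpcEndpoint call touches, so those resources get a separate statement without the condition.

```python
"""Least-privilege IAM policy for managing VPC endpoints to one PrivateLink.

Added example; not HeatWave or AWS code. Function names, Sids and the
region wildcard are hypothetical choices for illustration.
"""
import json

# Condition keys that scope endpoint creation to a single PrivateLink service.
SCOPING_KEYS = ("ec2:VpceServiceName", "ec2:VpceServiceOwner")


def build_endpoint_policy(service_name=None, service_owner=None, region="*"):
    """Return an IAM policy document (dict) that allows creating and deleting
    VPC endpoints only for the PrivateLink identified by service name or by
    the owning account ID. Exactly one of the two must be given."""
    if (service_name is None) == (service_owner is None):
        raise ValueError("specify exactly one of service_name or service_owner")
    key, value = (
        ("ec2:VpceServiceName", service_name) if service_name
        else ("ec2:VpceServiceOwner", service_owner)
    )
    arn = f"arn:aws:ec2:{region}:*:"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Scoping condition lives on the vpc-endpoint resource only.
                "Sid": "ManageEndpointsForOnePrivateLink",
                "Effect": "Allow",
                "Action": ["ec2:CreateVpcEndpoint", "ec2:DeleteVpcEndpoints"],
                "Resource": arn + "vpc-endpoint/*",
                "Condition": {"StringEquals": {key: value}},
            },
            {
                # CreateVpcEndpoint also authorizes against these ARNs, where
                # the Vpce* condition keys are absent, so no condition here.
                "Sid": "NetworkResourcesUsedByCreateVpcEndpoint",
                "Effect": "Allow",
                "Action": "ec2:CreateVpcEndpoint",
                "Resource": [arn + "vpc/*", arn + "subnet/*", arn + "security-group/*"],
            },
            {
                # Describe calls do not support resource-level permissions.
                "Sid": "ReadOnlyEndpointInformation",
                "Effect": "Allow",
                "Action": ["ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices"],
                "Resource": "*",
            },
        ],
    }


def unscoped_endpoint_statements(policy):
    """Return the Sids (or positional labels) of Allow statements that grant
    ec2:CreateVpcEndpoint on vpc-endpoint ARNs or on "*" without one of the
    service-scoping condition keys. A broad policy such as one with
    Action "ec2:*" / Resource "*" is reported; the policy above is not."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("ec2:CreateVpcEndpoint", "ec2:*", "*") for a in actions):
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if not any(r == "*" or ":vpc-endpoint/" in r for r in resources):
            continue
        # Collect every condition key regardless of operator (StringEquals, ...).
        keys = {k for operator in st.get("Condition", {}).values() for k in operator}
        if not keys & set(SCOPING_KEYS):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    policy = build_endpoint_policy(service_owner="612981981079")
    print(json.dumps(policy, indent=4))
    print("unscoped statements:", unscoped_endpoint_statements(policy))
```

Run the script to print the policy document, then attach it to the principal with `aws iam create-policy --policy-document file://policy.json` and `aws iam attach-user-policy` (or the role/group equivalent). Running unscoped_endpoint_statements over an existing policy before attaching it is a quick way to catch an accidental Resource "*" grant without the scoping condition.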