
-: Hey, everyone, and welcome back.

Now, in today's video, we'll be discussing VPC endpoint policies.

At a high-level overview, whenever you go ahead and create a VPC endpoint, let's assume a gateway endpoint, you can attach an endpoint policy to it that controls the access to the service that you are connecting to. For example, let's say that you have a VPC endpoint over here, and the traffic to the S3 service from the EC2 instance is directed through it. Within S3, there are two buckets available: you have a demo bucket and you have the KPL apps bucket.

Now, by default, the EC2 instance will be able to communicate with both of the buckets, considering that it has its associated proper IAM role. However, as an additional measure, at the VPC endpoint level you can also go ahead and control the traffic to a specific S3 bucket. So, for example, you have an endpoint policy which says allow connection to the demo bucket. If this endpoint policy is associated, then even though the EC2 instance has full S3 permissions, it will only be able to communicate with the demo bucket. It will not be able to communicate with the KPL apps bucket, considering that the traffic is flowing through the VPC endpoint.

And this is the basic idea behind VPC endpoint policies.

So let's do one thing. Let's go ahead and try this out practically to understand it in a better way.

Currently, we have a gateway endpoint for the S3 service that is available. If you look into the policy over here, by default the endpoint policy allows all connections to all resources. So this is one of the default policies. However, if we need, we can go ahead and customize it as well.

So for today's demo, in the region where our endpoint is created, which is US West Two, I have two S3 buckets. Based on these two S3 buckets, we'll go ahead and design our endpoint policies.

Before we start to write our endpoint policies, from our private EC2 instance let's go ahead and verify the connection to both of these S3 buckets. First, we'll do an `aws s3 ls` on one of the buckets here. Let's press Enter. And as expected, we are able to see the results. In a similar way, we'll go ahead and connect to the other S3 bucket within the same region. Let's press Enter, and we are able to see the content.

So basically, both of these S3 buckets have a similar file.

Now let's go ahead and design a policy where the VPC endpoint will only allow connection to the second bucket from here, which is temp endpoint US West Two. It should not allow connection to any other S3 buckets.

So now, from the endpoint, let's go ahead and edit the policy. There are multiple ways in which you can create a policy. One of the easiest ways is to use a policy creation tool. So let's go ahead and open this up. Within the policy creation tool, you can easily select the basic context, and the policy will be created for you.

The policy type will be VPC endpoint policy. For the Principal, let's just put it as star (*). Within the AWS service, we'll just use S3. Within the actions, we'll just use all actions, and then you have to specify the ARN. Now, the ARN you can either directly write, or you can even get it from the S3 console. So if I go to Properties, you can basically get the ARN. Let me paste the ARN. And once I add the statement, we can quickly generate the policy.

So this is the policy that is created. Let me copy this.

Within the policy, I'll select Custom, and let's paste our policy here. Based on this policy, only the connection to this S3 bucket would be allowed. Let's try it out. I'll just quickly do a save. And as expected, now you see we have a custom policy.

Now, from our private EC2 instance, if we connect to temp endpoint US West Two, so this is the S3 bucket that is allowed within the endpoint policy, it is working perfectly well. If we try to connect to temp endpoint two, so this is our second S3 bucket, immediately you see you are getting access denied on the operations associated with this S3 bucket.

Great.

So I hope, at a high-level overview, you understood the importance of VPC endpoint policies. This allows a great number of customizations and access controls based on the requirements of your organization.

Now, a few important things that you should know when we discuss policy decisions, specifically in a VPC endpoint based architecture.

The first important policy-based decision comes from the IAM role which is associated with the EC2 instance, or, if you have an access key and secret key, from the policy associated with that access key and secret key. So this is the first step. Only after the EC2 instance is authorized can the decision be made.

The next important decision, which can be allow or deny, is at the gateway VPC endpoint level. We have already seen how we can go ahead and create a resource-level policy at the VPC endpoint level.

And the third place where the policy decision can allow or deny is at the S3 level. So you can go ahead and create an S3 bucket policy which can also deny the connection.

So whenever you are going ahead and implementing a VPC endpoint based architecture and for some reason you are getting access denied, these are the three primary places that you need to look into as part of the troubleshooting steps.

That's great.

So with this, we'll conclude today's video.
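The following is an added example, not code from the video. It writes out the custom endpoint policy built in the demo (restricting `s3:*` to one bucket) and then walks the three checks the video names for troubleshooting, IAM role policy, gateway endpoint policy and bucket policy, as a small evaluator, so you can see which layer turns a request into AccessDenied. Bucket names (`temp-endpoint-us-west-2`, `temp-endpoint-2`) and the statement ID are assumptions; the evaluator models only the wildcard matching and allow/deny ordering relevant here, not every nuance of real IAM evaluation.

```python
"""Added example (not the video's code): the S3 gateway endpoint policy from the
demo plus an evaluator for the three policy checks the video lists
(IAM role, endpoint policy, bucket policy). Bucket names are assumptions."""
import json
from fnmatch import fnmatchcase

ALLOWED_BUCKET = "temp-endpoint-us-west-2"  # assumed name of the bucket the demo allows
OTHER_BUCKET = "temp-endpoint-2"            # assumed name of the second bucket


def endpoint_policy(bucket: str) -> dict:
    """Endpoint policy that keeps s3:* but only for one bucket.

    Principal "*" is expected here: an endpoint policy grants nothing by itself,
    it only filters requests that travel through the endpoint. The bucket ARN
    alone covers s3:ListBucket (what `aws s3 ls` needs); object operations such
    as s3:GetObject match the "<bucket>/*" form, so both are listed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyOneBucket",  # assumed statement ID
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def render_policy(policy: dict) -> str:
    """JSON text to paste into the endpoint's Custom policy box."""
    return json.dumps(policy, indent=2)


# Default policy on a new gateway endpoint: everything allowed.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Identity policy of the instance role in the demo: full S3 access.
FULL_S3_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decision of one policy document: Deny, Allow or ImplicitDeny.
    IAM action names are case-insensitive and "*" is the wildcard."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation
            decision = "Allow"
    return decision


def authorize(action, resource, identity_policy, endpoint_policy_doc, bucket_policy=None):
    """Walk the three places the video names. Any explicit Deny wins. Otherwise the
    caller needs an Allow from its identity policy (or, same account, from the
    bucket policy) AND the endpoint policy must Allow, because the request only
    reaches S3 through the endpoint. Returns the verdict plus each layer's own
    decision, which is what you want when troubleshooting AccessDenied."""
    layers = {
        "iam": evaluate(identity_policy, action, resource),
        "endpoint": evaluate(endpoint_policy_doc, action, resource),
    }
    if bucket_policy is not None:
        layers["bucket"] = evaluate(bucket_policy, action, resource)
    if "Deny" in layers.values():
        return "AccessDenied", layers
    principal_ok = layers["iam"] == "Allow" or layers.get("bucket") == "Allow"
    if principal_ok and layers["endpoint"] == "Allow":
        return "Allowed", layers
    return "AccessDenied", layers


def demo() -> dict:
    """Reproduces the video's `aws s3 ls` runs before and after the custom policy."""
    custom = endpoint_policy(ALLOWED_BUCKET)
    allowed_arn = f"arn:aws:s3:::{ALLOWED_BUCKET}"
    other_arn = f"arn:aws:s3:::{OTHER_BUCKET}"
    return {
        "default_policy_other_bucket": authorize("s3:ListBucket", other_arn, FULL_S3_ROLE, DEFAULT_ENDPOINT_POLICY)[0],
        "custom_policy_allowed_bucket": authorize("s3:ListBucket", allowed_arn, FULL_S3_ROLE, custom)[0],
        "custom_policy_other_bucket": authorize("s3:ListBucket", other_arn, FULL_S3_ROLE, custom)[0],
    }


if __name__ == "__main__":
    print(render_policy(endpoint_policy(ALLOWED_BUCKET)))
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Running the block prints the policy document and three verdicts: with the default endpoint policy the second bucket is reachable, with the custom policy only the allowed bucket is, and the per-layer results show the denial comes from the endpoint layer as an implicit deny while the IAM layer still says Allow. Note the caveat in `endpoint_policy`: if you paste only the bucket ARN from the console, as in the video, `aws s3 ls` keeps working because it needs `s3:ListBucket` on the bucket, but `s3:GetObject` on objects would also be denied until the `/*` resource is added.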
