AWS Cloud Operations Blog
Amazon Managed Service for Prometheus now offers VPC endpoint policy support
Today, Amazon Managed Service for Prometheus announces support for Amazon Virtual Private Cloud (Amazon VPC) endpoint policies. With VPC endpoint policy support, customers can further control access to Amazon Managed Service for Prometheus by restricting which users may use the endpoint and which actions they may perform through it. Amazon Managed Service for Prometheus is a fully managed Prometheus-compatible monitoring service that monitors and alarms on operational metrics at scale. It does this without you having to manage the underlying infrastructure required to scale and secure the ingestion, storage, alerting, and querying of metrics. With interface VPC endpoints, customers can privately and reliably connect their VPC resources to their Amazon Managed Service for Prometheus workspace. However, customers had told us that they wanted to further control access to their Amazon Managed Service for Prometheus workspaces by restricting the allowable actions or the users that are allowed to access the service.
Customers can now control which AWS principals (AWS accounts, IAM users, and IAM roles) use the VPC endpoint to access Amazon Managed Service for Prometheus and its APIs. A VPC endpoint policy is an IAM resource policy that you can attach to a VPC endpoint which can be configured in the Amazon VPC console. For more information on VPC endpoint policies, see Control access to services using endpoint policies.
To start using VPC endpoint policies, if you do not already have an interface VPC endpoint for Amazon Managed Service for Prometheus, create one by following the steps outlined in Using Amazon Managed Service for Prometheus with interface VPC endpoints. Then, attach a VPC endpoint policy to the newly created VPC endpoint.
The following VPC endpoint policy examples show how policies can be used to restrict the allowable actions and the AWS principals that can access the service (1), and to restrict requests to a specific source IP address (2).
VPC endpoint policy examples
Example 1: VPC endpoint policy granting access to specific principals
Below is an example of a VPC endpoint policy that allows only the specified IAM user to use the VPC endpoint for read-only actions such as DescribeWorkspace and ListWorkspaces on their Amazon Managed Service for Prometheus workspaces. The user named in the policy is not able to perform other actions, such as CreateWorkspace or DeleteWorkspace, through this endpoint.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonManagedPrometheusPermissions",
            "Effect": "Allow",
            "Action": [
                "aps:DescribeWorkspace",
                "aps:DescribeRuleGroupsNamespace",
                "aps:ListRuleGroupsNamespace",
                "aps:ListWorkspaces"
            ],
            "Resource": "arn:aws:aps:*:*:/workspaces*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/ops"
                ]
            }
        }
    ]
}
Example 2: VPC endpoint policy allowing requests from a specific IP address
Below is an example of how to allow all requests that arrive from a given private IP address in a given VPC, using the aws:VpcSourceIp and aws:SourceVpc condition keys. Query requests from the specified IP address will succeed, while query requests from any other IP address will fail.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "aps:*",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:VpcSourceIp": "10.0.140.7"
                },
                "StringEquals": {
                    "aws:SourceVpc": "vpc-111122223333"
                }
            }
        }
    ]
}
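To see how the two policies above gate requests before you attach them, the following added example (not AWS code, and not the service's own evaluator) models the small subset of IAM policy evaluation they use: AWS principals, action and resource wildcards, and the IpAddress and StringEquals condition operators. The principal in Example 1 is written as the IAM user ops in the example account; request contexts are constructed for illustration.

```python
import fnmatch
import ipaddress
# The post's two policies as dicts (principal written as the IAM user "ops" in
# the post's example account; everything else exactly as shown above).
POLICY_1 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "arn:aws:aps:*:*:/workspaces*",
    "Action": ["aps:DescribeWorkspace", "aps:DescribeRuleGroupsNamespace",
               "aps:ListRuleGroupsNamespace", "aps:ListWorkspaces"],
    "Principal": {"AWS": ["arn:aws:iam::111122223333:user/ops"]}}]}
POLICY_2 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "aps:*", "Principal": "*", "Resource": "*",
    "Condition": {"IpAddress": {"aws:VpcSourceIp": "10.0.140.7"},
                  "StringEquals": {"aws:SourceVpc": "vpc-111122223333"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches_any(value, patterns):
    # IAM's * and ? wildcards behave like shell globs; "*" alone matches all.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # a key missing from the request never matches
                return False
            if operator == "IpAddress":
                nets = [ipaddress.ip_network(w, strict=False) for w in _as_list(wanted)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True

def _statement_matches(stmt, principal, action, resource, ctx):
    p = stmt["Principal"]
    principal_ok = p == "*" or principal in _as_list(p.get("AWS", []))
    return (principal_ok and _matches_any(action, stmt["Action"])
            and _matches_any(resource, stmt["Resource"])
            and _conditions_hold(stmt.get("Condition", {}), ctx))

def endpoint_allows(policy, principal, action, resource, ctx=None):
    """Explicit Deny wins, else pass only if an Allow statement matches. The
    caller's IAM identity policy must still grant the action on its own."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal, action, resource, ctx or {})}
    return "Deny" not in effects and "Allow" in effects
```

Note that an endpoint policy only narrows what the endpoint will forward; a request it permits still has to be authorized by the caller's identity policy and the workspace's own permissions.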
Conclusion
In this launch blog post, we showed how customers can use VPC endpoint policies to control access to Amazon Managed Service for Prometheus. To learn more about VPC endpoint policies, see Control access to services using endpoint policies. For more information and hands-on experience with Amazon Managed Prometheus, check out the interactive and immersive One Observability Workshop.