I have the following setup:

  • A VPC in us-east-1
  • An Endpoint for SSM in the VPC
  • SG group blocks all outbound and inbound except my IP and self-reference

I was under the impression that you can ping/curl AWS services in a VPC with an endpoint, so that you don't have to allow an outbound rule that's open to 0.0.0.0 (or to all the IPs for AWS services).

But when I try to run this from the instance:

curl https://ssm.us-east-1.amazonaws.com/

I'm not getting any response. What could be going wrong here?

Additionally, I want to access iam.amazonaws.com too, but I cannot find any endpoint for IAM. How can I access that via the VPC?

  • Have you tried accessing SSM via DNS record associated with VPC endpoint? like `vpce-...` – Oleksii Donoha May 22 '20 at 17:37
  • Update: I tried and it works. Looks like I need to enable DNS hostnames in my VPC. Do you have any suggestions for accessing iam.amazonaws.com? I don't see IAM as an endpoint. – NEO May 22 '20 at 20:43
  • I'm not aware whether there is a way to access IAM service from VPC – Oleksii Donoha May 22 '20 at 21:19
  • When you say "SG group blocks all outbound", is that a Security Group on an Amazon EC2 instance? (You don't specifically mention an instance being in the VPC.) If you change the security group to allow All Outbound traffic, does it work? Typically, you should leave the outbound security group rules as default, permitting all traffic. – John Rotenstein May 23 '20 at 04:54
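As an added diagnostic (not part of the question or the comments), the Python helper below classifies what the regional service hostname resolves to: addresses inside the VPC CIDR mean private DNS for the interface endpoint is in effect, while a public address means the request would leave the VPC and be subject to the security group's outbound rules. The VPC CIDR, sample DNS answers and egress CIDRs are constructed values.

```python
import ipaddress
import socket

# Constructed sample data: a VPC CIDR and the DNS answers one would see for
# ssm.us-east-1.amazonaws.com before and after private DNS for the interface
# endpoint takes effect (the IPs are made up for illustration).
VPC_CIDR = "10.0.0.0/16"
PUBLIC_ANSWER = ["52.46.141.158"]            # constructed public service IP
ENDPOINT_ANSWER = ["10.0.1.25", "10.0.2.88"]  # constructed endpoint ENI IPs


def resolve(hostname):
    """Resolve a hostname to its IPv4 addresses; [] if DNS lookup fails."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def classify(addresses, vpc_cidr):
    """'endpoint' when every answer lies in the VPC CIDR (private DNS is
    working), 'public' when traffic would leave the VPC, 'no-dns' when the
    lookup returned nothing (enableDnsSupport / enableDnsHostnames off)."""
    net = ipaddress.ip_network(vpc_cidr)
    if not addresses:
        return "no-dns"
    if all(ipaddress.ip_address(a) in net for a in addresses):
        return "endpoint"
    return "public"


def diagnose(addresses, vpc_cidr, egress_cidrs):
    """Return (path, egress_allowed): the path the request takes and whether
    any of the security group's outbound CIDRs covers the resolved address.
    A 'public' path with egress_allowed False is the symptom in the question:
    curl hangs because the only outbound rules are a single IP and the SG
    itself, and the resolved public IP matches neither."""
    path = classify(addresses, vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in egress_cidrs]
    allowed = any(ipaddress.ip_address(a) in n for a in addresses for n in nets)
    return path, allowed


if __name__ == "__main__":
    # Constructed egress rules: "my IP" only, as in the question's setup.
    my_ip_only = ["203.0.113.7/32"]
    print(diagnose(PUBLIC_ANSWER, VPC_CIDR, my_ip_only))    # ('public', False)
    print(diagnose(ENDPOINT_ANSWER, VPC_CIDR, [VPC_CIDR]))  # ('endpoint', True)
    print(classify(resolve("ssm.us-east-1.amazonaws.com"), VPC_CIDR))
```

Run it from the instance itself: an 'endpoint' result for the live lookup means DNS is steering traffic to the endpoint ENIs, and the remaining requirement is that the instance's outbound rules permit TCP 443 to those ENIs.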