
AWS recommends QLDB Standard permissions mode instead of Allow_all in order to allow least privilege access for resources which need to run operations on QLDB.

Reference: https://docs.aws.amazon.com/qldb/latest/developerguide/getting-started-standard-mode.html

However, if you are using VPC endpoints to have a private channel between these resources and QLDB, according to the following documentation only the SendCommand action is supported by VPC endpoints: "This policy example specifies only the SendCommand action because it's the only QLDB action that currently supports interface endpoints."

Reference: https://docs.aws.amazon.com/qldb/latest/developerguide/vpc-endpoints.html

That being said, it looks like it is not possible to implement QLDB standard mode through a VPC endpoint.

Is that assumption right or is it possible to have QLDB standard mode + VPC endpoint?

2 Answers


I've updated a little POC to show QLDB in standard mode working with a VPC endpoint. You can find the repo here - https://github.com/AWS-South-Wales-User-Group/qldb-vpc

Matt Lewis

Thanks for your feedback on the doc. QLDB standard mode + VPC endpoint is supported. You are able to restrict permissions to run PartiQL commands on QLDB resources with IAM actions in standard mode, e.g. qldb:PartiQLCreateTable.

Ang
  • I tried to use these IAM actions by following the page you shared and was not able to get it working with standard mode + VPC endpoint. I basically have an IAM policy attached to a role used by a Lambda function that is trying to communicate with QLDB through the VPC endpoint, and also a policy attached to the QLDB VPC endpoint. Please check both here: https://pastebin.com/0EVgnDip – Thiago Scodeler Nov 23 '22 at 10:34
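The following is an added example, not code from the question, the answers or the linked POC repo. It lays out the two policies a request over the interface endpoint has to satisfy in STANDARD permissions mode and a small evaluator that checks a PartiQL statement against both. The point it illustrates is the one both answers make: the endpoint policy only ever needs qldb:SendCommand (the one action the doc quoted in the question says interface endpoints support), while the per-statement qldb:PartiQL* actions are evaluated against the role's identity policy on the table ARNs, so standard mode and a VPC endpoint do not conflict. Region, account ID, ledger name and table ID are placeholders, and the evaluator is a simplification (Allow statements with wildcards only, no Deny and no conditions); treat both as assumptions rather than a description of AWS internals.

```python
"""Added example (not from the original post): STANDARD-mode QLDB access via a
VPC interface endpoint, modelled as two policies that must both allow a request.

Assumptions (not stated on the page): placeholder region/account/ledger/table,
only Allow statements with action/resource wildcards (no Deny, no conditions),
and the endpoint policy is consulted for qldb:SendCommand only, since that is
the single QLDB action interface endpoints support per the quoted doc.
"""
from fnmatch import fnmatchcase

REGION, ACCOUNT, LEDGER = "eu-west-1", "123456789012", "my-ledger"  # placeholders
LEDGER_ARN = f"arn:aws:qldb:{REGION}:{ACCOUNT}:ledger/{LEDGER}"
TABLE_ARN = f"{LEDGER_ARN}/table/*"          # STANDARD mode addresses tables by ID

# Identity policy on the Lambda role: open a session on the ledger, then only
# the PartiQL actions this workload actually needs on the ledger's tables.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "qldb:SendCommand", "Resource": LEDGER_ARN},
        {"Effect": "Allow",
         "Action": ["qldb:PartiQLSelect", "qldb:PartiQLInsert", "qldb:PartiQLUpdate"],
         "Resource": TABLE_ARN},
    ],
}

# Endpoint policy on the interface endpoint: SendCommand is the only QLDB
# action the endpoint supports, so nothing else belongs here.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "qldb:SendCommand",
         "Resource": LEDGER_ARN},
    ],
}

# Leading PartiQL keyword(s) -> IAM action STANDARD mode checks for it.
STATEMENT_ACTIONS = {
    "SELECT": "qldb:PartiQLSelect",
    "INSERT": "qldb:PartiQLInsert",
    "UPDATE": "qldb:PartiQLUpdate",
    "DELETE": "qldb:PartiQLDelete",
    "CREATE TABLE": "qldb:PartiQLCreateTable",
    "DROP TABLE": "qldb:PartiQLDropTable",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """True if some Allow statement matches both action (case-insensitive,
    wildcard) and resource (wildcard). Deny/conditions are not modelled."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])) \
           and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def statement_action(partiql):
    """Map a PartiQL statement to the IAM action STANDARD mode evaluates."""
    head = " ".join(partiql.strip().upper().split()[:2])
    for prefix, action in STATEMENT_ACTIONS.items():
        if head.startswith(prefix):
            return action
    raise ValueError(f"unsupported statement: {partiql!r}")


def can_run(partiql, mode="STANDARD", table_arn=TABLE_ARN.replace("*", "t1")):
    """Decide whether the Lambda role may run `partiql` through the endpoint.

    The request must pass the endpoint policy for SendCommand on the ledger,
    the role policy for SendCommand, and, in STANDARD mode only, the role
    policy for the statement's PartiQL action on the table resource.
    """
    if not policy_allows(ENDPOINT_POLICY, "qldb:SendCommand", LEDGER_ARN):
        return False
    if not policy_allows(ROLE_POLICY, "qldb:SendCommand", LEDGER_ARN):
        return False
    if mode == "ALLOW_ALL":          # ALLOW_ALL stops at SendCommand
        return True
    return policy_allows(ROLE_POLICY, statement_action(partiql), table_arn)


if __name__ == "__main__":
    for stmt in ("SELECT * FROM t1", "INSERT INTO t1 VALUE {'id': 1}", "DROP TABLE t1"):
        print(f"{stmt:35s} STANDARD={can_run(stmt)} ALLOW_ALL={can_run(stmt, 'ALLOW_ALL')}")
```

Running the block shows the difference the question is about: under ALLOW_ALL every statement passes once SendCommand is allowed, whereas under STANDARD the DROP TABLE is refused by the role policy even though the endpoint policy is identical in both cases. When debugging a setup like the one in the comment above, that is the split to check: a failure to open the session points at the endpoint policy or the role's SendCommand grant on the ledger ARN, while a failure on a specific statement points at the PartiQL action or the table ARN in the role policy.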