Updated on 2024-09-26 GMT+08:00

Managing the Policy of a VPC Endpoint

VPC endpoint policies are a type of resource-based policy. You can configure a policy to control which principals can use the VPC endpoint to access Huawei Cloud services.

VPC endpoint policies do not override or replace the identity-based or resource-based policies in IAM. For example, if you have accessed OBS using a gateway VPC endpoint, you can still set OBS bucket policies to control access to an OBS bucket from a specific VPC endpoint or VPC.

There are two types of VPC endpoint policies:

  • Policies of gateway VPC endpoints: policies configured to control which VPC endpoints can access gateway VPC endpoint services.
    • After this function is enabled, you can create custom policies. If you do not customize policies, the FullAccess policy is used by default.
      Default Policy:
      [
          {
              "Effect": "Allow",
              "Action": "*",
              "Resource": [
                  "*",
                  "*/*"
              ]
          }
      ]
    • If this function is disabled, you cannot create custom policies.
  • Policies of interface VPC endpoints: policies configured to control which VPC endpoints can access interface VPC endpoint services.
    • After this function is enabled, you can create custom policies. If you do not customize policies, the FullAccess policy is used by default.
      Default Policy:
      {
          "Version": "5.0",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": "*",
                  "Action": [
                      "*"
                  ],
                  "Resource": [
                      "*"
                  ]
              }
          ]
      }
    • If this function is disabled, you cannot create custom policies.

Constraints

  • A VPC endpoint policy is a JSON document in the format of an IAM policy, and it must comply with the grammar and structure of IAM permission policies.
  • When creating an interface VPC endpoint for accessing a Huawei Cloud service, you can configure a policy for a single VPC endpoint and update the policy in real time. If you do not configure a VPC endpoint policy, full access is allowed for the VPC endpoint by default.
  • Some Huawei Cloud services support VPC endpoint policies. For details, see the console. If a cloud service does not support VPC endpoint policies, the service can be accessed by any VPC endpoint.
  • When you create a VPC endpoint for accessing a private service, full access is allowed for the VPC endpoint.
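As an added example (not code from this page or from the VPC Endpoint service), a small Python evaluator for policy documents in the shape shown above: it accepts both the gateway form (a bare statement list) and the interface form (Version plus Statement), decides a request against a policy, and flags a policy that is still the default FullAccess policy. The restricted sample policy, its action and resource names, and the IAM-style evaluation order are assumptions.

```python
from fnmatch import fnmatchcase
# Constructed samples of the two default FullAccess policies shown above: a
# gateway policy is a bare statement list, an interface policy wraps it in "Statement".
GATEWAY_DEFAULT = [{"Effect": "Allow", "Action": "*", "Resource": ["*", "*/*"]}]
INTERFACE_DEFAULT = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["*"], "Resource": ["*"]}]}

# Hypothetical custom policy: allow reads of one bucket through the endpoint and
# deny one prefix. Action and resource names are IAM-style placeholders.
RESTRICTED = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["obs:object:Get*"],
     "Resource": ["example-bucket/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": ["*"],
     "Resource": ["example-bucket/secret/*"]},
]}

def _as_list(value):
    # IAM-style documents allow a single string where a list is expected.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # "*" spans any characters, "/" included, so "*/*" covers every object.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def statements(policy):
    return policy if isinstance(policy, list) else policy["Statement"]

def evaluate(policy, principal, action, resource):
    """Return "Allow" or "Deny". Assumes IAM-style evaluation (explicit Deny
    wins, else any matching Allow grants, else deny); verify on the console."""
    allowed = False
    for stmt in statements(policy):
        if not _matches(stmt.get("Principal", "*"), principal):
            continue
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def is_full_access(policy):
    """True if an Allow statement grants "*" on "*" to any principal (default policy)."""
    return any(stmt["Effect"] == "Allow"
               and _matches(stmt.get("Principal", "*"), "any-principal")
               and "*" in _as_list(stmt["Action"])
               and "*" in _as_list(stmt["Resource"])
               for stmt in statements(policy))
```

Running is_full_access over exported endpoint policies is a quick way to list endpoints that were never given a custom policy.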

Configuring a Policy of a VPC Endpoint

You can enable Policy when buying a VPC endpoint. For details, see Buying a VPC Endpoint.

Viewing the Policy of a VPC Endpoint

  1. Log in to the VPC Endpoint console.
  2. Click in the upper left corner and select the desired region and project.
  3. In the VPC endpoint list, click the VPC endpoint ID.
  4. Click the Policy tab and view the VPC endpoint policy.

Modifying the Policy of a VPC Endpoint

  1. Log in to the VPC Endpoint console.
  2. Click in the upper left corner and select the desired region and project.
  3. In the VPC endpoint list, click the VPC endpoint ID.
  4. Go to the Policy tab, click Edit and modify the policy.
  5. Click Confirm.