PrivateLink 2 Flashcards

1
Q

Gateway Endpoints

What is a Gateway Endpoint?

A

A route-table-based VPC endpoint that gives resources in a VPC private access to S3 or DynamoDB, without an IGW, NAT gateway, or public IP on the caller.

2
Q

Gateway Endpoints

What happens when you create a GW Endpoint?

A

A route to the service's managed prefix list is added to each route table you associate with the endpoint.

3
Q

Gateway Endpoints

Which services support both Interface Endpoints and Gateway Endpoints?

A

Both do now. S3 has had Interface Endpoints alongside its Gateway Endpoint since 2021; DynamoDB gained Interface (PrivateLink) Endpoints in 2024, so older material saying "only S3" is out of date. Gateway Endpoints remain free and only exist for these two services.

4
Q

Gateway Endpoints

Can you use Security Groups or NACLs to control access to a Gateway Endpoint?

A

No. It isn't an ENI and doesn't live in a subnet, so there is nothing to attach an SG or NACL to; it is only a route target. The caller's own SG egress still has to allow traffic to the service, and you can reference the managed prefix list ID in that outbound rule instead of hard-coding the service CIDRs.

5
Q

Gateway Endpoints

What does this addition to the route table look like?

A

Destination is the managed prefix list ID, which expands to the service's public CIDRs for that region; target is the endpoint ID (vpce-...).

6
Q

Gateway Endpoints

Are GW endpoints regional, zonal, or global?

A

Regional, and tied to one VPC. You can create more than one per VPC (for example one endpoint per policy, attached to different route tables), but a given route table can only send the prefix list to one of them.

7
Q

Gateway Endpoints

If GW endpoints aren’t per-Subnet, how does routing work (which is per-subnet)?

A

You associate the endpoint with route tables, not subnets. AWS adds the prefix-list route to each associated route table, and any subnet using one of those tables gets the private path.

8
Q

Gateway Endpoints

Is a GW Endpoint HA?

A

Yes. It is a regional, horizontally scaled, redundant construct with no per-AZ component to fail and no bandwidth limit to size.

9
Q

Gateway Endpoints

What other VPC things is a GW Endpoint similar to?

A

IGW and VGW. Like them it is a target on the VPC border that route tables point at, not something inside a subnet.

10
Q

Gateway Endpoints

How do you control access to a GW Endpoint?

A

An Endpoint Policy attached to the endpoint, plus the resource policy on the far side (the S3 bucket policy) which can require that requests arrived via that endpoint.

11
Q

Gateway Endpoints

Example of something you can control access to with a GW Endpoint?

A

Restrict an S3 endpoint so only certain buckets (listed as ARNs in the policy's Resource) can be reached through it; requests to any other bucket via that endpoint are denied.

12
Q

Gateway Endpoints

Can a GW Endpoint connect to a resource in a different region?

A

No. It only reaches the service in the endpoint's own region; a bucket in another region is not reachable through it.

13
Q

Gateway Endpoints

Security Design Pattern for S3 Gateway Endpoints?

A

Prevent leaky buckets: bucket policy with an explicit Deny unless aws:sourceVpce equals the endpoint ID, so only traffic that came through the endpoint (i.e. from that VPC) can reach the bucket, whatever the caller's IAM permissions say.

14
Q

Endpoint Policies

What is the TL;DR for Endpoint Policies?

A

A policy document (Effect/Action/Resource/Principal/Condition) attached to the endpoint that bounds what can be accessed through it.

15
Q

Endpoint Policies

What can an Endpoint Policy grant access to?

A

Nothing. Like an SCP it only bounds: the caller still needs an IAM policy that allows the action. The default endpoint policy is full access, so it does nothing until you tighten it.

16
Q

Endpoint Policies

Can/How do you limit an S3 bucket so it can only be reached by one VPC and not another?

A

Each VPC gets its own Endpoint. The bucket policy has a Deny with StringNotEquals on aws:sourceVpce set to the allowed endpoint ID; requests through the other VPC's endpoint carry a different ID and are denied (as is anything not via an endpoint at all, including the console).

17
Q

Endpoint Policies

Couldn't you just use a Condition with "aws:SourceIp" and pick the VPC CIDR?

A

No. aws:SourceIp is the public IP the service sees. Traffic through a Gateway Endpoint never leaves the AWS network and the key isn't set at all for it, so a VPC CIDR never matches; worse, a "Deny unless NotIpAddress" rule then denies the endpoint traffic too. Use aws:sourceVpce / aws:sourceVpc (or aws:VpcSourceIp for the private address) instead.
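The following is an added example, not part of the original flashcards or of any AWS library: a small model of how a bucket policy and an endpoint policy get evaluated for cards 10/11, 13, 16 and 17. It implements only the pieces the cards rely on (explicit Deny wins, the missing-key rule for negated operators, String and IP operators, "*" wildcards) and is a simplification of real IAM evaluation. All endpoint IDs, VPC IDs, bucket names, CIDRs and request contexts below are constructed; the key behaviour it shows is that a request arriving through a Gateway Endpoint carries aws:SourceVpce but no aws:SourceIp.

```python
"""Toy evaluator for S3 bucket / VPC endpoint policies (simplified IAM model)."""
import ipaddress
import re

# Constructed identifiers (not real resources).
VPCE_APP = "vpce-0a1b2c3d4e5f60718"      # endpoint in the VPC that should reach the bucket
VPCE_OTHER = "vpce-0f1e2d3c4b5a69870"    # endpoint in some other VPC
BUCKET = "arn:aws:s3:::example-app-data"


def _match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: only '*' is special."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def _condition_holds(operator: str, expected: dict, ctx: dict) -> bool:
    """Evaluate one operator block, e.g. {"aws:sourcevpce": "vpce-..."} (keys lowercased)."""
    base = operator.removesuffix("IfExists")
    negated = "Not" in base                      # StringNotEquals, NotIpAddress
    for key, wanted in expected.items():
        wanted = wanted if isinstance(wanted, list) else [wanted]
        if key not in ctx:
            # Missing key: IfExists and negated operators hold (there is nothing that
            # equals the value), plain operators fail. This is why a NotIpAddress Deny
            # fires on endpoint traffic, which has no aws:SourceIp at all.
            if operator.endswith("IfExists") or negated:
                continue
            return False
        actual = ctx[key]
        if base in ("IpAddress", "NotIpAddress"):
            hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False)
                      for w in wanted)
        else:                                    # StringEquals / StringNotEquals
            hit = actual in wanted
        if hit == negated:                       # matched a NotX, or missed a plain X
            return False
    return True


def _statement_matches(stmt: dict, request: dict) -> bool:
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(_match(a, request["action"]) for a in actions):
        return False
    if not any(_match(r, request["resource"]) for r in resources):
        return False
    ctx = {k.lower(): v for k, v in request.get("context", {}).items()}   # keys are case-insensitive
    return all(_condition_holds(op, {k.lower(): v for k, v in kv.items()}, ctx)
               for op, kv in stmt.get("Condition", {}).items())


def evaluate(policy: dict, request: dict) -> str:
    """'Deny' (explicit, always wins), 'Allow', or 'ImplicitDeny' (no statement matched;
    for a bucket policy that means the caller's own IAM policy decides)."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


# Cards 10/11: Endpoint Policy on the gateway. It grants nothing the caller's IAM
# policy does not already allow; it only bounds which buckets may be reached through it.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OnlyTheAppBucket", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}

# Cards 13/16: bucket policy that refuses anything not arriving via our endpoint.
SOURCE_VPCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnlessFromOurEndpoint", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_APP}}}]}

# Card 17 anti-pattern: pin the bucket to the VPC's private CIDR with aws:SourceIp.
SOURCE_IP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnlessFromVpcCidr", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "10.20.0.0/16"}}}]}

# Request contexts as the service would see them (constructed). Through a Gateway
# Endpoint S3 sees aws:SourceVpce / aws:SourceVpc and no aws:SourceIp.
VIA_OUR_ENDPOINT = {"aws:SourceVpce": VPCE_APP, "aws:SourceVpc": "vpc-0123456789abcdef0"}
VIA_OTHER_VPC = {"aws:SourceVpce": VPCE_OTHER, "aws:SourceVpc": "vpc-0fedcba9876543210"}
FROM_INTERNET = {"aws:SourceIp": "203.0.113.7"}


def get_object(context: dict, resource: str = BUCKET + "/report.csv") -> dict:
    return {"action": "s3:GetObject", "resource": resource, "context": context}


if __name__ == "__main__":
    for name, ctx in [("our endpoint", VIA_OUR_ENDPOINT), ("other VPC", VIA_OTHER_VPC),
                      ("internet", FROM_INTERNET)]:
        print(f"{name:13} sourceVpce policy: {evaluate(SOURCE_VPCE_POLICY, get_object(ctx)):13}"
              f" SourceIp policy: {evaluate(SOURCE_IP_POLICY, get_object(ctx))}")
```

Running it shows the two policies diverging on exactly the request that matters: the aws:sourceVpce Deny leaves our endpoint's traffic alone ("ImplicitDeny", so the caller's IAM policy decides) and denies the other VPC and the internet, while the aws:SourceIp version denies our own endpoint's traffic because the key is simply absent. The endpoint policy separately refuses a request for any bucket other than the one listed, before the bucket policy is even consulted.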