VPC Endpoints on Amazon Web Services (AWS) are a service that allows you to create a private connection between your VPC and a service that supports VPC endpoints without being required to traverse a NAT device, proxy server, or other similar service.
Since their launch in May 2015, VPC endpoints have only been available for connectivity to Amazon Simple Storage Service (S3) — their high performance object storage platform.
Just a few weeks ago AWS announced that VPC Endpoints for DynamoDB are now available in public preview. Of course I joined.
All of the documentation for this feature shows the endpoints being activated through the console, but as I build my environment exclusively with CloudFormation I wanted to see if it was possible to do it from a template instead.
The answer is yes.
To get started I created a DynamoDB endpoint resource in my CloudFormation template:
DynamoDBEndpoint:
  Type: "AWS::EC2::VPCEndpoint"
  Properties:
    RouteTableIds:
      - !Ref PublicRouteTable
      - !Ref Private0RouteTable
      - !Ref Private1RouteTable
      - !Ref Private2RouteTable
    ServiceName:
      !Sub "com.amazonaws.${AWS::Region}.dynamodb"
    VpcId: !Ref VPC
The following resources are defined elsewhere in the template, so adjust to suit your environment:
- VPC – The VPC resource. You could set this to an existing VPC ID.
- PublicRouteTable – my public route table.
- Private(0/1/2)RouteTable – my private route tables. These will be updated with a route to the endpoint.
Of course, the primary benefit of a VPC endpoint is the ability to restrict what it can be used for: you can, for example, attach a policy document that only allows the endpoint to be used to access a specific DynamoDB table.
For example, this resource with attached policy document would restrict access only to the table “arn:aws:dynamodb:ap-southeast-2:123412341234:table/test”:
DynamoDBEndpoint:
  Type: "AWS::EC2::VPCEndpoint"
  Properties:
    RouteTableIds:
      - !Ref PublicRouteTable
      - !Ref Private0RouteTable
      - !Ref Private1RouteTable
      - !Ref Private2RouteTable
    ServiceName:
      !Sub "com.amazonaws.${AWS::Region}.dynamodb"
    VpcId: !Ref VPC
    PolicyDocument: {
      "Id": "Policy",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement",
          "Action": "dynamodb:*",
          "Effect": "Allow",
          "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test",
          "Principal": "*"
        }
      ]
    }
The AWS Policy Generator is a useful tool that can be used to generate the policies that you need.
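Before deploying an endpoint policy it is worth checking what it actually permits, because a policy scoped to one table ARN also silently blocks anything addressed to a different ARN, including that table's own secondary indexes. The following Python is an added example written for this post, not code from the original or from AWS: it embeds the policy document above as constructed test data and evaluates, for a given action and resource ARN, whether the endpoint policy would let the request through. It is a simplified evaluator (Effect, Action and Resource with `*`/`?` wildcards only; Condition, NotAction and NotResource are assumed absent), and it also flags Allow statements whose Resource is not pinned to a specific table. Keep in mind that an endpoint policy only narrows what can pass through the endpoint; the caller still needs an IAM policy that grants the action.

```python
"""Simplified evaluator for a DynamoDB VPC endpoint policy (added example)."""
import fnmatch

# The policy document from the post's CloudFormation resource, embedded here
# as constructed test data.
ENDPOINT_POLICY = {
    "Id": "Policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement",
            "Action": "dynamodb:*",
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test",
            "Principal": "*",
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM-style wildcard match using only '*' and '?'.

    Simplification (assumption): both sides are lower-cased, which is correct
    for action names and harmless for the ARNs used here.
    """
    return any(
        fnmatch.fnmatchcase(candidate.lower(), pattern.lower())
        for pattern in _as_list(patterns)
    )


def endpoint_allows(policy, action, resource_arn):
    """Return True if the endpoint policy permits `action` on `resource_arn`.

    Evaluation order follows IAM: an explicit Deny wins, otherwise any matching
    Allow permits, otherwise the request is implicitly denied.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action"), action):
            continue
        if not _matches(stmt.get("Resource"), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def find_overbroad_statements(policy):
    """Flag Allow statements whose Resource would let the endpoint reach any table."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":table/*"):
                sid = stmt.get("Sid", "<no Sid>")
                findings.append(
                    f"{sid}: Resource {resource!r} is not limited to a specific table"
                )
    return findings


if __name__ == "__main__":
    table = "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test"
    index = table + "/index/by-date"  # constructed GSI ARN for the same table
    other = "arn:aws:dynamodb:ap-southeast-2:123412341234:table/other"
    for act, arn in [("dynamodb:GetItem", table),
                     ("dynamodb:Query", index),
                     ("dynamodb:GetItem", other)]:
        print(f"{act:20} {arn}: {'allow' if endpoint_allows(ENDPOINT_POLICY, act, arn) else 'deny'}")
    print("findings:", find_overbroad_statements(ENDPOINT_POLICY) or "none")
```

Running it shows that the post's policy allows `GetItem` on `table/test`, implicitly denies the same call against `table/other`, and also denies a `Query` against an index ARN under `table/test`; if the application queries a global secondary index through the endpoint, the policy needs a second Resource entry such as `arn:aws:dynamodb:ap-southeast-2:123412341234:table/test/index/*`.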
With the CloudFormation template complete I executed the revised template, and the endpoint was created as expected.