Configuring DynamoDB VPC Endpoints with AWS CloudFormation

2 mins read · AWS, Tech

VPC endpoints on Amazon Web Services (AWS) let you create a private connection between your VPC and a supported AWS service, so that traffic to that service does not need to traverse an internet gateway, NAT device, VPN connection, or proxy server.

Since their launch in May 2015, VPC endpoints have only been available for connectivity to Amazon Simple Storage Service (S3), AWS's object storage service.

Just a few weeks ago AWS announced that VPC Endpoints for DynamoDB are now available in public preview. Of course I joined.

All of the documentation for this feature describes creating the endpoints through the console, but as I build my environment exclusively with CloudFormation I wanted to see if it was possible to do the same from a template.

The answer is yes.

To get started I created a DynamoDB endpoint resource in my CloudFormation template:

  DynamoDBEndpoint:
    Type: "AWS::EC2::VPCEndpoint"
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      ServiceName:
        !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      VpcId: !Ref VPC

The following resources are defined elsewhere in the template, so adjust to suit your environment:

  • VPC - The VPC resource. You could instead supply an existing VPC ID here.
  • PublicRouteTable - my public route table.
  • Private(0/1/2)RouteTable - my private route tables. CloudFormation adds a route for the DynamoDB prefix list to each listed table, so only subnets associated with these tables reach DynamoDB through the endpoint.

Beyond keeping the traffic off the public internet, the benefit of a VPC endpoint from a security standpoint is that you can restrict what it can be used for. You could, for example, attach a policy document that only allows the endpoint to be used to access a specific DynamoDB table.

For example, this resource with an attached policy document restricts requests made through the endpoint to the table “arn:aws:dynamodb:ap-southeast-2:123412341234:table/test”:

  DynamoDBEndpoint:
    Type: "AWS::EC2::VPCEndpoint"
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      ServiceName:
        !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      VpcId: !Ref VPC
      PolicyDocument: {
        "Id": "Policy",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Statement",
            "Action": "dynamodb:*",
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test",
            "Principal": "*"
          }
        ]
      }
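The policy above does what the text says, but two details bite in practice: Query and Scan against a global or local secondary index are authorised on the index ARN (`table/test/index/...`), not the table ARN, and `dynamodb:ListTables` does not support resource-level permissions at all, so a statement scoped to a table ARN quietly refuses it. As an added example that is not part of the original post, the following variant of the same resource handles both, replaces `dynamodb:*` with an explicit action list, and limits callers to the account that owns the table. It assumes the same table name, account and region as the text, and that every caller is a principal in that account (the `aws:PrincipalAccount` condition); adjust the action list to what your application actually uses.

```yaml
  # Added example, not from the original post. Same route tables and VPC as
  # above; only the policy differs. Table "test", account 123412341234 and
  # region ap-southeast-2 are taken from the text.
  DynamoDBEndpoint:
    Type: "AWS::EC2::VPCEndpoint"
    Properties:
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.dynamodb"
      VpcId: !Ref VPC
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Item and table actions on the table itself and on any of its
          # secondary indexes. Without the ".../index/*" ARN, Query or Scan
          # against a GSI/LSI would be refused through this endpoint.
          - Sid: TableAndIndexes
            Effect: Allow
            Principal: "*"
            Action:
              - dynamodb:BatchGetItem
              - dynamodb:BatchWriteItem
              - dynamodb:DeleteItem
              - dynamodb:DescribeTable
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:UpdateItem
            Resource:
              - "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test"
              - "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test/index/*"
            Condition:
              StringEquals:
                # Assumption: all callers are IAM principals in this account.
                aws:PrincipalAccount: "123412341234"
          # ListTables has no resource-level permissions, so it needs its own
          # statement on "*"; the condition still pins it to our account.
          - Sid: ListTables
            Effect: Allow
            Principal: "*"
            Action: dynamodb:ListTables
            Resource: "*"
            Condition:
              StringEquals:
                aws:PrincipalAccount: "123412341234"
```

Anything not matched by one of these statements, such as a GetItem against a different table or a call from a principal in another account, is refused at the endpoint regardless of the caller's IAM permissions.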

The AWS Policy Generator is a useful tool for producing the policy documents you need. Keep in mind that an endpoint policy does not grant anything on its own: a request through the endpoint must be allowed by both the endpoint policy and the caller's IAM policies, and if you attach no policy the default allows full access to the service.

With the CloudFormation template complete I executed the revised template, and the endpoint was created as expected.