
DynamoDb - Gateway VPC endpoint "across two accounts"


Infrastructure description: I have a DynamoDB table in one AWS account (say A1) and an application hosted in EC2 in another account (say A2), in a VPC private subnet. This app (in account A2) reads/writes that DynamoDB table in account A1. Both accounts are under the same organization, and the table and app are in the same AWS region. I created a VPC endpoint (say VPC-E1) for DynamoDB in the application's account (A2), and the route table is correctly populated with the VPC endpoint targets. The app authorizes itself using the AssumeRole method. I created a role policy for the same IAM role that the EC2 instance uses, to allow connecting to DynamoDB only if the source VPC endpoint is the one I created (VPC-E1). NOTE: the EC2 instance has internet connectivity via a NAT gateway.

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "dynamodb:*",
            "Effect": "Deny",
            "Resource": [
                "My DynamoDb table ARN"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": "VPC-E1"
                }
            }
        }
    ]
}

The Reachability Analyzer says that the traffic from EC2 to the VPC endpoint will work fine.

The problem: the traffic is denied by the policy, because either the traffic is not taking place via that VPC endpoint or, I assume, the traffic is taking place via the NAT gateway/internet. When I remove this policy it works fine, because the traffic might take place via the NAT gateway.

Has anyone configured such a setup successfully, i.e. accessing DynamoDB across accounts via the AWS private network (VPC endpoint)? My aim is to send the traffic via the AWS private network from one account/VPC to the other account that the DynamoDB table belongs to.


Solution

  • Yes. DynamoDB is a SaaS and is not hosted inside your VPC. I removed the condition in the IAM policy. I created CloudTrail logs in account A2 (where the DynamoDB table belongs) to capture the data events from the specific DynamoDB table. The VPC endpoint created in the consumer account (A2) appears in the CloudTrail logs (data events from the specific DynamoDB table/index) in the target AWS account (A1). Hence this works.
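The answer verifies the path by reading the table's CloudTrail data events, and the question's uncertainty is whether calls went through the endpoint or out via the NAT gateway. The following is an added example (not from the original post) that classifies DynamoDB data-event records by their vpcEndpointId field: a record carrying the expected endpoint ID went through the gateway endpoint, while a record with no vpcEndpointId and a public sourceIPAddress bypassed it. The records and endpoint ID are constructed placeholders.

```python
import json

# Constructed sample CloudTrail data-event records; IDs and IPs are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "vpcEndpointId": "vpce-EXAMPLE1", "sourceIPAddress": "10.0.1.25",
     "recipientAccountId": "111111111111",
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111111111111:table/ExampleTable"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "sourceIPAddress": "203.0.113.10",  # public NAT gateway address, no endpoint field
     "recipientAccountId": "111111111111",
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111111111111:table/ExampleTable"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25"},  # unrelated service, ignored
]})


def classify_dynamodb_events(trail_json, expected_vpce):
    """Split DynamoDB data events into those routed via the expected gateway
    endpoint and those that reached the service some other way.

    Returns a dict with two lists of (eventName, sourceIPAddress, vpcEndpointId).
    A request that reached DynamoDB over the NAT gateway carries no vpcEndpointId
    and shows the NAT gateway's public IP as its source, so it lands in "bypassed".
    """
    result = {"via_endpoint": [], "bypassed": []}
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue
        vpce = rec.get("vpcEndpointId")
        entry = (rec.get("eventName"), rec.get("sourceIPAddress"), vpce)
        bucket = "via_endpoint" if vpce == expected_vpce else "bypassed"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    summary = classify_dynamodb_events(SAMPLE_TRAIL, "vpce-EXAMPLE1")
    for bucket, entries in summary.items():
        print(bucket, len(entries))
        for name, ip, vpce in entries:
            print(f"  {name:<10} src={ip} vpce={vpce}")
```

Feeding the real trail export from the table's account in place of the constructed records shows which calls an aws:SourceVpce deny condition would block, before the condition is put back.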