Posted On: Apr 10, 2020

VPC interface endpoints (powered by Amazon PrivateLink) and gateway endpoints now support additional IAM condition keys. With this launch, you can use the IAM condition key `ec2:VpceServiceOwner` to restrict creation of interface endpoints to either Amazon Web Services services or services owned by specific Amazon Web Services accounts. You can also restrict endpoint creation to specific services by using the `ec2:VpceServiceName` condition key in your IAM policies. Additionally, you can control actions on your VPC endpoints and endpoint services based on existing tags on resources such as VPCs and subnets using the `ec2:ResourceTag` condition key.
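As an added illustration (not part of the original announcement), the following IAM policy combines the three condition keys described above: the principal may create interface endpoints only for Amazon-owned services in one region, and only attach them to VPCs and subnets carrying a specific tag. The account ID `111122223333`, the region `us-east-1`, and the tag `Environment=prod` are placeholder values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EndpointsOnlyForAmazonOwnedServices",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:vpc-endpoint/*",
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceOwner": "amazon"
        },
        "StringLike": {
          "ec2:VpceServiceName": "com.amazonaws.us-east-1.*"
        }
      }
    },
    {
      "Sid": "OnlyIntoTaggedVpcsAndSubnets",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:vpc/*",
        "arn:aws:ec2:us-east-1:111122223333:subnet/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "prod"
        }
      }
    },
    {
      "Sid": "SupportingResourcesForEndpointCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:security-group/*",
        "arn:aws:ec2:us-east-1:111122223333:route-table/*"
      ]
    }
  ]
}
```

The service-owner and service-name keys are evaluated only against the `vpc-endpoint` resource, so the VPC, subnet, security group and route table that `CreateVpcEndpoint` also touches are granted in separate statements; putting those keys on the other resource ARNs would make the condition fail and the request be denied.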

These IAM condition keys are available in all Amazon Web Services regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about IAM condition keys for VPC endpoints, please visit the documentation.