Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1.2. Secure and Private Access Mechanisms

First Principle: Data doesn't need to traverse the public internet to reach AWS services. Private access mechanisms keep traffic on the AWS network, eliminating internet exposure and reducing the attack surface.

AWS PrivateLink (Interface VPC Endpoints):
  • Creates private connections from your VPC to AWS services or third-party services
  • Traffic stays on the AWS network — never traverses the internet
  • Uses private IP addresses in your subnet
  • Supports endpoint policies to control which principals and actions are allowed

Gateway VPC Endpoints:
  • Free, route-table-based endpoints for S3 and DynamoDB
  • No NAT Gateway or Internet Gateway required
  • Traffic stays within the AWS network
  • Endpoint policies control access

AWS Client VPN:
  • Managed OpenVPN-based service for remote user access to VPCs
  • Certificate-based or AD-based authentication
  • Authorization rules control which networks users can access
  • All traffic encrypted between client and VPN endpoint

AWS Verified Access (covered in 4.3.3):
  • Zero-trust application access without VPN
  • Per-request identity and device verification
  • Application-level access policies

Choosing the Right Private Access Mechanism:

  Need                                           Solution
  EC2 accessing S3 privately                     Gateway VPC endpoint (free)
  EC2 accessing KMS/SQS/SNS privately            Interface VPC endpoint (PrivateLink)
  Third-party SaaS accessing your services       PrivateLink service
  Remote users accessing VPC resources           Client VPN
  Remote users accessing specific applications   Verified Access

⚠️ Exam Trap: Gateway endpoints are free (S3 and DynamoDB only). Interface endpoints have hourly + data processing charges. If a question asks about cost-effective private S3 access, gateway endpoint is the answer.

Scenario: Lambda functions in a private subnet need to access KMS and S3. You create a gateway endpoint for S3 (free, route-table based) and an interface endpoint for KMS (PrivateLink), with endpoint policies restricting access to specific key ARNs and bucket ARNs.
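The two endpoint policies that scenario calls for, written out as an added example (this is not MindMesh Academy's code). The account id, bucket name and KMS key ARN are constructed placeholders, and the endpoint_allows() function is a deliberately simplified model of policy evaluation (default deny, explicit Deny wins, Action/Resource matching only) used here to show what each policy does and does not let through the endpoint; it is not the IAM engine and ignores conditions and principal matching.

```python
"""Endpoint policies for the S3 gateway endpoint and KMS interface endpoint
in the scenario above, plus a simplified evaluator to check their effect.
Added example, not course material. All resource identifiers are constructed
placeholders."""
import fnmatch
import json

# Constructed placeholders: replace with your own account, bucket and key.
ACCOUNT_ID = "111122223333"
BUCKET = "example-app-data"
KMS_KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/"
               "00000000-0000-0000-0000-000000000000")

# Policy for the S3 gateway endpoint: only the application's bucket is reachable
# through this endpoint. s3:ListBucket is evaluated against the bucket ARN and
# object actions against object ARNs, so both resource forms are listed.
S3_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyAppBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Policy for the KMS interface endpoint (PrivateLink): only the application's
# key may be used through this endpoint, and only for data-protection actions,
# so a key-management action such as kms:ScheduleKeyDeletion is filtered out.
KMS_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyAppKey",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": [KMS_KEY_ARN],
    }],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def endpoint_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified model of endpoint-policy evaluation: default deny, an explicit
    Deny always wins, otherwise any matching Allow permits. IAM wildcards (*, ?)
    are matched with fnmatch. Conditions and principal matching are not modelled;
    the caller's own IAM permissions are still required on top of this."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat)
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_json(policy: dict) -> str:
    """Serialised document, i.e. the string passed as the endpoint's policy
    document when the endpoint is created or modified."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(S3_ENDPOINT_POLICY))
    print(policy_json(KMS_ENDPOINT_POLICY))
    # Allowed: object in the application bucket, via the gateway endpoint.
    print(endpoint_allows(S3_ENDPOINT_POLICY, "s3:GetObject",
                          f"arn:aws:s3:::{BUCKET}/report.csv"))
    # Filtered: an unrelated bucket, even though the traffic never left AWS.
    print(endpoint_allows(S3_ENDPOINT_POLICY, "s3:GetObject",
                          "arn:aws:s3:::someone-elses-bucket/x"))
```

The second check is the point of the reflection question below: a private path alone would still carry a request to any bucket in the region, so the endpoint policy is what narrows the endpoint to the resources this workload actually needs. For defence in depth, the bucket policy can in turn require requests to arrive through this endpoint with an aws:sourceVpce condition, so that neither side trusts the other alone.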

Reflection Question: Why do endpoint policies add an important security layer beyond just making the connection private?

Written by Alvin Varughese (Founder, 15 professional certifications)