
Configuring VPC Endpoints for Private AWS Service Access
Provision VPC interface and gateway endpoints so workloads reach S3, EC2, SSM, and Secrets Manager without internet egress.
Overview
Configuring VPC Endpoints for Private AWS Service Access is an agent skill for the Operate phase that provisions VPC gateway and interface endpoints for private AWS API connectivity.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill configuring-vpc-endpoints-for-private-aws-service-access
What is this skill?
- Parameterized SOP: vpc_id, subnet_ids, service_names, optional route tables, security groups, and custom endpoint policy
- Creates interface endpoints (PrivateLink) and gateway endpoints with DNS hostname/support toggles
- Step 1 verifies call_aws / AWS CLI availability and discloses API usage before execution
- Supports multi-service batches via comma-separated service names (e.g. s3, ec2, ssm, secretsmanager)
- Required parameters: vpc_id, subnet_ids, service_names
- Optional: route_table_ids, security_group_ids, policy_document, enable_dns_hostnames, enable_dns_support (defaults true)
Adoption & trust: 978 installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need AWS service access from private subnets without routing sensitive traffic through the internet or a NAT-only path.
Who is it for?
Solo builders or indies operating VPC-hosted APIs or workers that must call S3, SSM, Secrets Manager, or similar services privately.
Skip if: you are designing a greenfield VPC from scratch and have no VPC or subnet IDs yet, or your team only needs public endpoint URLs and no private networking.
When should I use this skill?
You must enable private connectivity from a VPC to supported AWS services or PrivateLink endpoint services.
What do I get? / Deliverables
After the SOP runs, the VPC has the requested endpoints, DNS, routing, and security attachments aligned for private service access.
- VPC endpoints created for the requested service_names
- DNS, routing, and security group associations per SOP parameters
Journey fit
Private service routing is a production networking control applied after the VPC exists and before or during steady-state operations. Infra subphase covers VPC topology, endpoints, route tables, and security groups for ongoing cloud operations.
How it compares
Structured AWS infra SOP with verified CLI tooling, not a generic Terraform module generator.
Common Questions / FAQ
Who is configuring-vpc-endpoints-for-private-aws-service-access for?
Indie and solo builders running AWS VPC workloads who want agent-guided endpoint creation with explicit CLI and API disclosure.
When should I use configuring-vpc-endpoints-for-private-aws-service-access?
During Operate infra work when you already have a VPC and subnets and need private paths to one or more AWS services before or after launch.
Is configuring-vpc-endpoints-for-private-aws-service-access safe to install?
Review the Security Audits panel on this Prism page; the skill drives AWS API calls and needs appropriate IAM boundaries in your account.
SKILL.md - Configuring VPC Endpoints for Private AWS Service Access
# Configure VPC Endpoints for Private AWS Service Access

## Overview

This SOP configures VPC endpoints to enable private access to AWS services without routing traffic through the internet. VPC endpoints provide secure, private connectivity to supported AWS services and VPC endpoint services powered by AWS PrivateLink.

## Parameters

- vpc_id (required): The ID of the VPC where endpoints will be created
- subnet_ids (required): Comma-separated list of subnet IDs for interface endpoints
- service_names (required): Comma-separated list of AWS service names to create endpoints for (e.g., s3, ec2, ssm, secretsmanager)
- route_table_ids (optional): Comma-separated list of route table IDs for gateway endpoints
- security_group_ids (optional): Comma-separated list of security group IDs for interface endpoints
- policy_document (optional): Custom endpoint policy JSON document
- enable_dns_hostnames (optional, default: "true"): Enable DNS hostnames for interface endpoints
- enable_dns_support (optional, default: "true"): Enable DNS support for interface endpoints

## Steps

### 1. Verify Dependencies

Check for required tools and inform the user about capabilities needed.

Constraints:
- You MUST verify that the `call_aws` tool is available in your context
- You MUST inform the user that this SOP requires AWS CLI access and will make AWS API calls
- You MUST inform the user about any missing tools with a clear message
- You MUST ask if the user wants to proceed anyway despite missing tools
- You MUST respect the user's decision to proceed or abort
- You MUST inform the user that passwords will be managed through AWS Secrets Manager and MUST NEVER prompt for password input

### 2. Gather Required Parameters

Collect all required parameters from the user in a single prompt.

Constraints:
- You MUST ask for all required parameters upfront in a single prompt rather than one at a time
- You MUST support multiple input methods for parameter provision
- You MUST validate that vpc_id follows the format vpc-xxxxxxxx
- You MUST validate that subnet_ids follow the format subnet-xxxxxxxx
- You MUST confirm successful acquisition of all parameters before proceeding

### 3. Validate VPC and Subnets

Verify that the specified VPC and subnets exist and are properly configured.

Constraints:
- You MUST call AWS CLI to describe the VPC and verify it exists
- You MUST call AWS CLI to describe subnets and verify they exist in the specified VPC
- You MUST inform the user about each validation step being performed and why
- You MUST check that DNS hostnames and DNS resolution are enabled on the VPC for interface endpoints
- You SHOULD warn the user if DNS settings are not optimal for VPC endpoints

### 4. Check Existing VPC Endpoints

Check for existing VPC endpoints to avoid duplicates.

Constraints:
- You MUST call AWS CLI to list existing VPC endpoints in the VPC
- You MUST inform the user about existing endpoints for the requested services
- You MUST ask the user whether to skip, replace, or modify existing endpoints
- You MUST respect the user's decision on handling existing endpoints

### 5. Create Security Groups for Interface Endpoints

Create or validate security groups for interface endpoints if not provided.

Constraints:
- You MUST create a security group for interface endpoints if security_group_ids is not provided
- You MUST configure inbound rules to allow HTTPS traffic (port 443) from VPC CIDR
- You MUST call AWS CLI to create security group and rules
- You MUST inform the user about security group creation and configuration
- You MUST use AWS Secrets Manager for any authentication requirements and MUST NEVER prompt for passwords

### 6. Determine Endpoint Types

Categorize services into gateway and interface endpoint types.

Constraints:
- You MUST identify which services support gateway endpoints (S3, DynamoDB)
- You MUST identify which services require interface endpoints (EC2, SSM, Secrets Manager, etc.)
- You MUST inform the user abou
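Steps 2 to 6 of the SOP above carried through as an added POSIX shell example around the AWS CLI; this is not the skill's own code and not part of SKILL.md. It assumes a configured `aws` CLI, AWS_REGION set, and the SOP parameters exported as comma-separated environment variables (VPC_ID, SUBNET_IDS, SERVICE_NAMES, optional ROUTE_TABLE_IDS and SECURITY_GROUP_IDS); the security group name vpce-https is a constructed value.

```shell
# Added example (not the skill's own code): SOP steps 2-6 as a POSIX shell wrapper around
# the AWS CLI. Assumes a configured `aws` CLI, AWS_REGION, and the SOP parameters as
# comma-separated env vars: VPC_ID, SUBNET_IDS, SERVICE_NAMES (optional ROUTE_TABLE_IDS, SECURITY_GROUP_IDS).
set -eu
split() { printf '%s' "$1" | tr , ' '; }                # "a,b" -> "a b" for multi-value CLI flags
# Step 2: vpc-/subnet- IDs are the prefix plus 8 or 17 lowercase hex characters.
valid_id() { printf '%s' "$2" | grep -Eq "^$1-[0-9a-f]{8}([0-9a-f]{9})?$"; }
# Step 6: only S3 and DynamoDB use gateway endpoints; every other service is interface (PrivateLink).
endpoint_type() { case "$1" in s3|dynamodb) echo Gateway ;; *) echo Interface ;; esac; }
# Step 3: private DNS names for interface endpoints need both VPC DNS attributes enabled.
vpc_dns_ok() {
  for key in EnableDnsSupport EnableDnsHostnames; do   # API attribute names are camelCase: e${key#E}
    v=$(aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute "e${key#E}" \
          --query "$key.Value" --output text)
    [ "$v" = True ] || { echo "warn: $key is $v on $1; private DNS will not resolve" >&2; return 1; }
  done
}
# Step 4: an endpoint for the same service already in this VPC is skipped, not duplicated.
endpoint_exists() {
  n=$(aws ec2 describe-vpc-endpoints --filters "Name=vpc-id,Values=$1" \
        "Name=service-name,Values=$2" --query 'length(VpcEndpoints)' --output text)
  [ "$n" != 0 ]
}
# Step 5: a dedicated group that admits only HTTPS (443) from the VPC's own CIDR.
create_endpoint_sg() {
  cidr=$(aws ec2 describe-vpcs --vpc-ids "$1" --query 'Vpcs[0].CidrBlock' --output text)
  sg=$(aws ec2 create-security-group --vpc-id "$1" --group-name vpce-https \
         --description "HTTPS from VPC to interface endpoints" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 443 --cidr "$cidr" >/dev/null
  echo "$sg"
}
main() {
  valid_id vpc "$VPC_ID" || { echo "bad vpc_id: $VPC_ID" >&2; exit 1; }
  for s in $(split "$SUBNET_IDS"); do valid_id subnet "$s" || { echo "bad subnet_id: $s" >&2; exit 1; }; done
  vpc_dns_ok "$VPC_ID" || true                          # the SOP warns here rather than aborting
  sg=${SECURITY_GROUP_IDS:-$(create_endpoint_sg "$VPC_ID")}
  for svc in $(split "$SERVICE_NAMES"); do
    full="com.amazonaws.$AWS_REGION.$svc"
    if endpoint_exists "$VPC_ID" "$full"; then echo "skip: $full already exists"; continue; fi
    if [ "$(endpoint_type "$svc")" = Gateway ]; then
      [ -n "${ROUTE_TABLE_IDS:-}" ] || { echo "route_table_ids required for $full" >&2; exit 1; }
      aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --service-name "$full" \
        --vpc-endpoint-type Gateway --route-table-ids $(split "$ROUTE_TABLE_IDS")
    else
      aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --service-name "$full" --vpc-endpoint-type Interface \
        --private-dns-enabled --subnet-ids $(split "$SUBNET_IDS") --security-group-ids "$sg"
    fi
  done
}
case "${1:-}" in apply) main ;; esac                    # API calls only when run as: ./vpce.sh apply
```

Without the `apply` argument the script only defines its functions, so the ID and endpoint-type checks can be exercised with no AWS credentials and no API calls.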