AWS deadline-cloud medium security documentation change
Summary
Added dual-stack endpoint support documentation, updated endpoint count from 2 to 4 (IPv4/IPv6), corrected endpoint URLs, and enabled VPC endpoint policies
Security assessment
The change explicitly enables VPC endpoint policies (previously stated as unsupported), which allows granular access control for the service. This is a security feature addition.
Diff
diff --git a/deadline-cloud/latest/userguide/vpc-interface-endpoints.md b/deadline-cloud/latest/userguide/vpc-interface-endpoints.md index 3d5dc1edf..4b8d3700b 100644 --- a/deadline-cloud/latest/userguide/vpc-interface-endpoints.md +++ b/deadline-cloud/latest/userguide/vpc-interface-endpoints.md @@ -12,0 +13,2 @@ You establish this private connection by creating an _interface endpoint_ , powe +Deadline Cloud also has dual-stack endpoints available. Dual-stack endpoints support requests over IPv6 and IPv4. + @@ -23 +25 @@ By default, full access to Deadline Cloud is allowed through the interface endpo -Deadline Cloud doesn't support VPC endpoint policies. For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the _AWS PrivateLink Guide_. +Deadline Cloud also supports VPC endpoint policies. For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the _AWS PrivateLink Guide_. @@ -27 +29 @@ Deadline Cloud doesn't support VPC endpoint policies. For more information, see -Deadline Cloud uses two endpoints for access to the service using AWS PrivateLink. +Deadline Cloud uses four endpoints for access to the service using AWS PrivateLink - two for IPv4 and two for IPv6. @@ -29 +31 @@ Deadline Cloud uses two endpoints for access to the service using AWS PrivateLin -Workers use the `com.amazonaws.`region`.deadline.scheduling` endpoint to get tasks from the queue, report progress to Deadline Cloud, and to send task output back. If you are using a customer-managed fleet, the scheduling endpoint is the only endpoint that you need to create unless you are using management operations. For example, if a job creates more jobs, you need to enable the management endpoint to call the `CreateJob` operation. +Workers use the `scheduling.deadline.`region`.amazonaws.com` endpoint to get tasks from the queue, report progress to Deadline Cloud, and to send task output back. If you are using a customer-managed fleet, the scheduling endpoint is the only endpoint that you need to create unless you are using management operations. For example, if a job creates more jobs, you need to enable the management endpoint to call the `CreateJob` operation. @@ -31 +33 @@ Workers use the `com.amazonaws.`region`.deadline.scheduling` endpoint to get tas -The Deadline Cloud monitor uses the `com.amazonaws.`region`.deadline.management` to manage the resources in your farm, such as creating and modifying queues and fleets or getting lists of jobs, steps, and tasks. +The Deadline Cloud monitor uses the `management.deadline.`region`.amazonaws.com` to manage the resources in your farm, such as creating and modifying queues and fleets or getting lists of jobs, steps, and tasks. @@ -56 +58,3 @@ Create management and scheduling endpoints for Deadline Cloud using the followin -If you enable private DNS for the interface endpoints, you can make API requests to Deadline Cloud using its default Regional DNS name. For example, `worker.deadline.us-east-1.amazonaws.com` for worker operations, or `management.deadline.us-east-1.amazonaws.com` for all other operations. +Deadline Cloud supports dual-stack endpoints. + +If you enable private DNS for the interface endpoints, you can make API requests to Deadline Cloud using its default Regional DNS name. For example, `scheduling.deadline.us-east-1.amazonaws.com` for worker operations, or `management.deadline.us-east-1.amazonaws.com` for all other operations.