AWS Security ChangesHomeSearch

AWS macie high security documentation change

Service: macie · 2025-07-04 · Security-related high

File: macie/latest/user/vpc-interface-endpoints-macie.md

Summary

Added documentation for creating VPC endpoint policies to control Macie access, removed statement about VPC endpoint policies not being supported

Security assessment

The change introduces guidance for implementing granular access controls via endpoint policies, addressing the previous default of full access. This mitigates risks of over-permissive access to Macie API operations through VPC endpoints. The removal of 'VPC endpoint policies are not supported' indicates a security improvement.

Diff

diff --git a/macie/latest/user/vpc-interface-endpoints-macie.md b/macie/latest/user/vpc-interface-endpoints-macie.md
index e408280dd..e32e880bd 100644
--- a//macie/latest/user/vpc-interface-endpoints-macie.md
+++ b//macie/latest/user/vpc-interface-endpoints-macie.md
@@ -5 +5 @@
-Considerations for Macie interface endpointsCreating an interface endpoint for Macie
+Considerations for Macie interface endpointsCreating an interface endpoint for MacieCreating an endpoint policy for Macie
@@ -20,0 +21,2 @@ For more information, see [Access AWS services through AWS PrivateLink](https://
+  * Creating an endpoint policy for Macie
+
@@ -26 +28 @@ For more information, see [Access AWS services through AWS PrivateLink](https://
-Amazon Macie supports interface endpoints in all the AWS Regions where it's currently available except the Asia Pacific (Osaka) and Israel (Tel Aviv) Regions. For a list of Regions where Macie is currently available, see [Amazon Macie endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/macie.html) in the _AWS General Reference_. Macie supports making calls to all of its API operations through interface endpoints.
+Amazon Macie supports interface endpoints in all the AWS Regions where it's currently available. For a list of these Regions, see [Amazon Macie endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/macie.html) in the _AWS General Reference_. Macie supports making calls to all of its API operations through interface endpoints.
@@ -30,2 +31,0 @@ If you create an interface endpoint for Macie, consider doing the same for other
-Note that VPC endpoint policies are not supported for Macie. By default, full access to Macie is allowed through an interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Macie through the interface endpoint.
-
@@ -34 +34 @@ Note that VPC endpoint policies are not supported for Macie. By default, full ac
-You can create an interface endpoint for Amazon Macie by using the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the _AWS PrivateLink Guide_.
+You can create an interface endpoint for Amazon Macie by using the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the _AWS PrivateLink Guide_.
@@ -43,0 +44,56 @@ If you enable private DNS for the interface endpoint, you can make API requests
+## Creating an endpoint policy for Macie
+
+An _endpoint policy_ is an AWS Identity and Access Management (IAM) resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Amazon Macie through the interface endpoint. To control the access allowed to Macie from your VPC, attach a custom endpoint policy to the interface endpoint.
+
+An endpoint policy specifies the following information:
+
+  * The principals that can perform actions (AWS accounts, IAM users, and IAM roles).
+
+  * The actions that can be performed.
+
+  * The resources on which the actions can be performed.
+
+
+
+
+It's a separate policy for controlling access from the endpoint to the specified service. For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the _AWS PrivateLink Guide_.
+
+###### Example: VPC endpoint policy for Macie actions
+
+The following is an example of a custom endpoint policy for Macie. If you attach this policy to your interface endpoint, it grants access to the listed Macie actions for all principals on all resources. It allows users connecting to Macie through the VPC to access findings data by using the Amazon Macie API.
+    
+    
+    {
+       "Statement": [
+          {
+             "Principal": "*",
+             "Effect": "Allow",
+             "Action": [
+                "macie2:GetFindings",
+                "macie2:GetFindingStatistics",
+                "macie2:ListFindings"
+             ],
+             "Resource": "*"
+          }
+       ]
+    }
+
+To also allow users to access findings data or perform other actions by using the Amazon Macie console, the policy should also grant access to the `macie2:GetMacieSession` action, for example:
+    
+    
+    {
+       "Statement": [
+          {
+             "Principal": "*",
+             "Effect": "Allow",
+             "Action": [
+                "macie2:GetMacieSession",
+                "macie2:GetFindings",
+                "macie2:GetFindingStatistics",
+                "macie2:ListFindings"
+             ],
+             "Resource": "*"
+          }
+       ]
+    }
+