Policy Agent - Custom VPC Endpoint Hostname Configuration
The Policy Agent uses default endpoint hostnames to communicate with other AWS services (for example, secretsmanager.amazonaws.com). This configuration will only work in VPCs where Amazon-provided DNS is available (default VPC configuration with private DNS option enabled for the endpoint). If your VPC uses custom DNS, follow the instructions below to configure the Policy Agent Lambda to use custom endpoint hostnames.
Note
This configuration is only available with Cloud Protect version 1.5.0 or higher. For upgrade instructions, refer to Upgrading to the Latest Version.
Identify DNS Hostnames
To identify DNS hostnames:
1. From the AWS console, select VPC > Endpoints.
2. Select the Secrets Manager endpoint from the list of endpoints.
3. Under Details > DNS Names, note the private endpoint DNS name, prefixing it with https://.
   For example, https://vpce-1234-4pzomrye.kms.us-west-1.vpce.amazonaws.com
4. In the same way, note down the DNS names for the KMS and Lambda endpoints:
   AWS_SECRETSMANAGER_ENDPOINT: https://_________________
   AWS_KMS_ENDPOINT: https://_________________
   AWS_LAMBDA_ENDPOINT: https://_________________
Update the Policy Agent Lambda configuration
To update the Policy Agent Lambda configuration:
1. From the AWS console, navigate to Lambda and select the Policy Agent Lambda function.
2. Select the Configuration section and choose Environment variables.
3. Select Edit and add the following environment variables, using the endpoint URLs recorded in steps 3-4 as their values:
   Parameter                        Value
   AWS_SECRETSMANAGER_ENDPOINT_URL  <AWS_SECRETS_ENDPOINT>
   AWS_KMS_ENDPOINT_URL             <AWS KMS ENDPOINT>
   AWS_LAMBDA_ENDPOINT_URL          <AWS LAMBDA ENDPOINT>
4. Click Save and run the Lambda. The Lambda will now use the endpoints you have just configured.
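The procedure above leaves the Lambda with three environment variables that have to become SDK endpoint overrides. The Python below is an added example and not the Policy Agent's own code: it reads those variables, checks that each value is an https URL naming a private VPC endpoint for the expected service and that all three sit in one region (the usual mistakes are a missing https:// prefix or pasting the hostname of a different service's endpoint), and builds the endpoint_url keyword argument that a boto3 client accepts. The mapping from variable name to service label and the endpoint ids in SAMPLE_ENV are constructed assumptions for the example.

```python
import os
from urllib.parse import urlparse

# Assumed mapping from the configuration table's variable names to the service
# label that appears inside a private VPC endpoint DNS name.
ENDPOINT_VARS = {
    "AWS_SECRETSMANAGER_ENDPOINT_URL": "secretsmanager",
    "AWS_KMS_ENDPOINT_URL": "kms",
    "AWS_LAMBDA_ENDPOINT_URL": "lambda",
}

VPCE_SUFFIX = ".vpce.amazonaws.com"


def parse_vpce_url(url):
    """Return (service, region) parsed from an interface endpoint URL.

    Accepts only https URLs whose host has the layout
    vpce-<id>-<suffix>.<service>.<region>.vpce.amazonaws.com
    (zonal names such as vpce-<id>-<suffix>-<az> fit the same layout).
    Raises ValueError with a message naming the defect otherwise.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"{url!r}: scheme must be https (missing https:// prefix?)")
    host = parsed.hostname or ""
    if not host.endswith(VPCE_SUFFIX):
        raise ValueError(f"{url!r}: host is not a private VPC endpoint name")
    labels = host[: -len(VPCE_SUFFIX)].split(".")
    if len(labels) != 3 or not labels[0].startswith("vpce-"):
        raise ValueError(f"{url!r}: unexpected VPC endpoint hostname layout")
    _endpoint_id, service, region = labels
    return service, region


def validate_endpoints(env):
    """Check every endpoint variable present in `env` (a mapping like os.environ).

    Returns {variable: url} for the configured, well-formed values. Raises
    ValueError on a malformed URL, on a value that names a different service
    than its variable, or when the endpoints are spread across regions.
    Unset variables are skipped: the SDK then keeps its default hostname.
    """
    regions = set()
    accepted = {}
    for var, expected_service in ENDPOINT_VARS.items():
        url = env.get(var)
        if not url:
            continue
        service, region = parse_vpce_url(url)
        if service != expected_service:
            raise ValueError(
                f"{var} points at the {service} endpoint, expected {expected_service}"
            )
        regions.add(region)
        accepted[var] = url
    if len(regions) > 1:
        raise ValueError(f"endpoints span several regions: {sorted(regions)}")
    return accepted


def client_kwargs(env, var):
    """Keyword arguments for a boto3 client built from one endpoint variable.

    Usage (not executed here): boto3.client("kms", **client_kwargs(os.environ,
    "AWS_KMS_ENDPOINT_URL")). Returns {} when the variable is unset so the SDK
    falls back to the public/default endpoint name.
    """
    accepted = validate_endpoints(env)
    return {"endpoint_url": accepted[var]} if var in accepted else {}


# Constructed sample configuration; the endpoint ids are placeholders, not real resources.
SAMPLE_ENV = {
    "AWS_SECRETSMANAGER_ENDPOINT_URL": "https://vpce-0123abcd-example1.secretsmanager.us-west-1.vpce.amazonaws.com",
    "AWS_KMS_ENDPOINT_URL": "https://vpce-0123abcd-example2.kms.us-west-1.vpce.amazonaws.com",
    "AWS_LAMBDA_ENDPOINT_URL": "https://vpce-0123abcd-example3.lambda.us-west-1.vpce.amazonaws.com",
}

if __name__ == "__main__":
    # Prefer real values from the process environment, fall back to the sample.
    env = {var: os.environ.get(var, SAMPLE_ENV[var]) for var in ENDPOINT_VARS}
    for var, url in validate_endpoints(env).items():
        print(f"{var} -> {url}")
```

Running the check once before the first deployment catches the two configuration errors that otherwise surface only as connection timeouts or TLS hostname failures from inside the VPC.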