reserved instanceAWS

Example AWS IAM role to create VPC endpoints

An example of an AWS IAM role with permissions to create VPC endpoints in your account to IBM® MQ as a Service Reserved Instances.

Specific role definition and permissions will be influenced by your security and compliance requirements.

  1. Create your IAM role (for example, MQ_SaaS_network_admin) by following the steps in the AWS documentation, see Create a role using custom trust policies.
    Ensure that your trust policy allows you to assume your role (you can restrict which IAM identities can assume your role).
    { 
        "Version": "2012-10-17", 
        "Statement": [{ 
            "Effect": "Allow", 
            "Principal": { 
                "AWS": "arn:aws:iam::<your_account_id>:root" 
            }, 
            "Action": "sts:AssumeRole" 
        }] 
    } 
  2. Open the role MQ_SaaS_network_admin:
    1. Go to the Permissions tab.
    2. Click Add permissions > Create inline policy
    3. Switch to JSON
    4. Paste the VPC endpoint policy, for example:
      { 
          "Version": "2012-10-17", 
          "Statement": [ 
              { 
                  "Sid": "CreateApprovedMQInterfaceEndpointsOnly", 
                  "Effect": "Allow", 
                  "Action": "ec2:CreateVpcEndpoint", 
                  "Resource": "*", 
                  "Condition": { 
                      "StringEquals": { 
                          "ec2:VpceServiceName": [ 
                              "com.amazonaws.vpce.REGION.vpce-svc-aaaa1111", 
                              "com.amazonaws.vpce.REGION.vpce-svc-bbbb2222", 
                              “com.amazonaws.vpce.REGION.vpce-svc-cccc3333" 
                          ] 
                      } 
                  } 
              }, 
              { 
                  "Sid": "ManageVpcEndpoints", 
                  "Effect": "Allow", 
                  "Action": [ 
                      "ec2:DeleteVpcEndpoints", 
                      "ec2:ModifyVpcEndpoint", 
                      "ec2:DescribeVpcEndpoints", 
                      "ec2:DescribeVpcEndpointConnections" 
                  ], 
                  "Resource": "*" 
              }, 
            { 
                  "Sid": "DiscoverEndpointServices", 
                  "Effect": "Allow", 
                  "Action": [ 
                      "ec2:DescribeVpcEndpointServices", 
                      "ec2:DescribeVpcEndpointServiceConfigurations", 
                      "ec2:DescribeVpcEndpointServicePermissions", 
                      "ec2:DescribeInstanceConnectEndpoints" 
                  ], 
                  "Resource": "*" 
              }, 
              { 
                  "Sid": "ReadOnlyVpcContext", 
                  "Effect": "Allow", 
                  "Action": [ 
                      "ec2:DescribeSubnets", 
                      "ec2:DescribeSecurityGroups", 
                      "ec2:DescribeRouteTables", 
                      "ec2:DescribeVpcs", 
                      "ec2:DescribeNetworkInterfaces", 
                      "ec2:DescribeAvailabilityZones" 
                  ], 
                  "Resource": "*" 
              }, 
              { 
                  "Sid": "TagVpcEndpointsOnly", 
                  "Effect": "Allow", 
                  "Action": [ 
                      "ec2:CreateTags", 
                      "ec2:DeleteTags", 
                      "ec2:DescribeTags" 
                  ], 
                  "Resource": "*" 
              }, 
              { 
                  "Sid": "Route53PrivateDnsAssociation", 
                  "Effect": "Allow", 
                  "Action": [ 
                      "route53:AssociateVPCWithHostedZone", 
                      "route53:DisassociateVPCFromHostedZone" 
                  ], 
                  "Resource": "*" 
              } 
          ] 
      } 
      • CreateApprovedMQInterfaceEndpointsOnly – Allows creation of VPC Endpoints only if they target one of the explicitly approved IBM MQ as a Service Reserved Instance’s endpoint service names (giving tight controls on which endpoint services can be used).
      • ManageOwnVpcEndpoints – Allows full lifecycle management of VPC endpoints (delete, modify, describe, view connections) .
      • DiscoverEndpointServices – Allows discovery of available AWS PrivateLink services and related configurations/permissions (read-only visibility into endpoint services).
      • ReadOnlyVpcContext – Allows read-only access to core VPC networking resources (subnets, security groups, route tables, VPCs, ENIs, AZs), this is needed to place VPC endpoints correctly.
      • TagVpcEndpointsOnly – Allows tagging operations but only for VPC endpoint resources. This prevents tagging of unrelated resource types.
      • Route53PrivateDnsAssociation – Allows associating or disassociating VPCs with private Route53 hosted zones (this enables private DNS resolution for endpoints/services).
  3. Give your user permission to assume the role. Complete the following steps in the AWS Console:
    1. Go to IAM > Users > your user
    2. Go to Permissions.
    3. Click Add permissions > Create inline policy
    4. Enter the following code in the JSON tab:
      { 
        "Version": "2012-10-17", 
        "Statement": [ 
          { 
            "Sid": "AllowAssumeMQNetworkAdminRole", 
            "Effect": "Allow", 
            "Action": "sts:AssumeRole", 
            "Resource": "arn:aws:iam::<your_account_id>:role/MQ_SaaS_network_admin" 
          } 
        ] 
      } 

Now you can allow-list the ARN of your AWS IAM role (for example, arn:aws:iam::<your_account_id>:role/MQ_SaaS_network_admin) in your IBM MQ as a Service Reserved Instance Private Inbound connection (see Step 1 -IBM MQ as a Service side (Provider) - Configure AWS service consumer ARNs in AWS private connectivity.

Only your allow-listed AWS IAM role is able to establish connections (create VPC endpoints) from your account to your IBM MQ as a Service Reserved Instance.