
6.1.2 Configuring IAM Policies for Endpoints for a Query PrivateLink

Subsequent steps in the deployment of a Query PrivateLink require the ability to create and delete VPC endpoints in your AWS account. This section helps you ensure that the desired principals in your AWS account have the permissions for those actions.

If you are already using AWS-managed IAM policies for permission management, check that your current AWS-managed IAM policies grant principals the permission to create and delete VPC endpoints. If not, add the appropriate managed policies to the principals you wish to authorize for VPC endpoint management. The following AWS-managed policies enable your IAM principals to create and delete endpoints:

  • NetworkAdministrator
  • AmazonVPCFullAccess and AmazonRoute53FullAccess

These AWS-managed policies grant broader permissions than those strictly required for deploying PrivateLinks. For enhanced security, grant least privilege to your IAM principals by using a customer-managed policy that permits only the CreateVpcEndpoint and DeleteVpcEndpoint actions.

You can also limit your IAM principals to only perform operations against a specific PrivateLink by specifying its service name (available on the Viewing PrivateLink Details page) with the following Condition:

"Condition": {
    "StringEquals": {
        "ec2:VpceServiceName": "<privatelink-service-name>"
    }
}

Or, you can restrict your principals to perform operations against all PrivateLinks in HeatWave on AWS by specifying the following service owner Condition:

"Condition": {
    "StringEquals": {
        "ec2:VpceServiceOwner": "612981981079"
    }
}
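A complete customer-managed policy that combines the least-privilege create/delete actions with the service-name Condition above, added here as an example and not part of the HeatWave on AWS documentation. Values in angle brackets are placeholders for your region, account ID and PrivateLink service name; the second statement is assumed to be needed because CreateVpcEndpoint is also authorized against the VPC, subnet and security-group resources named in the request, which do not carry the ec2:VpceServiceName key; the action names are the EC2 API names (the delete action is the plural DeleteVpcEndpoints).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageEndpointsForOneHeatWavePrivateLink",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteVpcEndpoints"
      ],
      "Resource": "arn:aws:ec2:<region>:<account-id>:vpc-endpoint/*",
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceName": "<privatelink-service-name>"
        }
      }
    },
    {
      "Sid": "NetworkResourcesReferencedByCreateVpcEndpoint",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:<region>:<account-id>:vpc/*",
        "arn:aws:ec2:<region>:<account-id>:subnet/*",
        "arn:aws:ec2:<region>:<account-id>:security-group/*"
      ]
    }
  ]
}
```

To scope the first statement to every PrivateLink in HeatWave on AWS instead of a single one, replace the ec2:VpceServiceName condition with the ec2:VpceServiceOwner condition shown above.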

See Control the service names that can be specified for VPC endpoint services.