I was wondering if it is possible to create a Resource in my CloudFormation file to create a VPC Endpoint for SQS. I was able to do this for SQS and DynamoDB, but I believe it is because they were Gateway endpoints.
For now I have defined my SQS resource as:
SQSEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: "2012-10-17"   # quoted so YAML does not parse it as a date
      Statement:
        - Effect: Allow
          Principal: '*'
          Action:
            - 'sqs:*'
          Resource:
            - '*'
    ServiceName: !Join
      - ''
      - - com.amazonaws.
        - !Ref 'AWS::Region'
        - .sqs
    SubnetIds:
      - !Ref PrivateSubnet
      - !Ref PublicSubnet
    VpcId: !Ref 'VPC'
    VpcEndpointType: Interface
Though, when I try to create the stack I get the error:
It seems like it is possible from reading this blog post from AWS. Though I can't find any examples or documentation. Any ideas?
So to sum it all up:
SQSEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    ServiceName: !Join
      - ''
      - - com.amazonaws.
        - !Ref 'AWS::Region'
        - .sqs
    SubnetIds:
      - !Ref PrivateSubnet
    VpcId: !Ref 'VPC'
    VpcEndpointType: Interface
    SecurityGroupIds:
      - !Ref PrivateSubnetInstanceSG # has to allow traffic from your VPC
    PrivateDnsEnabled: true
Background
I figured it out: for DynamoDB and S3, which use Gateway Endpoints, the PolicyDocument property has to be defined. For all other services, this doesn't need to be defined. So for SQS, first I thought all that is needed is:
SQSEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    ServiceName: !Join
      - ''
      - - com.amazonaws.
        - !Ref 'AWS::Region'
        - .sqs
    SubnetIds:
      - !Ref PrivateSubnet
      - !Ref PublicSubnet
    VpcId: !Ref 'VPC'
    VpcEndpointType: Interface
But that still wasn't working; even though the interface endpoint was set up, I had to:
1. set the PrivateDnsEnabled property to true, so that you can use the AWS CLI: the AWS CLI uses the public endpoint, and setting PrivateDnsEnabled allows the private endpoint to automatically be mapped to the public one
2. set the SecurityGroupIds to have a security group that allows inbound traffic from your VPC. If this isn't set, the default security group is used and it only allows inbound traffic from sources that have the default security group, meaning that SQS won't be able to send traffic back to your instance
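As an added example (not part of the question or the answer above), here is the complete pattern the answer describes, with the security group declared in the same template rather than referenced by name: HTTPS inbound is allowed only from the VPC's own CIDR, PrivateDnsEnabled is on, and the endpoint carries a scoped policy instead of the question's Principal '*' / sqs:* allow-all. The VpcCidr parameter, the SQSEndpointSG resource name and the list of SQS actions are assumptions for this example; VPC and PrivateSubnet are the names used on this page.

```yaml
# Added example, not the question's or answer's template.
# Assumed: a VpcCidr parameter matching the VPC's CIDR; the VPC and
# PrivateSubnet resources referenced on this page already exist in the stack.
Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16   # assumed value; must match the VPC's CIDR block

Resources:
  # Security group attached to the endpoint's network interfaces.
  # Only TCP/443 from inside the VPC is allowed in, so instances in the VPC
  # can reach the endpoint and the endpoint can answer them (stateful SG).
  SQSEndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the SQS interface endpoint from inside the VPC only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  SQSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs
      VpcId: !Ref VPC
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SQSEndpointSG
      # Lets the public SQS hostname the AWS CLI/SDKs use resolve to the
      # endpoint's private IPs inside the VPC.
      PrivateDnsEnabled: true
      # Optional endpoint policy (interface endpoints accept one too):
      # limit traffic through this endpoint to queues in this account and
      # to the actions a workload actually needs (assumed action list).
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - sqs:SendMessage
              - sqs:ReceiveMessage
              - sqs:DeleteMessage
              - sqs:GetQueueUrl
              - sqs:GetQueueAttributes
            Resource: !Sub arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:*
```

The endpoint policy does not replace IAM or queue policies; it is an extra gate on what can pass through this particular endpoint, so an overly broad '*' policy there only widens the blast radius of a compromised instance in the VPC.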