widdix / aws-cf-templates

Free Templates for AWS CloudFormation
https://templates.cloudonaut.io/
Apache License 2.0
2.75k stars 1.38k forks

Update list of interface gateways in `vpc/vpc-endpoint` #430

Closed ambsw-technology closed 4 years ago

ambsw-technology commented 4 years ago

TemplateID: vpc/vpc-endpoint
Region: us-east-1

The command now shows (in addition to the existing services):

"com.amazonaws.us-east-1.access-analyzer",
"com.amazonaws.us-east-1.acm-pca",
"com.amazonaws.us-east-1.application-autoscaling",
"com.amazonaws.us-east-1.appmesh-envoy-management",
"com.amazonaws.us-east-1.appstream.api",
"com.amazonaws.us-east-1.appstream.streaming",
"com.amazonaws.us-east-1.athena",
"com.amazonaws.us-east-1.autoscaling",
"com.amazonaws.us-east-1.autoscaling-plans",
"com.amazonaws.us-east-1.awsconnector",
"com.amazonaws.us-east-1.cassandra",
"com.amazonaws.us-east-1.clouddirectory",
"com.amazonaws.us-east-1.codeartifact.api",
"com.amazonaws.us-east-1.codeartifact.repositories",
"com.amazonaws.us-east-1.dataexchange",
"com.amazonaws.us-east-1.datasync",
"com.amazonaws.us-east-1.ebs",
"com.amazonaws.us-east-1.elasticbeanstalk",
"com.amazonaws.us-east-1.elasticbeanstalk-health",
"com.amazonaws.us-east-1.elasticfilesystem",
"com.amazonaws.us-east-1.elasticfilesystem-fips",
"com.amazonaws.us-east-1.elasticmapreduce",
"com.amazonaws.us-east-1.glue",
"com.amazonaws.us-east-1.qldb.session",
"com.amazonaws.us-east-1.rds-data",
"com.amazonaws.us-east-1.rekognition",
"com.amazonaws.us-east-1.rekognition-fips",
"com.amazonaws.us-east-1.sms-fips",
"com.amazonaws.us-east-1.sns",
"com.amazonaws.us-east-1.states",
"com.amazonaws.us-east-1.storagegateway",
"com.amazonaws.us-east-1.sts",
"com.amazonaws.us-east-1.synthetics",
"com.amazonaws.us-east-1.workspaces"

... which will need to be added to the allowed values.

I also wonder if you should remove s3 to force people to use the dedicated template. I assume a dedicated s3 template was created since RouteTableIds is required (or that's what I gather from some links I was reading) and not supported in the base template. Is dynamodb the same?

P.S. Note the sagemaker subdomain on notebook:

"aws.sagemaker.us-east-1.notebook"

I don't think this is compatible with the current service string creator.

michaelwittig commented 4 years ago

see #432

I would recommend not to use an interface endpoint for s3 and dynamodb but if people prefer to make Mr. Bezos even richer they are allowed to do so :)

I asked support about why SageMaker follows a different approach than the other 73.

ambsw-technology commented 4 years ago

In an effort to create defense in depth, I ignored your advice in #427 and tried to use a very tight ACL on my private subnet. I was having issues with my ECS deployment. I knew Fargate required S3 to store docker layers and eventually figured out that the S3 Gateway requires S3 IP addresses in the subnet ACL.

But first I tried to get around it by using an S3 Interface. I figured an interface would get an IP address within the subnet and I could leave the ACL in place. When I tried to use an s3 Interface, however, I actually got an error:

The Vpc Endpoint Service 'com.amazonaws.us-east-1.s3' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidServiceName; Request ID: 2a8defff-0fb0-4aa9-8f1d-a372a9208a89)

I have a support ticket open for my ECS issue. In addition to explaining my diagnosis, I'm going to confirm that this is not possible. However, it's likely that you do need to remove it from this template. I suggest commenting it out and adding a comment right above it stating that "S3 does not support the Interface mode; use endpoint-s3.yaml to deploy a Gateway". It will both explain the absence to users and remind you not to restore it in the future.

ambsw-technology commented 4 years ago

Support confirmed that S3 is only available in Gateway mode. Looks like DynamoDB is the same so both need to be excluded from this "Interface" version of endpoints.
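The thread raises two maintenance problems for the template's `AllowedValues` list: the SageMaker name `aws.sagemaker.us-east-1.notebook` does not follow the `com.amazonaws.<region>.<service>` scheme a `!Sub`-style string builder assumes, and `s3` / `dynamodb` exist only as Gateway endpoints. The script below is an added example, not code from the widdix/aws-cf-templates project. It takes a constructed subset of the service names listed in this issue, parses each into a region-agnostic service key, rejects names the builder cannot reproduce, and drops the Gateway-only services. The `GATEWAY_ONLY` set and the region pattern in `_STANDARD` are assumptions made for the example.

```python
"""Derive AllowedValues for an interface-endpoint CloudFormation template.

Added example (not part of widdix/aws-cf-templates). Input is the list of
service names that `aws ec2 describe-vpc-endpoint-services` reports; here a
constructed subset copied from the issue text.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of the names quoted in the issue, plus the two
# Gateway-only services that must not appear in the interface template.
SAMPLE_SERVICE_NAMES = [
    "com.amazonaws.us-east-1.access-analyzer",
    "com.amazonaws.us-east-1.appstream.api",
    "com.amazonaws.us-east-1.codeartifact.repositories",
    "com.amazonaws.us-east-1.s3",
    "com.amazonaws.us-east-1.dynamodb",
    "com.amazonaws.us-east-1.sts",
    "aws.sagemaker.us-east-1.notebook",
]

# Assumption: services confirmed in the thread as Gateway-only.
GATEWAY_ONLY = {"s3", "dynamodb"}

# Assumption: the naming scheme a template builder like
# !Sub 'com.amazonaws.${AWS::Region}.${Service}' can reproduce. The service
# part may itself contain dots (appstream.api, codeartifact.repositories).
_STANDARD = re.compile(
    r"^com\.amazonaws\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.(?P<service>[a-z0-9.-]+)$"
)


class EndpointService(NamedTuple):
    region: str
    service: str


def parse_service_name(name: str) -> Optional[EndpointService]:
    """Split a standard name into (region, service).

    Returns None for names with a different prefix (for example
    aws.sagemaker.<region>.notebook), which cannot be rebuilt from a
    region plus a service key.
    """
    m = _STANDARD.match(name)
    if not m:
        return None
    return EndpointService(m.group("region"), m.group("service"))


def build_service_name(region: str, service: str) -> str:
    """Mirror of what the template's string builder would emit."""
    return f"com.amazonaws.{region}.{service}"


def allowed_interface_services(
    names: Iterable[str], region: str
) -> Tuple[List[str], List[str]]:
    """Return (allowed, unsupported).

    allowed: sorted region-agnostic service keys fit for AllowedValues.
    unsupported: names the builder cannot reproduce (non-standard prefix
    or a different region), to be handled separately rather than silently
    dropped.
    """
    allowed: List[str] = []
    unsupported: List[str] = []
    for name in names:
        parsed = parse_service_name(name)
        if parsed is None or parsed.region != region:
            unsupported.append(name)
            continue
        if parsed.service in GATEWAY_ONLY:
            # Interface mode does not exist for these; skip them.
            continue
        # Round-trip check: the key must rebuild the exact original name.
        if build_service_name(region, parsed.service) != name:
            unsupported.append(name)
            continue
        allowed.append(parsed.service)
    return sorted(allowed), unsupported


if __name__ == "__main__":
    ok, bad = allowed_interface_services(SAMPLE_SERVICE_NAMES, "us-east-1")
    print("AllowedValues:", ok)
    print("Needs special handling:", bad)
```

Running it against the sample keeps `access-analyzer`, `appstream.api`, `codeartifact.repositories` and `sts`, drops `s3` and `dynamodb`, and reports the SageMaker notebook name as unsupported so it is not lost when the list is regenerated.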