Fix VPC Endpoints for Agents

Opportunity Name


Fix VPC Endpoints for Agents


AWS Resource Type




Opportunity Description


CloudFix will add CloudWatch-, SSM- and S3-related VPC endpoints to private VPC subnets attached to EC2 instances, so that the CloudWatch and SSM agents on those instances can reach the SSM and CloudWatch services.


Criteria for identifying the opportunity


For each VPC connected to an EC2 instance:

  • Look for private subnets (those without Internet access)

  • Check if VPC endpoints exist on those private subnets for the following SSM/CloudWatch services:

    • SSM

    • EC2 Messages

    • SSM Messages

    • Monitoring

    • S3

  • Add a VPC endpoint on the private subnet for any missing services, provided IP addresses are available.


Potential savings (range in % on annual basis)


This FF will not save money by itself. Instead, it increases cost by $87 per annum (infrastructure charges) for each VPC endpoint it creates. It can, however, unlock greater savings through improved Compute Optimizer recommendations (once the SSM Agent installs the CloudWatch Agent and the two communicate successfully). Those savings are expected to outweigh the added spend.


What happens when the Fixer is executed?


The fixer creates the missing VPC endpoints and configures them appropriately.
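The detection criteria above and the fixer's create step can be shown together in code. The following is an added example, not CloudFix's own code: it takes inventory dicts shaped like the EC2 DescribeSubnets, DescribeRouteTables and DescribeVpcEndpoints responses (all sample IDs below are constructed), treats a subnet as private when its route table has no route to an internet gateway or NAT gateway, checks which of the five services already have a reachable endpoint (interface endpoints by subnet, the S3 gateway endpoint by route table), counts the free IPs the missing interface endpoints would consume, and builds the parameters that a `create_vpc_endpoint` call would need. The mapping of "SSM Messages" to the `ssmmessages` service and the interpretation of "no Internet access" are assumptions of this example; no AWS API is called.

```python
"""Find private subnets missing the VPC endpoints SSM/CloudWatch agents need, and
build CreateVpcEndpoint parameters for the gaps. Example code; sample data is constructed."""
from typing import Dict, List, Optional

# Interface endpoints the agents talk to; each consumes one IP address per subnet.
AGENT_INTERFACE_SERVICES = ("ssm", "ssmmessages", "ec2messages", "monitoring")
# S3 is normally a Gateway endpoint: attached to a route table, consumes no IP.
S3_SERVICE = "s3"


def service_short_name(full_name: str) -> str:
    """'com.amazonaws.us-east-1.ssmmessages' -> 'ssmmessages'."""
    return full_name.rsplit(".", 1)[-1]


def route_table_for_subnet(subnet: Dict, route_tables: List[Dict]) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_private(route_table: Dict) -> bool:
    """Private here = no route via an internet gateway (igw-...) or a NAT gateway."""
    for route in route_table.get("Routes", []):
        if str(route.get("GatewayId", "")).startswith("igw-") or route.get("NatGatewayId"):
            return False
    return True


def missing_agent_endpoints(subnets: List[Dict], route_tables: List[Dict],
                            endpoints: List[Dict]) -> Dict[str, Dict]:
    """Per private subnet: services without a reachable endpoint, IPs the fix needs,
    and whether the subnet has enough free addresses to add them."""
    report = {}
    for subnet in subnets:
        rt = route_table_for_subnet(subnet, route_tables)
        if rt is None or not is_private(rt):
            continue
        present = set()
        for ep in endpoints:
            if ep["VpcId"] != subnet["VpcId"]:
                continue
            svc = service_short_name(ep["ServiceName"])
            if ep["VpcEndpointType"] == "Interface" and subnet["SubnetId"] in ep.get("SubnetIds", []):
                present.add(svc)
            elif ep["VpcEndpointType"] == "Gateway" and rt["RouteTableId"] in ep.get("RouteTableIds", []):
                present.add(svc)
        missing = [s for s in AGENT_INTERFACE_SERVICES + (S3_SERVICE,) if s not in present]
        ips_needed = sum(1 for s in missing if s != S3_SERVICE)
        report[subnet["SubnetId"]] = {
            "missing": missing,
            "ips_needed": ips_needed,
            "can_add": subnet["AvailableIpAddressCount"] >= ips_needed,
            "route_table": rt["RouteTableId"],
        }
    return report


def create_endpoint_params(region: str, vpc_id: str, subnet_id: str,
                           route_table_id: str, service: str) -> Dict:
    """Keyword arguments for ec2.create_vpc_endpoint for one missing service. Interface
    endpoints enable private DNS so the agents' default service hostnames resolve to them."""
    params = {"VpcId": vpc_id, "ServiceName": f"com.amazonaws.{region}.{service}"}
    if service == S3_SERVICE:
        params.update(VpcEndpointType="Gateway", RouteTableIds=[route_table_id])
    else:
        params.update(VpcEndpointType="Interface", SubnetIds=[subnet_id], PrivateDnsEnabled=True)
    return params


# Constructed sample inventory (fake IDs): one public and two private subnets in one VPC.
REGION = "us-east-1"
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub", "VpcId": "vpc-sample", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-priv-a", "VpcId": "vpc-sample", "AvailableIpAddressCount": 50},
    {"SubnetId": "subnet-priv-b", "VpcId": "vpc-sample", "AvailableIpAddressCount": 2},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-sample", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-sample", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-sample"}]},
    {"RouteTableId": "rtb-priv", "VpcId": "vpc-sample", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-sample", "ServiceName": f"com.amazonaws.{REGION}.ssm",
     "VpcEndpointType": "Interface", "SubnetIds": ["subnet-priv-a"]},
    {"VpcId": "vpc-sample", "ServiceName": f"com.amazonaws.{REGION}.ssmmessages",
     "VpcEndpointType": "Interface", "SubnetIds": ["subnet-priv-a"]},
    {"VpcId": "vpc-sample", "ServiceName": f"com.amazonaws.{REGION}.s3",
     "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-priv"]},
]

if __name__ == "__main__":
    report = missing_agent_endpoints(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS)
    for subnet_id, info in report.items():
        print(subnet_id, info)
        if info["can_add"]:
            for svc in info["missing"]:
                print("  would create:", create_endpoint_params(REGION, "vpc-sample", subnet_id, info["route_table"], svc))
```

With the sample data, `subnet-pub` is skipped as public, `subnet-priv-a` is short only `ec2messages` and `monitoring` (two free IPs needed, fifty available), and `subnet-priv-b` falls back to the main route table, lacks all five services (the S3 gateway endpoint is attached to a different route table) and has only two free addresses for the four interface endpoints it would need, so the report flags it as not fixable until addresses are freed. The rollback described further down is the inverse of `create_endpoint_params`: deleting exactly the endpoints this report would have created.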


Is it possible to roll back once CloudFix implements the fixer?


Yes. The customer can roll back manually by deleting the newly created VPC endpoints.


Can CloudFix implement the fix automatically once I accept the recommendation?




Does this fix require downtime?




Additional Resources


