# AWS Management Console Private Access — implementation checklist

Companion to [AWS Management Console Private Access (June 2026): Console Without Internet](/blog/aws-management-console-private-access/). AWS [announced](https://aws.amazon.com/about-aws/whats-new/2026/06/aws-management-console-private/) air-gapped console access on **June 15, 2026**.

## Phase 0 — Scope and cost (week 0)

- [ ] Download Region config JSON: `https://configuration.private-access.console.amazonaws.com/us-east-1.config.json` (repeat per workload Region)
- [ ] Count `ServiceName` entries → interface VPC endpoints required for full console parity
- [ ] Run [`private-access-cost-model.csv`](private-access-cost-model.csv) — get finance sign-off on pilot vs full-Region endpoint count
- [ ] Identify operator personas (platform, security, break-glass) and their top 10 service consoles
- [ ] Document auditor question: *"Does any console traffic traverse the public internet?"* — target answer: **no** (with documented docs/health exception)

## Phase 1 — Network (pilot VPC)

- [ ] Select pilot VPC (private subnets only; no NAT required for console path post–June 2026)
- [ ] Create interface VPC endpoints in **us-east-1** for:
  - [ ] `com.amazonaws.us-east-1.console`
  - [ ] `com.amazonaws.us-east-1.signin`
  - [ ] Pilot service APIs (see adoption matrix — typically ec2, s3, rds, lambda, ecs, eks, kms, secretsmanager, monitoring, sts)
- [ ] Repeat console + signin + pilot services in **one workload Region** if operators manage resources there
- [ ] Attach security groups to the endpoint ENIs allowing **inbound** HTTPS (443) from operator subnets (and from on-prem ranges if operators arrive over VPN/Direct Connect)
- [ ] Enable `enableDnsSupport` and `enableDnsHostnames` on the VPC

## Phase 2 — DNS

- [ ] Create **two** private hosted zones per Region (per [AWS DNS guide](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/dns-configuration-console-signin.html)):
  - [ ] `signin.aws.amazon.com` zone
  - [ ] `console.aws.amazon.com` zone (Regional subdomains)
- [ ] Add a CNAME record for each name in the config JSON `PrivateIpv4DnsNames`, pointing at the matching endpoint's Regional DNS name (from `aws ec2 describe-vpc-endpoints`, `DnsEntries`)
- [ ] **Do not** wildcard-route all `*.aws.amazon.com` to private zones — breaks docs/health widgets
- [ ] Route 53 Resolver **inbound endpoint** in pilot VPC if operators start on-premises
- [ ] Forward on-prem DNS queries for console/signin subdomains to Resolver inbound IPs

## Phase 3 — Authorization

- [ ] VPC endpoint policy: allow-list production account IDs / organization IDs
- [ ] IAM: least-privilege console roles per persona (endpoint policy ≠ IAM permission)
- [ ] SCP (optional): deny console/API actions unless `aws:SourceVpc` or `aws:SourceVpce` matches the pilot VPC/endpoints. `aws:SourceIp` is not present on requests that arrive through a VPC endpoint (use `aws:VpcSourceIp` for IP conditions there), and the same condition also blocks CLI/SDK calls from outside the VPC, so scope the statement carefully
- [ ] Break-glass role: MFA required, CloudTrail alarm on `AssumeRole` into that role
- [ ] Test **deny** path — confirm operators see expected error when account not on allow list
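An added example (not AWS code) for the endpoint-policy and deny-path items above: it builds the allow-list policy for the `console` and `signin` endpoints and dry-runs the allow/deny decision before the policy is attached. The policy shape (Principal `*`, Action `*`, a `StringEquals` condition on `aws:PrincipalAccount` or `aws:PrincipalOrgID`) follows the documented pattern for console Private Access; the account and org IDs are constructed, and the evaluator deliberately understands only the `StringEquals` conditions this policy emits, so it is a pre-flight check, not a replacement for testing against the real endpoint.

```python
"""Build the console/signin VPC endpoint policy and dry-run its allow/deny path.

Added example, not AWS code. Only the StringEquals conditions this policy
emits are evaluated here; AWS performs the real evaluation.
"""
import json

# Constructed allow-list: two production accounts and one organization.
PROD_ACCOUNTS = ["111122223333", "444455556666"]
PROD_ORGS = ["o-exampleorgid"]


def endpoint_policy(account_ids=(), org_ids=()):
    """One Allow statement per condition key so accounts OR orgs match.

    Putting both keys in a single StringEquals block would require the
    caller to satisfy both, which is not what an allow-list wants.
    """
    statements = []
    for key, values in (("aws:PrincipalAccount", account_ids),
                        ("aws:PrincipalOrgID", org_ids)):
        if values:
            statements.append({
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {key: sorted(values)}},
            })
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(policy, principal_account, principal_org=None):
    """True if some Allow statement's StringEquals conditions all match.

    A context key that is absent (e.g. no org ID) fails its condition, so
    an account outside the allow-list lands on the deny path by default.
    """
    context = {"aws:PrincipalAccount": principal_account,
               "aws:PrincipalOrgID": principal_org}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in allowed for key, allowed in conds.items()):
            return True
    return False


if __name__ == "__main__":
    policy = endpoint_policy(PROD_ACCOUNTS, PROD_ORGS)
    print(json.dumps(policy, indent=2))
    # Deny-path rehearsal for the Phase 3/4 test: an account that is in
    # neither list must be refused.
    for account, org in [("111122223333", None),
                         ("999999999999", "o-exampleorgid"),
                         ("999999999999", None)]:
        print(account, org, "->", "allow" if is_allowed(policy, account, org) else "deny")
```

Write the printed document to a file and attach it to both endpoints with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <vpce-id> --policy-document file://policy.json`; the endpoint policy decides whose credentials may pass through the endpoint, and the operator's IAM role still decides what those credentials can do.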

## Phase 4 — Validate

- [ ] From pilot subnet **without** internet route: sign in at Regional console URL
- [ ] Open each pilot service console (EC2, S3, RDS, …) — confirm no browser errors
- [ ] Confirm `docs.aws.amazon.com` loads (public path) while service consoles stay private
- [ ] CloudTrail: verify `ConsoleLogin` and service API calls carry the expected `vpcEndpointId` and a VPC source address; a record with no `vpcEndpointId` took the public path
- [ ] Run denial test from non-allow-listed account
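An added example (not AWS code) for the CloudTrail validation step: it classifies records from the pilot window by whether they arrived through one of the expected endpoints and lists what must be explained before the auditor answer can be "no". The records and endpoint IDs are constructed. It assumes that calls arriving through an interface endpoint carry `vpcEndpointId` in the record (documented for API calls); confirm on your own trail that `ConsoleLogin` events from the private path carry it too before relying on that field.

```python
"""Classify CloudTrail records from the pilot window as private or public.

Added example, not AWS code. ASSUMPTION: records for calls that arrive via
an interface endpoint carry "vpcEndpointId"; verify this on ConsoleLogin
events from your own trail during Phase 4.
"""
import json

# Constructed: the IDs of the console and signin endpoints in the pilot VPC.
EXPECTED_VPCE = {"vpce-0a1b2c3d4e5f60789", "vpce-0fedcba9876543210"}

# Constructed records, trimmed to the fields the check uses.
SAMPLE_TRAIL = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "10.20.1.17", "vpcEndpointId": "vpce-0fedcba9876543210",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PlatformOperator/alice"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "10.20.1.17", "vpcEndpointId": "vpce-0a1b2c3d4e5f60789",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PlatformOperator/alice"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/BreakGlass/bob"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "10.20.1.40", "vpcEndpointId": "vpce-0000000000000000",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Dev/carol"}},
]

# Constructed shape of `aws cloudtrail lookup-events` output: each
# Events[].CloudTrailEvent is the full record serialised as a JSON string.
LOOKUP_PAYLOAD = json.dumps(
    {"Events": [{"CloudTrailEvent": json.dumps(r)} for r in SAMPLE_TRAIL]})


def from_lookup_events(payload_text):
    """Unwrap lookup-events output into plain record dicts."""
    return [json.loads(e["CloudTrailEvent"])
            for e in json.loads(payload_text)["Events"]]


def classify(record, expected_vpce):
    """'private' via an expected endpoint, 'unexpected-endpoint' via some other
    endpoint, else 'public'. Source IP alone is not trusted: a private address
    can still reach the public console through NAT."""
    vpce = record.get("vpcEndpointId")
    if vpce is None:
        return "public"
    return "private" if vpce in expected_vpce else "unexpected-endpoint"


def findings(records, expected_vpce):
    """Records to explain: anything not 'private', plus every break-glass
    login, which is reviewed regardless of path."""
    out = []
    for rec in records:
        path = classify(rec, expected_vpce)
        arn = rec["userIdentity"]["arn"]
        if path != "private" or "/BreakGlass/" in arn:
            out.append((rec["eventName"], arn, rec["sourceIPAddress"], path))
    return out


if __name__ == "__main__":
    for item in findings(from_lookup_events(LOOKUP_PAYLOAD), EXPECTED_VPCE):
        print(*item)
```

Pull the real input with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin` and feed its JSON to `from_lookup_events`; the `unexpected-endpoint` class is the interesting one in a multi-VPC estate, since it means someone has a console endpoint you did not provision under this runbook.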

## Phase 5 — Operate

- [ ] Calendar reminder: **monthly** pull of `configuration.private-access.console.amazonaws.com/{region}.config.json`
- [ ] Diff new `ServiceName` entries → ticket to provision endpoints + DNS records
- [ ] Quarterly: re-run cost model if operator console usage expands to new services
- [ ] Document runbook link in security compliance packet ([Security Hub](/blog/how-to-set-up-aws-security-hub-compliance-monitoring/), auditor requests)
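An added example (not AWS code) covering the Phase 0 count of `ServiceName` entries, the Phase 1/2 endpoint and CNAME planning, and the Phase 5 monthly diff in one script. The two config snapshots and the `describe-vpc-endpoints` mapping are constructed; the JSON shape (a top-level list of objects with `ServiceName` and `PrivateIpv4DnsNames`) is an assumption modelled on the field names this checklist quotes, so check it against a real pull of `<region>.config.json` before wiring it into a ticket.

```python
"""Parse a Region config JSON, plan endpoints and CNAMEs, diff two monthly pulls.

Added example, not AWS code. ASSUMPTION: the config is a JSON list of objects
carrying "ServiceName" and "PrivateIpv4DnsNames"; verify against a real pull.
"""
import json

# Constructed snapshots: last month's pull and this month's. Endpoint service
# names follow the com.amazonaws.<region>.<service> pattern.
LAST_MONTH = json.dumps([
    {"ServiceName": "com.amazonaws.us-east-1.console",
     "PrivateIpv4DnsNames": ["us-east-1.console.aws.amazon.com"]},
    {"ServiceName": "com.amazonaws.us-east-1.signin",
     "PrivateIpv4DnsNames": ["us-east-1.signin.aws.amazon.com"]},
    {"ServiceName": "com.amazonaws.us-east-1.ec2",
     "PrivateIpv4DnsNames": ["ec2.us-east-1.amazonaws.com"]},
])
THIS_MONTH = json.dumps(json.loads(LAST_MONTH) + [
    {"ServiceName": "com.amazonaws.us-east-1.kms",
     "PrivateIpv4DnsNames": ["kms.us-east-1.amazonaws.com"]},
    {"ServiceName": "com.amazonaws.us-east-1.secretsmanager",
     "PrivateIpv4DnsNames": ["secretsmanager.us-east-1.amazonaws.com"]},
])

# Constructed summary of `aws ec2 describe-vpc-endpoints`: services that
# already have an endpoint, mapped to that endpoint's Regional DNS name.
PROVISIONED = {
    "com.amazonaws.us-east-1.console":
        "vpce-0a1b2c3d4e5f60789-abcd1234.console.us-east-1.vpce.amazonaws.com",
    "com.amazonaws.us-east-1.signin":
        "vpce-0fedcba9876543210-abcd1234.signin.us-east-1.vpce.amazonaws.com",
    "com.amazonaws.us-east-1.ec2":
        "vpce-09c8d7e6f5a4b3c21-abcd1234.ec2.us-east-1.vpce.amazonaws.com",
}


def service_names(config_text):
    """Set of ServiceName values in one config document (Phase 0 count)."""
    return {entry["ServiceName"] for entry in json.loads(config_text)}


def diff_services(old_text, new_text):
    """(added, removed) service names between two pulls (Phase 5 monthly diff)."""
    old, new = service_names(old_text), service_names(new_text)
    return sorted(new - old), sorted(old - new)


def dns_plan(config_text, provisioned):
    """CNAME records to create as (private name, endpoint DNS name) pairs.

    Services with no provisioned endpoint are returned separately so the DNS
    change never points a console hostname at an endpoint that does not exist.
    """
    records, missing = [], []
    for entry in json.loads(config_text):
        target = provisioned.get(entry["ServiceName"])
        if target is None:
            missing.append(entry["ServiceName"])
            continue
        for name in entry["PrivateIpv4DnsNames"]:
            records.append((name, target))
    return records, sorted(missing)


if __name__ == "__main__":
    added, removed = diff_services(LAST_MONTH, THIS_MONTH)
    print(f"{len(service_names(THIS_MONTH))} endpoints for full parity; "
          f"new this month: {added}; dropped: {removed}")
    records, missing = dns_plan(THIS_MONTH, PROVISIONED)
    for name, target in records:
        print(f"CNAME {name} -> {target}")
    print("ticket: provision endpoint + CNAME for", missing)
```

Each endpoint's names go into the matching private hosted zone (`console.aws.amazon.com`, `signin.aws.amazon.com`, or the service's own `amazonaws.com` zone); the `missing` list is exactly the ticket Phase 5 asks for.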

## Rollback

- [ ] Remove private hosted zone associations (traffic reverts to public DNS)
- [ ] Delete interface VPC endpoints (stops PrivateLink charges)
- [ ] Re-enable prior break-glass path (VPN to public console or bastion CLI) — test before decommissioning pilot
