Scenarios
Permission management controls the access of a VPC endpoint in one account to a VPC endpoint service in another.
After a VPC endpoint service is created, you can add authorized account IDs to its whitelist or delete them from it.
- If the whitelist is empty, access from a VPC endpoint in another account is not allowed.
- If an authorized account ID is already in the whitelist, you can use this account to create a VPC endpoint for connecting to the VPC endpoint service.
- If an account ID is not in the whitelist, you cannot use this account to create a VPC endpoint for connecting to the VPC endpoint service.
This section describes how to add or delete a whitelist record for a VPC endpoint service.
Add a Whitelist Record
- Log in to the management console.
- Click the icon in the upper left corner and select the required region and project.
- Click Service List and choose Networking > VPC Endpoint.
- In the navigation pane on the left, choose VPC Endpoint > VPC Endpoint Services.
- In the VPC endpoint service list, locate the VPC endpoint service and click its name.
- On the displayed page, select the Permission Management tab and click Add to Whitelist.
- Enter an authorized account ID in the required format and click OK.
Figure 1 Add to Whitelist
Delete a Whitelist Record
- Log in to the management console.
- Click the icon in the upper left corner and select the required region and project.
- Click Service List and choose Networking > VPC Endpoint.
- In the navigation pane on the left, choose VPC Endpoint > VPC Endpoint Services.
- In the VPC endpoint service list, locate the VPC endpoint service and click its name.
- On the displayed page, click the Permission Management tab, locate the account ID, and click Delete in the Operation column.
To delete multiple whitelist records, select the account IDs to be deleted and click Delete in the upper left corner.
- Click Yes.