Remove VPC Endpoint security group usage

farski · farski · commit cb1638646605 · 2025-11-10T15:56:05.000-05:00
diff --git a/spire/templates/apps-100A.yml b/spire/templates/apps-100A.yml
@@ -24,8 +24,6 @@ Parameters:
   VpcPrivateSubnet1Id: { Type: AWS::EC2::Subnet::Id }
   VpcPrivateSubnet2Id: { Type: AWS::EC2::Subnet::Id }
   VpcPrivateSubnet3Id: { Type: AWS::EC2::Subnet::Id }
-  KinesisStreamsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  StsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedMemcachedEndpointAddress: { Type: String }
   AmazonSesSmtpCredentialsGeneratorServiceToken: { Type: String }
   SharedEcsAsgInstanceSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
@@ -195,8 +193,6 @@ Resources:
         VpcPrivateSubnet1Id: !Ref VpcPrivateSubnet1Id
         VpcPrivateSubnet2Id: !Ref VpcPrivateSubnet2Id
         VpcPrivateSubnet3Id: !Ref VpcPrivateSubnet3Id
-        KinesisStreamsEndpointAccessSecurityGroupId: !Ref KinesisStreamsEndpointAccessSecurityGroupId
-        StsEndpointAccessSecurityGroupId: !Ref StsEndpointAccessSecurityGroupId
         ArrangementsDynamodbRegion: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_REGION
         ArrangementsDynamodbTableName: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_TABLE
         ArrangementsDynamodbAccessRoleArn: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_ACCESS_ROLE
diff --git a/spire/templates/apps-200A.yml b/spire/templates/apps-200A.yml
@@ -39,11 +39,6 @@ Parameters:
   AmazonSesSmtpCredentialsGeneratorServiceToken: { Type: String }
   EchoServiceToken: { Type: String }
   TransferServerIpFinderServiceToken: { Type: String }
-  EcsLaunchEndpointsAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  SystemManagerEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  KmsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  CloudWatchEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  EventBridgeEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedEcsAsgInstanceSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedMysqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   S3SigningUserName: { Type: String }
@@ -206,9 +201,6 @@ Resources:
         TransferServerIpFinderServiceToken: !Ref TransferServerIpFinderServiceToken
         S3SigningEndpointUrl: !Ref S3SigningEndpointUrl
         S3SigningAccessKeyId: !Ref S3SigningAccessKeyId
-        SystemManagerEndpointAccessSecurityGroupId: !Ref SystemManagerEndpointAccessSecurityGroupId
-        CloudWatchEndpointAccessSecurityGroupId: !Ref CloudWatchEndpointAccessSecurityGroupId
-        EventBridgeEndpointAccessSecurityGroupId: !Ref EventBridgeEndpointAccessSecurityGroupId
         SharedMysqlClientSecurityGroupId: !Ref SharedMysqlClientSecurityGroupId
         SharedMemcachedEndpointAddress: !Ref SharedMemcachedEndpointAddress
         SharedMemcachedEndpointPort: !Ref SharedMemcachedEndpointPort
@@ -369,8 +361,6 @@ Resources:
         SharedMemcachedEndpointAddress: !Ref SharedMemcachedEndpointAddress
         SharedMemcachedEndpointPort: !Ref SharedMemcachedEndpointPort
         EchoServiceToken: !Ref EchoServiceToken
-        EcsLaunchEndpointsAccessSecurityGroupId: !Ref EcsLaunchEndpointsAccessSecurityGroupId
-        KmsEndpointAccessSecurityGroupId: !Ref KmsEndpointAccessSecurityGroupId
         SharedMysqlClientSecurityGroupId: !Ref SharedMysqlClientSecurityGroupId
         SharedAuroraMysqlEndpoint: !Ref SharedAuroraMysqlEndpoint
         SharedAuroraMysqlPort: !Ref SharedAuroraMysqlPort
diff --git a/spire/templates/apps-300A.yml b/spire/templates/apps-300A.yml
@@ -25,8 +25,6 @@ Parameters:
   VpcPublicSubnet1Id: { Type: AWS::EC2::Subnet::Id }
   VpcPublicSubnet2Id: { Type: AWS::EC2::Subnet::Id }
   VpcPublicSubnet3Id: { Type: AWS::EC2::Subnet::Id }
-  EcsLaunchEndpointsAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  KmsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   DeploymentPackageBucketName: { Type: String }
   EchoServiceToken: { Type: String }
   SharedEcsAsgInstanceSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
@@ -103,8 +101,6 @@ Resources:
         VpcPublicSubnet1Id: !Ref VpcPublicSubnet1Id
         VpcPublicSubnet2Id: !Ref VpcPublicSubnet2Id
         VpcPublicSubnet3Id: !Ref VpcPublicSubnet3Id
-        EcsLaunchEndpointsAccessSecurityGroupId: !Ref EcsLaunchEndpointsAccessSecurityGroupId
-        KmsEndpointAccessSecurityGroupId: !Ref KmsEndpointAccessSecurityGroupId
         SharedAppRedisEndpointAddress: !Ref SharedAppRedisEndpointAddress
         SharedAppRedisEndpointPort: !Ref SharedAppRedisEndpointPort
         SharedAuroraPostgresqlEndpoint: !Ref SharedAuroraPostgresqlEndpoint
diff --git a/spire/templates/apps/augury.yml b/spire/templates/apps/augury.yml
@@ -43,8 +43,6 @@ Parameters:
   VpcPublicSubnet1Id: { Type: AWS::EC2::Subnet::Id }
   VpcPublicSubnet2Id: { Type: AWS::EC2::Subnet::Id }
   VpcPublicSubnet3Id: { Type: AWS::EC2::Subnet::Id }
-  EcsLaunchEndpointsAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  KmsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedAppRedisEndpointAddress: { Type: String }
   SharedAppRedisEndpointPort: { Type: String }
   SharedAuroraPostgresqlEndpoint: { Type: String }
@@ -1174,8 +1172,6 @@ Resources:
           VPC_SUBNET_2: !Ref VpcPublicSubnet2Id
           VPC_SUBNET_3: !Ref VpcPublicSubnet3Id
           SECURITY_GROUP_1: !GetAtt SlowWorkerSecurityGroup.GroupId
-          SECURITY_GROUP_2: !Ref EcsLaunchEndpointsAccessSecurityGroupId
-          SECURITY_GROUP_3: !Ref KmsEndpointAccessSecurityGroupId
           # Using the combined legacy clickhouse + castle security groups for
           # now to overcome the security group limit.
           SECURITY_GROUP_4: !Ref ClickhouseLegacyClientSecurityGroupId
diff --git a/spire/templates/apps/dovetail-counts.yml b/spire/templates/apps/dovetail-counts.yml
@@ -25,8 +25,6 @@ Parameters:
   VpcPrivateSubnet1Id: { Type: AWS::EC2::Subnet::Id }
   VpcPrivateSubnet2Id: { Type: AWS::EC2::Subnet::Id }
   VpcPrivateSubnet3Id: { Type: AWS::EC2::Subnet::Id }
-  KinesisStreamsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  StsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   ArrangementsDynamodbRegion: { Type: AWS::SSM::Parameter::Value<String> }
   ArrangementsDynamodbTableName: { Type: AWS::SSM::Parameter::Value<String> }
   ArrangementsDynamodbAccessRoleArn: { Type: AWS::SSM::Parameter::Value<String> }
@@ -131,8 +129,6 @@ Resources:
         # Ipv6AllowedForDualStack: true
         SecurityGroupIds:
           - !GetAtt CountsFunctionSecurityGroup.GroupId
-          - !Ref KinesisStreamsEndpointAccessSecurityGroupId
-          - !Ref StsEndpointAccessSecurityGroupId
           - !Ref DovetailRedisClientSecurityGroupId
         SubnetIds:
           - !Ref VpcPrivateSubnet1Id
diff --git a/spire/templates/apps/exchange.yml b/spire/templates/apps/exchange.yml
@@ -53,9 +53,6 @@ Parameters:
   TransferServerIpFinderServiceToken: { Type: String }
   S3SigningEndpointUrl: { Type: String }
   S3SigningAccessKeyId: { Type: String }
-  SystemManagerEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  CloudWatchEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  EventBridgeEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedMysqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedMemcachedEndpointAddress: { Type: String }
   SharedMemcachedEndpointPort: { Type: String }
@@ -1480,9 +1477,6 @@ Resources:
         SecurityGroupIds:
           - !GetAtt FtpServerAuthorizerFunctionSecurityGroup.GroupId
           - !Ref SharedMysqlClientSecurityGroupId
-          - !Ref SystemManagerEndpointAccessSecurityGroupId
-          - !Ref CloudWatchEndpointAccessSecurityGroupId
-          - !Ref EventBridgeEndpointAccessSecurityGroupId
         SubnetIds:
           - !Ref VpcPrivateSubnet1Id
           - !Ref VpcPrivateSubnet2Id
diff --git a/spire/templates/apps/networks.yml b/spire/templates/apps/networks.yml
@@ -47,8 +47,6 @@ Parameters:
   SharedMemcachedEndpointAddress: { Type: String }
   SharedMemcachedEndpointPort: { Type: String }
   EchoServiceToken: { Type: String }
-  EcsLaunchEndpointsAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  KmsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedMysqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedAuroraMysqlEndpoint: { Type: String }
   SharedAuroraMysqlPort: { Type: String }
@@ -670,8 +668,6 @@ Resources:
         AwsvpcConfiguration:
           SecurityGroups:
             - !GetAtt SphinxServerSecurityGroup.GroupId
-            - !Ref EcsLaunchEndpointsAccessSecurityGroupId
-            - !Ref KmsEndpointAccessSecurityGroupId
             - !Ref SharedMysqlClientSecurityGroupId
           AssignPublicIp: DISABLED
           Subnets:
diff --git a/spire/templates/root.yml b/spire/templates/root.yml
@@ -413,10 +413,6 @@ Resources:
         SharedMysqlClientSecurityGroupId: !GetAtt SharedDatabaseSecurityGroupsStack.Outputs.SharedMysqlClientSecurityGroupId
         SharedPostgresqlClientSecurityGroupId: !GetAtt SharedDatabaseSecurityGroupsStack.Outputs.SharedPostgresqlClientSecurityGroupId
         SharedClickhouseClientSecurityGroupId: !GetAtt SharedClickhouseSecurityGroupStack.Outputs.ClientSecurityGroupId
-        EcsLaunchEndpointsAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EcsLaunchEndpointsAccessSecurityGroupId
-        KmsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.KmsEndpointAccessSecurityGroupId
-        StsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.StsEndpointAccessSecurityGroupId
-        EventBridgeEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EventBridgeEndpointAccessSecurityGroupId
         DovetailRedisClientSecurityGroupId: !GetAtt SharedRedisSecurityGroupStack.Outputs.ClientSecurityGroupId
         DovetailRedisReplicationGroupEndpointAddress: !GetAtt SharedRedisStack.Outputs.ValkeyReplicationGroupEndpointAddress
         DovetailRedisReplicationGroupEndpointPort: !GetAtt SharedRedisStack.Outputs.ValkeyReplicationGroupEndpointPort
@@ -451,10 +447,6 @@ Resources:
         SharedMysqlClientSecurityGroupId: !GetAtt SharedDatabaseSecurityGroupsStack.Outputs.SharedMysqlClientSecurityGroupId
         SharedPostgresqlClientSecurityGroupId: !GetAtt SharedDatabaseSecurityGroupsStack.Outputs.SharedPostgresqlClientSecurityGroupId
         SharedClickhouseClientSecurityGroupId: !GetAtt SharedClickhouseSecurityGroupStack.Outputs.ClientSecurityGroupId
-        EcsLaunchEndpointsAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EcsLaunchEndpointsAccessSecurityGroupId
-        KmsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.KmsEndpointAccessSecurityGroupId
-        StsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.StsEndpointAccessSecurityGroupId
-        EventBridgeEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EventBridgeEndpointAccessSecurityGroupId
         DovetailRedisClientSecurityGroupId: !GetAtt SharedRedisSecurityGroupStack.Outputs.ClientSecurityGroupId
         DovetailRedisReplicationGroupEndpointAddress: !GetAtt SharedRedisStack.Outputs.ValkeyReplicationGroupEndpointAddress
         DovetailRedisReplicationGroupEndpointPort: !GetAtt SharedRedisStack.Outputs.ValkeyReplicationGroupEndpointPort
@@ -653,8 +645,6 @@ Resources:
         RootStackName: !Ref AWS::StackName
         VpcPublicSubnet1Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet1Id
         SharedClickhouseInstanceSecurityGroupId: !GetAtt SharedClickhouseSecurityGroupStack.Outputs.InstanceSecurityGroupId
-        CloudWatchLogsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.CloudWatchLogsEndpointAccessSecurityGroupId
-        CloudWatchEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.CloudWatchEndpointAccessSecurityGroupId
       Tags:
         - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
         - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
@@ -691,8 +681,6 @@ Resources:
         VpcPrivateSubnet1Id: !GetAtt SharedVpcStack.Outputs.PrivateSubnet1Id
         VpcPrivateSubnet2Id: !GetAtt SharedVpcStack.Outputs.PrivateSubnet2Id
         VpcPrivateSubnet3Id: !GetAtt SharedVpcStack.Outputs.PrivateSubnet3Id
-        KinesisStreamsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.KinesisStreamsEndpointAccessSecurityGroupId
-        StsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.StsEndpointAccessSecurityGroupId
         SharedMemcachedEndpointAddress: !GetAtt SharedMemcachedStack.Outputs.CacheEndpointAddress
         DovetailRedisClientSecurityGroupId: !GetAtt SharedRedisSecurityGroupStack.Outputs.ClientSecurityGroupId
         DovetailRedisReplicationGroupEndpointAddress: !GetAtt SharedRedisStack.Outputs.ValkeyReplicationGroupEndpointAddress
@@ -783,11 +771,6 @@ Resources:
         AmazonSesSmtpCredentialsGeneratorServiceToken: !GetAtt CustomResourcesStack.Outputs.AmazonSesSmtpCredentialsGeneratorServiceToken
         EchoServiceToken: !GetAtt CustomResourcesStack.Outputs.EchoServiceToken
         TransferServerIpFinderServiceToken: !GetAtt CustomResourcesStack.Outputs.TransferServerIpFinderServiceToken
-        EcsLaunchEndpointsAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EcsLaunchEndpointsAccessSecurityGroupId
-        SystemManagerEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.SystemManagerEndpointAccessSecurityGroupId
-        KmsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.KmsEndpointAccessSecurityGroupId
-        CloudWatchEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.CloudWatchEndpointAccessSecurityGroupId
-        EventBridgeEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EventBridgeEndpointAccessSecurityGroupId
         SharedEcsAsgInstanceSecurityGroupId: !GetAtt SharedEcsAsgSecurityGroupStack.Outputs.InstanceSecurityGroupId
         SharedMysqlClientSecurityGroupId: !GetAtt SharedDatabaseSecurityGroupsStack.Outputs.SharedMysqlClientSecurityGroupId
         S3SigningUserName: !GetAtt Apps100AStack.Outputs.S3SigningUserName
@@ -876,8 +859,6 @@ Resources:
         VpcPublicSubnet1Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet1Id
         VpcPublicSubnet2Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet2Id
         VpcPublicSubnet3Id: !GetAtt SharedVpcStack.Outputs.PublicSubnet3Id
-        EcsLaunchEndpointsAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.EcsLaunchEndpointsAccessSecurityGroupId
-        KmsEndpointAccessSecurityGroupId: !GetAtt SharedVpcStack.Outputs.KmsEndpointAccessSecurityGroupId
         DeploymentPackageBucketName: !GetAtt Constants2.Outputs.DeploymentPackageBucketName
         EchoServiceToken: !GetAtt CustomResourcesStack.Outputs.EchoServiceToken
         SharedEcsAsgInstanceSecurityGroupId: !GetAtt SharedEcsAsgSecurityGroupStack.Outputs.InstanceSecurityGroupId
diff --git a/spire/templates/shared-clickhouse/instance.yml b/spire/templates/shared-clickhouse/instance.yml
@@ -25,8 +25,6 @@ Parameters:
   RootStackName: { Type: String }
   VpcPublicSubnet1Id: { Type: AWS::EC2::Subnet::Id }
   SharedClickhouseInstanceSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  CloudWatchLogsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  CloudWatchEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
 
 Conditions:
   EnableNestedChangeSetScrubbingResources: !Equals [!Ref NestedChangeSetScrubbingResourcesState, Enabled]
@@ -287,8 +285,6 @@ Resources:
           DeviceIndex: 0
           GroupSet:
             - !Ref SharedClickhouseInstanceSecurityGroupId
-            - !Ref CloudWatchLogsEndpointAccessSecurityGroupId
-            - !Ref CloudWatchEndpointAccessSecurityGroupId
           SubnetId: !Ref VpcPublicSubnet1Id
       Tags:
         - { Key: Name, Value: !Sub "${RootStackName}-clickhouse_server" }
diff --git a/spire/templates/shared-ecs/asg-aarch64.yml b/spire/templates/shared-ecs/asg-aarch64.yml
@@ -32,10 +32,6 @@ Parameters:
   SharedMysqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedPostgresqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedClickhouseClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  EcsLaunchEndpointsAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  KmsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  StsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  EventBridgeEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   DovetailRedisClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   DovetailRedisReplicationGroupEndpointAddress: { Type: String }
   DovetailRedisReplicationGroupEndpointPort: { Type: String }
@@ -155,10 +151,6 @@ Resources:
             DeviceIndex: 0
             Groups:
               - !Ref SharedEcsAsgInstanceSecurityGroupId
-              - !Ref EcsLaunchEndpointsAccessSecurityGroupId
-              - !Ref KmsEndpointAccessSecurityGroupId
-              - !Ref StsEndpointAccessSecurityGroupId
-              - !Ref EventBridgeEndpointAccessSecurityGroupId
               - !Ref SharedMysqlClientSecurityGroupId
               - !Ref SharedPostgresqlClientSecurityGroupId
               - !Ref DovetailRedisClientSecurityGroupId
diff --git a/spire/templates/shared-ecs/asg-x86-64.yml b/spire/templates/shared-ecs/asg-x86-64.yml
@@ -41,10 +41,6 @@ Parameters:
   SharedMysqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedPostgresqlClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   SharedClickhouseClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  EcsLaunchEndpointsAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  KmsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  StsEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
-  EventBridgeEndpointAccessSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   DovetailRedisClientSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
   DovetailRedisReplicationGroupEndpointAddress: { Type: String }
   DovetailRedisReplicationGroupEndpointPort: { Type: String }
@@ -165,10 +161,6 @@ Resources:
             DeviceIndex: 0
             Groups:
               - !Ref SharedEcsAsgInstanceSecurityGroupId
-              - !Ref EcsLaunchEndpointsAccessSecurityGroupId
-              - !Ref KmsEndpointAccessSecurityGroupId
-              - !Ref StsEndpointAccessSecurityGroupId
-              - !Ref EventBridgeEndpointAccessSecurityGroupId
               - !Ref SharedMysqlClientSecurityGroupId
               - !Ref SharedPostgresqlClientSecurityGroupId
               - !Ref DovetailRedisClientSecurityGroupId
diff --git a/spire/templates/shared-vpc.yml b/spire/templates/shared-vpc.yml
@@ -302,41 +302,5 @@ Outputs:
     Description: AZ of private subnet 1
     Value: !GetAtt PrivateSubnetsStack.Outputs.Subnet3AZ
 
-  CloudWatchLogsEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group allows outbound HTTPS traffic to flow to
-      CloudWatch Logs VPC Endpoints
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.CloudWatchLogsEndpointAccessSecurityGroupId
-  CloudWatchEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group allows outbound HTTPS traffic to flow to
-      CloudWatch VPC Endpoints
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.CloudWatchEndpointAccessSecurityGroupId
-  EventBridgeEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group allows outbound HTTPS traffic to flow to
-      EventBridge VPC Endpoints
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.EventBridgeEndpointAccessSecurityGroupId
-  EcsLaunchEndpointsAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group that has VPC Endpoint access to AWS services
-      required to launch tasks in ECS.
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.EcsLaunchEndpointsAccessSecurityGroupId
-  KinesisStreamsEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group that has Kinesis VPC Endpoint access.
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.KinesisStreamsEndpointAccessSecurityGroupId
-  KmsEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group that has KMS VPC Endpoint access.
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.KmsEndpointAccessSecurityGroupId
-  StsEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group that has STS VPC Endpoint access.
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.StsEndpointAccessSecurityGroupId
-  SystemManagerEndpointAccessSecurityGroupId:
-    Description: >-
-      The ID of a security group that has System Manager VPC Endpoint access.
-    Value: !GetAtt InterfaceEndpointsStack.Outputs.SystemManagerEndpointAccessSecurityGroupId
   FlowLogsLogGroupName:
     Value: !GetAtt FlowLogsStack.Outputs.LogGroupName
