Controlling access from VPC endpoints with bucket policies

Restricting access to a specific VPC endpoint

• aws:SourceVpce is used to specify the endpoint and requires the VPC endpoint ID.

• Following Example:

  • Restricts access to a specific bucket, awsexamplebucket1, only from the VPC endpoint with the ID vpce-1a2b3c4d.

  • Denies all access to the bucket if the specified endpoint is not being used.

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

Restricting access to a specific VPC

• aws:SourceVpc restricts access to a specific VPC and requires the VPC ID.

• Useful if you have multiple VPC endpoints configured in the same VPC, and you want to manage access to your S3 buckets for all of your endpoints.

• Following Example:

  • Allows VPC vpc-111bbb22 to access awsexamplebucket1 and its objects.

  • Denies all access to the bucket if the specified VPC is not being used.

  • vpc-111bbb22 key does not require an ARN for the VPC resource, only the VPC ID.

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909153",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPC-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpc": "vpc-111bbb22"
         }
       }
     }
   ]
}