Controlling access from VPC endpoints with bucket policies

Restricting access to a specific VPC endpoint

  • aws:SourceVpce is used to specify the endpoint and requires the VPC endpoint ID.

  • The following example:

    • Restricts access to a specific bucket, awsexamplebucket1, only from the VPC endpoint with the ID vpce-1a2b3c4d.

    • Denies all access to the bucket if the specified endpoint is not being used.

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

Restricting access to a specific VPC

  • aws:SourceVpc restricts access to a specific VPC and requires the VPC ID.

  • Useful if you have multiple VPC endpoints configured in the same VPC, and you want to manage access to your S3 buckets for all of your endpoints.

  • The following example:

    • Allows VPC vpc-111bbb22 to access awsexamplebucket1 and its objects.

    • Denies all access to the bucket if the specified VPC is not being used.

    • The aws:SourceVpc key does not require an ARN for the VPC resource, only the VPC ID (here vpc-111bbb22).

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909153",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPC-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpc": "vpc-111bbb22"
         }
       }
     }
   ]
}
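Added example (not from the original page): a small evaluator for the Deny statements in the two bucket policies above, showing which requests they block. It reproduces the IAM rule that matters most here: with a negated operator such as StringNotEquals, a request that carries no aws:SourceVpce (or aws:SourceVpc) key at all still matches the condition, so the Deny also hits console and public-internet requests, not only traffic from the wrong endpoint. The policy and request contexts are constructed for the demonstration.

```python
import fnmatch
import json

# Constructed copy of the page's VPC-endpoint bucket policy (vpce-1a2b3c4d).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::awsexamplebucket1",
                 "arn:aws:s3:::awsexamplebucket1/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}
  }]
}""")

def _matches(value, patterns):
    """Case-sensitive wildcard match, as IAM applies to Action and Resource."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_matches(cond, context):
    """Evaluate a Condition block (StringEquals/StringNotEquals only).
    IAM rule for negated operators: a key missing from the request context
    makes the condition true, so the Deny also hits console/internet requests."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        negate = op == "StringNotEquals"
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            if key not in context:
                if negate:
                    continue      # missing key + StringNotEquals -> matches
                return False      # missing key + StringEquals -> no match
            if (context[key] in expected) == negate:
                return False
    return True

def explicit_deny(policy, context, action, resource):
    """True if a Deny statement applies; an Allow is still needed elsewhere."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(action, stmt["Action"]) or not _matches(resource, stmt["Resource"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

Load the aws:SourceVpc policy from the second section and pass a context such as {"aws:SourceVpc": "vpc-111bbb22"} to check it the same way; a request context with neither key is what a console or public-internet call looks like, which is why these policies are usually tested before deployment to avoid locking out administrators.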
