Control access to VPC endpoints using endpoint policies - Amazon Virtual Private Cloud

An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which AWS principals can use the endpoint to access an AWS service.

An endpoint policy does not override or replace identity-based policies or resource-based policies. For example, if you're using an interface endpoint to connect to Amazon S3, you can also use Amazon S3 bucket policies to control access to buckets from specific endpoints or specific VPCs.

Considerations

  • An endpoint policy is a JSON policy document that uses the IAM policy language. It must contain a Principal element. The size of an endpoint policy cannot exceed 20,480 characters, including white space.

  • When you create an interface or gateway endpoint for an AWS service, you can attach a single endpoint policy to the endpoint. You can update the endpoint policy at any time. If you don't attach an endpoint policy, we attach the default endpoint policy.

  • Not all AWS services support endpoint policies. If an AWS service doesn't support endpoint policies, we allow full access to any endpoint for the service. For more information, see View endpoint policy support.

  • When you create a VPC endpoint for an endpoint service other than an AWS service, we allow full access to the endpoint.

Default endpoint policy

The default endpoint policy grants full access to the endpoint.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Policies for interface endpoints

For example endpoint policies for AWS services, see AWS services that integrate with AWS PrivateLink. The first column in the table contains links to AWS PrivateLink documentation for each AWS service. If an AWS service supports endpoint policies, its documentation includes example endpoint policies.

Principals for gateway endpoints

With gateway endpoints, the Principal element must be set to *. To specify a principal, use the aws:PrincipalArn condition key.

"Condition": {
  "StringEquals": {
    "aws:PrincipalArn": "arn:aws:iam::123456789012:user/endpointuser"
  }
}

If you specify the principal in the following format, access is granted to the AWS account root user only, not all users and roles for the account.

"AWS": "account_id"
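The following is an added example, not code from the AWS documentation: it builds a gateway endpoint policy that follows the rules above (Principal stays "*", the caller is narrowed with aws:PrincipalArn) and runs a small pre-attach check that flags the mistakes this page describes, including a missing Principal, a non-"*" Principal on a gateway endpoint, the "AWS": "account_id" form that grants the root user only, and an unconditional Allow on all actions equivalent to the default policy. The bucket name, principal ARN, and account ID are constructed sample values.

```python
import json

MAX_POLICY_CHARS = 20480  # size limit stated in the Considerations section


def gateway_endpoint_policy(principal_arn: str, bucket: str) -> dict:
    """Build an S3 gateway endpoint policy: Principal is "*" as gateway
    endpoints require, and aws:PrincipalArn restricts who may use it.
    principal_arn and bucket are constructed sample values."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyNamedPrincipalToOneBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringEquals": {"aws:PrincipalArn": principal_arn}},
            }
        ],
    }


def check_gateway_endpoint_policy(policy: dict) -> list:
    """Return findings a reviewer would want before attaching the policy
    to a gateway endpoint; each check mirrors a rule stated on this page."""
    findings = []
    size = len(json.dumps(policy))
    if size > MAX_POLICY_CHARS:
        findings.append(f"policy is {size} chars; limit is {MAX_POLICY_CHARS}")
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"statement {i}: missing Principal element")
        elif principal != "*":
            findings.append(f'statement {i}: gateway endpoints require Principal "*"')
            # A bare account ID grants the account root user only, not
            # every user and role in that account.
            if isinstance(principal, dict) and str(principal.get("AWS", "")).isdigit():
                findings.append(f'statement {i}: "AWS": "<account-id>" grants the root user only')
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "*" and "Condition" not in stmt:
            findings.append(f"statement {i}: unconditional Allow on all actions (same as the default policy)")
    return findings


if __name__ == "__main__":
    policy = gateway_endpoint_policy("arn:aws:iam::123456789012:user/endpointuser", "example-bucket")
    print(json.dumps(policy, indent=2))
    print("findings:", check_gateway_endpoint_policy(policy))
```

The printed JSON is what you would save to a file and attach as the custom policy in the procedure below.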

For example endpoint policies for gateway endpoints, see the following:

Update a VPC endpoint policy

Use the following procedure to update an endpoint policy for an AWS service. After you update an endpoint policy, it can take a few minutes for the changes to take effect.

To update an endpoint policy using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the VPC endpoint.

  4. Choose Actions, Manage policy.

  5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.

  6. Choose Save.

To update an endpoint policy using the command line