Controlling access from VPC endpoints with bucket policies
You can use Amazon S3 bucket policies to control access to buckets from specific virtual private cloud (VPC) endpoints, or specific VPCs. This section contains example bucket policies that can be used to control Amazon S3 bucket access from VPC endpoints. To learn how to set up VPC endpoints, see VPC Endpoints in the VPC User Guide.
VPC enables you to launch AWS resources into a virtual network that you define. A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the internet, through a VPN connection, through a NAT instance, or through AWS Direct Connect.
A VPC endpoint for Amazon S3 is a logical entity within a VPC that allows connectivity only to Amazon S3. The VPC endpoint routes requests to Amazon S3 and routes responses back to the VPC. VPC endpoints change only how requests are routed. Amazon S3 public endpoints and DNS names will continue to work with VPC endpoints. For important information about using VPC endpoints with Amazon S3, see Gateway VPC Endpoints and Endpoints for Amazon S3 in the VPC User Guide.
VPC endpoints for Amazon S3 provide two ways to control access to your Amazon S3 data:
- You can control the requests, users, or groups that are allowed through a specific VPC endpoint. For information about this type of access control, see Controlling Access to Services with VPC Endpoints in the VPC User Guide.
- You can control which VPCs or VPC endpoints have access to your buckets by using Amazon S3 bucket policies. For examples of this type of bucket policy access control, see the following topics on restricting access.
When applying the Amazon S3 bucket policies for VPC endpoints described in this section, you might block your own access to the bucket without intending to. These policies are explicit Deny statements with Principal "*", so if the VPC endpoint ID or VPC ID in the condition is wrong, the Deny matches every request, including your own, and blocks all connections to the bucket. For information about how to fix this issue, see My bucket policy has the wrong VPC or VPC endpoint ID. How can I fix the policy so that I can access the bucket?
Restricting access to a specific VPC endpoint
The following is an example of an Amazon S3 bucket policy that restricts access to a specific bucket, awsexamplebucket1, to requests arriving through the VPC endpoint with the ID vpce-1a2b3c4d. The policy denies all access to the bucket if the specified endpoint is not being used. The aws:SourceVpce condition key is used to specify the endpoint; it does not require an Amazon Resource Name (ARN) for the VPC endpoint resource, only the VPC endpoint ID. Because StringNotEquals is a negated operator, it also matches requests whose context carries no aws:SourceVpce key at all, which is every request that does not arrive through a VPC endpoint; that is why the statement denies console and internet requests as well as requests from other endpoints. Note that this statement only denies; it does not grant access, so the principals that should use the endpoint still need an Allow from their IAM or bucket policies. For more information about using conditions in a policy, see Amazon S3 condition key examples.
- Before using the following example policy, replace the VPC endpoint ID with an appropriate value for your use case. Otherwise, you won't be able to access your bucket.
- This policy disables console access to the specified bucket, because console requests don't originate from the specified VPC endpoint.
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1",
        "arn:aws:s3:::awsexamplebucket1/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
```
Restricting access to a specific VPC
You can create a bucket policy that restricts access to a specific VPC by using the aws:SourceVpc condition key. This is useful if you have multiple VPC endpoints configured in the same VPC, and you want to manage access to your Amazon S3 buckets for all of those endpoints with one statement instead of listing each endpoint ID. The following is an example of a policy that denies access to awsexamplebucket1 and its objects from anyone outside VPC vpc-111bbb22. The policy denies all access to the bucket if the specified VPC is not being used; as with aws:SourceVpce, the key is only present for requests that come through a VPC endpoint, so requests from the console or the internet are denied too. This statement does not grant access; for that you will need to add a separate Allow statement. The aws:SourceVpc condition key does not require an ARN for the VPC resource, only the VPC ID.
- Before using the following example policy, replace the VPC ID with an appropriate value for your use case. Otherwise, you won't be able to access your bucket.
- This policy disables console access to the specified bucket, because console requests don't originate from the specified VPC.
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909153",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1",
        "arn:aws:s3:::awsexamplebucket1/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
```
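The following Python is an added example, not code from the AWS documentation. It models just enough of IAM policy evaluation to show why both Deny statements on this page (the aws:SourceVpce one and the aws:SourceVpc one) behave as described: wildcard Action and Resource matching, the StringEquals and StringNotEquals operators, and the IAM rule that a negated operator matches when the key is absent from the request context. The three request contexts and the "known ID" inventory are constructed for the example; the ID regexes are an assumption based on the sample values on the page (a `vpce-`/`vpc-` prefix followed by 8 or 17 lowercase hex characters); `build_deny_policy`, `lockout_report` and `unknown_source_ids` are helper names invented here.

```python
"""Evaluator for the two Deny policies on this page (added example, not AWS code).

Only requests that arrive through a VPC endpoint carry aws:SourceVpce and
aws:SourceVpc. StringNotEquals is a negated operator, so it matches when the
key is missing entirely. Together those two facts explain every lockout case
the page warns about: console and internet requests carry neither key, and a
mistyped ID makes the condition match for everyone.
"""
import fnmatch
import re

# Assumed ID shapes, based on the page's sample values (8 or 17 hex chars).
ID_FORMAT = {
    "aws:SourceVpce": re.compile(r"^vpce-(?:[0-9a-f]{8}|[0-9a-f]{17})$"),
    "aws:SourceVpc": re.compile(r"^vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})$"),
}

# Constructed request contexts (not real AWS request logs).
REQUESTS = {
    "through-vpce-1a2b3c4d": {"aws:SourceVpce": "vpce-1a2b3c4d", "aws:SourceVpc": "vpc-111bbb22"},
    "through-other-vpce-same-vpc": {"aws:SourceVpce": "vpce-9e8d7c6b", "aws:SourceVpc": "vpc-111bbb22"},
    "console-or-internet": {},  # no VPC endpoint in the path: neither key is set
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_deny_policy(bucket, condition_key, expected_id, policy_id="Policy1415115909152"):
    """Build the page's Deny-unless-from-this-source policy for either condition key.
    Malformed IDs are rejected up front, because a typo here denies everyone."""
    if condition_key not in ID_FORMAT:
        raise ValueError(f"unsupported condition key {condition_key!r}")
    if not ID_FORMAT[condition_key].match(expected_id):
        raise ValueError(f"{expected_id!r} is not a well-formed {condition_key} value")
    return {
        "Version": "2012-10-17",
        "Id": policy_id,
        "Statement": [{
            "Sid": "Access-to-specific-source-only",
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {condition_key: expected_id}},
        }],
    }


def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied.
    StringNotEquals is negated: a key missing from the context counts as 'not equal'."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = _as_list(expected)
            if operator == "StringEquals":
                if key not in ctx or ctx[key] not in values:
                    return False
            elif operator == "StringNotEquals":
                if key in ctx and ctx[key] in values:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_denied(policy, ctx, action, resource):
    """True if an explicit Deny applies to this request. An explicit Deny wins
    over any Allow, so this alone decides the lockout cases on the page."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt.get("Principal") != "*":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def lockout_report(policy, requests=REQUESTS, bucket="awsexamplebucket1"):
    """Map each request context to whether s3:GetObject on an object in the bucket is denied."""
    obj = f"arn:aws:s3:::{bucket}/report.csv"
    return {name: is_denied(policy, ctx, "s3:GetObject", obj) for name, ctx in requests.items()}


def unknown_source_ids(policy, known_ids):
    """Condition values for aws:SourceVpc / aws:SourceVpce that are not in known_ids.
    Pass the IDs your account really has (e.g. from `aws ec2 describe-vpc-endpoints`
    and `aws ec2 describe-vpcs`) before calling put-bucket-policy; any value
    returned here would make the Deny match every request."""
    unknown = []
    for stmt in policy["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            for key, expected in pairs.items():
                if key in ID_FORMAT:
                    unknown.extend((key, v) for v in _as_list(expected) if v not in known_ids)
    return unknown


if __name__ == "__main__":
    for key, value in (("aws:SourceVpce", "vpce-1a2b3c4d"), ("aws:SourceVpc", "vpc-111bbb22")):
        policy = build_deny_policy("awsexamplebucket1", key, value)
        print(key, lockout_report(policy))
        print("  IDs not in a (constructed) account inventory:", unknown_source_ids(policy, {"vpce-1a2b3c4e"}))
```

Running the script shows the asymmetry between the two policies: the VPCE policy denies the second endpoint in the same VPC, while the VPC policy admits it, and both deny the context with no endpoint keys. The `unknown_source_ids` check is the guard to run before `put-bucket-policy`: an ID that is not in your account's inventory is the lockout the note at the top of this section warns about.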