Control access to VPC endpoints using endpoint policies - Amazon Virtual Private Cloud

Control access to VPC endpoints using endpoint policies

An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which AWS principals can use the endpoint to access an AWS service.

An endpoint policy does not override or replace identity-based policies or resource-based policies. For example, if you're using an interface endpoint to connect to Amazon S3, you can also use Amazon S3 bucket policies to control access to buckets from specific endpoints or specific VPCs.


  • An endpoint policy is a JSON policy document that uses the IAM policy language. It must contain a Principal element. The size of an endpoint policy cannot exceed 20,480 characters, including white space.

  • When you create an interface or gateway endpoint for an AWS service, you can attach a single endpoint policy to the endpoint. You can update the endpoint policy at any time. If you don't attach an endpoint policy, we attach the default endpoint policy.

  • Not all AWS services support endpoint policies. If an AWS service doesn't support endpoint policies, we allow full access to any endpoint for the service. For more information, see View endpoint policy support.

  • When you create a VPC endpoint for an endpoint service other than an AWS service, we allow full access to the endpoint.

Default endpoint policy

The default endpoint policy grants full access to the endpoint.

{ "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*" } ] }

Policies for interface endpoints

For example endpoint policies for AWS services, see AWS services that integrate with AWS PrivateLink. The first column in the table contains links to AWS PrivateLink documentation for each AWS service. If an AWS service supports endpoint policies, its documentation includes example endpoint policies.

Principals for gateway endpoints

With gateway endpoints, you must use the aws:PrincipalArn condition key to grant access to a principal.

If you specify the principal in one of the following formats, access is granted to the AWS account root user only, not all users and roles for the account.

"AWS": "account_id"
"AWS": "arn:aws:iam::account_id:root"

If you specify an Amazon Resource Name (ARN) for the principal, the ARN is transformed to a unique principal ID when the policy is saved.

For example endpoint policies for gateway endpoints, see the following:

Update a VPC endpoint policy

Use the following procedure to update an endpoint policy for an AWS service. After you update an endpoint policy, it can take a few minutes for the changes to take effect.

To update an endpoint policy using the console
  1. Open the Amazon VPC console at

  2. In the navigation pane, choose Endpoints.

  3. Select the VPC endpoint.

  4. Choose Actions, Manage policy.

  5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.

  6. Choose Save.

To update an endpoint policy using the command line