Control access to VPC endpoints using endpoint policies - Amazon Virtual Private Cloud

Control access to VPC endpoints using endpoint policies

An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which Amazon principals can use the endpoint to access an Amazon Web Service.

An endpoint policy does not override or replace identity-based policies or resource-based policies. For example, if you're using an interface endpoint to connect to Amazon S3, you can also use Amazon S3 bucket policies to control access to buckets from specific endpoints or specific VPCs.


  • An endpoint policy is a JSON policy document that uses the IAM policy language. It must contain a Principal element. The size of an endpoint policy cannot exceed 20,480 characters, including white space.

  • When you create an interface or gateway endpoint for an Amazon Web Service, you can attach a single endpoint policy to the endpoint. You can update the endpoint policy at any time. If you don't attach an endpoint policy, we attach the default endpoint policy.

  • Not all Amazon Web Services support endpoint policies. If an Amazon Web Service doesn't support endpoint policies, we allow full access to any endpoint for the service. For more information, see View endpoint policy support.

  • When you create a VPC endpoint for an endpoint service other than an Amazon Web Service, we allow full access to the endpoint.

Default endpoint policy

The default endpoint policy grants full access to the endpoint.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Policies for interface endpoints

For example endpoint policies for Amazon Web Services, see Amazon Web Services that integrate with Amazon PrivateLink. The first column in the table contains links to Amazon PrivateLink documentation for each Amazon Web Service. If an Amazon Web Service supports endpoint policies, its documentation includes example endpoint policies.

Principals for gateway endpoints

With gateway endpoints, you must use the aws:PrincipalArn condition key to grant access to a principal.

If you specify the principal in one of the following formats, access is granted to the Amazon Web Services account root user only, not all users and roles for the account.

"AWS": "account_id"
"AWS": "arn:aws-cn:iam::account_id:root"

If you specify an Amazon Resource Name (ARN) for the principal, the ARN is transformed to a unique principal ID when the policy is saved.
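
The rules stated above (a Principal element is required, the 20,480-character limit, the default full-access policy, and the principal formats that reach only the root user on gateway endpoints) can be checked offline before a policy is attached. The following is an added example, not part of the Amazon Web Services documentation or tooling; the function name, finding strings, account ID, role name and bucket name are assumptions made for illustration.

```python
import json

MAX_POLICY_CHARS = 20480  # limit stated on this page, white space included

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_endpoint_policy(policy_text, gateway=False):
    """Return findings for an endpoint policy; gateway=True adds the gateway endpoint rules."""
    findings = []
    if len(policy_text) > MAX_POLICY_CHARS:
        findings.append("policy exceeds 20,480 characters")
    for i, stmt in enumerate(_as_list(json.loads(policy_text).get("Statement", []))):
        if "Principal" not in stmt:
            findings.append(f"statement {i}: missing Principal element")
            continue
        principal = stmt["Principal"]
        aws = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        wildcard = aws == ["*"]
        conditions = stmt.get("Condition", {})
        # Condition key names are case-insensitive in the IAM policy language.
        keys = {k.lower() for operator in conditions.values() for k in operator}
        allow = stmt.get("Effect") == "Allow"
        open_grant = stmt.get("Action") == "*" and stmt.get("Resource") == "*"
        if allow and wildcard and open_grant and not conditions:
            findings.append(f"statement {i}: same as the default full-access policy")
        if gateway and allow and not wildcard:
            for p in aws:
                if str(p).isdigit() or str(p).endswith(":root"):
                    findings.append(f"statement {i}: {p} grants access to the account root user only")
            if "aws:principalarn" not in keys:
                findings.append(f"statement {i}: no aws:PrincipalArn condition")
    return findings

# Constructed sample policies (account ID, role and bucket names are placeholders).
DEFAULT_POLICY = '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}'
ROOT_ONLY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "111122223333"},
                                       "Action": "s3:GetObject", "Resource": "*"}]})
SCOPED = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws-cn:s3:::example-bucket/*",
    "Condition": {"ArnEquals": {"aws:PrincipalArn": "arn:aws-cn:iam::111122223333:role/ExampleRole"}}}]})

if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_POLICY), ("root-only", ROOT_ONLY), ("scoped", SCOPED)):
        print(name, lint_endpoint_policy(doc, gateway=True))
```
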

For example endpoint policies for gateway endpoints, see the following:

Update a VPC endpoint policy

Use the following procedure to update an endpoint policy for an Amazon Web Service. After you update an endpoint policy, it can take a few minutes for the changes to take effect.

To update an endpoint policy using the console
  1. Open the Amazon VPC console at

  2. In the navigation pane, choose Endpoints.

  3. Select the VPC endpoint.

  4. Choose Actions, Manage policy.

  5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.

  6. Choose Save.

To update an endpoint policy using the command line