Control access to VPC endpoints using endpoint policies - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Control access to VPC endpoints using endpoint policies

An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which Amazon principals can use the endpoint to access an Amazon Web Services service.

An endpoint policy does not override or replace identity-based policies or resource-based policies. For example, if you're using an interface endpoint to connect to Amazon S3, you can also use Amazon S3 bucket policies to control access to buckets from specific endpoints or specific VPCs.

Considerations

  • An endpoint policy is a JSON policy document that uses the IAM policy language. It must contain a Principal element. The size of an endpoint policy cannot exceed 20,480 characters, including white space.

  • When you create an interface or gateway endpoint for an Amazon Web Services service, you can attach a single endpoint policy to the endpoint. You can update the endpoint policy at any time. If you don't attach an endpoint policy, we attach the default endpoint policy.

  • Not all Amazon Web Services services support endpoint policies. If an Amazon Web Services service doesn't support endpoint policies, we allow full access to any endpoint for the service. For more information, see View endpoint policy support.

  • When you create a VPC endpoint for an endpoint service other than an Amazon Web Services service, we allow full access to the endpoint.

  • You can't use wildcard characters (* or ?) or numeric condition operators with global context keys that reference system-generated identifiers (for example, aws:PrincipalAccount or aws:SourceVpc).

  • When you use a string condition operator, you must use at least six consecutive characters before or after each wildcard character.

  • When you specify an ARN in a resource or condition element, the account portion of the ARN can include an account ID or a wildcard character, but not both.

Default endpoint policy

The default endpoint policy grants full access to the endpoint.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Policies for interface endpoints

For example endpoint policies for Amazon Web Services services, see Amazon Web Services services that integrate with Amazon PrivateLink. The first column in the table contains links to Amazon PrivateLink documentation for each Amazon Web Services service. If an Amazon Web Services service supports endpoint policies, its documentation includes example endpoint policies.

Principals for gateway endpoints

With gateway endpoints, the Principal element must be set to *. To specify a principal, use the aws:PrincipalArn condition key.

"Condition": {
    "StringEquals": {
        "aws:PrincipalArn": "arn:aws-cn:iam::123456789012:user/endpointuser"
    }
}

If you specify the principal in the following format, access is granted to the Amazon Web Services account root user only, not all users and roles for the account.

"AWS": "account_id"
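The rules listed under Considerations and the gateway-endpoint principal rule above are easy to get wrong by hand, and a mistake usually surfaces only as an opaque validation error or, worse, as a policy that silently admits fewer (or more) callers than intended. The following Python script is an added example, not code from the Amazon VPC documentation: it builds a gateway endpoint policy that pins the caller with aws:PrincipalArn, and lints policy documents against the documented limits (Principal element required, 20,480-character size limit, Principal must be * on gateway endpoints, no wildcards or numeric operators on the system-generated keys the page names, at least six literal characters beside each wildcard under a string operator, and an ARN account field that is an account ID or a wildcard but not both). It also flags the "AWS": "account_id" principal form, which the page notes grants the account root user only. The policy documents, bucket ARN and the 2012-10-17 Version string are constructed sample values; only the default policy and the example principal ARN come from the page.

```python
"""Build and lint VPC endpoint policies against the limits this page documents.

Added example, not AWS documentation code. The validator encodes the rules
under "Considerations" and "Principals for gateway endpoints"; the sample
policies and bucket ARN below are constructed values.
"""
import json
import re

MAX_POLICY_CHARS = 20480   # documented size limit, including white space
MIN_LITERAL_RUN = 6        # literal characters required before or after each wildcard
# Keys the page names as system-generated identifiers: no wildcards, no numeric operators
SYSTEM_GENERATED_KEYS = {"aws:PrincipalAccount", "aws:SourceVpc"}

# The default endpoint policy exactly as the page shows it
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}


def gateway_policy_for_principal(principal_arn, bucket_arn):
    """Gateway endpoint policy: Principal stays '*', the caller is pinned via aws:PrincipalArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [bucket_arn, f"{bucket_arn}/*"],  # bucket plus every object in it
            "Condition": {"StringEquals": {"aws:PrincipalArn": principal_arn}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arns_in(value):
    """Collect every ARN-looking string from a string, list or nested dict."""
    if isinstance(value, str):
        return [value] if value.startswith("arn:") else []
    if isinstance(value, list):
        return [a for v in value for a in _arns_in(v)]
    if isinstance(value, dict):
        return [a for v in value.values() for a in _arns_in(v)]
    return []


def _wildcard_run_ok(pattern):
    """Each * or ? needs MIN_LITERAL_RUN consecutive literal characters on at least one side."""
    for m in re.finditer(r"[*?]", pattern):
        before = re.search(r"[^*?]*$", pattern[:m.start()]).group(0)
        after = re.match(r"[^*?]*", pattern[m.end():]).group(0)
        if max(len(before), len(after)) < MIN_LITERAL_RUN:
            return False
    return True


def validate_endpoint_policy(policy, endpoint_type="interface"):
    """Return a list of findings; an empty list means every documented rule passed."""
    findings = []
    size = len(json.dumps(policy, indent=2))
    if size > MAX_POLICY_CHARS:
        findings.append(f"policy is {size} characters; limit is {MAX_POLICY_CHARS}")

    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{where}: missing Principal element")
        elif endpoint_type == "gateway" and principal != "*":
            findings.append(f"{where}: gateway endpoint policies require Principal '*'; "
                            "restrict callers with the aws:PrincipalArn condition key instead")
        elif isinstance(principal, dict) and all(
                str(v).isdigit() for v in _as_list(principal.get("AWS", "x"))):
            findings.append(f'{where}: Principal "AWS": "account_id" grants the account '
                            "root user only, not all users and roles")

        # ARN account field: an account ID or a wildcard, never both
        for arn in _arns_in(stmt.get("Resource")) + _arns_in(stmt.get("Condition")) + _arns_in(principal):
            parts = arn.split(":", 5)
            account = parts[4] if len(parts) > 4 else ""
            if re.search(r"[*?]", account) and account.strip("*?"):
                findings.append(f"{where}: ARN account field '{account}' mixes an account ID with a wildcard")

        for operator, pairs in (stmt.get("Condition") or {}).items():
            for key, values in pairs.items():
                values = [str(v) for v in _as_list(values)]
                has_wildcard = any(re.search(r"[*?]", v) for v in values)
                if key in SYSTEM_GENERATED_KEYS:
                    if operator.startswith("Numeric"):
                        findings.append(f"{where}: numeric operator {operator} not allowed on {key}")
                    if has_wildcard:
                        findings.append(f"{where}: wildcards not allowed in {key}")
                elif operator.startswith("String") and has_wildcard:
                    for v in values:
                        if not _wildcard_run_ok(v):
                            findings.append(f"{where}: '{v}' needs {MIN_LITERAL_RUN} literal characters "
                                            f"beside each wildcard ({operator} {key})")
    return findings


if __name__ == "__main__":
    policy = gateway_policy_for_principal("arn:aws-cn:iam::123456789012:user/endpointuser",
                                          "arn:aws-cn:s3:::example-bucket")  # constructed bucket ARN
    print(json.dumps(policy, indent=2))
    print("findings:", validate_endpoint_policy(policy, "gateway"))
```

Run the script to print the generated gateway policy and its (empty) findings list; call validate_endpoint_policy on your own document before attaching it. The checks mirror the page's stated rules rather than the service's full validator, so a clean result here does not replace the error feedback you get from the console or API on save.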

For example endpoint policies for gateway endpoints, see the following:

Update a VPC endpoint policy

Use the following procedure to update an endpoint policy for an Amazon Web Services service. After you update an endpoint policy, it can take a few minutes for the changes to take effect.

To update an endpoint policy using the console
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the VPC endpoint.

  4. Choose Actions, Manage policy.

  5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.

  6. Choose Save.

To update an endpoint policy using the command line