Control access to services using endpoint policies - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Control access to services using endpoint policies

When you create an interface endpoint or a gateway endpoint, you can attach an endpoint policy. The endpoint policy controls which Amazon principals (Amazon Web Services accounts, IAM users, and IAM roles) can use the VPC endpoint to access the endpoint service.

You cannot attach more than one policy to an endpoint. However, you can modify an endpoint policy at any time.

An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). If you're using an interface endpoint to connect to Amazon S3, you can also use Amazon S3 bucket policies to control access to buckets from specific endpoints or specific VPCs.

VPC endpoint policies

A VPC endpoint policy is an IAM resource policy that is attached to an endpoint. If you do not specify an endpoint policy when you create an endpoint, we attach the following policy, which allows full access to the service.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Considerations

  • Your policy must contain a Principal element.

  • The size of an endpoint policy cannot exceed 20,480 characters (including white space).

  • Not all endpoint services support endpoint policies. If a service does not support endpoint policies, the endpoint allows full access to the service. For information about the Amazon Web Services that support endpoint policies, see Amazon Web Services that integrate with Amazon PrivateLink.

For more information about writing policies, see Overview of IAM Policies in the IAM User Guide.

Principals for gateway endpoints

With gateway endpoints, if you specify the principal in one of the following formats, access is granted to the account root user only, not all IAM users and roles for the account.

"AWS": "account_id"
"AWS": "arn:aws-cn:iam::account_id:root"

If you specify an Amazon Resource Name (ARN) for the principal, the ARN is transformed to a unique principal ID when the policy is saved.
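The checks below apply the rules on this page (a Principal element in every statement, the 20,480-character limit, and the gateway-endpoint principal forms that reach only the account root user) to a policy before it is attached. This is an added example, not Amazon's own tooling; the account id, role name and bucket name in the restricted policy are placeholders, and the "full access" finding is an added heuristic that flags the default policy.

```python
import json
import re

# Limits stated on the page: every statement needs a Principal element and the
# whole document cannot exceed 20,480 characters, white space included.
MAX_POLICY_CHARS = 20480

# On a gateway endpoint these principal forms grant the account root user only.
ROOT_ONLY_PRINCIPAL = re.compile(r"^(\d{12}|arn:aws(-cn)?:iam::\d{12}:root)$")

# The policy attached when you supply none: full access to the service.
DEFAULT_FULL_ACCESS = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}

# Constructed least-privilege alternative for a gateway endpoint to S3; the
# account id, role name and bucket name are placeholders.
RESTRICTED_S3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnlyOnOneBucket",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws-cn:iam::111122223333:role/app-role"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws-cn:s3:::example-bucket", "arn:aws-cn:s3:::example-bucket/*"],
    }],
}

def check_endpoint_policy(policy: dict) -> list[str]:
    """Return findings for an endpoint policy; an empty list means nothing to report."""
    findings = []
    size = len(json.dumps(policy, indent=2))  # size of the document as it would be submitted
    if size > MAX_POLICY_CHARS:
        findings.append(f"policy is {size} characters, limit is {MAX_POLICY_CHARS}")
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    if not statements:
        findings.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"statement {i}: missing required Principal element")
            continue
        if principal == "*" and stmt.get("Action") == "*" and stmt.get("Effect") == "Allow":
            findings.append(f"statement {i}: grants full access to every principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            if ROOT_ONLY_PRINCIPAL.match(p):
                findings.append(f"statement {i}: '{p}' grants the account root user only on a gateway endpoint")
    return findings
```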

For example IAM policies for gateway endpoints, see the following:

Update a VPC endpoint policy

Use the following procedure to update an endpoint policy. After you update an endpoint policy, it can take a few minutes for the changes to take effect.

To update a VPC endpoint policy

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the VPC endpoint.

  4. Choose Actions, Manage policy.

  5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.

  6. Choose Save.