The Cloud Conformity VPC Endpoint Exposed check brought my attention to this one, as I think they have a bug in this check: https://www.cloudconformity.com/knowledge-base/aws/VPC/endpoint-exposed.html
There are two types of VPC endpoint: Interface and Gateway (S3, DynamoDB). What is suggested in the above link only applies to Interface endpoints, not Gateway endpoints. For endpoint policies that are applied to gateway endpoints, you cannot limit the Principal element to a specific IAM role or user. You can specify "*" to grant access to all IAM roles and users. If you specify Principal in the format "AWS":"AWS-account-ID" or "AWS":"arn:aws:iam::AWS-account-ID:root", access is granted to the AWS account root user only, and not all IAM users and roles for the account.

To limit use of the gateway endpoint to a specific principal, you can use the Condition element in your endpoint policy and specify the aws:PrincipalArn condition key.
Here is an example that only allows the IAM role arn:aws:iam::123456789:role/my-test-instance-role to call GetObject and ListBucket against the S3 bucket my-test-data through the S3 VPC endpoint. Note that the Principal element is still "*"; the restriction comes entirely from the Condition block.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "MyTestDataBucketReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-test-data",
        "arn:aws:s3:::my-test-data/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789:role/my-test-instance-role"
        }
      }
    }
  ]
}
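To make the point concrete, here is an added example (not code from the original post, from AWS, or from Cloud Conformity) that evaluates a gateway endpoint policy the way the post describes and implements the exposure check the way it should work: a statement with Principal "*" counts as open only when no aws:PrincipalArn or aws:PrincipalAccount condition narrows it. It implements a simplified subset of IAM semantics (Allow/Deny, wildcard Action/Resource, StringEquals/StringLike on those two keys) and the sample policies are constructed for this example; the second one mirrors the default "allow everything" gateway endpoint policy.

```python
"""Evaluate and audit VPC gateway endpoint policies that restrict callers with
aws:PrincipalArn instead of the Principal element (added example, simplified
IAM semantics, constructed sample policies)."""
import json
import re

# Condition keys an auditor should treat as narrowing "Principal": "*".
# The set is an assumption for this example.
PRINCIPAL_CONDITION_KEYS = {"aws:principalarn", "aws:principalaccount"}

# The post's restricted policy, reproduced as sample input.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "MyTestDataBucketReadAccess",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-test-data", "arn:aws:s3:::my-test-data/*"],
    "Condition": {"StringLike": {
      "aws:PrincipalArn": "arn:aws:iam::123456789:role/my-test-instance-role"}}
  }]
}
""")

# Constructed: a genuinely open policy, like the default gateway endpoint policy.
OPEN_POLICY = json.loads("""
{"Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
                "Action": "*", "Resource": "*"}]}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")
    if _is_wildcard_principal(principal):
        return True
    # A gateway endpoint policy cannot name a role or user here; only an exact
    # ARN listed in the element matches (an account ARN matches root only).
    return principal_arn in _as_list(principal.get("AWS", []))


def _conditions_hold(condition, principal_arn):
    account = principal_arn.split(":")[4]
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = {"aws:principalarn": principal_arn,
                      "aws:principalaccount": account}.get(key.lower())
            if actual is None:
                return False  # key outside this subset: treat as unmet
            if operator == "StringEquals":
                ok = actual in _as_list(patterns)
            elif operator == "StringLike":
                ok = any(_wildcard(p, actual) for p in _as_list(patterns))
            else:
                return False  # operator outside this subset: treat as unmet
            if not ok:
                return False
    return True


def is_allowed(policy, principal_arn, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(_wildcard(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def open_statements(policy):
    """Sids of Allow statements reachable by any caller: wildcard Principal and
    no principal-restricting condition. This must not flag RESTRICTED_POLICY."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        keys = {k.lower() for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if not keys & PRINCIPAL_CONDITION_KEYS:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    role = "arn:aws:iam::123456789:role/my-test-instance-role"
    obj = "arn:aws:s3:::my-test-data/report.csv"
    print(is_allowed(RESTRICTED_POLICY, role, "s3:GetObject", obj))  # True
    print(is_allowed(RESTRICTED_POLICY, "arn:aws:iam::123456789:role/other-role",
                     "s3:GetObject", obj))  # False
    print(open_statements(RESTRICTED_POLICY), open_statements(OPEN_POLICY))  # [] ['AllowAll']
```

Running it shows the role named in the condition can read the bucket while any other role is refused, even though both pass the Principal check, and the audit reports only the policy that really is open. A check that looks at the Principal element alone, as the post argues the Cloud Conformity one does, would flag both.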
Reference:
https://docs.amazonaws.cn/en_us/vpc/latest/userguide/vpc-endpoints-access.html#vpc-endpoint-policies