Endpoint policies for gateway endpoints

The Cloud Conformity VPC Endpoint Exposed check brought my attention to this one, as I think they have a bug in this check: https://www.cloudconformity.com/knowledge-base/aws/VPC/endpoint-exposed.html

There are two types of VPC endpoint: Interface and Gateway (S3 and DynamoDB). What is suggested in the above link applies only to Interface endpoints, not to Gateway endpoints. In an endpoint policy attached to a gateway endpoint, you cannot limit the Principal element to a specific IAM role or user. You can specify "*" to grant access to all IAM roles and users. If you specify Principal in the format "AWS":"AWS-account-ID" or "AWS":"arn:aws:iam::AWS-account-ID:root", access is granted to the AWS account root user only, not to all IAM users and roles in the account.

To limit use of the gateway endpoint to a specific principal, you can use the Condition element in your endpoint policy and specify the aws:PrincipalArn condition key.

Here is an example that allows only the IAM role arn:aws:iam::123456789:role/my-test-instance-role to call GetObject and ListBucket on the S3 bucket my-test-data through the S3 gateway endpoint.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "MyTestDataBucketReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-test-data",
                "arn:aws:s3:::my-test-data/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789:role/my-test-instance-role"
                }
            }
        }
    ]
}
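As an added example that is not part of the original post, the following Python audits a gateway endpoint policy the way a check like the one linked above should: a statement with "Principal": "*" is reported as exposed only when no Condition narrows the caller. It goes slightly beyond the post by also accepting the aws:PrincipalAccount and aws:PrincipalOrgID condition keys (both real IAM global condition keys) as scoping conditions; the three sample policies are constructed for this example.

```python
import json

# IAM global condition keys that scope "Principal": "*" down to specific callers.
# aws:PrincipalArn is the key the post uses; the other two are included so the
# check also recognises account- and organization-scoped policies.
# Condition keys are case-insensitive in IAM, so they are compared lower-cased.
PRINCIPAL_SCOPING_KEYS = {"aws:principalarn", "aws:principalaccount", "aws:principalorgid"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" or {"AWS": "*"}, i.e. every IAM role and user."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_scopes_principal(condition):
    """True if any condition operator (StringLike, StringEquals, ...) uses a scoping key."""
    for key_values in (condition or {}).values():
        if not isinstance(key_values, dict):
            continue
        if any(key.lower() in PRINCIPAL_SCOPING_KEYS for key in key_values):
            return True
    return False


def audit_gateway_endpoint_policy(policy):
    """Return one finding per Allow statement that is genuinely open to any caller.

    `policy` is a JSON string or an already-parsed dict. A wildcard Principal is
    only reported when no Condition narrows the caller, because on a gateway
    endpoint "*" plus aws:PrincipalArn is the intended way to grant a single role.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _condition_scopes_principal(stmt.get("Condition")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


# Constructed sample policies (account id and names are placeholders).
SCOPED_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "MyTestDataBucketReadAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-test-data", "arn:aws:s3:::my-test-data/*"],
        "Condition": {"StringLike": {
            "aws:PrincipalArn": "arn:aws:iam::123456789:role/my-test-instance-role"}},
    }],
}

# Wildcard principal with no condition: every identity in the VPC can use it.
OPEN_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{"Sid": "FullAccess", "Effect": "Allow",
                   "Principal": "*", "Action": "*", "Resource": "*"}],
})

# Account root ARN as Principal: grants the root user only, not a wildcard.
ROOT_ONLY_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Sid": "RootOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-test-data/*"}],
}

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED_POLICY), ("open", OPEN_POLICY),
                      ("root-only", ROOT_ONLY_POLICY)]:
        print(name, audit_gateway_endpoint_policy(doc))
```

Run against the post's policy the audit returns no findings, while the default full-access endpoint policy is reported once; a root-ARN principal is not a wildcard and so is not reported either.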