Amazon S3 Bucket Policies for VPC Endpoints

Amazon S3 and Amazon VPC Relationship

Amazon S3 is a versatile object storage service with virtually unlimited capacity. You can expect your files to be durably stored in S3, and AWS provides an SLA for the service. When you create an S3 bucket, AWS assigns it a unique bucket URL through which the bucket can be reached directly from the public internet, provided public access is enabled.

Amazon S3 is not a service that runs inside a VPC. Its traffic therefore does not pass through VPC resources such as internet gateways or NAT gateways, and, for security, access to your buckets and objects is managed with bucket policies and S3 access control lists rather than with security groups and network access control lists (NACLs). Amazon S3 traffic passes over the public internet; if you want it to stay within the Amazon network, you have to use VPC endpoints.

What are VPC endpoints?

A VPC endpoint lets you connect your VPC privately to supported AWS services such as Amazon S3. It adds a gateway entry to your VPC's route table so that communication between your AWS resources, such as Amazon EC2 instances, and your S3 bucket passes through the gateway instead of the public internet. A VPC endpoint is a regional resource: create it in the same region as the VPC you want to attach it to.

VPC endpoints are best used when you have compliance requirements or sensitive data in S3 that should not leave the Amazon network. A VPC endpoint is also a better option for private connectivity in AWS than a VPN or NAT solution, since it is easier to set up and offers more network bandwidth.

How to secure your S3 bucket using bucket policies and endpoint policies

VPC endpoints for S3 are secured through VPC endpoint access policies, which let you define which S3 buckets the endpoint should and should not have access to. By default, any user or service within the VPC, using credentials from any AWS account, has access to any Amazon S3 resource. Use endpoint policies together with S3 bucket policies to further refine access control over your buckets and objects.

To get started with creating and securing your VPC endpoint via the console:

1. Go to VPC and select Endpoints.


2. Select Create Endpoint and search for the S3 service. Select the VPC in which you want to register the endpoint.


3. Choose which route tables will receive the VPC endpoint entry.


4. Modify your endpoint access control policy if needed. The example below shows a policy that allows only the GetObject and PutObject actions on an S3 bucket named my_secure_bucket and the objects in it.


5. Add any tags you like, then select Create endpoint.


To further refine access control over your S3 bucket and objects, you can create bucket policies that restrict access to a specific VPC endpoint or VPC.

The following is an example of an Amazon S3 bucket policy that denies access to examplebucket unless the request originates from the VPC endpoint vpce-1a2b3c4d. The aws:sourceVpce condition key is used to specify the endpoint.


The next example is an Amazon S3 bucket policy that denies access to examplebucket unless the request originates from a resource within the VPC vpc-111bbb22. The aws:sourceVpc condition key is used to specify the VPC ID.

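As an added example (not code from the page or from AWS), the Python below models how the step 4 endpoint policy and the two bucket policies above combine on a request, including the case practitioners get bitten by: a request with no VPC context (console or internet) is caught by the StringNotEquals deny. The identity policy, the object keys, and the simplified evaluation rules are assumptions made for the example.

```python
# Constructed toy evaluator (not the page's or AWS's own code) for the step 4
# endpoint policy and the two bucket policies described above. It models only
# Effect/Action/Resource plus StringEquals/StringNotEquals; real IAM has more rules.
from fnmatch import fnmatchcase

def deny_unless(key, value, bucket):
    """Bucket policy denying every S3 action on bucket unless ctx[key] == value."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {key: value}}}]}

# Step 4: endpoint policy allowing only GetObject/PutObject on my_secure_bucket.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]}]}
VPCE_ONLY = deny_unless("aws:sourceVpce", "vpce-1a2b3c4d", "examplebucket")
VPC_ONLY = deny_unless("aws:sourceVpc", "vpc-111bbb22", "examplebucket")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            matched = ctx.get(key) in _as_list(wanted)
            # IAM treats an absent key as "not equal", so the Deny also fires on requests with no VPC context.
            if (op == "StringEquals" and not matched) or (op == "StringNotEquals" and matched):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Combined decision over policies: explicit Deny > Allow > implicit Deny."""
    decision = "Deny"
    for s in (s for p in policies for s in p["Statement"]):
        if not (any(fnmatchcase(action, a) for a in _as_list(s["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))
                and _condition_ok(s.get("Condition", {}), ctx)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def request_allowed(action, resource, ctx, identity, bucket_policy=None, endpoint_policy=None):
    """Identity and bucket policy decide; a request via a VPC endpoint must also pass the endpoint policy."""
    if "aws:sourceVpce" in ctx and endpoint_policy is not None:
        if evaluate([endpoint_policy], action, resource, ctx) != "Allow":
            return False
    return evaluate([p for p in (identity, bucket_policy) if p], action, resource, ctx) == "Allow"
```

Before attaching a deny-unless-VPC policy to a real bucket, check who administers it from outside the VPC; the absent-key behaviour means they are locked out too, and only the account root can then remove the policy.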

Final thoughts

If you have resources in your AWS VPC that connect to Amazon S3, and you do not want that traffic to cross the public internet or rely on the public S3 bucket DNS name, use an Amazon S3 VPC endpoint. Follow the principle of least privilege by setting up endpoint policies and S3 bucket policies so that only the appropriate entities get access to your buckets and objects.
