What is the difference between VPC endpoint policies and IAM policies?

VPC endpoint policies are a separate authorization layer that is evaluated in addition to IAM policies. Even if an IAM role has full S3 access, a VPC endpoint policy can restrict that access to specific buckets when traffic flows through the endpoint. The effective permissions are the intersection of the IAM policy and the endpoint policy. Endpoint policies cannot grant permissions beyond what IAM allows — they can only further restrict access through the endpoint.

How do VPC endpoint policies help with data perimeter controls?

Data perimeter controls ensure that only trusted identities can access trusted resources from trusted networks. VPC endpoint policies enforce the network component by restricting which resources are accessible through your endpoint. Combined with aws:PrincipalOrgId conditions that limit access to principals in your organization and S3 bucket policies that require vpc-endpoint-restricted access, endpoint policies create a comprehensive data perimeter that prevents unauthorized data movement.

Can I use condition keys in VPC endpoint policies?

Yes, VPC endpoint policies support the full range of IAM condition keys plus service-specific keys. Common conditions include aws:PrincipalOrgId to restrict to your organization, aws:PrincipalAccount for account-level restrictions, and service-specific keys like s3:prefix or s3:ExistingObjectTag. You can also use aws:ResourceOrgID to ensure only organization-owned resources are accessed through the endpoint.

AWS VPC Endpoint Policy Builder

NetworkingAWS

Build VPC endpoint policies to restrict service access through interface and gateway endpoints.

Last verified: May 2026

VPC Endpoint Policy Configuration

Statement 1

SID (optional)

Effect

Principal

Actions (comma-separated)

Resources (comma-separated)

Condition Operator

Condition Key

Condition Value

Generated VPC Endpoint Policy

Output will appear here...

About This Tool

VPC endpoint policies control which AWS principals, actions, and resources can be accessed through a VPC interface or gateway endpoint. By default, endpoints allow full access to the target service, but custom policies can restrict this to specific S3 buckets, DynamoDB tables, or API actions — enforcing data perimeter controls that prevent data exfiltration even from compromised workloads. The VPC Endpoint Policy Builder helps you write policies with correct principal ARNs, action lists, resource constraints, and condition keys specific to each AWS service, generating policies that enforce least-privilege access through the endpoint.

Real-World Scenario

Your security team needs to prevent a recurrence of last year's incident where a compromised EC2 instance copied 5 TB of customer data to an attacker-controlled S3 bucket. The builder generates an endpoint policy on the S3 gateway endpoint requiring aws:ResourceOrgID == your org ID. Combined with a bucket policy on customer data buckets requiring access via the specific endpoint, the architecture is now impossible to exfiltrate via legitimate AWS APIs from this VPC. Even compromised credentials can only reach buckets in your org through the endpoint.

When to Use This Tool

•Building an S3 gateway endpoint policy that restricts access to only specific buckets owned by your organization, preventing data exfiltration to external buckets
•Creating an STS interface endpoint policy that limits AssumeRole calls to roles within your AWS Organization, blocking cross-organization role assumption
•Designing endpoint policies for ECR that allow pulling images only from your organization's repositories, preventing supply chain attacks via unauthorized images
•Generating KMS endpoint policies that restrict which encryption keys can be accessed from your VPC, enforcing key isolation between environments

Pro Tips

TIP

S3 gateway endpoints are FREE — unlike interface endpoints which cost $0.01/hr per AZ + $0.01/GB processed. Always use a gateway endpoint for S3 (and DynamoDB) when possible. The naive 'use interface endpoint for everything' approach can add hundreds per month for no benefit.

TIP

Endpoint policies don't apply to traffic that doesn't transit the endpoint. If a workload reaches S3 via a NAT gateway + internet, the endpoint policy is silently bypassed. To enforce it, you also need bucket policies that require `aws:sourceVpce` matching the endpoint ID.

TIP

The aws:PrincipalOrgId condition is the killer pattern for data perimeter. Combined with endpoint policies that require this condition, you create an architecture where data CAN'T be exfiltrated to non-org S3 buckets even if a workload is fully compromised.

How It Works Under the Hood

The builder constructs VPC endpoint policy JSON documents matching the IAM policy schema (Statement array with Effect, Principal, Action, Resource, Condition). Templates exist for common scenarios: org-scoped S3 access, ECR image pull restrictions, STS role assumption restrictions, KMS key isolation. Output is generated as JSON ready for the EndpointPolicyDocument parameter on aws ec2 modify-vpc-endpoint or in Terraform aws_vpc_endpoint.policy.

Frequently Asked Questions

What is the difference between VPC endpoint policies and IAM policies?: VPC endpoint policies are a separate authorization layer that is evaluated in addition to IAM policies. Even if an IAM role has full S3 access, a VPC endpoint policy can restrict that access to specific buckets when traffic flows through the endpoint. The effective permissions are the intersection of the IAM policy and the endpoint policy. Endpoint policies cannot grant permissions beyond what IAM allows — they can only further restrict access through the endpoint.
How do VPC endpoint policies help with data perimeter controls?: Data perimeter controls ensure that only trusted identities can access trusted resources from trusted networks. VPC endpoint policies enforce the network component by restricting which resources are accessible through your endpoint. Combined with aws:PrincipalOrgId conditions that limit access to principals in your organization and S3 bucket policies that require vpc-endpoint-restricted access, endpoint policies create a comprehensive data perimeter that prevents unauthorized data movement.
Can I use condition keys in VPC endpoint policies?: Yes, VPC endpoint policies support the full range of IAM condition keys plus service-specific keys. Common conditions include aws:PrincipalOrgId to restrict to your organization, aws:PrincipalAccount for account-level restrictions, and service-specific keys like s3:prefix or s3:ExistingObjectTag. You can also use aws:ResourceOrgID to ensure only organization-owned resources are accessed through the endpoint.

Related Learning Guides

VPC Architecture Patterns28 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.