What is the difference between VPC endpoint policies and IAM policies?

VPC endpoint policies are a separate authorization layer that is evaluated in addition to IAM policies. Even if an IAM role has full S3 access, a VPC endpoint policy can restrict that access to specific buckets when traffic flows through the endpoint. The effective permissions are the intersection of the IAM policy and the endpoint policy. Endpoint policies cannot grant permissions beyond what IAM allows — they can only further restrict access through the endpoint.

How do VPC endpoint policies help with data perimeter controls?

Data perimeter controls ensure that only trusted identities can access trusted resources from trusted networks. VPC endpoint policies enforce the network component by restricting which resources are accessible through your endpoint. Combined with aws:PrincipalOrgId conditions that limit access to principals in your organization and S3 bucket policies that require vpc-endpoint-restricted access, endpoint policies create a comprehensive data perimeter that prevents unauthorized data movement.

Can I use condition keys in VPC endpoint policies?

Yes, VPC endpoint policies support the full range of IAM condition keys plus service-specific keys. Common conditions include aws:PrincipalOrgId to restrict to your organization, aws:PrincipalAccount for account-level restrictions, and service-specific keys like s3:prefix or s3:ExistingObjectTag. You can also use aws:ResourceOrgID to ensure only organization-owned resources are accessed through the endpoint.

AWS VPC Endpoint Policy Builder

NetworkingAWS

Build VPC endpoint policies to restrict service access through interface and gateway endpoints.

VPC Endpoint Policy Configuration

Statement 1

SID (optional)

Effect

Principal

Actions (comma-separated)

Resources (comma-separated)

Condition Operator

Condition Key

Condition Value

Generated VPC Endpoint Policy

Output will appear here...

About This Tool

VPC endpoint policies control which AWS principals, actions, and resources can be accessed through a VPC interface or gateway endpoint. By default, endpoints allow full access to the target service, but custom policies can restrict this to specific S3 buckets, DynamoDB tables, or API actions — enforcing data perimeter controls that prevent data exfiltration even from compromised workloads. The VPC Endpoint Policy Builder helps you write policies with correct principal ARNs, action lists, resource constraints, and condition keys specific to each AWS service, generating policies that enforce least-privilege access through the endpoint.

When to Use This Tool

•Building an S3 gateway endpoint policy that restricts access to only specific buckets owned by your organization, preventing data exfiltration to external buckets
•Creating an STS interface endpoint policy that limits AssumeRole calls to roles within your AWS Organization, blocking cross-organization role assumption
•Designing endpoint policies for ECR that allow pulling images only from your organization's repositories, preventing supply chain attacks via unauthorized images
•Generating KMS endpoint policies that restrict which encryption keys can be accessed from your VPC, enforcing key isolation between environments

Frequently Asked Questions

What is the difference between VPC endpoint policies and IAM policies?: VPC endpoint policies are a separate authorization layer that is evaluated in addition to IAM policies. Even if an IAM role has full S3 access, a VPC endpoint policy can restrict that access to specific buckets when traffic flows through the endpoint. The effective permissions are the intersection of the IAM policy and the endpoint policy. Endpoint policies cannot grant permissions beyond what IAM allows — they can only further restrict access through the endpoint.
How do VPC endpoint policies help with data perimeter controls?: Data perimeter controls ensure that only trusted identities can access trusted resources from trusted networks. VPC endpoint policies enforce the network component by restricting which resources are accessible through your endpoint. Combined with aws:PrincipalOrgId conditions that limit access to principals in your organization and S3 bucket policies that require vpc-endpoint-restricted access, endpoint policies create a comprehensive data perimeter that prevents unauthorized data movement.
Can I use condition keys in VPC endpoint policies?: Yes, VPC endpoint policies support the full range of IAM condition keys plus service-specific keys. Common conditions include aws:PrincipalOrgId to restrict to your organization, aws:PrincipalAccount for account-level restrictions, and service-specific keys like s3:prefix or s3:ExistingObjectTag. You can also use aws:ResourceOrgID to ensure only organization-owned resources are accessed through the endpoint.

Related Learning Guides

VPC Architecture Patterns28 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.