VPC Endpoint access via Lambda isn't filterable by Policy

Question

My customer wants to create a private access between a Lambda function and Amazon S3.

Therefore we set up:

- Lambda inside a VPC
- VPC Endpoint for Amazon S3
- S3 bucket with Policy

I already tested it. Everything works fine until I add a filtered policy to the endpoint.

***What can we add as a principal to filter access via VPC Endpoint for a Lambda only?***

### Policies:

What works
(If we add this VPCE Policy, then the Lambda can access S3):

{
        "Statement": [
            {
                "Action": "*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": "*"
            }
        ]
    }

What doesn't work
(If we add this VPC Endpoint Policy, then the Lambda gets an AccessDenied):

{
        "Version": "2008-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                "AWS": [
                    "AROA4JHTAY7WBFYZGH4QV", # ID of the used Lambda role
                    "123456789012" # Account Id
                },
                "PrincipalGroup": {
                    "AWS": "svc:lambda.amazonaws.com" # Lambda service whitelisted itself
                },
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }

Accepted Answer

When your function runs in the VPC the traffic comes from the VPC so all you need to do is set the VPC Endpoint in the policy. You should not care that it comes from Lambda. You can find more information about how to do it [here](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html).

VPC Endpoint access via Lambda isn't filterable by Policy

Policies:

Relevant content