By using AWS re:Post, you agree to the Terms of Use

VPC Endpoint access via Lambda isn't filterable by Policy

0

My customer wants to create a private access between a Lambda function and Amazon S3.

Therefore we set up:

  • Lambda inside a VPC
  • VPC Endpoint for Amazon S3
  • S3 bucket with Policy

I already tested it. Everything works fine until I add a filtered policy to the endpoint.

What can we add as a principal to filter access via VPC Endpoint for a Lambda only?

Policies:

What works (If we add this VPCE Policy, then the Lambda can access S3):

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

What doesn't work (If we add this VPC Endpoint Policy, then the Lambda gets an AccessDenied):

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
            "AWS": [
                "AROA4JHTAY7WBFYZGH4QV", # ID of the used Lambda role
                "123456789012" # Account Id
            },
            "PrincipalGroup": {
                "AWS": "svc:lambda.amazonaws.com" # Lambda service whitelisted itself
            },
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
1 Answer
0
Accepted Answer

When your function runs in the VPC the traffic comes from the VPC so all you need to do is set the VPC Endpoint in the policy. You should not care that it comes from Lambda. You can find more information about how to do it here.

profile picture
EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions