
Restricting AWS Service Access with VPC Endpoint Policies

0

We're using S3 and Bedrock from our production VPC, and the security team has asked us to restrict the resources and actions callable through VPC Endpoints to the minimum necessary privileges.

For example, we want the S3 VPC Endpoint to only allow access to specific buckets, and the Bedrock VPC Endpoint to only allow inference API calls for specific models. Is this achievable with VPC Endpoint Policies?

Asked 2 months ago, viewed 129 times

1 answer
2
Accepted answer

Yes, VPC Endpoint Policies allow you to granularly restrict the resources and actions for API calls passing through the endpoint.

It's important to understand that VPC Endpoint Policies don't replace IAM policies — they act as an additional filter. A call must be allowed by both the IAM policy and the VPC Endpoint Policy to succeed.

Example 1: S3 Gateway Endpoint — Allow Only a Specific Bucket

Apply the following policy to the S3 Gateway Endpoint:

  • Action: s3:GetObject, s3:PutObject, s3:ListBucket
  • Resource: arn:aws:s3:::my-prod-data-bucket and arn:aws:s3:::my-prod-data-bucket/*
  • This ensures that no bucket other than my-prod-data-bucket can be accessed through this VPC's S3 Endpoint. Even if IAM grants permissions to other buckets, the Endpoint Policy blocks them.

Example 2: Bedrock Runtime Interface Endpoint — Allow Only Specific Models

Apply the following policy to the com.amazonaws.<region>.bedrock-runtime endpoint:

  • Action: bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream, bedrock:Converse, bedrock:ConverseStream
  • Resource: Specify only specific model ARNs (e.g., anthropic.claude-sonnet-4-20250514-v1:0, amazon.titan-embed-text-v2:0)

Important Notes

  • When you write an Endpoint Policy as Allow-based (allowlist), all resources/actions not explicitly allowed are implicitly denied.
  • If using Cross-Region Inference Profiles, the Resource ARN takes the form arn:aws:bedrock:<region>:<account-id>:inference-profile/*, which must be allowed separately.
  • For S3 Gateway Endpoints, adding the aws:sourceVpce condition key to the S3 Bucket Policy lets you restrict access on the bucket side to only allow traffic through that specific VPC Endpoint.
  • Endpoint Policy changes may take a few seconds to a few minutes to propagate. Wait briefly before testing.
  • If you're currently running with a Full Access policy (Allow *), suddenly applying a restrictive policy can cause service outages. It's recommended to first analyze actual call patterns in CloudTrail, then add only the necessary actions/resources to the allow list.
AWS

Answered 2 months ago

Expert

Reviewed 2 months ago
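As an added illustration (not part of the answer above, nor AWS's own code): the two endpoint policies from Examples 1 and 2 written out as JSON documents, plus a small evaluator that applies the "both IAM and the endpoint policy must allow" rule to sample calls. The account id, region and the over-broad IAM policy are constructed placeholders; the evaluator ignores Deny statements and condition keys, so it is a teaching aid, not IAM's real evaluation logic.

```python
import fnmatch

# Constructed placeholders for the example: substitute your own account id and region.
ACCOUNT = "123456789012"
REGION = "us-east-1"

# Example 1 from the answer: S3 gateway endpoint policy allowing one bucket only.
S3_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-prod-data-bucket",
                 "arn:aws:s3:::my-prod-data-bucket/*"]}]}

# Example 2 from the answer: Bedrock runtime endpoint policy for two specific models,
# plus the inference-profile ARN pattern the answer says must be allowed separately.
BEDROCK_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream",
               "bedrock:Converse", "bedrock:ConverseStream"],
    "Resource": [
        f"arn:aws:bedrock:{REGION}::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0",
        f"arn:aws:bedrock:{REGION}::foundation-model/amazon.titan-embed-text-v2:0",
        f"arn:aws:bedrock:{REGION}:{ACCOUNT}:inference-profile/*"]}]}

# Constructed: an over-broad IAM policy, as on a role that still carries s3:* and bedrock:*.
BROAD_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "bedrock:*"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource):
    """Simplified allow-list check: True if any Allow statement matches both the
    action and the resource (IAM-style '*' wildcards). Deny statements and
    condition keys such as aws:sourceVpce are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def call_allowed(iam_policy, endpoint_policy, action, resource):
    """The rule from the answer: a call through the endpoint succeeds only when
    BOTH the caller's IAM policy and the VPC endpoint policy allow it."""
    return policy_allows(iam_policy, action, resource) and \
           policy_allows(endpoint_policy, action, resource)
```

Running the checks in the test below shows the effect the answer describes: the broad IAM policy alone would allow reads from any bucket or any model, but once the endpoint policy is in place only my-prod-data-bucket and the listed model ARNs get through.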
