Endpoint Resource Policy

You will now configure the Gateway Endpoint Resource Policy, which restricts the S3 buckets that can be reached through the gateway endpoint. The endpoint policy does not grant any permissions on its own: a request still has to be allowed by the caller's IAM policy and by the bucket policy, and the endpoint policy is applied as an additional filter on everything that passes through the endpoint.

figure14

Endpoint Policy Configuration

  1. Access the Endpoints screen in the VPC dashboard in the AWS console: https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#Endpoints:sort=vpcEndpointId
  2. Refer to the output values you collected from your CloudFormation stack. Note the value of the “S3VPCGatewayEndpoint” output. This is your VPC Gateway Endpoint ID.

figure15

  3. Select your S3 Gateway Endpoint ID in the upper pane of the AWS console. Details for the endpoint are presented in the lower pane. Click on the Policy tab, then click “Edit Policy”. Select the “Custom” radio button so that you can enter a custom policy in place of the default “Full Access” policy.

Endpoint Resource Policy template / example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::examplerestrictedbucketname",
                   "arn:aws:s3:::examplerestrictedbucketname/*"]
    }
  ]
}
  4. Refer to the output values you collected from your CloudFormation stack. Copy/paste the value of the “RestrictedS3BucketName” output, use it to replace both occurrences of examplerestrictedbucketname in the template/example above, and save the custom policy. Note that “Principal” stays as "*": an endpoint policy is always written that way, and the principals are constrained by IAM and the bucket policy instead. Note also that the policy allows only s3:GetObject and s3:PutObject on that one bucket, so after saving, listing the bucket (s3:ListBucket) and any other S3 traffic from the VPC that relies on this endpoint will be denied.

figure16
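The same step done programmatically, as an added example that is not part of the original workshop page: the restricted policy above is built from a bucket name, checked against the console's default “Full Access” policy, applied with the EC2 ModifyVpcEndpoint API call the console's Save button makes, and read back with DescribeVpcEndpoints. The endpoint ID and bucket name are placeholders for your CloudFormation outputs, and the EC2 client is injected so the block runs offline against a stub; pass `boto3.client("ec2")` to change a real endpoint.

```python
"""Build, apply and read back a restrictive S3 gateway endpoint policy.

Added example for this workshop step; it is not code from the original page.
The EC2 client is injected so the logic runs offline against the stub below;
pass a real boto3 client (boto3.client("ec2")) to change a live endpoint.
"""
import json

# Placeholders only: substitute the S3VPCGatewayEndpoint and
# RestrictedS3BucketName outputs collected from your CloudFormation stack.
EXAMPLE_ENDPOINT_ID = "vpce-0123456789abcdef0"   # hypothetical endpoint ID
EXAMPLE_BUCKET = "examplerestrictedbucketname"   # placeholder name from the page

# The policy the console applies when "Full Access" is selected: any principal,
# any action, any bucket. This is the weak setting the workshop step replaces.
FULL_ACCESS_POLICY = {
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
    ]
}


def build_endpoint_policy(bucket):
    """Return the page's restricted policy, parameterised by bucket name."""
    if not bucket or "*" in bucket or "/" in bucket:
        raise ValueError("bucket must be one concrete bucket name")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",  # endpoint policies are written with Principal "*"
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def policy_is_restricted(policy, bucket):
    """True if every Allow statement names only this bucket and no wildcard action."""
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        actions = stmt.get("Action", [])
        resources = [resources] if isinstance(resources, str) else resources
        actions = [actions] if isinstance(actions, str) else actions
        if any(r not in allowed_resources for r in resources):
            return False
        if any(a == "*" or a.endswith(":*") for a in actions):
            return False
    return True


def apply_policy(ec2, endpoint_id, policy):
    """Replace the endpoint's policy (the call behind the console's Save button)."""
    resp = ec2.modify_vpc_endpoint(
        VpcEndpointId=endpoint_id, PolicyDocument=json.dumps(policy)
    )
    return resp["Return"]


def read_back_policy(ec2, endpoint_id):
    """Fetch the attached policy; PolicyDocument is returned as a JSON string."""
    resp = ec2.describe_vpc_endpoints(VpcEndpointIds=[endpoint_id])
    return json.loads(resp["VpcEndpoints"][0]["PolicyDocument"])


class FakeEC2:
    """Offline stand-in for boto3's EC2 client (a stub, not AWS code)."""

    def __init__(self):
        self.docs = {}

    def modify_vpc_endpoint(self, VpcEndpointId, PolicyDocument):
        self.docs[VpcEndpointId] = PolicyDocument
        return {"Return": True}

    def describe_vpc_endpoints(self, VpcEndpointIds):
        return {"VpcEndpoints": [
            {"VpcEndpointId": i, "PolicyDocument": self.docs[i]}
            for i in VpcEndpointIds
        ]}


if __name__ == "__main__":
    ec2 = FakeEC2()  # swap for boto3.client("ec2") to change a real endpoint
    apply_policy(ec2, EXAMPLE_ENDPOINT_ID, FULL_ACCESS_POLICY)
    print("full access restricted?",
          policy_is_restricted(read_back_policy(ec2, EXAMPLE_ENDPOINT_ID), EXAMPLE_BUCKET))
    apply_policy(ec2, EXAMPLE_ENDPOINT_ID, build_endpoint_policy(EXAMPLE_BUCKET))
    print("custom policy restricted?",
          policy_is_restricted(read_back_policy(ec2, EXAMPLE_ENDPOINT_ID), EXAMPLE_BUCKET))
```

`policy_is_restricted` is a local sanity check on the document you are about to save, not a substitute for testing from an instance in the VPC: after applying the policy, an `aws s3 cp` to the restricted bucket should succeed and the same copy to any other bucket should fail with AccessDenied, which is the behaviour the endpoint policy is meant to enforce.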