tL;dr
Control AWS access via endpoint policies
VPC endpoint policies let you control which AWS principals and actions are allowed through your private link to services like S3, making them a key control at the network layer. A properly scoped S3 VPC endpoint policy can stop unauthorized access even if the bucket is publicly accessible. To enforce an AWS VPC endpoint policy, explicitly allow or deny specific services, actions, or accounts. Most VPC endpoint policy examples follow the same pattern – conditionally scoped allow or deny statements targeting a principal and an action.
Sola makes this easy by showing exactly what your policies allow and who can reach your S3 buckets, using the AWS Network Security Posture app or your own AI-built check.
Sola makes this easy by showing exactly what your policies allow and who can reach your S3 buckets, using the AWS Network Security Posture app or your own AI-built check.
Sola apps that could help you
Visit the App GalleryUnderstand the VPC endpoint policy basics
When you create a VPC endpoint for S3, it feels private, but it is only as safe as its policies. If you leave the endpoint policy at its default, any principal in the VPC whose traffic routes through the endpoint and whose IAM permissions allow S3 actions can reach your buckets.
A custom endpoint policy lets you specify actions, resources, and principals, limiting who can use the endpoint. For example, you can allow only a specific IAM role to reach one bucket and deny everything else.
Just remember: the endpoint policy only governs traffic through the endpoint. If you haven’t locked down public access at the bucket level, users might still reach it over the internet. To block that, you’ll need conditions like aws:SourceVpce.
Remember that the endpoint policy governs traffic through the endpoint only. To stop users from reaching the same bucket over the public internet, add a bucket policy condition such as aws:SourceVpce (or aws:SourceVpc) so S3 accepts requests only from your endpoint.
Apply the same scrutiny elsewhere: verify RDS public access settings and secure AWS API Gateway with resource policies and private integrations to avoid parallel exposure paths.
Best Practices for Enforcing Endpoint Policies
- Use explicit denies for anything you absolutely want to block. IAM allows are permissive by default.
- Combine with S3 bucket policies to restrict access based on the
aws:SourceVpcecondition key. This ensures that even if a user has access, they must go through the intended VPC endpoint. - Avoid overly broad permissions—limit access to exact actions (e.g.
s3:GetObject) and specific resources. - Test using IAM Policy Simulator or CloudTrail logs to validate that your endpoint policy behaves as expected.
- Tag your VPC endpoints and enforce tagging policies via SCPs or automation if you’re running multi-account setups.
Don’t just write it. Enforce it with Sola.
Want to know if your VPC endpoint policy is actually doing what you think it’s doing? Sola helps you find out in minutes. Use the AWS Network Security Posture app or build your own logic using Sola’s AI-powered studio. Just define your question (“Is any VPC endpoint letting in unwanted roles?”), connect your data source, and you’ve got an answer. No need for audits, spreadsheets, or assumptions.
Answer more security questions
How to secure AWS API gateway?
Cybersecurity for startups: Where to Start?
Is my RDS instance publicly accessible?