# AWS Endpoint Policy for Trusted S3 Buckets

An **AWS VPC Endpoint Policy for Amazon S3** is an IAM resource policy attached to the endpoint that controls **which principals can perform which S3 actions on which buckets through that endpoint**. It is useful for **limiting a private network path to trusted AWS accounts, IAM roles, or specific buckets**. It governs only traffic that traverses the endpoint: it does not affect requests that reach S3 over the internet or through another endpoint, and the default policy attached at creation allows full access to every bucket. Pair it with a bucket policy (and S3 Block Public Access) when the bucket itself must be locked to that path.

***

### **📌 Use Case: SecureCart’s Trusted S3 Buckets**

📌 **Scenario:** SecureCart stores customer order data and transaction logs in **Amazon S3**. To enhance security:\
✔ **Only SecureCart’s AWS account should be able to use the VPC endpoint to reach the bucket.**\
✔ **Public access to the bucket should be blocked** (S3 Block Public Access plus a bucket policy; the endpoint policy alone does not do this).\
✔ **Only specific IAM roles should have read/write access to the bucket.**

***

#### **✅ Sample S3 VPC Endpoint Policy (Allow Only the Trusted Account, Require TLS)**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

***

#### **📌 Explanation of Policy:**

🔹 **Statement 1 (Allow Access for Trusted AWS Account)**\
✔ Allows **all actions (`s3:*`)** on **SecureCart’s S3 bucket** for any principal whose request carries `aws:PrincipalAccount` = **`123456789012`**, i.e. IAM users and roles in SecureCart’s account. Anonymous requests carry no `aws:PrincipalAccount`, so the `StringEquals` test fails for them.\
✔ Because this is the only Allow, every other bucket is implicitly denied through the endpoint. That includes AWS-owned buckets your instances fetch from over the same path (for example the Amazon Linux package repositories), so add an Allow for those bucket ARNs if you rely on them.

🔹 **Statement 2 (Deny Unencrypted Requests)**\
✔ Blocks requests where **TLS is not used (`aws:SecureTransport` is `false`)**. An explicit Deny always wins over an Allow, so this holds even for principals matched by Statement 1.\
✔ Ensures all access to SecureCart’s S3 bucket through the endpoint happens over **HTTPS only**.

***

### **📌 Additional Enhancements**

1️⃣ **Restrict Access to Specific IAM Roles**

```json
"Condition": {
  "ArnEquals": {
    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
  }
}
```

🔹 **Only allows sessions of IAM role `SecureCartDataAccess` to access the bucket through the endpoint.** For an assumed-role session `aws:PrincipalArn` carries the role ARN (not the session ARN), so `ArnEquals` matches every session of the role. Add this alongside the existing `StringEquals` block: keys in one `Condition` are ANDed, so the Allow gets narrower, not wider.

2️⃣ **Restrict Access to a Specific VPC**

```json
"Condition": {
  "StringEquals": {
    "aws:SourceVpc": "vpc-abcdef123456"
  }
}
```

🔹 **Ensures SecureCart’s S3 bucket is only accessible from a specific VPC.** Inside an endpoint policy this is redundant, since the endpoint sits in exactly one VPC. Put the same check in the **bucket policy** (as a Deny with `StringNotEquals` on `aws:SourceVpc` or `aws:SourceVpce`) to block every other path to the bucket, and exempt a break-glass role so the account’s administrators are not locked out.

3️⃣ **Limit Access to Read-Only or Write-Only**

* Give readers a separate Allow statement scoped to **`s3:GetObject`** (plus `s3:ListBucket` on the bucket ARN) conditioned on their role.
* Give writers an Allow scoped to **`s3:PutObject`** conditioned on the workload’s role.
* Keep the `Deny` for `aws:SecureTransport: false`; it applies to both groups.

***

### **📌 Summary**

🚀 This **VPC Endpoint Policy**, together with the bucket policy it is paired with, ensures SecureCart’s S3 buckets are:\
✔ **Only accessible through the endpoint by SecureCart’s AWS account.**\
✔ **Restricted to the IAM roles that should access them.**\
✔ **Only reachable through the trusted VPC endpoint (enforced by the bucket policy, not the endpoint policy).**\
✔ **Served over TLS only, with plaintext requests explicitly denied.**

## **Hands-On Guide: Implementing a Secure VPC Endpoint Policy for Trusted S3 Buckets in SecureCart’s AWS Environment**

This guide walks through the **step-by-step process** of securing SecureCart’s **Amazon S3 buckets** using a **VPC Endpoint Policy**, backed by a bucket policy, so that:\
✔ **Only SecureCart’s AWS account can reach the bucket through the endpoint**\
✔ **Only specific IAM roles can perform actions**\
✔ **The bucket is reachable only from a specific VPC**\
✔ **Requests must use HTTPS (TLS)**

***

### **📌 Step 1: Create a VPC Endpoint for Amazon S3**

📌 **Why?** A VPC endpoint lets workloads in the VPC reach **S3** over the AWS network **without a NAT gateway or internet gateway**. S3 supports two endpoint types: a **Gateway** endpoint (free, attached to route tables, the usual choice) and an **Interface** endpoint (PrivateLink network interfaces in your subnets, billed per hour and per GB). The steps below cover both; the policy work in later steps is the same for either.

#### **✅ Actions:**

1️⃣ **Sign in to the AWS Management Console.**\
2️⃣ Navigate to **VPC → Endpoints → Create Endpoint**.\
3️⃣ Select **AWS services** and choose the **S3** service for your region (`com.amazonaws.<region>.s3`), picking the **Gateway** type unless you specifically need an Interface endpoint.\
4️⃣ Choose the **VPC where SecureCart’s applications are running**.\
5️⃣ For a Gateway endpoint, select the **route tables of the private subnets** that need access; for an Interface endpoint, select the **private subnets** and a **security group that allows inbound HTTPS (443) from those subnets**.\
6️⃣ Leave the policy as **Full access** for now; it is replaced in Step 2.\
7️⃣ Click **Create Endpoint**.

✅ **Result:** A new VPC endpoint is created. For a Gateway endpoint, a route for the S3 prefix list appears in the selected route tables and **S3 traffic from those subnets now stays on the AWS network**.

***

### **📌 Step 2: Attach a Secure Endpoint Policy**

📌 **Why?** The **endpoint policy** restricts **which principals can do what to which buckets** via the **VPC Endpoint**. The default policy allows full access to every bucket.

#### **✅ Actions:**

1️⃣ **Navigate to the VPC Endpoint you just created.**\
2️⃣ Click **Policy** → **Edit Policy**.\
3️⃣ **Copy and paste the following policy** (adjusting the AWS Account ID and bucket name). The policy takes effect as soon as it is saved, so apply it to a non-production endpoint first.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

✔ **Restricts access through this endpoint to SecureCart’s AWS Account (`123456789012`)**\
✔ **Denies requests that are not encrypted (HTTPS required)**

4️⃣ **Click Save**.

✅ **Result:** Through this endpoint, only principals from SecureCart’s **trusted AWS account can reach the bucket**, and **unencrypted requests are denied**. Every other bucket is now implicitly denied on this path, so add Allow statements for any AWS-owned buckets your instances depend on (for example the Amazon Linux package repositories) before rolling this out.
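The sample policy above, Steps 1 and 2, and the role restriction of Step 3 as a single Python module: it builds the endpoint policy (optionally narrowed to one role), builds the companion bucket policy that the endpoint policy cannot replace, and applies both with boto3. This is an added example, not code from the original page. It uses the account ID, bucket and role name shown on this page; the `BreakGlassAdmin` role, the `apply_policies()` helper and the region/route-table arguments are assumptions.

```python
"""Build and apply the SecureCart endpoint policy and its companion bucket policy.

Added example for this page, not code from the original. It uses the account
ID, bucket and role name shown above; the BreakGlassAdmin role and the
apply_policies() helper are assumptions.
"""
import json

ACCOUNT_ID = "123456789012"
BUCKET = "securecart-private-bucket"
DATA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/SecureCartDataAccess"
BREAK_GLASS_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BreakGlassAdmin"  # assumed name
# AWS-owned buckets that yum/dnf on Amazon Linux reads through the same endpoint.
AMAZON_LINUX_REPOS = [
    "arn:aws:s3:::packages.*.amazonaws.com/*",
    "arn:aws:s3:::repo.*.amazonaws.com/*",
    "arn:aws:s3:::amazonlinux.*.amazonaws.com/*",
]


def bucket_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def deny_plaintext(bucket):
    """Explicit Deny for requests without TLS; an explicit Deny beats any Allow."""
    return {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": bucket_arns(bucket),
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


def endpoint_policy(account_id, bucket, role_arn=None, allow_repos=True):
    """Step 2's endpoint policy, optionally narrowed to one role (Step 3).

    Condition keys inside one statement are ANDed, so adding aws:PrincipalArn
    tightens the Allow rather than widening it.
    """
    condition = {"StringEquals": {"aws:PrincipalAccount": account_id}}
    if role_arn:
        condition["ArnEquals"] = {"aws:PrincipalArn": role_arn}
    statements = [
        {"Sid": "TrustedPrincipals", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": bucket_arns(bucket), "Condition": condition},
        deny_plaintext(bucket),
    ]
    if allow_repos:
        # The Allow above names only our bucket; without this, OS updates
        # fetched from S3 through the endpoint are implicitly denied.
        statements.append({"Sid": "AmazonLinuxRepos", "Effect": "Allow",
                           "Principal": "*", "Action": "s3:GetObject",
                           "Resource": AMAZON_LINUX_REPOS})
    return {"Version": "2012-10-17", "Statement": statements}


def bucket_policy(bucket, vpce_id, break_glass_arn):
    """Companion bucket policy. The endpoint policy cannot stop requests that
    reach S3 by another path, so the bucket denies everything that did not
    arrive via vpce_id. The two StringNotEquals keys are ANDed, which is what
    exempts the break-glass role; a negated operator also matches when the key
    is absent, so an internet request (no aws:SourceVpce) is denied."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": bucket_arns(bucket),
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id,
                                           "aws:PrincipalArn": break_glass_arn}}},
        deny_plaintext(bucket),
    ]}


def apply_policies(region, vpc_id, route_table_ids):
    """Steps 1-2 via boto3: create the gateway endpoint with the policy attached,
    then pin the bucket to it. Needs boto3 and credentials, so not run offline."""
    import boto3  # imported here so the builders above work without boto3
    ec2 = boto3.client("ec2", region_name=region)
    created = ec2.create_vpc_endpoint(
        VpcEndpointType="Gateway",
        VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{region}.s3",
        RouteTableIds=route_table_ids,  # gateway endpoints attach to route tables
        PolicyDocument=json.dumps(endpoint_policy(ACCOUNT_ID, BUCKET, DATA_ROLE_ARN)),
    )
    vpce_id = created["VpcEndpoint"]["VpcEndpointId"]
    boto3.client("s3", region_name=region).put_bucket_policy(
        Bucket=BUCKET, Policy=json.dumps(bucket_policy(BUCKET, vpce_id, BREAK_GLASS_ARN)))
    return vpce_id


if __name__ == "__main__":
    print(json.dumps(endpoint_policy(ACCOUNT_ID, BUCKET, DATA_ROLE_ARN), indent=2))
```

Run the module to print the endpoint policy, or call `apply_policies("us-east-1", "vpc-abcdef123456", ["rtb-..."])` from an authenticated session to create the endpoint and pin the bucket in one go. The bucket policy is the part the page's console steps leave out: without it, the same role can still read the bucket from a laptop over the internet.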

***

### **📌 Step 3: Restrict Access to Specific IAM Roles**

📌 **Why?** Only authorized IAM roles should have access.

#### **✅ Actions:**

1️⃣ Edit the VPC Endpoint Policy.\
2️⃣ Add the **IAM Role Restriction** to the Allow statement’s `Condition` block (keys in one `Condition` are ANDed, so this narrows the Allow to that role):

```json
"Condition": {
  "ArnEquals": {
    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
  }
}
```

📌 **Example Updated Policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012"
        },
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

✅ **Result:**\
✔ **Through this endpoint, only sessions of the IAM role `SecureCartDataAccess` can reach the bucket** (`aws:PrincipalArn` resolves to the role ARN for an assumed-role session, so `ArnEquals` matches every session of that role).\
✔ **Other IAM roles and users in the account get an implicit deny on this path.** Their access from other paths is governed by the bucket policy and their own IAM policies, not by this endpoint policy.

***

### **📌 Step 4: Enforce Access from a Specific VPC**

📌 **Why?** Ensure **the bucket is only reachable from SecureCart’s trusted VPC**. Note where this condition does real work: an endpoint belongs to exactly one VPC, so inside the **endpoint policy** `aws:SourceVpc` is always satisfied and only documents intent. The enforcement that keeps the bucket off every other path (internet, other VPCs, other endpoints) belongs in the **bucket policy**: a Deny on `s3:*` with `StringNotEquals` on `aws:SourceVpce` (or `aws:SourceVpc`), with an exemption for a break-glass admin role so you cannot lock yourself out.

#### **✅ Actions:**

1️⃣ Edit the VPC Endpoint Policy.\
2️⃣ Add the **VPC Restriction** (the same check, negated, is what goes into the bucket policy):

```json
"Condition": {
  "StringEquals": {
    "aws:SourceVpc": "vpc-abcdef123456"
  }
}
```

📌 **Example Updated Policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "123456789012",
          "aws:SourceVpc": "vpc-abcdef123456"
        },
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecureCartDataAccess"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-private-bucket",
        "arn:aws:s3:::securecart-private-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

✅ **Result:**\
✔ **Requests through the endpoint are only allowed from SecureCart’s VPC (`vpc-abcdef123456`)**, which the endpoint itself already guarantees.\
✔ **Once the matching Deny is in the bucket policy, an authorized IAM role that tries to reach the bucket from an external network is denied**, even though its IAM permissions would otherwise allow it.

***

### **📌 Step 5: Test & Validate the Secure Setup**

📌 **Why?** Ensure SecureCart’s security restrictions are working, and that nothing legitimate was broken.

#### **✅ Actions:**

1️⃣ **From an instance in the VPC, assume a role other than `SecureCartDataAccess` and run `aws s3 ls s3://securecart-private-bucket` → expect `AccessDenied`**.\
2️⃣ **Repeat over plain HTTP (`aws s3 ls s3://securecart-private-bucket --endpoint-url http://s3.<region>.amazonaws.com`) → expect `AccessDenied`**.\
3️⃣ **Assume `SecureCartDataAccess` from the same instance and run the command over HTTPS → expect a listing**.\
4️⃣ **From outside the VPC (a laptop or another VPC), try the same role → expect `AccessDenied` only if the bucket policy from Step 4 is in place**; the endpoint policy alone does not block this path.\
5️⃣ **Confirm OS package updates still work from the instances (`sudo yum check-update` on Amazon Linux)**, since the endpoint policy now implicitly denies every bucket it does not name.\
6️⃣ **Review AWS CloudTrail**: management events record the `PutBucketPolicy` and `ModifyVpcEndpoint` changes, and with S3 data events enabled each object request records the `vpcEndpointId` it arrived through, which is how you verify no traffic is bypassing the endpoint.

✅ **Final Result:** SecureCart’s **S3 bucket is now locked down** to **the trusted account, the `SecureCartDataAccess` role, and the VPC endpoint**, with **TLS enforced** on every request.
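The checks in Step 5, and the evaluation rules behind Statements 1 and 2 and the enhancements earlier on the page, can be exercised offline before touching a real endpoint. The module below is an added example, not part of the original page: it models the small subset of IAM evaluation these policies rely on (explicit Deny beats Allow, keys in one condition block are ANDed, negated operators match a missing key) and runs constructed requests through the endpoint policy from Step 3 and a bucket policy that pins the bucket to the endpoint. The endpoint ID, the `BreakGlassAdmin` and `Attacker` roles, and every request are made up for the example.

```python
"""Offline simulation of how IAM evaluates the SecureCart policies.

Added example, not part of the original page. It models only what the page's
policies rely on: explicit Deny beats Allow, condition keys in one block are
ANDed, and negated operators match when a key is absent. The endpoint ID, the
BreakGlassAdmin and Attacker roles, and every request are constructed.
"""
import fnmatch

ACCOUNT = "123456789012"
BUCKET_ARNS = ["arn:aws:s3:::securecart-private-bucket",
               "arn:aws:s3:::securecart-private-bucket/*"]
DATA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/SecureCartDataAccess"
BREAK_GLASS = f"arn:aws:iam::{ACCOUNT}:role/BreakGlassAdmin"  # assumed name
VPCE = "vpce-0123456789abcdef0"                                # placeholder ID

# Endpoint policy from Step 3: account + role restriction, TLS deny.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT},
                   "ArnEquals": {"aws:PrincipalArn": DATA_ROLE}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Bucket policy that pins the bucket to the endpoint (the intent of Step 4),
# exempting one break-glass role so administrators are not locked out.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE,
                                       "aws:PrincipalArn": BREAK_GLASS}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _key_matches(operator, key, expected, request):
    """One condition key, for the operators the policies above use."""
    actual = request.get(key)
    if operator in ("StringEquals", "ArnEquals"):
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected  # absent key -> True
    if operator == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    raise ValueError(f"operator {operator} not modelled")


def _statement_applies(stmt, request):
    """Action, resource and every condition key must all match (AND)."""
    return (any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"]))
            and all(_key_matches(op, k, v, request)
                    for op, keys in stmt.get("Condition", {}).items()
                    for k, v in keys.items()))


def evaluate(policy, request):
    """'Deny' if any matching statement denies, else 'Allow' if one allows,
    else 'ImplicitDeny' (the default when nothing matches)."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(request):
    """Combine the layers: the bucket policy always applies; the endpoint policy
    only when the request carries aws:SourceVpce. The caller's IAM identity
    policy is assumed to grant s3:* (not modelled here)."""
    if evaluate(BUCKET_POLICY, request) == "Deny":
        return False
    if "aws:SourceVpce" in request:
        return evaluate(ENDPOINT_POLICY, request) == "Allow"
    return True


def base_request(**overrides):
    """Constructed request: trusted role, TLS, via the endpoint. Passing None
    for a key removes it, e.g. a request that never touched the endpoint."""
    req = {"action": "s3:GetObject",
           "resource": "arn:aws:s3:::securecart-private-bucket/orders/2024/1.json",
           "aws:PrincipalAccount": ACCOUNT, "aws:PrincipalArn": DATA_ROLE,
           "aws:SecureTransport": "true", "aws:SourceVpce": VPCE}
    req.update(overrides)
    return {k: v for k, v in req.items() if v is not None}


def run_checks():
    """The Step 5 checks as constructed requests; returns name -> allowed."""
    attacker = f"arn:aws:iam::{ACCOUNT}:role/Attacker"
    return {
        "trusted_role_via_endpoint": is_allowed(base_request()),
        "plaintext_http": is_allowed(base_request(**{"aws:SecureTransport": "false"})),
        "other_role_same_account": is_allowed(base_request(**{"aws:PrincipalArn": attacker})),
        "foreign_account": is_allowed(base_request(**{
            "aws:PrincipalAccount": "999999999999",
            "aws:PrincipalArn": "arn:aws:iam::999999999999:role/Attacker"})),
        "trusted_role_from_internet": is_allowed(base_request(**{"aws:SourceVpce": None})),
        "break_glass_from_console": is_allowed(base_request(**{
            "aws:SourceVpce": None, "aws:PrincipalArn": BREAK_GLASS})),
    }


if __name__ == "__main__":
    for name, allowed in run_checks().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The `trusted_role_from_internet` case is the one that shows why the bucket policy matters: the endpoint policy never sees that request, and only the bucket's `StringNotEquals` Deny stops it. Swap in your own policy documents to check a change before saving it on the real endpoint.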

***

### **📌 Summary**

🚀 **SecureCart’s Trusted S3 VPC Endpoint Setup Achieves:**\
✔ **Private access to S3 without routing traffic over the public internet**.\
✔ **IAM role-based access control on the endpoint path for granular security**.\
✔ **A bucket pinned to a specific VPC endpoint (enforced by the bucket policy)**.\
✔ **TLS enforced on every request, so data is never sent in the clear**.

