Does your VPC endpoint allow access to half of the Internet?

Andreas Wittig – 22 Feb 2021

Are you using VPC endpoints to enable private connections between your VPC and AWS services? Drop everything and check the policy attached to your VPC Endpoint for S3. You might have allowed access to half of the Internet - assuming that half of the Internet is hosted on S3 - from your private network accidentally.

Does your VPC endpoint allow access to half of the Internet?

The Problem

By default, a VPC endpoint for S3 allows access to all S3 buckets. So an EC2 instance running in your VPC has access to all S3 buckets worldwide. Not only the S3 buckets you own but also the S3 buckets owned by other AWS customers. For example, anyone with access to your VPC could copy data from your systems to S3 buckets owned by someone else. Of course, the other way round - downloading data from S3 aka. half of the Internet - is possible as well.

A VPC endpoint allows access to any S3 bucket by default.

Looking for a new challenge?

  • tecRacer

    Cloud Consultant • AWS Serverless Development

    tecRacer • Premier AWS Consulting Partner • Germany, Austria, Portugal, and Switzerland
    Serverless Lambda Python Node.js Go

    Senior Lead Cloud Solutions Architect AWS

    DEMICON • AWS Advanced Consulting Partner • Remote (Europe)
    GitLab Terraform K8s EKS Lambda Python Go

The Solution

By attaching an endpoint policy to your VPC endpoint for S3, you can restrict the usage of the endpoint to certain S3 buckets. I came up with the following endpoint policy recently, which allows access to all S3 buckets owned by your AWS account. In my opinion, a good tradeoff limiting access and configuration overhead.

Make sure to replace 111111111111 with your AWS account ID.

"Version": "2008-10-17",
"Statement": [
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ResourceAccount": "111111111111"

Warning: In case you need to access S3 buckets from your VPC that you do not own, you need to extend the endpoint policy. That’s example the case for S3 buckets offered by AWS.

That’s it. Don’t forget, details are important!

Become a cloudonaut supporter

Andreas Wittig

Andreas Wittig ( Email Twitter LinkedIn Mastodon )

We launched the cloudonaut blog in 2015. Since then, we have published 366 articles, 60 podcast episodes, and 58 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Christopher Hipwell, e9e4e5f0faef, Jason Yorty, Jeff Finley, jhoadley, Johannes Grumböck, Johannes Konings, John Culkin, Jonas Mellquist, Jonathan Deamer, Juraj Martinka, Ken Snyder, Markus Ellers, Oriol Rodriguez, Ross Mohan, Ross Mohan, sam onaga, Satyendra Sharma, Simon Devlin, Thorsten Hoeger, Todd Valentine, Victor Grenu, waldensystems, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.