シンプルに VPC エンドポイント以外からのオブジェクトの読み書き（s3:GetObject / s3:PutObject / s3:DeleteObject）を禁止する S3 バケットポリシー。s3:ListBucket などバケット単位の操作は Action に含めていないため拒否されない点と、Principal が "*" の Deny は条件を満たさない限りアカウント内の管理者にもそのまま適用される点に注意。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::test-bucket-20200129", "arn:aws:s3:::test-bucket-20200129/*" ], "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-0a******fa" } } } ] }