ablog

Notes of a clumsy, restless engineer

Restricting S3 access per AWS account ID with a VPCE policy

An example of restricting access to S3 by AWS account ID with a VPC Endpoint policy.

Using the new s3:ResourceAccount IAM condition key, you can write simple IAM or Virtual Private Cloud Endpoint (VPCE) policies to restrict user or application access to S3 buckets that are owned by specified AWS Accounts. Additionally, since this new condition key filters access by AWS Account ID instead of by bucket or resource name, you can be certain that policies will be predictably applied into the future, even as buckets are added and removed over time.

New IAM condition keys for Amazon S3 limit requests to buckets owned by specific AWS accounts, and to specific TLS versions
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ResourceAccount": [
                        "012345678901",
                        "123456789012"
                    ]
                }
            }
        }
    ]
}
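As an added example (not code from the original post or from AWS), the following Python builds the same policy from validated account IDs, runs a simplified local check of the s3:ResourceAccount condition so you can see which bucket owners the endpoint would still reach, and optionally attaches the policy with boto3's modify_vpc_endpoint. The function names and the simplified evaluation are assumptions.

```python
import json
import re

# s3:ResourceAccount compares against the 12-digit AWS account ID of the bucket owner.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_s3_account_policy(account_ids):
    """Build a VPC endpoint policy that only allows S3 requests to buckets
    owned by the given accounts. IDs are validated so a typo or a dropped
    leading zero fails loudly instead of silently widening access."""
    ids = []
    for acct in account_ids:
        acct = str(acct).strip()
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
        ids.append(acct)
    if not ids:
        raise ValueError("at least one account ID is required")
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"s3:ResourceAccount": ids}},
        }],
    }


def is_request_allowed(policy, bucket_owner_account):
    """Simplified local check (assumption): would a request to a bucket owned by
    bucket_owner_account pass this endpoint policy? Only Allow statements and the
    StringEquals/s3:ResourceAccount condition are evaluated; real IAM evaluation
    also applies identity policies, bucket policies and explicit denies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        allowed = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:ResourceAccount")
        if isinstance(allowed, str):
            allowed = [allowed]
        if allowed is None or bucket_owner_account in allowed:
            return True
    return False


def apply_to_endpoint(vpc_endpoint_id, policy):
    """Attach the policy to an existing VPC endpoint (needs AWS credentials)."""
    import boto3  # imported here so the rest of the module runs offline
    ec2 = boto3.client("ec2")
    return ec2.modify_vpc_endpoint(VpcEndpointId=vpc_endpoint_id,
                                   PolicyDocument=json.dumps(policy))
```

A request to a bucket in any account not listed (for example a third-party bucket used to pull data out of the VPC) fails the local check, which is the property the condition key is meant to give you regardless of bucket names.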