将<BUCKET_NAME>更改为需要访问的S3存储桶名称,<my-org-id>设置为所在AWS Organizations的组织ID,<THE_ROLE_ARN>设置为允许访问S3的角色的ARN,比如EC2实例代入的IAM role的ARN。注意:同一个Condition块内的所有条件键是“与”(AND)关系;aws:PrincipalIsAWSService只有在AWS服务主体直接调用时才为true,而此类调用的请求上下文中通常不带aws:PrincipalOrgID和aws:PrincipalArn,IAM角色会话则会使该键为false,因此按现状四个条件无法同时满足,EC2角色很可能被拒绝——若意图是放行该角色,应删除Bool条件或将其拆到单独的Statement中。另外,因为Principal为"*",这些条件键是唯一的访问限制,部署前应实际验证;s3:PutObjectAcl允许设置对象ACL,建议配合存储桶的Block Public Access或BucketOwnerEnforced对象所有权,避免对象被设为公开。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<BUCKET_NAME>",
"arn:aws:s3:::<BUCKET_NAME>/*"
],
"Condition": {
"Bool": {
"aws:PrincipalIsAWSService": "true"
},
"StringEquals": {
"aws:PrincipalOrgID": "<my-org-id>",
"aws:ResourceOrgID": "<my-org-id>"
},
"ArnEquals": {
"aws:PrincipalArn": "<THE_ROLE_ARN>"
}
}
}
]
}