Amazon VPC Endpoint policy generator

Generate VPC endpoint policies from AWS Policy Generator action metadata and export JSON, Terraform, or CloudFormation snippets.

Step 1

Configure endpoint policy defaults

Set the AWS context used when adding generated DynamoDB resources to the endpoint policy.

Step 2

Choose VPC endpoint actions

The action list is scoped to AWS Policy Generator's VPC Endpoint Policy actions.

Step 3

Configure endpoint policy statements

Build VPC endpoint policies from AWS action metadata

This generator uses AWS Policy Generator's VPC Endpoint Policy action set and enriches it with Service Authorization Reference metadata for Amazon S3 and Amazon DynamoDB so you can build endpoint policies with actions, principals, resources, and condition keys in one place.

How to use the VPC endpoint policy generator

  1. Configure the region and account ID used for generated DynamoDB table ARN samples.
  2. Search for one of the VPC Endpoint Policy actions exposed by AWS Policy Generator.
  3. Configure effect, resources, principals, and supported condition keys.
  4. Copy the generated JSON, Terraform, or CloudFormation endpoint policy.

VPC endpoint policies are resource policies

VPC endpoint policies include a Principal element because the policy is attached to the endpoint and controls who can use that private path to reach the target service. The resource scope still points at the service resource, such as an S3 bucket/object ARN or a DynamoDB table ARN.

Frequently asked questions

Which AWS services does this VPC endpoint policy generator cover?

It follows AWS Policy Generator's VPC Endpoint Policy scope, which currently exposes Amazon S3 actions and a DynamoDB VPC policy action subset. The generated dataset cross-checks those actions against AWS Service Authorization Reference data.

Should I use a VPC endpoint policy or an IAM identity policy?

Use IAM identity policies to grant permissions to identities. Use a VPC endpoint policy to add a network boundary on the endpoint path so requests through that endpoint are limited to specific principals, actions, resources, and conditions.

Why does a VPC endpoint policy need a Principal?

Endpoint policies are resource policies. The Principal element identifies which callers a statement applies to, such as an AWS account, IAM role ARN, service principal, federated principal, or wildcard.

Does the Resource point to the VPC endpoint ARN?

No. The policy is attached to the VPC endpoint, but the Resource element targets service resources, for example arn:aws:s3:::example-bucket/* or a DynamoDB table ARN.

Which condition keys are available?

The generator includes AWS global condition keys from AWS Policy Generator plus service condition keys from the enriched S3 and DynamoDB action metadata, including keys such as aws:SourceVpce, aws:SecureTransport, s3:prefix, and DynamoDB action-specific keys.

Can I use the generated output in Terraform or CloudFormation?

Yes. The JSON output is a standard endpoint policy document, the Terraform output includes an aws_iam_policy_document data source with aws_vpc_endpoint_policy, and the CloudFormation output includes an AWS::EC2::VPCEndpoint snippet with a PolicyDocument.
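As an added example (not the generator's own code), the following Python builds one endpoint policy statement, checks it for the two mistakes the FAQ above describes (a statement with no Principal, and a Resource that names the VPC endpoint ARN instead of a service resource), and wraps it in the AWS::EC2::VPCEndpoint shape the CloudFormation output uses. The region, account ID, bucket and VPC ID are constructed placeholders.

```python
import json

# Constructed sample context, matching the region/account inputs from Step 1.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"  # placeholder account ID, not a real account


def build_endpoint_policy(principal, actions, resources, conditions=None, effect="Allow"):
    """Return an endpoint policy document. It is a resource policy, so Principal is
    required, and Resource names service resources (bucket/object or table ARNs)."""
    statement = {
        "Sid": "RestrictEndpointPath",
        "Effect": effect,
        "Principal": principal,
        "Action": list(actions),
        "Resource": list(resources),
    }
    if conditions:
        statement["Condition"] = conditions
    return {"Version": "2012-10-17", "Statement": [statement]}


def lint_endpoint_policy(policy):
    """Flag the two mistakes the FAQ calls out: a statement without a Principal,
    and a Resource that names the VPC endpoint itself instead of a service resource."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if "Principal" not in st:
            findings.append(f"statement {i}: missing Principal")
        resources = st.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if ":vpc-endpoint/" in arn:
                findings.append(f"statement {i}: Resource {arn} is the endpoint ARN")
    return findings


def to_cloudformation(policy, service_name, vpc_id):
    """Wrap the document in an AWS::EC2::VPCEndpoint resource with a PolicyDocument."""
    props = {"VpcId": vpc_id, "ServiceName": service_name, "PolicyDocument": policy}
    return {"Type": "AWS::EC2::VPCEndpoint", "Properties": props}


# Allow only this account's identities to read one bucket prefix over TLS via the endpoint.
POLICY = build_endpoint_policy(
    principal={"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    actions=["s3:GetObject"],
    resources=["arn:aws:s3:::example-bucket/reports/*"],
    conditions={"Bool": {"aws:SecureTransport": "true"}},
)
if __name__ == "__main__":
    print(json.dumps(to_cloudformation(POLICY, f"com.amazonaws.{REGION}.s3", "vpc-0123456789abcdef0"), indent=2))
```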

Next step

Want AWS engineering that feels this practical?

I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.