{ "Version": "2012-10-17", "Id": "restrict-to-set-of-vpcs", "Statement": [ { "Sid": "DenyAllOutsideOfVpcsAndNotAllowlisted", "Effect": "Deny", "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpc": [ "vpc-foo", "vpc-bar", "vpc-baz" ] }, "StringNotEqualsIgnoreCaseIfExists": { "aws:PrincipalTag/canMakeRequestsOutsideOfVpc": "true" } } } ] }