{ "Version": "2012-10-17", "Id": "restrict-to-set-of-vpcs-allow-presigned-get-object", "Statement": [ { "Sid": "DenyAllOutsideOfVpcsAndNotAllowlisted", "Effect": "Deny", "NotAction": "s3:getObject", "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpc": [ "vpc-foo", "vpc-bar", "vpc-baz" ] }, "StringNotEqualsIgnoreCaseIfExists": { "aws:PrincipalTag/canMakeRequestsOutsideOfVpc": "true" } } }, { "Sid": "DenyGetObjectCallsOutsideOfVpcsAndNotPresignedAndNotAllowlisted", "Effect": "Deny", "Action": "s3:getObject", "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpc": [ "vpc-foo", "vpc-bar", "vpc-baz" ], "s3:authtype": "REST-QUERY-STRING" }, "StringNotEqualsIgnoreCaseIfExists": { "aws:PrincipalTag/canMakeRequestsOutsideOfVpc": "true" } } } ] }