{
    "Version": "2012-10-17",
    "Id": "restrict-to-set-of-vpcs-allow-presigned-get-object",
    "Statement": [
        {
            "Sid": "DenyAllOutsideOfVpcsAndNotAllowlisted",
            "Effect": "Deny",
            "NotAction": "s3:getObject",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": [
                        "vpc-foo",
                        "vpc-bar",
                        "vpc-baz"
                    ]
                },
                "StringNotEqualsIgnoreCaseIfExists": {
                    "aws:PrincipalTag/canMakeRequestsOutsideOfVpc": "true"
                }
            }
        },
        {
            "Sid": "DenyGetObjectCallsOutsideOfVpcsAndNotPresignedAndNotAllowlisted",
            "Effect": "Deny",
            "Action": "s3:getObject",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": [
                        "vpc-foo",
                        "vpc-bar",
                        "vpc-baz"
                    ],
                    "s3:authtype": "REST-QUERY-STRING"
                },
                "StringNotEqualsIgnoreCaseIfExists": {
                    "aws:PrincipalTag/canMakeRequestsOutsideOfVpc": "true"
                }
            }
        }
    ]
}