Tags: amazon-web-services, aws-lambda, vpc-endpoint

VPC Endpoint Policy for VPC Attached Lambda Functions


I am running several Lambda functions within my VPC, and want to configure VPC endpoints for private access to certain services (secretsmanager, s3, etc.). My goal is to lock down the VPC endpoint so that only requests from within my VPC can use it. However, I am having a lot of trouble trying to specify this within the policy.

I am unable to explicitly set the lambda function's role due to the structure of our projects in Terraform.

I have tried using the aws:sourceVpc condition as well as several others; however, they all block the Lambda's access to the VPC endpoint.

Are there any other conditions I could use? I would really prefer to not have a complete Allow statement as the policy.


Solution

  • The VPC endpoint is already attached to your VPC. You don't need to restrict access to any other resources, because it is already restricted by itself.

    Only the services inside your VPC can access the VPC Endpoint.
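The following Terraform fragment is an added example, not code from the question or the answer. It shows the two layers that actually bound who can use an interface endpoint: the endpoint's security group (network reach, which is what the answer refers to) and an endpoint policy that narrows the allowed principals and actions without naming the Lambda role. Every identifier (`aws_vpc.main`, `aws_subnet.private`, `aws_security_group.lambda`, the resource names) is an assumption for illustration; the account is read from the caller identity rather than hard-coded.

```hcl
# Added example (not from the question or answer). Resource names and the
# referenced VPC, subnet and Lambda security group are assumed to exist.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Network layer: the endpoint's ENIs accept HTTPS only from the Lambda
# functions' security group, so nothing outside the VPC can reach them.
resource "aws_security_group" "secretsmanager_endpoint" {
  name   = "secretsmanager-endpoint" # assumed name
  vpc_id = aws_vpc.main.id           # assumed VPC resource

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.lambda.id] # assumed Lambda SG
  }
}

resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id # assumed private subnets
  security_group_ids  = [aws_security_group.secretsmanager_endpoint.id]
  private_dns_enabled = true

  # Identity layer: rather than listing the Lambda role (which the question
  # cannot do), allow only principals from this account and only the read
  # actions the functions need. Any other principal or action is refused by
  # the endpoint policy; IAM and the secret's own policy still apply after it.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowOwnAccountReadOnly"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
      Resource  = "*"
      Condition = {
        StringEquals = {
          "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id
        }
      }
    }]
  })
}
```

After `terraform apply`, a Lambda function in the referenced security group can read secrets through the endpoint, while a principal from another account, or a caller using any other Secrets Manager action, is denied at the endpoint. Because the security group already confines network access to the VPC, no source-VPC condition is needed in the policy itself.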