Restricting S3 Bucket Access to Tamr VPC Endpoints


Looking to use this policy option?

This feature must be enabled on your Tamr Cloud tenant. Contact Tamr at [email protected] to inquire about enabling it.

To ensure that your S3 bucket can only be accessed through Tamr's private network infrastructure, you can add a condition to your S3 bucket policy that allows access only from Tamr's VPC endpoint IDs.

Tamr VPC Endpoint IDs

Use the endpoint ID that corresponds to your Tamr deployment region.

Region   Endpoint ID
US       vpce-08fb032dab24b1d2a
EU       vpce-061f3382ebfc57074
UK       vpce-0b0d65c064324b807
APAC     vpce-0ede0105427d9c1b2

Adding the Bucket Policy

Add the following statement to your S3 bucket policy, replacing <your-bucket-name> with your bucket name and <vpce-id> with the appropriate endpoint ID from the table above.

Note: This policy uses an Allow with a StringEquals condition. If there is an explicit Deny elsewhere in the policy, that Deny takes precedence over this Allow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVpcEndpointAccessOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<your-bucket-name>",
        "arn:aws:s3:::<your-bucket-name>/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "<vpce-id>"
        }
      }
    }
  ]
}
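As an added example (not Tamr's own code or tooling), the following Python builds this statement for a chosen Tamr region, merges it into an existing bucket policy without dropping the other statements, and lists any explicit Deny statements covering the bucket that would override the Allow, as the note above describes. The function names and the sample policy used in testing are assumptions; the endpoint IDs are the ones from the table on this page.

```python
import json
import re
from typing import Optional

# Endpoint IDs from the table on this page, keyed by Tamr deployment region.
TAMR_VPCE_IDS = {
    "US": "vpce-08fb032dab24b1d2a",
    "EU": "vpce-061f3382ebfc57074",
    "UK": "vpce-0b0d65c064324b807",
    "APAC": "vpce-0ede0105427d9c1b2",
}
VPCE_ID_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")


def vpce_statement(bucket: str, region: str) -> dict:
    """Build the Allow statement shown on this page for one bucket and Tamr region."""
    vpce_id = TAMR_VPCE_IDS[region]
    if not VPCE_ID_RE.match(vpce_id):
        raise ValueError(f"malformed endpoint ID: {vpce_id}")
    return {
        "Sid": "AllowVpcEndpointAccessOnly",
        "Effect": "Allow",  # case-sensitive: IAM rejects "allow"
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}},
    }


def merge_statement(existing: Optional[dict], statement: dict) -> dict:
    """Return a copy of the bucket policy with the statement added; a previous
    statement carrying the same Sid is replaced, all other statements are kept."""
    policy = json.loads(json.dumps(existing)) if existing else {"Version": "2012-10-17"}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    policy["Statement"] = [s for s in statements if s.get("Sid") != statement["Sid"]] + [statement]
    return policy


def overriding_denies(policy: dict, bucket: str) -> list:
    """Sids of explicit Deny statements that cover this bucket. An explicit Deny
    always wins over the Allow above, so each one listed needs review first."""
    arn = f"arn:aws:s3:::{bucket}"
    hits = []
    for s in policy.get("Statement", []):
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if s.get("Effect") == "Deny" and any(r in ("*", arn) or r.startswith(arn + "/") for r in resources):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits
```

The merged policy can be applied with the S3 PutBucketPolicy API once the returned Deny list has been reviewed.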

Important Considerations

  • KMS-encrypted buckets: If your bucket uses SSE-KMS, no additional KMS policy changes are needed; KMS calls for S3 encryption are made server-side by the S3 service and are not subject to this endpoint restriction.
  • IAM Policy: This example illustrates only how to set the aws:sourceVpce condition and is not the most minimal set of permissions needed. See Configuring S3 IAM Policies for all required permissions.

© 2025, Tamr, Inc. All rights reserved.
