Commit d2b1b14

add s3 outpost exemption example and writeup
1 parent 47045a0 commit d2b1b14

2 files changed

Lines changed: 3 additions & 1 deletion

service_control_policies/README.md

Lines changed: 1 addition & 0 deletions
@@ -88,6 +88,7 @@ This policy statement is included in the [network_perimeter_sourcevpc_scp](netwo
8888
* `rds-db:Connect` – Required to use [Amazon Relational Database Service (RDS)](https://aws.amazon.com/rds/) with [IAM authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html). Amazon RDS databases are deployed in your VPC and are accessed over a network interface in the VPC. The `rds-db` IAM namespace is only used for authentication to RDS databases.
8989
* `kafka-cluster:*` – Required to use [Amazon Managed Streaming for Apache Kafka (MSK)](https://aws.amazon.com/msk/) with [IAM access control](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html). The `kafka-cluster` IAM namespace is only used to access Amazon MSK clusters in your VPCs with IAM authentication.
9090
* `es:ESHttpGet`, `es:ESHttpPut`,`es:ESHttpDelete`,`es:ESHttpPost`,`es:ESHttpPatch`,`es:ESHttpHead` – Required to use [Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service/) with [IAM authentication for OpenSearch Domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource). These IAM actions are only used to access OpenSearch domains. When an OpenSearch domain is deployed with "VPC Access" selected, requests to that OpenSearch domain traverse a network interface in your VPC and does not traverse a VPC endpoint. If you are using IAM authentication with an OpenSearch domain that is configured to be accessible in "public" mode over the Internet, you can use the `aws:SourceIp` condition key to help control from which networks the OpenSearch domain can be accessed. To save space in the policy example, these IAM actions are written with a wildcard character as `es:ES*`.
91+
* `s3-outposts:*` - Required for [Amazon S3 on Outposts](https://docs.aws.amazon.com/AmazonS3/latest/s3-outposts/S3OutpostsGS.html). S3 buckets on Outposts operate differently from other S3 buckets because they run on AWS Outposts infrastructure and are accessed through network interfaces in [your VPC or on-premises network](https://docs.aws.amazon.com/AmazonS3/latest/s3-outposts/S3OutpostsNetworking.html) and not over an AWS API endpoint, or VPC endpoint. Operations against S3 Outposts buckets or objects within them, such as GetObject do not support AWS global condition keys for network context, such as `aws:SourceIp` or `aws:SourceVPC`. While we exempt the entire `s3-outposts` IAM namespace in this example for simplicity, only operations against S3 Outposts buckets and objects in those buckets require this exemption.
9192

9293

9394
#### Example data access patterns
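Review bot: the new `s3-outposts:*` bullet documents a broader exemption than its own closing sentence justifies: it states that only operations against S3 Outposts buckets and objects in those buckets require the exemption, yet the wildcard removes the whole namespace from the source-VPC condition. Either enumerate the bucket and object data-plane actions here (and in the matching policy) or state why exempting the entire namespace is acceptable beyond "for simplicity", since every action listed in this exemption is a gap in the network perimeter this SCP enforces. Smaller points in the same bullet: it separates the action from its description with a hyphen (`-`) while the surrounding bullets use an en dash (`–`); `GetObject` should be in backticks like the other action names; and the comma in "AWS API endpoint, or VPC endpoint" should go.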

service_control_policies/network_perimeter_sourcevpc_scp.json

Lines changed: 2 additions & 1 deletion
@@ -18,7 +18,8 @@
1818
"neptune-db:*",
1919
"kafka-cluster:*",
2020
"elasticfilesystem:client*",
21-
"rds-db:connect"
21+
"rds-db:connect",
22+
"s3-outposts:*"
2223
],
2324
"Resource":"*",
2425
"Condition":{
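Review bot: `"s3-outposts:*"` adds a namespace-wide wildcard to the exempted action list, while the README change in this same commit says only operations against Outposts buckets and objects need to bypass the source-VPC condition. Consider listing those data-plane actions explicitly instead of `*` so the policy stays as narrow as the documentation describes and a future reviewer does not have to reconcile the two. Separately, `"rds-db:connect"` is lowercase here while the README documents it as `rds-db:Connect`; IAM matches action names case-insensitively, so this is cosmetic, but aligning the spelling avoids confusion when the README and the JSON are read side by side.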
