NotPrincipal in AWS policy

September 24, 2024

See the example below for an S3 bucket policy (NotPrincipal is only valid in resource-based policies) whose single Deny statement is meant to deny access to everyone except a list of users and roles, and to deny requests that do not come from a specific VPC. Note how the statement actually evaluates: the NotPrincipal element and the Condition block are ANDed, so a request is denied only when the caller is not one of the listed principals AND the request did not arrive through a VPC endpoint of the named VPC. Unlisted principals that reach the bucket through that VPC endpoint are not denied by this statement, and the listed principals are never denied by it regardless of where they come from; to enforce both restrictions independently you need two separate Deny statements. aws:SourceVpc is only populated for requests that traverse a VPC endpoint, and StringNotEquals evaluates to true when the key is absent, so requests from the Internet or the console are denied as intended. Replace xxx with the real 12-digit account ID and VPC ID. Two caveats from the AWS documentation on combining NotPrincipal with Deny: a role in NotPrincipal should also be listed by its assumed-role session ARN (arn:aws:sts::xxx:assumed-role/healthcare-role/*) so the sessions that actually make the requests are exempted, and the account root (arn:aws:iam::xxx:root) should normally be included, otherwise every other identity in the account, including the root user, matches the Deny. Test this on a scratch bucket first, since a misfired NotPrincipal Deny can lock out everyone except the listed principals.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Deny",
			"NotPrincipal": {
				"AWS": [
					"arn:aws:iam::xxx:user/user1",
					"arn:aws:iam::xxx:user/user2",
					"arn:aws:iam::xxx:role/healthcare-role"
				]
			},
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::testmybucket",
				"arn:aws:s3:::testmybucket/*"
			],
			"Condition": {
				"StringNotEquals": {
					"aws:SourceVpc": "vpc-xxx"
				}
			}
		}
	]
}