Current spec allows us to send in a BucketPolicy to restrict access to either IPs or VPCs. What we would like is for us to explicitly only listen / set up the bucket on the PRIVATE interface and attach that in a private VPC to limit public traffic. PR#59 only handles accommodating a bucket policy, not bucket setup (private v. public interface).
Proposed behavior
Take an ARN or explicit VPC-ID when setting up a bucket. If the VPC-ID exists, disable the public interface on the public bucket.
Proposed implementation details (optional)
See above.
Justification
We are writing a serverless app that should only be accessible on a private network. Our CIDR blocks change frequently, and we would like to have the S3-hosted application run only within a private, secure environment. Allowing traffic on a public interface increases exposure to risk.
It seems like this is partially supported by the current bucket policy implementation? You should be able to specify the bucket policy manually so that it is not public and will allow requests from the intended VPC?
It sounds like you'd like to add an additional step where the plugin checks if the VPC exists first and then, if it does, applies a policy relevant to allowing that. I'm not necessarily opposed to adding a canned policy to make this easier, but I'm not sure if the plugin should be maintaining several custom policies - that might be more appropriate for the developer to do on their own?
cc: @ryanmalesic
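The reply above suggests specifying the bucket policy by hand so that only the intended VPC can read the bucket. The following added example, which is not code from the plugin or from this issue, generates such a policy from VPC or VPC endpoint IDs; `buildPrivateReadPolicy` and the sample IDs are hypothetical, and it assumes the `aws` partition and read-only (`s3:GetObject`) access.

```javascript
// Added example; buildPrivateReadPolicy and the sample IDs are hypothetical.
// AWS resource IDs carry 8 or 17 hex characters after the prefix.
const ID = '(?:[0-9a-f]{8}|[0-9a-f]{17})';

// Each ID kind maps to the AWS global condition key that matches it.
// Note: aws:SourceVpc is only present in the request context when the
// request reaches S3 through a VPC endpoint.
const CONDITION_KEYS = [
  { pattern: new RegExp(`^vpce-${ID}$`), key: 'aws:SourceVpce' },
  { pattern: new RegExp(`^vpc-${ID}$`), key: 'aws:SourceVpc' },
];

function buildPrivateReadPolicy(bucketName, sourceIds) {
  const ids = [].concat(sourceIds); // accept a single ID or an array
  if (ids.length === 0) {
    throw new Error('at least one VPC or VPC endpoint ID is required');
  }

  // Group IDs by condition key and reject anything else (CIDR blocks, typos),
  // so a malformed value can never produce a policy that matches nothing
  // or that matches more than intended.
  const byKey = new Map();
  for (const id of ids) {
    const match = CONDITION_KEYS.find((c) => c.pattern.test(id));
    if (!match) throw new Error(`not a VPC or VPC endpoint ID: ${id}`);
    byKey.set(match.key, [...(byKey.get(match.key) || []), id]);
  }

  // One Allow statement per key: conditions inside a single statement are
  // ANDed, so putting both keys in one statement would require both to match.
  return {
    Version: '2012-10-17',
    Statement: [...byKey].map(([key, values]) => ({
      Sid: `AllowReadFrom${key.split(':')[1]}`,
      Effect: 'Allow',
      Principal: '*',
      Action: 's3:GetObject',
      Resource: `arn:aws:s3:::${bucketName}/*`,
      Condition: { StringEquals: { [key]: values } },
    })),
  };
}

// Constructed sample input.
const policy = buildPrivateReadPolicy('example-bucket', ['vpc-0a1b2c3d', 'vpce-0123456789abcdef0']);
console.log(JSON.stringify(policy, null, 2));
```

Because the policy is keyed on VPC and endpoint IDs rather than addresses, it does not need to change when CIDR blocks inside the VPC change.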