S3: Demonstrate Your Skills
- 24 days ago
Morning Madan,
You're very nearly there! You just need to remove the condition block from your access point policy statement. It's not necessary when you have already set the access point's network origin to be a specific VPC.
Although the `aws:SourceVpc` condition can also restrict access to a specific VPC, it functions differently. Specifying a network origin creates a network-level restriction on the access point, whereas using a condition creates a policy-level restriction. This can be especially important if an access point policy is using `Deny` as the effect, because requests from outside of AWS VPCs (e.g., over the internet) won't have an `aws:SourceVpc` context key, so conditions may not be met as expected, providing unintended access.
Therefore, from a security perspective, it's encouraged to restrict access to the access point by setting the network origin, which gives network-level isolation.
Hope this helps, and well done on completing the rest of the tasks 😄
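To make the "network origin versus condition block" distinction concrete, here is an added audit helper (example code, not from the original thread or from AWS): it takes an access point description shaped like `aws s3control get-access-point` output plus its policy document, reports whether the VPC restriction is enforced at the network level or only via an `aws:SourceVpc` condition, and returns the simplified policy with the condition block removed, which is the change suggested above. The access point name, VPC ID, account ID and role ARN are constructed placeholders.

```python
import copy

# Constructed sample input (not from the original thread). Shapes follow the
# `get-access-point` API response and a standard IAM policy document.
SAMPLE_ACCESS_POINT = {
    "Name": "demo-ap",
    "NetworkOrigin": "VPC",
    "VpcConfiguration": {"VpcId": "vpc-0123456789abcdef0"},
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpc",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:us-east-1:123456789012:accesspoint/demo-ap/object/*",
        # Redundant once NetworkOrigin is VPC: that is the block to remove.
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
    }],
}

def statements(policy):
    # IAM allows "Statement" to be a single object or a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def uses_source_vpc(stmt):
    # Condition is {operator: {key: value}}; condition key names are case-insensitive.
    return any(key.lower() == "aws:sourcevpc"
               for block in stmt.get("Condition", {}).values() for key in block)

def audit_access_point(ap, policy):
    """Return findings describing how (and at which layer) VPC access is restricted."""
    findings = []
    network_level = ap.get("NetworkOrigin") == "VPC"
    if not network_level:
        findings.append("NetworkOrigin is Internet: VPC restriction is policy-level only")
    for stmt in statements(policy):
        if uses_source_vpc(stmt):
            sid, effect = stmt.get("Sid", "<no Sid>"), stmt.get("Effect")
            note = "redundant with the VPC network origin" if network_level else \
                   "requests with no aws:SourceVpc context key will not match this condition"
            findings.append(f"{sid} ({effect}): aws:SourceVpc condition is {note}")
    return findings

def strip_source_vpc_conditions(policy):
    """Return a copy of the policy with every aws:SourceVpc condition entry removed."""
    fixed = copy.deepcopy(policy)
    for stmt in statements(fixed):
        for op in list(stmt.get("Condition", {})):
            stmt["Condition"][op] = {k: v for k, v in stmt["Condition"][op].items()
                                     if k.lower() != "aws:sourcevpc"}
            if not stmt["Condition"][op]:
                del stmt["Condition"][op]
        if "Condition" in stmt and not stmt["Condition"]:
            del stmt["Condition"]   # drop the now-empty block entirely
    return fixed
```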