AWS IAM launches new VPC endpoint condition keys for network perimeter controls

AWS Identity and Access Management (IAM) now offers three new global condition keys that will make it easier for you to establish a network perimeter. The new condition keys - aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID - help you ensure that requests to your AWS resources or by your identities are made through your VPC endpoints. The condition keys provide you with varied levels of granularity, enabling you to implement your network perimeter controls at an account, organization path, and entire organization level. The controls automatically scale with your VPC usage, eliminating the need to enumerate VPC endpoints or update policies as you add or remove them. You can use these condition keys with both new and existing service control policies (SCPs), resource control policies (RCPs), resource-based policies, and identity-based policies. The condition keys are supported for a [select set of AWS services](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference%5Fpolicies%5Fcondition-keys.html) and are available in all commercial AWS Regions where those services support AWS PrivateLink. To learn more about these new condition keys and supported services, please visit the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference%5Fpolicies%5Fcondition-keys.html) and [AWS blog.](https://aws.amazon.com/blogs/security/use-scalable-controls-to-help-prevent-access-from-unexpected-networks/)