We can use an IAM resource-based policy to require that requests come only through a specific VPC endpoint (VPCE). The condition key for this is aws:SourceVpce.
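As an added illustration (not part of the original note), here is one such resource-based policy, assuming the resource is an S3 bucket. The bucket name `EXAMPLE-BUCKET` and endpoint ID `vpce-EXAMPLE` are placeholders, and the `Sid` is a constructed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyUnlessFromVpce",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny, any request that does not arrive through the named endpoint is refused, including console and administrative access from outside the VPC, so confirm a management path through the endpoint exists before attaching it. The Deny only restricts the network path; principals still need an Allow from their identity or resource policies.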