diff --git a/README.md b/README.md
index a9830dc..3ee1835 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,7 @@ Available targets:
| [aws_api_gateway_rest_api_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy) | resource |
| [aws_api_gateway_stage.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
| [aws_api_gateway_vpc_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_vpc_link) | resource |
+| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
@@ -164,7 +165,7 @@ Available targets:
| [stage\_name](#input\_stage\_name) | The name of the stage | `string` | `""` | no |
| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
-| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `null` | no |
+| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `[]` | no |
| [xray\_tracing\_enabled](#input\_xray\_tracing\_enabled) | A flag to indicate whether to enable X-Ray tracing. | `bool` | `false` | no |
## Outputs
diff --git a/docs/terraform.md b/docs/terraform.md
index 3014ff0..a5980ba 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -29,6 +29,7 @@
| [aws_api_gateway_rest_api_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy) | resource |
| [aws_api_gateway_stage.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
| [aws_api_gateway_vpc_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_vpc_link) | resource |
+| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
@@ -63,7 +64,7 @@
| [stage\_name](#input\_stage\_name) | The name of the stage | `string` | `""` | no |
| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
-| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `null` | no |
+| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `[]` | no |
| [xray\_tracing\_enabled](#input\_xray\_tracing\_enabled) | A flag to indicate whether to enable X-Ray tracing. | `bool` | `false` | no |
## Outputs
diff --git a/examples/account-settings/variables.tf b/examples/account-settings/variables.tf
index 522d87a..ab451b1 100644
--- a/examples/account-settings/variables.tf
+++ b/examples/account-settings/variables.tf
@@ -2,9 +2,3 @@ variable "region" {
type = string
description = "AWS Region for S3 bucket"
}
-
-variable "iam_role_arn" {
- type = string
- description = "ARN of the IAM role for API Gateway to use. If not specified, a new role will be created."
- default = null
-}
diff --git a/main.tf b/main.tf
index ef261e8..85b16ab 100644
--- a/main.tf
+++ b/main.tf
@@ -19,11 +19,38 @@ resource "aws_api_gateway_rest_api" "this" {
}
}
+data "aws_iam_policy_document" "this" {
+ count = local.enabled && length(var.vpc_endpoints) > 0 ? 1 : 0
+
+ source_policy_documents = var.rest_api_policy == null ? [] : [var.rest_api_policy]
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "execute-api:Invoke"
+ ]
+
+ resources = aws_api_gateway_rest_api.this[*].execution_arn
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:sourceVpce"
+ values = var.vpc_endpoints
+ }
+ }
+}
+
resource "aws_api_gateway_rest_api_policy" "this" {
- count = local.create_rest_api_policy ? 1 : 0
+ count = local.create_rest_api_policy || length(var.vpc_endpoints) > 0 ? 1 : 0
rest_api_id = aws_api_gateway_rest_api.this[0].id
- policy = var.rest_api_policy
+ policy = data.aws_iam_policy_document.this[0].json
}
module "cloudwatch_log_group" {
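Review bot: `policy = data.aws_iam_policy_document.this[0].json` will fail with an invalid index whenever the policy resource exists but the data source does not: the resource is created for `local.create_rest_api_policy || length(var.vpc_endpoints) > 0` while the data source is created only for `length(var.vpc_endpoints) > 0`, so the pre-existing case of a caller setting `rest_api_policy` with no VPC endpoints no longer plans. The `||` branch is also not gated on `local.enabled`, so unless `local.create_rest_api_policy` already folds that in (its definition is outside this hunk) a disabled module with `vpc_endpoints` set would still try to create the policy. Give both blocks the same guard and emit the VPC-endpoint statement only when there are endpoints, so a caller-supplied document still flows through `source_policy_documents` on its own; the rewritten data source and resource count are below. Separately, as far as I recall `execution_arn` has no stage/method/path segment, so an `execute-api:Invoke` statement scoped to it alone will not match real invocations — `"${arn}/*"` is the usual form, and the fence uses it. The generated docs in this commit list the data source as `aws_iam_policy_document.default` while the code names it `this`; one of them looks stale.
```hcl
data "aws_iam_policy_document" "this" {
  # Same guard as aws_api_gateway_rest_api_policy.this so [0] below always resolves.
  count = local.enabled && (local.create_rest_api_policy || length(var.vpc_endpoints) > 0) ? 1 : 0

  source_policy_documents = var.rest_api_policy == null ? [] : [var.rest_api_policy]

  # Only add the VPC-endpoint allow statement when endpoints were given; an empty
  # condition value list would otherwise be emitted for the rest_api_policy-only case.
  dynamic "statement" {
    for_each = length(var.vpc_endpoints) > 0 ? [1] : []
    content {
      effect  = "Allow"
      actions = ["execute-api:Invoke"]

      # Invoke ARNs carry stage/method/path after the API id, so match below the API.
      resources = [for arn in aws_api_gateway_rest_api.this[*].execution_arn : "${arn}/*"]

      principals {
        type        = "AWS"
        identifiers = ["*"]
      }

      condition {
        test     = "StringEquals"
        variable = "aws:sourceVpce"
        values   = var.vpc_endpoints
      }
    }
  }
}

resource "aws_api_gateway_rest_api_policy" "this" {
  count = local.enabled && (local.create_rest_api_policy || length(var.vpc_endpoints) > 0) ? 1 : 0
  # … unchanged: rest_api_id and policy …
}
```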
diff --git a/variables.tf b/variables.tf
index 10ea8f1..b56124e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,7 +20,8 @@ variable "endpoint_type" {
variable "vpc_endpoints" {
type = list(string)
description = "List of VPC Endpoint IDs to attach to the API Gateway"
- default = null
+ default = []
+ nullable = false
}
variable "logging_level" {
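Review bot: `nullable = false` on `vpc_endpoints` is only understood by Terraform 1.1.0 and newer; older binaries reject the argument. If the module's `required_version` (not in this diff) still admits anything older, it should be raised to `>= 1.1.0` in the same commit. With a non-nullable `[]` default the `length(var.vpc_endpoints) > 0` checks in main.tf no longer need a null guard, which is the right direction.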
@@ -138,4 +139,4 @@ variable "stage_name" {
type = string
default = ""
description = "The name of the stage"
-}
\ No newline at end of file
+}