Tags: amazon-web-services, amazon-s3

S3 cross-account (different tenants, same region) replication: do buckets need to be publicly accessible?


We need to set up S3 bucket replication from a SaaS provider (in a different tenant and account, but the same S3 region) to our S3 bucket to capture logs from the SaaS application.

We have a bucket policy in place preventing access unless it came from a VPC endpoint.

Will we need to whitelist IP addresses of the SaaS provider on this bucket policy?


Solution

  • You do not need to "open the bucket".

    The replication will be done across the AWS backplane. Since you are in the same AWS Region, nothing goes across the Internet.

    Regardless, your data is encrypted while being replicated.
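An added example of the destination-side bucket policy such a setup needs; it is not part of the answer above. Cross-account replication does not require the bucket to be public, but the destination bucket policy must grant the source account's replication role the replication actions, and an existing "deny unless from our VPC endpoint" statement will block that role unless it is exempted, because S3 replication calls arrive from the S3 service, not from your VPC endpoint. The account ID 111111111111, the role name saas-s3-replication-role, the bucket name our-saas-log-bucket and the endpoint ID vpce-0123456789abcdef0 are placeholders to be replaced with the SaaS provider's and your own values; `s3:ObjectOwnerOverrideToBucketOwner` is only needed if the replication configuration changes object ownership to the destination account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSaaSReplicationRolePlaceholderValues",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/saas-s3-replication-role"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::our-saas-log-bucket/*"
    },
    {
      "Sid": "DenyOutsideVpcEndpointExceptReplicationRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::our-saas-log-bucket",
        "arn:aws:s3:::our-saas-log-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111111111111:role/saas-s3-replication-role"
        }
      }
    }
  ]
}
```

Both conditions in the Deny statement must hold for the deny to apply, so a request is refused only when it neither comes through your VPC endpoint nor is made by the replication role; no IP allow-listing of the SaaS provider is involved. Keep the exemption scoped to the single role ARN rather than the whole source account, and make sure some administrative principal of your own still has a path to the bucket before applying a Deny on `s3:*`, since a mistaken policy can lock out the bucket owner as well.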