Private DNS name for S3 VPC endpoint

You're correct, you can't assign a Private DNS name to the S3 interface endpoint. It's called out in the documentation. You have to either use the name or (as you suggest) disable SSL verification but that's not recommended.

Update: We've now released a feature that provides private DNS support for PrivateLink: https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/

Hi,

I was trying to access S3 from a VPC located in a different region (this because we don't want to go the public Internet for security reasons) and I believe there is a bit of lack of documentation on how to achieve this. We are already using the same approach for the other AWS services, but S3 is different, when you create then interface endpoint it returns you a wildcard and this does not allow to just create a standard Alias (A) record to the service. After a few tries I figure you can do a name redirection specifying a CNAME for *s3.<REGION>.amazonaws.com to <S3_INTERFACE_ENDPOINT_WILDCARD>, this allows you to access S3 Service over the VPC peering without the need to specify the --endpoint-url for all the commands.

In your case changing domain to something that is not native from AWS might still be a problem for the SSL cert, but as long as you link you DNS Resolver to this private DNS entry on AWS, you can use native naming convention without having to actually use AWS public endpoints to access the service.

Hope this helps!

BR, Michele