Download from S3 presigned URL in a private subnet with no internet connection

0

Hi, I have a private subnet with an EC2 instance and an S3 bucket (same region). I have a Lambda function that creates a presigned URL and returns it to the EC2 instance. I can download it with an internet connection, but when the EC2 instance is disconnected from the internet, I can't. How can I achieve this so that users can download even if there is no internet? I had some ideas like an S3 access point, downloading via API Gateway, or instead of returning a presigned URL, returning a blob or octet-stream. Can you guys guide me on this? Thanks

  • When you have a Private Subnet in a VPC (no internet connectivity) you can access S3 using a Gateway endpoint for Amazon S3.

    Details for these VPC endpoints are here: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

    These VPC endpoints provide access to S3 (which is a public endpoint) without needing to get internet access to your VPC resources. Ideal for 'private' connectivity to public Amazon services.

2 Answers
4
Accepted Answer

You should be able to solve this problem by using a VPC endpoint for S3. A VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring an internet connection, keeping the traffic within the AWS network. From a high level, the steps would be to create a VPC endpoint for S3 and then modify your bucket policy to allow access from your VPC. Your Lambda function can still generate pre-signed URLs, but the request will be routed over the VPC endpoint instead of the internet.

https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html#vpc-endpoints-s3

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html

If this helped please remember to mark this answer as accepted. Thanks and good luck.

AWS
Answered 10 months ago
EXPERT
Reviewed 10 months ago
EXPERT
Reviewed 10 months ago
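Added example (not code from the thread or from AWS): a Python sketch of the bucket policy this answer refers to, restricting object reads to the gateway endpoint with the `aws:SourceVpce` condition key, plus a minimal evaluator showing how that statement treats the same presigned URL when fetched through the endpoint versus from the internet. The bucket name and endpoint ID are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase
from typing import Optional

# Constructed placeholder values, not taken from the thread.
BUCKET = "example-private-bucket"
VPCE_ID = "vpce-0123456789abcdef0"


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy that denies object reads unless the request arrives
    through the given S3 gateway endpoint. A presigned URL fetched from
    the public internet is then refused even though its signature is
    valid; the same URL fetched from the private subnet via the endpoint
    succeeds. Note that such a Deny also blocks reads from the console
    or CLI outside the VPC, so scope it deliberately."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadsNotFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def request_allowed(policy: dict, action: str, resource: str,
                    source_vpce: Optional[str]) -> bool:
    """Minimal evaluator for the single statement shape above. An explicit
    Deny wins whenever the request's aws:SourceVpce differs from the
    expected endpoint. A request that did not traverse any VPC endpoint
    (e.g. over a NAT gateway or IGW) carries no aws:SourceVpce key at all,
    and StringNotEquals on a missing key evaluates as true, so it is denied.
    Returning True only means no Deny matched; the signer's permissions
    on the presigned URL still decide the final outcome."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if stmt["Action"] != action:
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        expected = stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"]
        if source_vpce != expected:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(vpce_only_bucket_policy(BUCKET, VPCE_ID), indent=2))
```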
2

You don't need a NATGW or IGW; only an S3 gateway VPC endpoint would serve the purpose.

You would need to configure a Gateway VPC endpoint for S3 and add it to the route table associated with that private subnet; then access to objects stored in S3 via a signed URL would work without a NAT Gateway or IGW.

Configure a VPC endpoint for S3 to be used by the private subnets. Generate a signed URL for an object and try to use wget from an EC2 instance in the private subnet to retrieve it.

Hope this helps.

AWS
EXPERT
Answered 10 months ago
EXPERT
Reviewed 10 months ago
