I'm using a gateway endpoint to connect to an Amazon Simple Storage Service (Amazon S3) bucket from an Amazon Elastic Compute Cloud (Amazon EC2) instance in the Amazon Virtual Private Cloud (Amazon VPC). However, the connection isn't working.
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.
Gateway VPC endpoint connectivity issues are usually caused by network access or security rules that don't allow the connection from the Amazon VPC to Amazon S3. Check the following resources and configurations to troubleshoot your connectivity issues.
Region configurations
You can access Amazon S3 objects through a gateway VPC endpoint only when the S3 objects are in the same AWS Region as the endpoint. Confirm that your objects and endpoint are in the same Region.
DNS settings in your VPC
Important: DNS resolution must be activated in your VPC. If you're using your own DNS server, then be sure that DNS requests to AWS services resolve to IP addresses maintained by AWS.
1. Open the Amazon VPC console.
2. In the navigation pane, under Virtual Private Cloud, choose Your VPCs.
3. In the resource list, choose the Amazon VPC that has Amazon S3 connectivity issues.
4. In the Summary view, set DNS resolution to yes.
Route table settings to Amazon S3
1. Open the Amazon VPC console.
2. In the navigation pane, under Virtual Private Cloud, choose Route Tables.
3. Choose the route table associated with the VPC subnet that has Amazon S3 connectivity issues.
4. Choose the Routes view.
5. Confirm that there's a route to Amazon S3 using the gateway VPC endpoint.
Security group outbound rules
1. Open the Amazon EC2 console.
2. In the navigation pane, under Network & Security, choose Security Groups.
3. In the resource list, choose the security group associated with the instance that you're using to connect to Amazon S3.
4. In the Outbound view, confirm that the available outbound rules allow traffic to Amazon S3.
5. The default outbound rule allows all outbound traffic. If the security group has more restrictive rules than the default outbound rule, then add one of the following:
For more information, see Associate security groups.
Network ACL rules
1. Open the Amazon VPC console.
2. In the navigation pane, under Security, choose Network ACLs.
3. In the resource list, choose the network access control list (network ACL) associated with the VPC subnet that has Amazon S3 connectivity issues.
4. In the Inbound Rules view, confirm that the rules allow inbound return traffic from Amazon S3 on ephemeral TCP ports 1024-65535.
5. In the Outbound Rules view, confirm that the rules allow traffic to Amazon S3 on the HTTPS port.
Note: By default, network ACLs allow all inbound and outbound IPv4 traffic. Network ACLs also allow all inbound and outbound IPv6 traffic, if applicable. If your network ACL rules restrict traffic, then you must specify the CIDR blocks (IP address ranges) for Amazon S3. You can receive notifications whenever the Amazon S3 IP address ranges change, and you can use scripts to automatically update the network ACL rules.
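As an added example that is not part of this article, the script below shows how such an update job could pull the S3 ranges for one Region out of the layout of AWS's published ip-ranges.json file and compute which network ACL entries to add or remove; the JSON excerpt is constructed sample data using documentation CIDRs, not real Amazon S3 addresses.

```python
import ipaddress
import json

# Constructed excerpt in the layout of the published ip-ranges.json file
# (sample values only): one object per prefix, tagged with region and service.
IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "S3"}
  ]
}"""


def s3_prefixes(ip_ranges_json, region):
    """Return the sorted list of S3 CIDR blocks for one Region.

    These are the ranges a restrictive network ACL must allow: outbound on the
    HTTPS port and inbound on the ephemeral ports for the return traffic.
    Prefixes tagged with another service (for example AMAZON) are ignored.
    """
    data = json.loads(ip_ranges_json)
    wanted = {
        p["ip_prefix"]
        for p in data["prefixes"]
        if p["service"] == "S3" and p["region"] == region
    }
    # Sort numerically rather than lexically so the rule order is stable.
    return sorted(wanted, key=ipaddress.ip_network)


def nacl_changes(current_cidrs, published_cidrs):
    """Compare the CIDRs the network ACL currently allows with the published list.

    Returns (to_add, to_remove) so an update script touches only the delta
    instead of rewriting every rule on each run. Stale entries are reported
    for removal so the ACL does not keep allowing ranges S3 no longer uses.
    """
    current, published = set(current_cidrs), set(published_cidrs)
    return sorted(published - current), sorted(current - published)


if __name__ == "__main__":
    published = s3_prefixes(IP_RANGES_JSON, "us-west-2")
    print("S3 ranges for us-west-2:", published)
    print("add/remove:", nacl_changes(["192.0.2.0/24", "10.0.0.0/8"], published))
```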
Gateway VPC endpoint policy
Important: Endpoints currently don't support cross-Region requests. Be sure that your endpoint is in the same Region as your bucket. You can use the get-bucket-location command to find the location of your bucket.
1. Open the Amazon VPC console.
2. In the navigation pane, under Virtual Private Cloud, choose Endpoints.
3. In the resource list, choose the endpoint associated with the VPC subnet that has Amazon S3 connectivity issues.
4. Choose the Policy view.
5. Review the endpoint policy. Check if the policy blocks access to the S3 bucket or to the AWS Identity and Access Management (IAM) user affected by the connectivity issues. If necessary, edit the policy to allow access for the S3 bucket or IAM user. For more information, see Endpoint policies for Amazon S3.
S3 bucket policy
1. Open the Amazon S3 console.
2. Choose the S3 bucket with connectivity issues.
3. Choose the Permissions view.
4. Choose Bucket Policy.
5. Be sure that the bucket policy allows access from the gateway VPC endpoint and the VPC that you want to connect. Edit the policy to allow access from the gateway VPC endpoint and VPC. For more information, see Control access using bucket policies.
Note: Your bucket policy can restrict access only from a specific public or Elastic IP address associated with an instance in a VPC. You can't restrict access based on private IP addresses associated with instances. For more information, see Managing access based on specific IP addresses.
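As an added illustration that is not from this article, the following simplified evaluator checks whether a bucket policy keyed on the aws:SourceVpce condition key would allow or deny a request; the policy, the bucket name mybucket and the endpoint ID vpce-EXAMPLE1234 are placeholders, and it models only explicit Deny precedence with StringEquals and StringNotEquals, not full IAM evaluation.

```python
from fnmatch import fnmatchcase

# Constructed sample bucket policy (placeholder bucket name and endpoint ID):
# the usual pattern for locking a bucket to one gateway VPC endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromEndpoint", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE1234"}}},
        {"Sid": "DenyOtherPaths", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE1234"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(cond, ctx):
    """StringEquals / StringNotEquals only. A negated operator is satisfied when
    the key is absent, so a Deny with StringNotEquals aws:SourceVpce also catches
    requests that did not arrive through any VPC endpoint."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if op == "StringEquals" and (actual is None or actual not in wanted):
                return False
            if op == "StringNotEquals" and actual in wanted:
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {op}")
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request. Simplified model:
    an explicit Deny always wins and every statement's Principal is assumed to be '*'."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

The third case in the test, a request with no aws:SourceVpce key at all, is the one that trips people up: the Deny statement matches it precisely because the key is missing.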
If you're using a proxy server, then be sure to allow your VPC connections through the server. If you don't use a proxy server for Amazon S3, then use the following command to bypass the proxy server when accessing your Amazon S3 bucket:
export no_proxy=mybucket.s3.us-west-2.amazonaws.com
Note: Be sure to replace us-west-2 with your Region.
IAM policy
1. Open the AWS IAM console.
2. Choose the IAM user or role used to access the S3 bucket from the instance.
3. Choose the Permissions view.
4. Be sure that the IAM user or role has the correct permissions to access Amazon S3. For more information, see How to restrict Amazon S3 bucket access to a specific IAM role and Controlling access to a bucket with user policies.
AWS CLI configuration
Configure the AWS CLI and set a default AWS Region. Use the aws configure command to specify a Default region name. Or, set the --region option in each AWS CLI command if you don't want to specify a default Region, or if you want to override the default Region.
AWS SDK configuration
When making requests to an S3 bucket using a gateway VPC endpoint, you must configure the SDK (or client objects) to use the correct Region. For more information, see Using the Config object.
Related information
Control access to VPC endpoints using endpoint policies
Access management for AWS resources