I want to create a private connection from my Amazon Virtual Private Cloud (Amazon VPC) to an Amazon Simple Storage Service (Amazon S3) bucket. But I don't want to use authentication, such as AWS Identity and Access Management (IAM) credentials.
Short description
Warning: For security, it's a best practice to use AWS IAM to manage requests to your Amazon S3 bucket. Because anonymous requests aren't authenticated, it's difficult to identify the entity that requests access to your Amazon S3 bucket when you don't use AWS IAM.
You can access an Amazon S3 bucket privately without authentication when you access the bucket from an Amazon VPC.
Note: The Amazon VPC endpoint that you use must point to Amazon S3.
To set up an Amazon VPC endpoint that you can use to access your S3 bucket, complete the following steps:
- Create a VPC endpoint for Amazon S3.
- Add a bucket policy that allows access from the VPC endpoint.
- Verify that you can access objects in S3 without authentication from within the VPC.
Resolution
Prerequisite: You must create a VPC that you'll access the bucket from.
Create a VPC endpoint for Amazon S3
To create a VPC endpoint for Amazon S3, complete the following steps:
- Open the Amazon VPC console.
- Use the Region selector in the navigation bar to set the AWS Region to the same Region as your S3 bucket.
- From the navigation pane, choose Endpoints.
- Choose Create Endpoint.
- For Service category, choose AWS services.
- For Service Name, select the Amazon S3 service name with the Gateway type. For example, the service name in the US East (N. Virginia) Region is com.amazonaws.us-east-1.s3.
- For VPC, select your VPC.
- For Configure route tables, select the route tables based on the associated subnets that you want to be able to access the endpoint from.
- For Policy, choose Full Access.
- Choose Create endpoint.
- Note the VPC Endpoint ID. You'll need this endpoint ID for a later step.
Add a bucket policy that allows access from the VPC endpoint
Update your bucket policy with a condition that allows users to access the bucket when the request is from the VPC endpoint that you created.
To allow those users to download objects, you must grant the s3:GetObject permission. Use a bucket policy like the following example:
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
For the value of aws:sourceVpce, make sure to enter the VPC endpoint ID of the endpoint that you previously created.
Important: This policy allows access from the VPC endpoint, but it doesn't deny all access from outside the endpoint. If a user from the same account is authenticated, this policy still allows the user to access the bucket from outside the VPC endpoint. For a more restrictive bucket policy, use a policy that explicitly denies access to any requests from outside the endpoint.
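The following Python script is an added example (not AWS code or part of this article) that makes the point above concrete. It builds the article's Allow-only policy, builds a second policy that adds an explicit Deny statement for any request whose aws:sourceVpce does not match the endpoint (the StringNotEquals pattern is one standard way to write that deny), and then runs both through a deliberately simplified model of the IAM decision logic: an explicit Deny always wins, otherwise any Allow from the bucket policy or from a same-account caller's identity policy grants access, otherwise the request is implicitly denied. The bucket name, endpoint ID, and the three sample requests are constructed placeholders; the evaluator supports only the two condition operators the policies use.

```python
"""Compare the Allow-only bucket policy with an Allow + explicit Deny policy.
Added example with constructed values; the evaluator is a simplified model of
IAM policy evaluation, not an AWS API."""
import fnmatch
import json

BUCKET = "DOC-EXAMPLE-BUCKET"  # placeholder bucket name used in the article
VPCE_ID = "vpce-1a2b3c4d"      # placeholder endpoint ID used in the article


def allow_only_policy(bucket, vpce_id):
    """The article's policy: Allow s3:GetObject when the request comes through the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-VPCE-only",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def allow_and_deny_policy(bucket, vpce_id):
    """Same Allow, plus an explicit Deny for every request not from the endpoint.
    An explicit Deny overrides Allows granted elsewhere (for example by an identity policy)."""
    policy = allow_only_policy(bucket, vpce_id)
    policy["Statement"].append({
        "Sid": "Deny-from-outside-VPCE",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
    })
    return policy


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.
    As in IAM, a missing key makes StringEquals false and StringNotEquals true."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the request carries no such key
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _statement_applies(stmt, request):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(request["action"], a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in stmt["Resource"]):
        return False
    return _condition_matches(stmt.get("Condition", {}), request["context"])


def evaluate(policy, request):
    """Simplified decision: explicit Deny wins; otherwise an Allow in the bucket policy
    or in a same-account caller's identity policy grants access; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, request):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    if decision == "ImplicitDeny" and request.get("identity_policy_allows", False):
        decision = "Allow"
    return decision


# Constructed sample requests: anonymous callers have no identity policy at all.
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/folder/file.txt"
REQUESTS = {
    "anonymous via the gateway endpoint": {
        "action": "s3:GetObject", "resource": OBJECT_ARN,
        "context": {"aws:sourceVpce": VPCE_ID}, "identity_policy_allows": False},
    "anonymous from the internet": {
        "action": "s3:GetObject", "resource": OBJECT_ARN,
        "context": {}, "identity_policy_allows": False},
    "same-account IAM user from the internet": {
        "action": "s3:GetObject", "resource": OBJECT_ARN,
        "context": {}, "identity_policy_allows": True},
}


def compare_policies():
    """Return {request name: (allow-only decision, allow+deny decision)}."""
    allow_only = allow_only_policy(BUCKET, VPCE_ID)
    restrictive = allow_and_deny_policy(BUCKET, VPCE_ID)
    return {name: (evaluate(allow_only, req), evaluate(restrictive, req))
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(allow_and_deny_policy(BUCKET, VPCE_ID), indent=2))
    for name, (lax, strict) in compare_policies().items():
        print(f"{name:42} allow-only={lax:13} allow+deny={strict}")
```

Running the script shows the difference the Important note describes: the authenticated same-account user is still allowed under the Allow-only policy, but is explicitly denied under the policy that adds the Deny statement. The JSON the script prints can be applied with aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET --policy file://policy.json after you replace the placeholders; note that the Deny statement also blocks the account's own console and CLI access to the bucket unless that access goes through the endpoint, so keep a path for administration before applying it.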
Verify that you can access objects in S3 without authentication from within the VPC
To verify that you can now access objects in S3 without authentication from within the VPC, use an HTTP client to make an anonymous request. For example, from an EC2 instance in a subnet whose route table is associated with the S3 gateway endpoint that you created earlier, use curl to run a command similar to the following:
curl -i https://bucketname.s3.region.amazonaws.com/folder/file.txt
If the bucket policy is configured correctly, then you get a 200 OK message for SSE-S3 encrypted objects. For objects encrypted with SSE-KMS, you get a 400 Bad Request error message because the anonymous request isn't signed with AWS credentials.
Related information
Gateway endpoints for Amazon S3