I want to use VPC endpoints to privately access my Amazon Simple Storage Service (Amazon S3) bucket from an Amazon Elastic Compute Cloud (Amazon EC2) instance.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Configure VPC endpoints to securely access S3 buckets from EC2 instances
You can use either an interface endpoint or a gateway endpoint to reach Amazon S3 without an internet gateway or NAT device.
To create and configure an S3 gateway endpoint, see Create a gateway endpoint. When you create the gateway endpoint, select the route tables of the subnets that must reach Amazon S3; the endpoint adds a route for the S3 prefix list to those route tables, and no client-side configuration is needed.
To create an S3 interface endpoint, see Create a VPC endpoint. If you use an interface endpoint to connect to the S3 bucket, then you must pass the --endpoint-url parameter in the AWS CLI, or set the endpoint URL in the AWS SDK client configuration. If you connect through HTTP(S) directly, then you must use the interface endpoint DNS name as the host name. For more information, see Accessing buckets, access points, and Amazon S3 Control API operations from S3 interface endpoints.
Example interface endpoint DNS name for Amazon S3 (the first label selects the resource type, such as bucket, accesspoint, or control):
your-resource-name.vpce-0e25b8cdd720f900e-argc85vg.s3.us-east-1.vpce.amazonaws.com
Note: Replace your-resource-name with the resource type that you're accessing, and vpce-0e25b8cdd720f900e-argc85vg with the ID and DNS suffix of your own endpoint.
To confirm that you can reach the S3 bucket through the interface endpoint, run the AWS CLI ls command with the bucket endpoint URL:
aws s3 ls s3://doc-example-bucket --endpoint-url https://bucket.vpce-0e25b8cdd720f900e-argc85vg.s3.us-east-1.vpce.amazonaws.com
Note: Replace doc-example-bucket with your bucket name, and replace the endpoint URL with the bucket DNS name of your own interface endpoint. If the command returns a list of objects, then the request traversed the endpoint.
Restrict public access and use IAM roles to secure S3 bucket access
To enforce that your S3 bucket is accessed only over the VPC endpoint, attach the following bucket policy. After you attach it, any request that doesn't originate from the specified endpoint, including requests from the internet and from the AWS Management Console, receives an Access Denied error, because the aws:SourceVpce condition key is present only on requests that arrive through a VPC endpoint. Before you attach the policy, make sure that you have another way to manage the bucket (for example, an instance or role that connects through the endpoint), so that you don't lock yourself out:
{
  "Version": "2012-10-17",
  "Id": "DenyNonVPCeAccess",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::doc-example-bucket",
        "arn:aws:s3:::doc-example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
Note: Replace doc-example-bucket with your bucket name and vpce-1a2b3c4d with the ID of your VPC endpoint. To allow more than one endpoint, pass a list of endpoint IDs as the value of aws:SourceVpce. This policy only denies; the IAM role on your EC2 instance still needs an Allow for the S3 actions that it uses.
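The lockout behavior described above is easy to get wrong, so it helps to model the evaluation before attaching the policy. The following is an added example, not code from the AWS page: a minimal evaluator for exactly the policy elements the statement uses (Effect Deny, Action and Resource with "*" wildcards, StringNotEquals on aws:SourceVpce). It models the IAM rule that a negated operator whose key is absent from the request context evaluates to true, which is what denies console and internet requests. The request contexts, bucket name, and endpoint IDs are constructed for illustration.

```python
"""Evaluator for the DenyNonVPCeAccess bucket policy (added example).

Models only the policy features that statement uses. Request contexts are
constructed, not captured from AWS.
"""
import fnmatch


def deny_non_vpce_policy(bucket: str, vpce_ids: list[str]) -> dict:
    """Build the page's policy. StringNotEquals accepts a list, so several
    endpoint IDs (for example one per VPC) can be allowed in one statement."""
    return {
        "Version": "2012-10-17",
        "Id": "DenyNonVPCeAccess",
        "Statement": [
            {
                "Sid": "Access-to-specific-VPCE-only",
                "Principal": "*",
                "Action": "s3:*",
                "Effect": "Deny",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate: str, fold_case: bool) -> bool:
    """IAM-style wildcard match: "*" spans any characters, including "/" and ":".
    Action names are case-insensitive in IAM; resource ARNs are not."""
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block that uses only StringNotEquals.

    A negated operator is true when the key is absent from the request
    context. aws:SourceVpce is set only on requests that arrive through a
    VPC endpoint, so a console or internet request has no such key and the
    Deny applies to it."""
    for operator, keys in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, allowed in keys.items():
            actual = context.get(key)
            if actual is not None and actual in _as_list(allowed):
                return False  # the value matched, so "not equals" is false
    return True


def explicit_deny(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if some Deny statement matches the request. An explicit deny
    overrides any Allow; False only means "not denied by this policy"."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = deny_non_vpce_policy("doc-example-bucket", ["vpce-1a2b3c4d"])
    obj = "arn:aws:s3:::doc-example-bucket/reports/q1.csv"
    # Constructed request contexts: the allowed endpoint, a foreign endpoint,
    # and a request with no endpoint at all (console or public internet).
    cases = [
        ("from allowed endpoint", {"aws:SourceVpce": "vpce-1a2b3c4d"}),
        ("from another endpoint", {"aws:SourceVpce": "vpce-9f8e7d6c"}),
        ("no endpoint (console/internet)", {}),
    ]
    for label, ctx in cases:
        denied = explicit_deny(policy, "s3:GetObject", obj, ctx)
        print(f"{label:32s} denied={denied}")
```

Run it as a script to see the three outcomes side by side; the third case (empty context) is the one that locks out console users, and it stays denied no matter which IAM principal makes the request, because the statement's Principal is "*".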
Troubleshoot connectivity issues between EC2 instances and S3 buckets with VPC endpoints
If you experience a connection timeout error from the VPC endpoint, then use the VPC Reachability Analyzer to analyze the connection path. For more information, see Getting started with Reachability Analyzer.
If you use an interface endpoint, then make sure that you pass the correct resource type (for example, bucket) and the correct endpoint ID in the endpoint URL, and verify that the security group attached to the endpoint's network interfaces allows inbound TCP traffic on port 443 from the EC2 instance's security group or subnet CIDR. If you use a gateway endpoint, then verify that the route table of the instance's subnet contains a route to the S3 prefix list that targets the endpoint.
Related information
Controlling access from VPC endpoints with bucket policies