How do I troubleshoot connectivity issues when I use interface VPC endpoints to connect to my Amazon S3 bucket?


I want to resolve issues that I experience when I use interface Amazon Virtual Private Cloud (Amazon VPC) endpoints to connect to my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

To troubleshoot your connectivity issues, complete the following steps:

  • Check the policy that's associated with the interface Amazon VPC endpoint and Amazon S3 bucket.
  • Check that your network has connectivity to the interface Amazon S3 endpoints.
  • Check that your DNS resolves to the IP addresses of the interface Amazon S3 endpoints.
  • Fix SSL validation errors.

Resolution

Note: In the following commands, replace the example values with your values.

Check the policy that's associated with the Amazon VPC endpoint and Amazon S3 bucket

By default, a policy isn't associated with an Amazon S3 bucket when the bucket is created. When you create an Amazon S3 interface endpoint, you can associate an endpoint policy. By default, the endpoint policy that you associate allows any action on the bucket. Check both the endpoint policy and the bucket policy for statements that deny the request. For information, see Access an AWS service using an interface VPC endpoint.

Check that your network has connectivity to the interface Amazon S3 endpoints

To check connectivity to your interface Amazon S3 endpoints, complete the following steps:

  • Check connectivity between the source and the destination. Check the network access control list (network ACL) and the security group that's associated with the Amazon S3 interface endpoints. Make sure that traffic is allowed to the interface endpoint.
  • Test connectivity between the AWS resource or on-premises host and the Amazon S3 endpoint:
telnet bucket.example_S3_interface_endpoint_DNS 443
  • To determine connectivity issues with the security group or the network ACL, use an Amazon Elastic Compute Cloud (Amazon EC2) instance to test the connectivity in the subnet where the source endpoint is. Check that layer 3 connectivity exists from the source to the destination AWS resource. Make sure that you use the same security group in the test instance as the Amazon S3 interface endpoint.

Check that your DNS resolves to the IP addresses of the interface Amazon S3 endpoints

To check that your DNS resolves to the correct IP addresses, use tools such as nslookup and dig.

Example dig command:

dig example_s3_interface_endpoint_DNS @example_local_nameserver

Note: The Amazon provided DNS server is the .2 IP address of the Amazon VPC CIDR. For an on-premises host, the local name server is the one that's listed in the host's /etc/resolv.conf file.

Resolve SSL validation errors

To resolve or prevent an SSL validation failure, make sure that the endpoint URL matches the domain that the endpoint certificate covers. After the URL verification completes, access the Amazon S3 bucket and list the objects in the bucket.

Note: Certificates for AWS PrivateLink for Amazon S3 endpoints cover three subdomains: bucket, access point, and control. Make sure that you specify the correct subdomain when you address an AWS PrivateLink endpoint for Amazon S3.

To troubleshoot SSL errors, run the following commands:

Check URL verification:

aws s3 ls s3://<example-bucket-name>/ --region <example-region> --endpoint-url https://bucket.<example-endpoint-id>.s3.<example-region>.

Check the supported certificates:

openssl s_client -connect <example-endpoint-URL>:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS

Check the connectivity over the SSL protocol:

openssl s_client -connect <example-endpoint-URL>:443
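The DNS, connectivity, and certificate checks above collected into one script, as an added example that is not part of the original article. It assumes the interface endpoint hostname has the shape `<subdomain>.<vpce-id>.s3.<region>.vpce.amazonaws.com` and that you supply your VPC CIDR; the helper functions run offline, and `diagnose()` needs network access to the endpoint.

```python
import ipaddress
import socket
import ssl

# The three PrivateLink subdomains named in the article.
VALID_SUBDOMAINS = ("bucket", "accesspoint", "control")


def endpoint_subdomain(host):
    """Return 'bucket', 'accesspoint' or 'control' if host looks like an S3
    interface endpoint name (assumed shape: <sub>.<vpce-id>.s3.<region>.vpce.amazonaws.com),
    otherwise None. A None result usually means the wrong subdomain or a cut-off URL."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) == 7 and labels[0] in VALID_SUBDOMAINS
            and labels[1].startswith("vpce-") and labels[2] == "s3"
            and labels[4:] == ["vpce", "amazonaws", "com"]):
        return labels[0]
    return None


def addresses_outside_vpc(addresses, vpc_cidr):
    """Return resolved addresses that are NOT inside the VPC CIDR. An empty list
    means DNS resolves to the endpoint's private ENIs; public S3 IPs mean the
    resolver is not returning the interface endpoint addresses."""
    net = ipaddress.ip_network(vpc_cidr)
    return [a for a in addresses if ipaddress.ip_address(a) not in net]


def san_covers(host, san_names):
    """True if an exact or leftmost-label wildcard DNS SAN covers host
    (the same check an SSL client performs before trusting the endpoint)."""
    hl = host.lower().rstrip(".").split(".")
    for name in san_names:
        nl = name.lower().split(".")
        if nl == hl or (nl[0] == "*" and len(nl) == len(hl) and nl[1:] == hl[1:]):
            return True
    return False


def diagnose(host, vpc_cidr, port=443):
    """Live run of the article's steps: DNS -> TCP (like telnet) -> TLS SAN check."""
    results = {"subdomain": endpoint_subdomain(host)}
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, socket.AF_INET)})
    results["dns"] = addrs
    results["outside_vpc"] = addresses_outside_vpc(addrs, vpc_cidr)
    with socket.create_connection((host, port), timeout=5) as raw:  # security group / NACL
        results["tcp"] = True
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
            results["san_covers_host"] = san_covers(host, sans)
    return results
```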

Related information

Accessing buckets, access points, and Amazon S3 Control API operations from S3 interface endpoints

Share your services through AWS PrivateLink

Gateway endpoints for Amazon S3

AWS OFFICIAL
Updated a year ago