Restrict access to s3 bucket

Question

Our company has an application running on Amazon EC2 instances in a VPC. One of the applications needs to call an Amazon S3 API to store and read objects. The company’s security policies restrict any internet-bound traffic from the applications. Which action will fulfill these requirements and maintain security?

Accepted Answer

If you want to avoid internet traffic, then leverage a VPC Endpoint for S3 from within the VPC where the EC2 instance will reside that need access to the data.

Then leverage a policy on the EndPoint to restrict access to just that VPC, additionally then add a bucket policy onto the S3 bucket that only allows access to the VPC Endpoint.

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html

Answer

You should create a Gateway Endpoint for S3. Relevant steps can be found [here](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html)

Restrict access to s3 bucket

관련 콘텐츠