How do I restrict access to an s3 bucket behind a transit gateway?
Suppose I have 2 VPCs, VPC-A and VPC-B. My workspace (where traffic originates from) is in VPC-A, and I have my application in VPC-B. These VPCs are attached by a transit gateway. These VPCs are in two accounts, Account-A and Account-B respectively.
Suppose I want to make a private S3 bucket in Account-B. This S3 bucket houses a static site which we only want to make visible to the interconnected network, VPC-A and VPC-B.
How would I go about doing this without modifying any resources in Account-A?
Note: It seems you cannot just use an S3 Gateway Service Endpoint. As per the docs,
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
(This is because a typical "Gateway" Service endpoint works on the principle of actively modifying a subnet's route table so that IPs that match the current public S3 IPs are redirected through the endpoint. If modifications are only in Account-B, then adding these route tables would be impossible)
Instead of a Gateway Endpoint you can use a PrivateLink endpoint which is accessibly from outside the VPC in which it is created (via Transit Gateway in this case but that's not the only network access path).
However, at this time you can't use S3 PrivateLink endpoints as a target for a web browser - it only accepts S3 API calls - so a little unhelpful in this case. You could create a proxy server in a VPC that does the work for you but that's extra cost plus an instance to maintain (actually, good practice dictates that you should have a load balancers and at least two instances for redundancy) - so not really an option either.
Therefore: given that there is no cost for creating Gateway Endpoints why not create one in each VPC? Then modify the bucket policy to only allow access via the endpoint.
Transit Gateway - Multiple Subnet per AZasked 3 years ago
How do I restrict access to an s3 bucket behind a transit gateway?asked 3 months ago
Benefits to S3 cross-region access with VPC peered interface endpoints vs. public internet using NAT gateways?Accepted Answerasked 2 months ago
VPC peering and Network Firewallasked 3 months ago
S3 bucket access on EC2 Instance using boto3Accepted Answerasked 5 days ago
What is Best Practice configuration for a SECURE single user WorkSpaces VPC?asked 3 months ago
How to access OpenSearch from few different VPCs?asked 4 months ago
Security VPC is not working with Transit GatewayAccepted Answerasked 10 months ago
How do we correctly link the DC Gateway into the VPC, is a VG required?Accepted Answerasked 9 months ago
Lightsail S3 Bucket behind Lightsail Distributionasked a month ago