How do I restrict access to an s3 bucket behind a transit gateway?
Suppose I have 2 VPCs, VPC-A and VPC-B. My workspace (where traffic originates from) is in VPC-A, and I have my application in VPC-B. These VPCs are attached by a transit gateway. These VPCs are in two accounts, Account-A and Account-B respectively.
Suppose I want to make a private S3 bucket in Account-B. This S3 bucket houses a static site which we only want to make visible to the interconnected network, VPC-A and VPC-B.
How would I go about doing this without modifying any resources in Account-A?
Note: It seems you cannot just use an S3 Gateway Service Endpoint. As per the docs,
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
(This is because a typical "Gateway" Service endpoint works on the principle of actively modifying a subnet's route table so that IPs that match the current public S3 IPs are redirected through the endpoint. If modifications are only in Account-B, then adding these route tables would be impossible)
Instead of a Gateway Endpoint you can use a PrivateLink endpoint which is accessible from outside the VPC in which it is created (via Transit Gateway in this case, but that's not the only network access path).
However, at this time you can't use S3 PrivateLink endpoints as a target for a web browser - it only accepts S3 API calls - so a little unhelpful in this case. You could create a proxy server in a VPC that does the work for you, but that's extra cost plus an instance to maintain (actually, good practice dictates that you should have a load balancer and at least two instances for redundancy) - so not really an option either.
Therefore: given that there is no cost for creating Gateway Endpoints why not create one in each VPC? Then modify the bucket policy to only allow access via the endpoint.
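The bucket policy that answer suggests, written out as an added example (this is not code from the answer or from AWS documentation). It assumes two gateway endpoint IDs, one per VPC, and a break-glass role ARN for Account-B; all three values are placeholders. The small evaluator beneath it models only the condition operators the policy uses (explicit Deny wins, then any matching Allow, else implicit deny) so the policy can be sanity-checked offline before it is applied; it is not a substitute for the IAM policy simulator.

```python
import json
from fnmatch import fnmatchcase

# Placeholder values (assumptions, not taken from the question or answer).
ENDPOINTS = ["vpce-0aaaaaaaaaaaaaaaa", "vpce-0bbbbbbbbbbbbbbbb"]  # VPC-A, VPC-B
ADMIN_ROLE = "arn:aws:iam::111122223333:role/BucketAdmin"       # Account-B break-glass


def build_bucket_policy(bucket, vpce_ids, admin_role_arn):
    """Allow read-only access from the listed gateway endpoints and explicitly
    deny everything else, except for one admin role so the account is not
    locked out of its own bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadViaGatewayEndpoints",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_ids}},
            },
            {
                "Sid": "DenyUnlessEndpointOrAdmin",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                # Both conditions must hold for the Deny to apply: the request
                # did not arrive through one of our endpoints AND it is not the
                # admin role. A missing aws:SourceVpce (internet request) makes
                # StringNotEquals true, which is what we want.
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_ids},
                    "ArnNotEquals": {"aws:PrincipalArn": admin_role_arn},
                },
            },
        ],
    }


def _condition_holds(condition, ctx):
    """Evaluate the subset of IAM operators used above against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator in ("StringEquals", "ArnEquals"):
                if actual is None or actual not in values:
                    return False
            elif operator in ("StringNotEquals", "ArnNotEquals"):
                if actual is not None and actual in values:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_matches(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, pattern) for pattern in actions):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action and request context.
    'ImplicitDeny' means the bucket policy says nothing; for same-account
    principals the identity (IAM) policy then decides."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


if __name__ == "__main__":
    policy = build_bucket_policy("example-static-site", ENDPOINTS, ADMIN_ROLE)
    print(json.dumps(policy, indent=2))
    print(evaluate(policy, "s3:GetObject", {"aws:SourceVpce": ENDPOINTS[0]}))  # Allow
    print(evaluate(policy, "s3:GetObject", {}))                                # Deny (internet)
```

Note that the Deny also blocks uploads from a deployment pipeline unless it runs inside one of the endpoint VPCs or as the excepted role, so check `evaluate(policy, "s3:PutObject", ...)` for whichever principal publishes the site before applying the policy.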