By using AWS re:Post, you agree to the Terms of Use
/How do I restrict access to an s3 bucket behind a transit gateway?/

How do I restrict access to an s3 bucket behind a transit gateway?


Suppose I have 2 VPCs, VPC-A and VPC-B. My workspace (where traffic originates from) is in VPC-A, and I have my application in VPC-B. These VPCs are attached by a transit gateway. These VPCs are in two accounts, Account-A and Account-B respectively.

Suppose I want to make a private S3 bucket in Account-B. This S3 bucket houses a static site which we only want to make visible to the interconnected network, VPC-A and VPC-B.

How would I go about doing this without modifying any resources in Account-A?

Note: It seems you cannot just use an S3 Gateway Service Endpoint. As per the docs,

Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

(This is because a typical "Gateway" Service endpoint works on the principle of actively modifying a subnet's route table so that IPs that match the current public S3 IPs are redirected through the endpoint. If modifications are only in Account-B, then adding these route tables would be impossible)

1 Answers

Instead of a Gateway Endpoint you can use a PrivateLink endpoint which is accessibly from outside the VPC in which it is created (via Transit Gateway in this case but that's not the only network access path).

However, at this time you can't use S3 PrivateLink endpoints as a target for a web browser - it only accepts S3 API calls - so a little unhelpful in this case. You could create a proxy server in a VPC that does the work for you but that's extra cost plus an instance to maintain (actually, good practice dictates that you should have a load balancers and at least two instances for redundancy) - so not really an option either.

Therefore: given that there is no cost for creating Gateway Endpoints why not create one in each VPC? Then modify the bucket policy to only allow access via the endpoint.

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions