
Private DNS name for S3 VPC endpoint

1

Good afternoon,

I have deployed an interface VPC endpoint for S3 and I would like to map it to my internal domain (e.g. s3.example.local). I have created a private PHZ and created an ALIAS record pointing to my VPC endpoint. This works; however I'm getting a TLS error because the certificate name doesn't match my internal name. I see the certificate assigned to the VPC endpoint is specific to the endpoint, so I was wondering if there was a way to somehow include a custom name into that certificate?

The other alternative I see would be to ignore SSL verification checks, but obviously I would like to avoid this.

Thanks! Fred.

3 Answers
1

You're correct: you can't assign a Private DNS name to the S3 interface endpoint. It's called out in the documentation. You have to either use the name or (as you suggest) disable SSL verification, but that's not recommended.

Update: We've now released a feature that provides private DNS support for PrivateLink: https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/

AWS
EXPERT
answered 4 years ago
0

Hi,

I was trying to access S3 from a VPC located in a different region (because we don't want to go over the public Internet for security reasons), and I believe there is a bit of a lack of documentation on how to achieve this. We are already using the same approach for the other AWS services, but S3 is different: when you create the interface endpoint it returns you a wildcard, and this does not allow you to just create a standard Alias (A) record to the service. After a few tries I figured out you can do a name redirection by specifying a CNAME for *.s3.<REGION>.amazonaws.com to <S3_INTERFACE_ENDPOINT_WILDCARD>; this allows you to access the S3 service over the VPC peering without the need to specify the --endpoint-url for all the commands.

In your case, changing the domain to something that is not native to AWS might still be a problem for the SSL cert, but as long as you link your DNS Resolver to this private DNS entry on AWS, you can use the native naming convention without having to actually use the AWS public endpoints to access the service.

Hope this helps!

BR, Michele

answered 2 years ago
0

The problem with this entire approach is that AWS considers non-regional endpoints (s3.amazonaws.com) legacy, even though they use this as the default to connect to us-east-1 S3 via the SDK (i.e. the Python SDK). Basically, even with DNS magic by pointing s3.us-east-1.amazonaws.com to the VPC interface endpoint, the codebases do not automatically use this endpoint since the SDK defaults to s3.amazonaws.com. You have to explicitly add a section in the codebase to "use regional endpoints" to make this work, which I would argue puts you in the same position as explicitly setting the S3 endpoint in the codebase, making a lot of this not useful.

We cannot point s3.amazonaws.com to the VPC interface endpoint in us-east-1 since this will give SSL issues. Ideally they should put a SAN on the certificate which is returned from the us-east-1 VPC endpoint for the name "s3.amazonaws.com".

answered 10 months ago
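The three posts above all turn on one detail: DNS decides which address the client connects to, but TLS hostname verification checks the name the client asked for, never the ALIAS or CNAME target. The script below is an added example, not code from this thread or from AWS. It models the question's ALIAS to s3.example.local, the second answer's wildcard CNAME from *.s3.<REGION>.amazonaws.com, and the third answer's legacy s3.amazonaws.com name against a constructed SAN list. The endpoint id vpce-0123456789abcdef0-abcd1234, the SAN list and the zone records are assumptions for illustration; the real SANs on your endpoint's certificate are what matter, and the usage note says how to read them.

```python
"""Added example: why an ALIAS/CNAME to an S3 interface endpoint can still fail
TLS hostname verification. Endpoint id, SAN list and zone are constructed."""

# Hypothetical endpoint DNS name (assumption, not a real endpoint).
ENDPOINT_DNS = "vpce-0123456789abcdef0-abcd1234.s3.us-east-1.vpce.amazonaws.com"

# Constructed stand-in for the endpoint certificate's Subject Alternative Names.
# Assumption: it carries the endpoint wildcard plus the regional S3 names,
# which is what the wildcard-CNAME approach in the second answer relies on.
CERT_SANS = [
    f"*.{ENDPOINT_DNS}",
    "*.s3.us-east-1.amazonaws.com",
    "s3.us-east-1.amazonaws.com",
]

# Constructed private hosted zone, one record per approach in the thread.
ZONE = {
    # question: friendly internal name, ALIAS to the endpoint
    "s3.example.local": ("ALIAS", ENDPOINT_DNS),
    # second answer: wildcard CNAME from the native regional name to the endpoint wildcard
    "*.s3.us-east-1.amazonaws.com": ("CNAME", f"*.{ENDPOINT_DNS}"),
}


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive; '*' accepted only as the whole
    leftmost label, matching exactly one label; wildcards like '*.com' refused."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels) or "" in host_labels:
        return False
    if san_labels[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    if any("*" in label for label in san_labels):
        return False  # partial wildcards ("s3*.") are not honoured
    return san_labels == host_labels


def hostname_verifies(hostname: str, sans=CERT_SANS) -> bool:
    """True if any SAN on the (constructed) endpoint certificate covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


def resolve(name: str, zone=ZONE):
    """Return (record_type, target) for name, falling back to a one-level wildcard
    record on the parent, or None. The CNAME target is returned literally; there is
    no label substitution into the target, as in Route 53."""
    name = name.lower()
    if name in zone:
        return zone[name]
    wildcard = "*." + ".".join(name.split(".")[1:])
    return zone.get(wildcard)


def connect(requested_name: str) -> dict:
    """Simulate the client: DNS decides where the packets go, but the TLS check
    runs against the name the client requested (its SNI), not the CNAME/ALIAS target."""
    record = resolve(requested_name)
    return {
        "requested": requested_name,
        "routes_to_endpoint": record is not None,
        "tls_ok": hostname_verifies(requested_name),
    }


if __name__ == "__main__":
    for name in (
        "s3.example.local",                      # question: routes, TLS fails
        "mybucket.s3.us-east-1.amazonaws.com",   # second answer: routes, TLS ok
        "s3.amazonaws.com",                      # third answer: no record, TLS fails
    ):
        print(connect(name))
```

To see what your own endpoint actually presents, point s_client at the endpoint with the name you intend clients to use: openssl s_client -connect <endpoint-dns-name>:443 -servername mybucket.s3.<REGION>.amazonaws.com, then read the SAN list from the printed certificate. Only names that appear there verify; a CNAME or ALIAS from any other name routes traffic but does not change the name the client verifies.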
