Usage of Gateway endpoint

0

Hi Team,

I recently created a gateway endpoint to S3. Uploaded some files from an EC2 instance.

So I wanted to check how the gateway endpoint is being used. Please suggest.

Regards, Rajesh Khanna B

asked 10 months ago, 208 views
2 Answers
0

You can check the Gateway endpoint documentation to understand better how those work.

When you create a Gateway endpoint you will add a route in the route table of your VPC so the connections to S3 will be redirected to that path instead of using the public internet. Have a look at the routing section of the gateway documentation.

I leave you also this video where you can see a quick guide to how to set up and use an S3 gateway endpoint (from the beginning until minute 3).

AWS
answered 10 months ago
EXPERT
reviewed 10 months ago
0

Hi, this is Abhi from AWS. There are multiple ways of verifying. Here are a few:

  1. Subnet Route Table Review: Review the subnet route table of the subnet where the EC2 instance resides. Does it have a route to a NAT Gateway, NAT instance or Internet Gateway (IGW)? If it does not, that in itself proves that the communication between the EC2 instance and the S3 bucket is via the Gateway Endpoint for S3. If there is a route, then Step 2 and/or Step 3 can be leveraged to get additional verification data.
  2. CloudTrail: You can review the CloudTrail logs, filter them based on the action you perform, for example, a get or a put. If the API call leveraged the Gateway Endpoint, you should see the field vpcEndpointId, which identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.
  3. Server Access Logging: Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket. Among other fields, it contains a field called "Remote IP", which can be defined as "The apparent IP address of the requester. Intermediate proxies and firewalls might obscure the actual IP address of the machine that's making the request." In the case of Gateway Endpoints for S3, this should be the private IPv4 address of the EC2 instance making the request. The following is an example of a log where the "Remote IP" is 192.0.2.3:

79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DOC-EXAMPLE-BUCKET1 [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /DOC-EXAMPLE-BUCKET1?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET1.s3.us-west-1.amazonaws.com TLSV1.2 arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP Yes

As a best practice, to have fine-grained control on which resources can access a specific bucket, you can use Bucket Policies. As referenced in the linked re:Post article, you can use a bucket policy to specify which VPC endpoints, VPC source IP addresses, or external IP addresses can access the S3 bucket.

AWS
EXPERT
answered 10 months ago
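Steps 2 and 3 of the answer above can be checked offline once the logs are exported. The script below is an added example, not code from the answer or from AWS: it parses the leading fields of the S3 server access log format quoted above, tests whether the "Remote IP" falls inside the VPC CIDR (a gateway endpoint shows the instance's private address, a NAT/IGW path shows a public one), and reads vpcEndpointId from a CloudTrail event. The log lines, the VPC CIDR 10.0.0.0/16 and the vpce-... id are constructed sample data.

```python
import ipaddress
import json
import re

# Leading fields of the S3 server access log format quoted in the answer:
# owner bucket [time] remote_ip requester request_id operation key "request_uri" status
_ACCESS_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+)'
)


def parse_access_log(line):
    """Return the named leading fields of one access log line, or None if it does not parse."""
    m = _ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def came_from_vpc(line, vpc_cidrs):
    """True when the Remote IP lies inside one of the VPC CIDRs (consistent with a gateway
    endpoint), False when S3 saw some other address (e.g. a NAT gateway's public IP),
    None when the line does not parse."""
    fields = parse_access_log(line)
    if fields is None:
        return None
    ip = ipaddress.ip_address(fields["remote_ip"])
    return any(ip in ipaddress.ip_network(cidr) for cidr in vpc_cidrs)


def cloudtrail_endpoint_id(event_json):
    """Return vpcEndpointId from a CloudTrail event, or None if the call used no VPC endpoint."""
    return json.loads(event_json).get("vpcEndpointId")


# Constructed sample data: fictitious bucket, requester ids and addresses.
VPC_CIDRS = ["10.0.0.0/16"]
_OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
LOG_VIA_ENDPOINT = (
    f'{_OWNER} DOC-EXAMPLE-BUCKET1 [06/Feb/2019:00:00:38 +0000] 10.0.1.25 {_OWNER} '
    '3E57427F3EXAMPLE REST.PUT.OBJECT report.csv "PUT /DOC-EXAMPLE-BUCKET1/report.csv HTTP/1.1" '
    '200 - - 2048 12 9 "-" "aws-cli/2.0" -'
)
LOG_VIA_NAT = LOG_VIA_ENDPOINT.replace("10.0.1.25", "203.0.113.10")  # public NAT address
CLOUDTRAIL_EVENT = json.dumps({
    "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
    "sourceIPAddress": "10.0.1.25",
    "vpcEndpointId": "vpce-0123456789EXAMPLE",  # constructed placeholder id
})
```

Feed real exported log lines and CloudTrail records through the same two functions; a parsed line with a public Remote IP or an event without vpcEndpointId points at a request that bypassed the endpoint.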
