
s3 static private website 403 forbidden over cross account client VPN

0

We have a setup where an S3 bucket in the production account runs a private static website, and I'm trying to get the access working from our network account using a VPC endpoint (Interface/Gateway). We use transit gateway and client VPN, and the goal is to get this working with AWS Client VPN.

We are using a different VPN solution that runs in the prod account, and there it works fine; we are intending to move to a multi-account setup with AWS Client VPN.

I found that the VPC gateway endpoint does not support that, so I tested using a VPC interface endpoint but am still getting the same error. Is this meant to work for a static website hosted on S3, or am I doing something wrong here?

Thank you

2 Answers
1

You are correct, connectivity to an S3 Gateway endpoint would not work, but connectivity to an S3 Interface endpoint should work. Suggest following the troubleshooting steps mentioned here. Before trying the connectivity remotely from the ClientVPN client, I suggest testing the connectivity locally from within the VPC where your ClientVPN endpoint is spun up. Also note that ClientVPN does an SNAT, so traffic to the destination will be sourced from the ENI of the CVPN endpoint, so you need to make sure those IPs are whitelisted as necessary.


You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (using AWS PrivateLink).

A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3.

Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region using VPC peering or AWS Transit Gateway.

answered 23 days ago
SUPPORT ENGINEER
reviewed 2 days ago
  • Thank you for your answer. Now I'm using the VPC endpoint interface type and I'm still receiving 403 Forbidden. I tried Vpc and Vpce conditions to allow access via the S3 bucket policy but am still not managing to get the static website working via AWS Client VPN (auth rules allow the public S3 IPs, and the security group of the VPN endpoint as well). Additionally I allowed the private IPs of the VPC endpoint on the security group; those are from the same VPC where the VPN endpoint is created. Thanks again for the support. My IAM/S3 policy might not be the best; here is my IAM policy:

```hcl
{
  Statement = [
    {
      Sid    = ""
      Effect = "Allow"
      Action = "s3:GetObject"
      # a principal ARN has to be given in map form; a bare ARN string is rejected
      Principal = { AWS = "arn:aws:iam::yyyyprodyyy:root" }
      # object-level actions need the object ARN (trailing /*), not the bucket ARN
      Resource  = "arn:aws:s3:::bucket.com/*"
      # condition keys contain a colon, so HCL needs them quoted
      Condition = { StringEquals = { "aws:SourceVpc" = "vpc-819" } }
    },
    {
      Sid       = ""
      Effect    = "Allow"
      Action    = "s3:*"
      Principal = { AWS = "arn:aws:iam::xxxnetworkxx:root" }
      Resource  = "arn:aws:s3:::bucket.com/*"
      Condition = { StringEquals = { "aws:SourceVpce" = "vpce-ab" } }
    },
  ]
}
```
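Before blaming the endpoint, it is worth linting the bucket policy itself, since several of the problems in a posted policy like the one above (wildcards lost to markdown, a bare Principal string, a malformed endpoint id) show up without any AWS access. The checker below is an added example, not the poster's code or an AWS tool; the policy it runs against is constructed inline, keeping the poster's placeholder account and endpoint ids, and `markdown_mangled` strips every `*` to reproduce the rendering damage.

```python
# Added example, not the poster's code or an AWS tool: offline checks for the
# bucket policy in this thread, built inline with the poster's placeholder ids.
import copy
import re

ACTION_RE = re.compile(r"^s3:(\*|[A-Za-z]+\*?)$")
ID_RE = {"aws:SourceVpce": re.compile(r"^vpce-[0-9a-f]+$"),
         "aws:SourceVpc": re.compile(r"^vpc-[0-9a-f]+$")}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_statement(stmt):
    """Return findings for one statement; an empty list means nothing obvious is wrong."""
    findings = []
    for action in _as_list(stmt.get("Action")):
        if not ACTION_RE.match(action):
            findings.append(f"malformed Action {action!r} (trailing '*' lost?)")
    for res in _as_list(stmt.get("Resource")):
        if res.endswith("/"):  # "bucket/" names no object; object grants need "bucket/*"
            findings.append(f"Resource {res!r} ends in '/', expected '/*'")
    principal = stmt.get("Principal")
    if isinstance(principal, str) and principal != "*":
        findings.append("Principal ARN must be wrapped as {'AWS': ...}")
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    for key, pattern in ID_RE.items():
        if key in cond and not pattern.match(cond[key]):
            findings.append(f"{key} value {cond[key]!r} is not a valid id")
    return findings

def check_policy(policy):
    """Map statement index -> findings, omitting clean statements."""
    return {i: f for i, s in enumerate(policy["Statement"]) if (f := check_statement(s))}

# Corrected form of the thread's policy (constructed; poster's placeholder ids kept).
CORRECTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::yyyyprodyyy:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket.com/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-819"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::xxxnetworkxx:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::bucket.com/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-ab"}}}]}

def markdown_mangled(policy):
    # Reproduce what the forum's markdown did to the posted policy: eat the '*' wildcards.
    mangled = copy.deepcopy(policy)
    for s in mangled["Statement"]:
        s["Action"], s["Resource"] = s["Action"].replace("*", ""), s["Resource"].replace("*", "")
    return mangled
```

A clean run returns an empty dict; each flagged statement comes back with its index and the list of findings, so the output can be compared against what the console's policy editor rejects.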

0

Looks like the VPC endpoint does not support static websites; it will need a proxy, which does not fit our requirement.

answered 17 days ago
