Access Private S3 static website over VPC peering with VPN

0

Followed step based on : https://repost.aws/knowledge-center/s3-private-connection-no-authentication

  1. I created a bucket where I store my Great Expectations documentation and I want to make it accessible over my company's VPN. My bucket has: Block all public access: On

  2. Created an S3 gateway endpoint with an attached routing table associated with private subnets, which has routes to the NAT and to the peering connection to our VPN.

  3. Added bucket policy that allows traffic from my endpoint:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVpcEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::great-expectations-docs",
                "arn:aws:s3:::great-expectations-docs/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-0c0f4bb767f820bda"
                }
            }
        }
    ]
}

After all these steps I am getting this error:

403 Forbidden
Code: AccessDenied
Message: Access Denied
RequestId: DN74M08H99PNGYE5
HostId: NmWdSKz5qg7UU0Il/8OoovRo9XoMA1giGLsAC2nHq5cIJy7yqX/09NOkFNt5w5agMOfU7FwUBMc=

If I switch to: Block all public access: Off then I can access my website.
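The 403 in the question can be reproduced offline with a small model of how S3 evaluates an anonymous request against this bucket policy. The following is an added example, not part of the question or of any AWS tool: it lifts the policy above unchanged, implements the `StringEquals` / `Principal "*"` subset of the policy language, and compares two constructed request contexts, one that traversed the gateway endpoint (so `aws:SourceVpce` is set) and one that arrived over VPN and VPC peering (so it is not). The set of "non-public" condition keys is an assumed subset of the list S3 Block Public Access uses.

```python
import fnmatch
import json
from typing import Any, Dict, List

# The bucket policy from the question above, reproduced unchanged.
QUESTION_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVpcEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::great-expectations-docs",
                "arn:aws:s3:::great-expectations-docs/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-0c0f4bb767f820bda"
                }
            }
        }
    ]
}
""")

# Global condition keys that S3 Block Public Access accepts as narrowing a
# Principal "*" grant to non-public callers. Assumption: this subset of the
# documented list is the part relevant to the policies on this page.
NON_PUBLIC_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
                   "aws:sourcearn", "aws:sourceaccount"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_anonymous_grant(stmt: Dict[str, Any]) -> bool:
    return stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})


def _condition_matches(condition: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Evaluate a Condition block against the request's context keys.

    Only StringEquals is modelled. Context keys compare case-insensitively,
    as in IAM, and a key absent from the request never matches."""
    ctx_lower = {k.lower(): v for k, v in ctx.items()}
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in clauses.items():
            actual = ctx_lower.get(key.lower())
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def statement_is_public(stmt: Dict[str, Any]) -> bool:
    """True when an anonymous Allow is not narrowed by a non-public condition key."""
    if not _is_anonymous_grant(stmt):
        return False
    keys = {k.lower() for clauses in stmt.get("Condition", {}).values() for k in clauses}
    return not (keys & NON_PUBLIC_KEYS)


def policy_is_public(policy: Dict[str, Any]) -> bool:
    return any(statement_is_public(s) for s in policy["Statement"])


def evaluate(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Decide an anonymous request (a browser on the website endpoint has no IAM identity).

    Returns "ALLOW" when some anonymous Allow statement matches action, resource and
    condition; otherwise "DENY", which S3 surfaces as 403 AccessDenied."""
    for stmt in policy["Statement"]:
        if not _is_anonymous_grant(stmt):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return "ALLOW"
    return "DENY"


OBJECT_ARN = "arn:aws:s3:::great-expectations-docs/index.html"


def demo() -> Dict[str, Any]:
    # Constructed request contexts. A gateway endpoint sets aws:SourceVpce only on
    # traffic that actually traverses it; a request arriving over VPN + peering does
    # not touch the gateway endpoint, so S3 sees a source IP but no endpoint ID.
    via_gateway_endpoint = {"aws:SourceVpce": "vpce-0c0f4bb767f820bda"}
    via_vpn_and_peering = {"aws:SourceIp": "10.20.30.40"}
    return {
        "policy_is_public": policy_is_public(QUESTION_POLICY),
        "same_vpc_via_gateway_endpoint": evaluate(QUESTION_POLICY, "s3:GetObject", OBJECT_ARN, via_gateway_endpoint),
        "on_prem_via_vpn_and_peering": evaluate(QUESTION_POLICY, "s3:GetObject", OBJECT_ARN, via_vpn_and_peering),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model shows two things at once: the policy is not "public" in the Block Public Access sense (the `aws:SourceVpce` condition narrows the `*` principal, which is why S3 accepted it with BPA on), and a request that never passed through the gateway endpoint has no `aws:SourceVpce` in its context, so the only Allow statement fails and the implicit deny becomes the 403.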

asked 2 months ago, 330 views
2 Answers
2

The AWS blog below is in Japanese, but I think it matches what you want to do.
I am using a VPN to access an S3 static hosting site from on-premises by creating an interfaced VPC endpoint and using it as a target for NLB.
https://aws.amazon.com/jp/blogs/news/internal-static-web-hosting/

answered 2 months ago
  • In this blog, an ALB is used instead of NLB. Is there a difference in this scenario? Also, is ACM mandatory? My website is going to be accessed by multiple people, so all of them would need to install certificates on their machines? We are using Tailscale VPN; what if I would add its IPs to the bucket policy? Sorry if my questions don't make sense, I'm not an expert on this matter.

  • In this blog, an ALB is used instead of NLB. Is there a difference in this scenario?

    Since the access is via HTTP, I think you should use ALB.

    Also, is ACM mandatory? My website is going to be accessed by multiple people, so all of them would need to install certificates on their machines?

    ACM is not required. This is required if you want to perform HTTPS communication using a custom domain. It is possible to create an ACM SSL certificate in the public domain and link it to a private ALB.

    We are using Tailscale VPN; what if I would add its IPs to the bucket policy?

    In order to apply IP restrictions to the bucket policy, I think the following policy would be used. The following policy is a policy that only allows access via VPC endpoints. This will make it impossible to access S3 via communication that does not go through the VPC.

    {
       "Version": "2012-10-17",
       "Id": "Policy1415115909152",
       "Statement": [
         {
           "Sid": "Access-to-specific-VPCE-only",
           "Principal": "*",
           "Action": "s3:GetObject",
           "Effect": "Allow",
           "Resource": ["arn:aws:s3:::yourbucketname",
                        "arn:aws:s3:::yourbucketname/*"],
           "Condition": {
             "StringEquals": {
               "aws:SourceVpce": "vpce-1a2b3c4d"
             }
           }
         }
       ]
    }
    
0

Gateway endpoints are not transitive and can only be used by resources running in the same VPC as the endpoint. From the documentation:

Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3.

So you need to use an S3 interface endpoint instead of a gateway endpoint.

answered 2 months ago
  • You can create a Route 53 inbound Resolver endpoint in the same VPC and set your company's DNS server to forward the DNS queries for your domain (URL) to that endpoint. This way, when your on-prem clients want to reach the bucket, they will get routed through the endpoint in order to reach the bucket. I suggest you read this blog post to help you understand it better: https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/

  • Ok, I can try this approach, but I believe I would also need to modify the URL on which I am trying to access the website by incorporating the endpoint details? Maybe you have any examples?
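A client-side check for the interface-endpoint approach discussed in this answer, added here as an example and not taken from the answer, the linked blog or any AWS tool. It builds the two hostnames under which a bucket can be reached through an S3 interface endpoint (the regional name, which only lands on the endpoint when Private DNS is enabled and the on-prem resolver forwards queries to the Route 53 inbound endpoint; and the endpoint-specific `<bucket>.bucket.vpce-...` name), resolves each from the client's point of view, and reports whether the answers are private addresses. The hostname format is assumed from AWS's documented endpoint-specific DNS names; the region, endpoint ID and the addresses in the fake resolver are constructed placeholders.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the client's own DNS, i.e. what an on-prem laptop would see."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)})


def candidate_hostnames(bucket: str, region: str, vpce_dns_suffix: str) -> Dict[str, str]:
    """Two names for the bucket through an interface endpoint.

    Assumed format: vpce_dns_suffix is the 'vpce-<id>-<hash>.s3.<region>.vpce.amazonaws.com'
    part shown on the endpoint; the bucket-style name prefixes '<bucket>.bucket.' to it."""
    return {
        "regional_private_dns": f"{bucket}.s3.{region}.amazonaws.com",
        "endpoint_specific": f"{bucket}.bucket.{vpce_dns_suffix}",
    }


def resolves_privately(host: str, resolver: Resolver = system_resolver) -> bool:
    """True only when the name resolves and every address is RFC 1918 / private."""
    try:
        addrs = resolver(host)
    except (socket.gaierror, KeyError):
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_private for a in addrs)


def choose_url(bucket: str, region: str, vpce_dns_suffix: str, key: str,
               resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Pick the URL an on-prem client should use, based on what its DNS returns.

    'not-via-endpoint' means the request would go to public S3 without an
    aws:SourceVpce context key, which a VPCE-only bucket policy answers with 403."""
    names = candidate_hostnames(bucket, region, vpce_dns_suffix)
    if resolves_privately(names["regional_private_dns"], resolver):
        return {"status": "private-dns-forwarded",
                "url": f"https://{names['regional_private_dns']}/{key}"}
    if resolves_privately(names["endpoint_specific"], resolver):
        return {"status": "endpoint-specific-name",
                "url": f"https://{names['endpoint_specific']}/{key}"}
    return {"status": "not-via-endpoint",
            "url": f"https://{names['regional_private_dns']}/{key}"}


# Constructed DNS answers standing in for a client whose resolver is NOT forwarded
# to the Route 53 inbound endpoint: the regional name still resolves to public S3,
# while the endpoint-specific name resolves to the endpoint's private ENIs.
REGION = "eu-west-1"                                              # placeholder
VPCE_SUFFIX = "vpce-0123456789abcdef0-ab12cd34.s3.eu-west-1.vpce.amazonaws.com"  # placeholder
FAKE_DNS = {
    "great-expectations-docs.s3.eu-west-1.amazonaws.com": ["52.218.100.10"],
    f"great-expectations-docs.bucket.{VPCE_SUFFIX}": ["10.0.1.25", "10.0.2.40"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS[host]


def demo() -> Dict[str, str]:
    return choose_url("great-expectations-docs", REGION, VPCE_SUFFIX, "index.html", fake_resolver)


if __name__ == "__main__":
    print(demo())
```

Run against the real resolver (drop the `fake_resolver` argument) from an on-prem machine on the VPN: `private-dns-forwarded` confirms the Route 53 forwarding described above is in place and the unchanged bucket URL can be used; `endpoint-specific-name` means the endpoint is reachable but the URL has to carry the endpoint name; `not-via-endpoint` is the situation that produces the 403 in the question.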
