How to access private S3 bucket using VPC gateway endpoint?

0

I have a bucket with Block public access enabled and a VPC with an S3 Gateway endpoint. When I request the object URL from an EC2 instance inside this VPC (which has an IAM Role to access S3), I get Access denied. So, how do I access a private S3 bucket using a VPC gateway endpoint?

2 Answers
0

Block public access must be disabled to access by object URL.
Only via VPC endpoints if the following bucket policy is set.
However, it has not been verified whether access by object URL is possible.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVPCe",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                 "s3:Get*",
                 "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET-NAME",
                "arn:aws:s3:::BUCKET-NAME/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "VPC Endpoint ID"
                }
            }
        }
    ]
}
EXPERT
answered a year ago
  • Thank you for your suggestion. As I understand, if the bucket and EC2 are in the same account, only an IAM Role is needed to access the bucket. But now I have an S3 bucket with block public access and got a Permission denied error when using s3 cp to copy an object from S3 to EC2. Normally, which solution do we use to get an object from S3 to EC2 if S3 blocks public access?

  • I think it is common via VPC endpoints.

0

You only have to disable Block Public Access if you want to access your bucket as a static website (not recommended). Otherwise if you're accessing it via its REST interface (e.g. via the AWS CLI or API) then you just need the right credentials. As you said, an IAM Role allowing your EC2 instance to access S3 should be fine.

To use a VPC Gateway endpoint, you need an entry in your subnet route table directing an AWS-managed Prefix List to that gateway.

EXPERT
answered a year ago
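
A way to check the two settings the answers above point to, the `aws:sourceVpce` bucket-policy condition and the prefix-list route to the gateway endpoint, written as an added Python example that is not part of either answer. The route-table and policy data are constructed samples with placeholder IDs, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output for the
# instance's subnet. Every ID here is a made-up placeholder.
ROUTE_TABLE = json.loads("""{
  "RouteTableId": "rtb-EXAMPLE",
  "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationPrefixListId": "pl-EXAMPLE", "GatewayId": "vpce-EXAMPLE1", "State": "active"}
  ]}""")

# Constructed bucket policy with the same shape as the one in the first answer.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowVPCe", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*"],
    "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-EXAMPLE1"}}}]}

def routed_endpoints(route_table):
    """Gateway endpoint IDs that an active prefix-list route points at."""
    return {r["GatewayId"] for r in route_table.get("Routes", [])
            if r.get("DestinationPrefixListId") and r.get("State") == "active"
            and r.get("GatewayId", "").startswith("vpce-")}

def policy_endpoints(policy):
    """Endpoint IDs named under aws:sourceVpce (condition keys are case-insensitive)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    ids = set()
    for stmt in statements:
        for keys in stmt.get("Condition", {}).values():
            for key, value in keys.items():
                if key.lower() == "aws:sourcevpce":
                    ids.update([value] if isinstance(value, str) else value)
    return ids

def diagnose(route_table, policy):
    """Return a list of findings; an empty list means both checks pass."""
    routed, named = routed_endpoints(route_table), policy_endpoints(policy)
    findings = []
    if not routed:
        findings.append("no active prefix-list route to a gateway endpoint")
    for vpce in sorted(named - routed):
        findings.append(f"policy names {vpce}, which this subnet does not route through")
    return findings

if __name__ == "__main__":
    print(diagnose(ROUTE_TABLE, BUCKET_POLICY) or "route and policy agree")
```

Requests from a subnet without the prefix-list route do not pass through the endpoint, so a statement conditioned on `aws:sourceVpce` does not match them.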
