1 Answer
You could add a bucket policy that only allows access from specific VPC endpoints. See: Controlling access from VPC endpoints with bucket policies.
The traffic over a VPC Endpoint stays on the AWS network. However, even traffic routed out an Internet Gateway will stay on the AWS network if calling AWS services. See this FAQ:
Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?

No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

In addition, all data flowing across the AWS global network that interconnects our data centers and Regions is automatically encrypted at the physical layer before it leaves our secured facilities. Additional encryption layers exist as well; for example, all VPC cross-region peering traffic, and customer or service-to-service Transport Layer Security (TLS) connections.
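The bucket policy the answer refers to, as an added example that is not part of the original answer: it denies every S3 action on the bucket unless the request arrives through the named VPC endpoint, using the aws:SourceVpce condition key. The bucket name and the endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "restrict-to-vpc-endpoint",
  "Statement": [
    {
      "Sid": "DenyUnlessFromApprovedVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE-ID"
        }
      }
    }
  ]
}
```

Because the Deny applies to every principal, requests from the console, the CLI on your workstation, and any pre-signed URL fetched from outside the endpoint are all refused as well, so test it from an instance in the VPC before relying on it and keep a break-glass path (for example, a second StringNotEquals value for an admin VPC endpoint) if you need one.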
Thank you for your answer!
I have a question, please: I would like to know whether a put/get from S3 using a pre-signed URL goes over the public internet or over the AWS backbone.
How can the partner access my S3 bucket privately via the pre-signed URL (without going over the public internet)? Thank you!