S3 Interface Endpoint from On-Prem Access Denied

0

Hello,

We have S3 Endpoint (interface type) created at eu-west-1 region.

We are trying to write to the buckets using the DNS created in eu-west-1 from our on-premise location connected via Direct Connect.

DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com

I have given the following permissions in the bucket policy to write to this bucket, but when we try to upload/write to it we still get an Access Denied error, shown below.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3::<bucket-name>"
            ]
        }
    ]
}

OTErrWrnLn||ERROR||-1||SERVICE||GBS3||<Bucket_Name> Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 0QWNYWPJZY14EGRC; S3 Extended Request ID: sXic/CHy/OU5oakn7MBb6UESIbggdr9IxaILUiVuGMeUu7iZTUpIUpLeIUieNs82g6jXdBdQ3sU=)||-1||-1||-1|| Access Denied

I would like to know what permission is required to write to this bucket from on-premises, please, or any other steps or configuration I need to apply.

When I run nslookup on the s3 endpoint from the on-prem server, it resolves to private IP.

BTW, it works when I enable Allow Public Access.

Thank you

Asked 2 years ago, viewed 460 times
2 answers
0

When you say "I run nslookup on the s3 endpoint from the on-prem server, it resolves to private IP", what s3 endpoint do you mean? At some point you need to override DNS resolution of the standard s3 service name (as opposed to your vpc endpoint domain name) so that it no longer maps to a public IP. Within a VPC you can do that by directly overriding with a Private Hosted Zone, but in your hybrid situation where you need to do this on-prem, you need to delegate resolution via a Route 53 Resolver Endpoint. See for example https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html.

Expert
Answered 2 years ago
  • The nslookup is on the S3 endpoint DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com which we are using to connect from on-premise and resolves to private IP.

0

A couple of the Resources in your policy don't look right - they are "s3::<bucket-name>" instead of "s3:::<bucket-name>". If you still have problems, what are you using to access S3 from on-prem?

Expert
Answered 2 years ago
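The two answers above point at two separate problems: malformed S3 ARNs in the Resource list, and (implied by "it works when I enable Allow Public Access") a bucket policy that grants Allow to Principal "*" with no Condition, which S3 treats as public and which Block Public Access therefore refuses to honour. The script below is an added example, not code from the question or either answer: it lints the posted policy for both issues and emits a hardened copy that repairs the ARNs and scopes each wildcard-principal statement to one VPC endpoint with the aws:SourceVpce condition key. The bucket name "example-bucket" and the endpoint ID "vpce-0123456789abcdef0" are assumed placeholders, and the policy text is the one from the question, embedded here as constructed sample input.

```python
import json
import re

# Constructed sample: the bucket policy posted in the question, with the
# <bucket-name> placeholder filled in as the assumed name "example-bucket".
POSTED_POLICY = json.loads(r'''
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:ListBucket"],
            "Resource": ["arn:aws:s3::example-bucket/*", "arn:aws:s3:::example-bucket"]
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3::example-bucket"]
        }
    ]
}
''')

# S3 bucket ARNs carry no region and no account ID, so exactly three colons
# follow "s3" (arn:partition:s3:::bucket[/key]).
S3_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:s3:::[a-z0-9.-]{3,63}(?:/.*)?$")

# Condition keys that restrict a wildcard principal; an Allow that carries one
# of these is not "public" in the sense Block Public Access evaluates.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
                "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
                "aws:principalorgid", "aws:principalaccount", "aws:userid"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (either form means anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def has_scoping_condition(stmt):
    for operator_block in stmt.get("Condition", {}).values():
        if any(key.lower() in SCOPING_KEYS for key in operator_block):
            return True
    return False


def lint_bucket_policy(policy):
    """Return a list of findings: malformed S3 ARNs and public wildcard Allows."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for arn in as_list(stmt.get("Resource", [])):
            if not S3_ARN.match(arn):
                findings.append(f"statement {i}: malformed S3 ARN {arn!r}")
        if (stmt.get("Effect") == "Allow"
                and is_wildcard_principal(stmt.get("Principal"))
                and not has_scoping_condition(stmt)):
            findings.append(f"statement {i}: Allow to Principal '*' with no "
                            f"scoping Condition (treated as public)")
    return findings


def harden(policy, vpce_id):
    """Deep-copy the policy, repair s3:: / s3: ARNs to s3:::, and restrict every
    wildcard-principal Allow to requests arriving through the given VPC endpoint."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        stmt["Resource"] = [
            re.sub(r"^(arn:aws(?:-[a-z]+)*:s3):{1,2}(?=[^:])", r"\1:::", arn)
            for arn in as_list(stmt.get("Resource", []))
        ]
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:SourceVpce"] = vpce_id
    return fixed


if __name__ == "__main__":
    for finding in lint_bucket_policy(POSTED_POLICY):
        print("FINDING:", finding)
    hardened = harden(POSTED_POLICY, "vpce-0123456789abcdef0")  # assumed endpoint ID
    print(json.dumps(hardened, indent=2))
    print("findings after hardening:", lint_bucket_policy(hardened))
```

Two caveats when applying the hardened policy. The aws:SourceVpce key is only present on a request that actually traverses the interface endpoint, so if on-prem DNS still resolves the regular S3 service name to public IPs (the first answer's point) the condition never matches and the request is denied. And Principal "*" scoped by aws:SourceVpce still requires each request to be SigV4-signed by some IAM principal; it only removes the need to enumerate those principals in the bucket policy, it does not allow anonymous access.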
