How to access private S3 bucket using VPC gateway endpoint?

0

I have a bucket with Block Public Access enabled, and a VPC with an S3 Gateway endpoint. When I request an object URL from an EC2 instance inside this VPC (which has an IAM Role to access S3) ====>> Access denied. So, how do I access a private S3 bucket using a VPC gateway endpoint?

Asked 1 year ago, viewed 1106 times
2 answers
0

Block Public Access must be disabled to access the bucket by object URL.
Access is possible only via VPC endpoints if the following bucket policy is set.
However, it has not been verified whether access by object URL is possible.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVPCe",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET-NAME",
                "arn:aws:s3:::BUCKET-NAME/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "VPC Endpoint ID"
                }
            }
        }
    ]
}
Expert
Answered 1 year ago
  • Thank you for your suggestion. As I understand it, if the bucket and the EC2 instance are in the same account, only an IAM Role is needed to access the bucket. But now I have an S3 bucket with Block Public Access and get a Permission denied error when I `s3 cp` an object from S3 to EC2. Normally, which solution do we use to get an object from S3 to EC2 if S3 blocks public access?

  • I think it is commonly done via VPC endpoints.

0

You only have to disable Block Public Access if you want to access your bucket as a static website (not recommended). Otherwise, if you're accessing it via its REST interface (e.g. via the AWS CLI or API), then you just need the right credentials. As you said, an IAM Role allowing your EC2 instance to access S3 should be fine.

To use a VPC Gateway endpoint, you need an entry in your subnet route table directing an AWS-managed Prefix List to that gateway.

Expert
Answered 1 year ago
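The two answers above turn on two points: the VPC-endpoint-restricted bucket policy from the first answer, and the second answer's observation that a bare object URL is an unauthenticated request while the CLI/SDK sign the same GET with the role's credentials. The following script is an added example (not code from either answerer or from AWS) that shows both with the Python standard library only: it builds the bucket policy with validated inputs (so the ARN carries no stray spaces and the condition key is `aws:SourceVpce`), and it performs the SigV4 signing steps that `aws s3 cp` performs, so you can see where the identity actually travels. The bucket name, endpoint ID, access key and secret key in it are placeholders; the `sign_s3_get` inputs in the `__main__` block are the ones used in the AWS SigV4 documentation's GET Object example, so the resulting signature can be compared against the published one.

```python
"""Added example: VPCE-restricted bucket policy and a SigV4-signed S3 GET.

A plain object URL such as https://BUCKET.s3.REGION.amazonaws.com/KEY carries
no Authorization header, so S3 evaluates it as an anonymous request and a
private bucket denies it regardless of which VPC it came from. The CLI and
SDKs send the same GET with a SigV4 Authorization header built as below.
"""
import hashlib
import hmac
import json
import re

BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
VPCE_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a bodiless GET


def vpce_bucket_policy(bucket, vpce_id, actions=("s3:Get*", "s3:List*")):
    """Bucket policy allowing read access only for requests that arrive
    through the given S3 gateway endpoint. Inputs are validated so the
    generated ARNs and condition value are well-formed."""
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    if not VPCE_RE.match(vpce_id):
        raise ValueError(f"invalid VPC endpoint id: {vpce_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowVPCe",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            # Global condition key; IAM condition key names are case-insensitive.
            "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_s3_get(bucket, key, region, access_key, secret_key, amz_date,
                host=None, extra_headers=None, session_token=None):
    """Return (headers, canonical_request) for a SigV4-signed GET of
    s3://bucket/key. `key` is assumed to be already URI-safe."""
    host = host or f"{bucket}.s3.{region}.amazonaws.com"
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,
    }
    if session_token:  # instance-role credentials are temporary and carry a token
        headers["x-amz-security-token"] = session_token
    # Canonical headers: lowercase names, trimmed values, sorted by name.
    headers.update({k.lower(): v.strip() for k, v in (extra_headers or {}).items()})
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "GET", "/" + key, "",  # method, canonical URI, empty query string
        canonical_headers, signed, EMPTY_SHA256,
    ])
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return headers, canonical_request


if __name__ == "__main__":
    # Placeholder bucket and endpoint id (constructed for this example).
    print(json.dumps(vpce_bucket_policy("my-private-bucket", "vpce-0123456789abcdef0"), indent=2))
    # Inputs from the AWS SigV4 docs' GET Object example (example credentials).
    hdrs, creq = sign_s3_get(
        "examplebucket", "test.txt", "us-east-1",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "20130524T000000Z", host="examplebucket.s3.amazonaws.com",
        extra_headers={"Range": "bytes=0-9"},
    )
    print(creq)
    print(hdrs["authorization"])
```

On an EC2 instance the access key, secret key and session token come from the instance metadata service via the attached role, so nothing here needs to be hard-coded; the point of the example is that the "object URL" the question refers to contains none of these headers, which is why Block Public Access and the bucket policy treat it as a public request and deny it, while the same object fetched through `aws s3 cp` succeeds with the role's permissions.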
