To Nha Notes | Feb. 4, 2025, 4:10 p.m.
A VPC endpoint for S3 is a private connection between your VPC and Amazon S3: traffic to and from your S3 bucket stays within the Amazon network and never traverses the public internet. This gives better performance, security, and compliance posture for your infrastructure.
To create a gateway endpoint using the console:

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Endpoints.
3. Choose Create endpoint.
4. For Service category, choose AWS services.
5. For Services, add the filter Type = Gateway and select com.amazonaws.region.s3, where region is the Region of your VPC.
6. For VPC, select the VPC in which to create the endpoint.
7. For Route tables, select the route tables to be used by the endpoint. A route that sends traffic destined for S3 to the endpoint is added to each selected route table automatically.
8. For Policy, select Full access to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, select Custom to attach a VPC endpoint policy that controls which actions principals can perform on which resources over the endpoint.
9. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
10. Choose Create endpoint.
The bucket policy below allows s3:GetObject only when the request carries an aws:SourceVpc value equal to your VPC id. That condition key is set only on requests that arrive through a VPC endpoint, so requests from the public internet never satisfy it. Note that "Principal": "*" means any caller in that VPC, including unauthenticated requests, can read the objects; replace your-bucket-name and vpc-xxxxxxxx with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-xxxxxxxx"
        }
      }
    }
  ]
}
```
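As an added illustration, not code from the original post, here is a small Python simulator of how S3 evaluates the policy above. The bucket name, VPC id and request contexts are constructed sample values; the evaluator implements only the matching and the StringEquals / StringNotEquals operators this policy (and its Deny form in the linked AWS docs) needs.

```python
# Constructed sample values (not from the page): the bucket name and VPC id.
BUCKET, VPC_ID = "your-bucket-name", "vpc-0123456789abcdef0"

def bucket_policy(bucket: str, vpc_id: str) -> dict:
    # The bucket policy from this page, parametrised on bucket and VPC id.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": vpc_id}}}]}

def _matches(pattern: str, value: str) -> bool:
    # Minimal IAM-style matching: bare '*', a trailing '*' wildcard, or exact string.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _condition_ok(cond: dict, ctx: dict) -> bool:
    # A key absent from the request context (no aws:SourceVpc on a request from the
    # public internet) never satisfies StringEquals and always satisfies StringNotEquals.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    # Simplified bucket-policy evaluation: explicit Deny wins, then Allow, else
    # implicit deny. Principal matching is skipped because the policy uses "*".
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not _matches(st["Resource"], resource):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

POLICY = bucket_policy(BUCKET, VPC_ID)
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.csv"
# Through the gateway endpoint in the allowed VPC: aws:SourceVpc is present and matches.
VIA_ENDPOINT = evaluate(POLICY, "s3:GetObject", OBJECT_ARN, {"aws:SourceVpc": VPC_ID})
# From the public internet: the key is absent, so the Allow statement never applies.
VIA_INTERNET = evaluate(POLICY, "s3:GetObject", OBJECT_ARN, {"aws:SourceIp": "203.0.113.7"})
```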
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3