Before you start
The blog entry here explains why you should use VPC endpoints. In this part, we’ll dive deeper into the technical aspects.
How does an EC2 instance access S3?
- Public instances can access S3 directly.
- Instances in private subnets use either NAT or VPC endpoints to access S3.
Note: For security reasons, EC2 instances should not have a public IP assigned. Doing so provides a large surface attack for malicious users.
What are S3 VPC endpoints?
An S3 VPC endpoint is a managed virtual device that
- Can be attached to any routing table within a single VPC
- Can be used to route traffic S3 within a single region
- Can be used in a multi-account setting
- Has lower network latency than accessing S3 via NAT
- Is more secure because the network packets never leave the internal AWS network
- Check if subnet routes S3 traffic use an Internet gateway. Accessing S3 through an Internet gateway is free. You can still use a S3 VPC if you want to increase security, but without any cost savings.
- Verify that there are subnets having a route to S3. Don’t add a S3 endpoint in this case, since the route to S3 might have been removed for sandboxing or security purposes.
- The target S3 bucket should be in the same region. AWS routes cross-region access via the NAT gateway.
- Verify your application isn’t using legacy paths. AWS routes legacy paths via the NAT gateway
- Make sure there are no open connections to the S3 bucket. Any open connection might be dropped during re-routing. Perform these changes during maintenance windows to avoid interruptions.
- Open the VPC dashboard in the AWS Management Console
- Select the desired region
- Select the Endpoints tab
- Click on Create Endpoint
- Select the S3 service and the VPC you want to connect
- Select the subnets that will access this endpoint
- Select the security groups and review the policy
- Add tags (Optional)
- Click on Create Endpoint
- Verify S3 access is routed over the new endpoint. You can use traceroute on the EC2 instance to check the routes to S3 are correct.
- New – VPC Endpoint for Amazon S3. (2015, May 11). Amazon Web Services. Read more
- Logically Isolated Virtual Network – Amazon VPC Pricing – Amazon Web Services. (n.d.-a). Amazon Web Services, Inc. Read more
- Amazon S3 Path Deprecation Plan – The Rest of the Story. (2020, September 23). Amazon Web Services. Retrieved October 18, 2021, from Read more
- Connect to an S3 bucket privately without using authentication. (n.d.). Amazon Web Services, Inc. Retrieved October 18, 2021, from Read more
- How can I find the IP address ranges used by Amazon S3? (n.d.). Amazon Premium Support. Retrieved October 18, 2021, from Read more