AWS PrivateLink for Amazon S3
With AWS PrivateLink for Amazon S3, you can provision interface VPC endpoints (interface endpoints) in your virtual private cloud (VPC). These endpoints are directly accessible from applications that are on premises over VPN and AWS Direct Connect, or in a different AWS Region over VPC peering.
Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests that are made to interface endpoints for Amazon S3 are automatically routed to Amazon S3 on the Amazon network. You can also access interface endpoints in your VPC from on-premises applications through AWS Direct Connect or AWS Virtual Private Network (AWS VPN). For more information about how to connect your VPC with your on-premises network, see the AWS Direct Connect User Guide and the AWS Site-to-Site VPN User Guide.
For general information about interface endpoints, see Interface VPC endpoints (AWS PrivateLink) in the AWS PrivateLink Guide.
Types of VPC endpoints for Amazon S3
You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (using AWS PrivateLink). A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region using VPC peering or AWS Transit Gateway. For more information, see What is VPC peering and Transit Gateway vs VPC peering.
Interface endpoints are compatible with gateway endpoints. If you have an existing gateway endpoint in the VPC, you can use both types of endpoints in the same VPC.
| Gateway endpoints for Amazon S3 | Interface endpoints for Amazon S3 |
|---|---|
| In both cases, your network traffic remains on the AWS network. | In both cases, your network traffic remains on the AWS network. |
| Use Amazon S3 public IP addresses | Use private IP addresses from your VPC to access Amazon S3 |
| Use the same Amazon S3 DNS names | Require endpoint-specific Amazon S3 DNS names |
| Does not allow access from on premises | Allow access from on premises |
| Does not allow access from another AWS Region | Allow access from a VPC in another AWS Region using VPC peering or AWS Transit Gateway |
| Not billed | Billed |
For more information about gateway endpoints, see Gateway VPC endpoints in the AWS PrivateLink Guide.
Restrictions and limitations of AWS PrivateLink for Amazon S3
VPC limitations apply to AWS PrivateLink for Amazon S3. For more information, see Interface endpoint properties and limitations and AWS PrivateLink quotas in the AWS PrivateLink Guide. In addition, the following restrictions apply.
AWS PrivateLink for Amazon S3 does not support the following:
Accessing Amazon S3 interface endpoints
To access Amazon S3 using AWS PrivateLink, you must update your applications to use endpoint-specific DNS names.
When you create an interface endpoint, Amazon S3 generates two types of endpoint-specific, S3 DNS names: Regional and zonal.
- Regional DNS names include a unique VPC endpoint ID, a service identifier, the AWS Region, and vpce.amazonaws.com in its name. For example, for VPC endpoint ID vpce-1a2b3c4d, the DNS name generated might be similar to vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com.
- Zonal DNS names include the Availability Zone, for example, vpce-1a2b3c4d-5e6f-us-east-1a.s3.us-east-1.vpce.amazonaws.com. You might use this option if your architecture isolates Availability Zones. For example, you could use it for fault containment or to reduce Regional data transfer costs.
Endpoint-specific S3 DNS names can be resolved from the S3 public DNS domain.
Amazon S3 interface endpoints do not support the private DNS feature of interface endpoints. For more information about Private DNS for interface endpoints, see the AWS PrivateLink Guide.
Accessing buckets and S3 access points from S3 interface endpoints
You can use the AWS CLI or AWS SDK to access buckets, S3 access points, and S3-control APIs through S3 interface endpoints.
The following image shows the VPC console Details tab, where you can find the DNS name of a VPC endpoint. In this example, the VPC endpoint ID (vpce-id) is vpce-0e25b8cdd720f900e and the DNS name is *.vpce-0e25b8cdd720f900e-argc85vg.s3.us-east-1.vpce.amazonaws.com. Remember to replace * when using the DNS name. For example, to access a bucket, the DNS name would be bucket.vpce-0e25b8cdd720f900e-argc85vg.s3.us-east-1.vpce.amazonaws.com.
You can also prepend the name of your bucket to the DNS name. For example, if you wanted to access my-bucket, the URL would be my-bucket.bucket.vpce-0e25b8cdd720f900e-argc85vg.s3.us-east-1.vpce.amazonaws.com.

For more about how to view your endpoint-specific DNS names, see Viewing endpoint service private DNS name configuration in the VPC User Guide.
AWS CLI examples
Use the --region and --endpoint-url parameters to access S3 buckets, S3 access points, or S3 control APIs through S3 interface endpoints.
Example: Use the endpoint URL to list objects in your bucket
In the following example, replace the region us-east-1, VPC endpoint ID vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com, and bucket name my-bucket with appropriate information.
aws s3 --region us-east-1 --endpoint-url https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com ls s3://my-bucket/
Example: Use the endpoint URL to list objects from an access point
In the following example, replace the ARN us-east-1:123456789012:accesspoint/test, region us-east-1, and VPC endpoint ID vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com with appropriate information.
aws s3api list-objects-v2 --bucket arn:aws:s3:us-east-1:123456789012:accesspoint/test --region us-east-1 --endpoint-url https://accesspoint.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com
Example: Use the endpoint URL to list jobs with S3 control
In the following example, replace the region us-east-1, VPC endpoint ID vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com, and account ID 12345678 with appropriate information.
aws s3control --region us-east-1 --endpoint-url https://control.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com list-jobs --account-id 12345678
AWS SDK examples
Update your SDKs to the latest version, and configure your clients to use an endpoint URL for accessing a bucket, access point, or S3 control API through S3 interface endpoints.
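The SDK step amounts to deriving the right endpoint URL from the *.vpce-... name shown in the console (bucket, accesspoint or control prefix, Regional or zonal) and pinning the client to it. The helpers below are an added example, not AWS code; they assume boto3 is installed for s3_client() and assume the vpce-<id>-<suffix>.s3.<region> name layout described above.

```python
import re

# Prefix that replaces the console's "*", mapped to the SDK service it serves.
KINDS = {"bucket": "s3", "accesspoint": "s3", "control": "s3control"}

# Regional endpoint-specific name as shown in the VPC console Details tab, e.g.
# *.vpce-0e25b8cdd720f900e-argc85vg.s3.us-east-1.vpce.amazonaws.com
# (assumption: the vpce-<id>-<suffix>.s3.<region>.vpce.amazonaws.com layout).
_CONSOLE_NAME = re.compile(
    r"^\*\.(?P<vpce>vpce-[0-9a-f]+-[0-9a-z]+)\.s3\."
    r"(?P<region>[a-z]{2}-[a-z]+-\d)\.vpce\.amazonaws\.com$"
)


def parse_console_name(console_dns_name):
    """Return (vpce_name, region) from the '*.vpce-...' name, or raise ValueError."""
    m = _CONSOLE_NAME.match(console_dns_name.strip())
    if not m:
        raise ValueError(f"not an S3 interface endpoint DNS name: {console_dns_name!r}")
    return m.group("vpce"), m.group("region")


def endpoint_url(console_dns_name, kind="bucket", az=None):
    """Build the --endpoint-url value: Regional by default, zonal when an AZ is given."""
    if kind not in KINDS:
        raise ValueError(f"kind must be one of {sorted(KINDS)}")
    vpce, region = parse_console_name(console_dns_name)
    if az is not None:
        if not az.startswith(region):  # a zonal name must belong to the endpoint's Region
            raise ValueError(f"AZ {az} is not in Region {region}")
        vpce = f"{vpce}-{az}"
    return f"https://{kind}.{vpce}.s3.{region}.vpce.amazonaws.com"


def s3_client(console_dns_name, kind="bucket", az=None):
    """boto3 client pinned to the interface endpoint (boto3 assumed installed).
    Virtual-hosted addressing makes bucket requests go to
    my-bucket.bucket.vpce-....vpce.amazonaws.com, the form described above."""
    import boto3  # imported here so the URL helpers stay usable without the SDK
    from botocore.config import Config
    _, region = parse_console_name(console_dns_name)
    url = endpoint_url(console_dns_name, kind, az)
    if KINDS[kind] == "s3":
        cfg = Config(s3={"addressing_style": "virtual"})
        return boto3.client("s3", region_name=region, endpoint_url=url, config=cfg)
    return boto3.client("s3control", region_name=region, endpoint_url=url)
```

Because the helpers refuse anything that is not under the S3 PrivateLink domain, a misconfigured name fails loudly instead of silently sending traffic to the public endpoint.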
Updating an on-premises DNS configuration
When using endpoint-specific DNS names to access the interface endpoints for Amazon S3, you don’t have to update your on-premises DNS resolver. You can resolve the endpoint-specific DNS name with the private IP address of the interface endpoint from the public Amazon S3 DNS domain.
Using interface endpoints to access Amazon S3 without a gateway endpoint or an internet gateway in the VPC
Interface endpoints in your VPC can route both in-VPC applications and on-premises applications to Amazon S3 over the Amazon network, as illustrated in the following diagram.

The diagram illustrates the following:
- Your on-premises network uses AWS Direct Connect or AWS VPN to connect to VPC A.
- Your applications on premises and in VPC A use endpoint-specific DNS names to access Amazon S3 through the S3 interface endpoint.
- On-premises applications send data to the interface endpoint in the VPC through AWS Direct Connect (or AWS VPN). AWS PrivateLink moves the data from the interface endpoint to Amazon S3 over the AWS network.
- In-VPC applications also send traffic to the interface endpoint. AWS PrivateLink moves the data from the interface endpoint to Amazon S3 over the AWS network.
Using gateway endpoints and interface endpoints together in the same VPC to access Amazon S3
You can create interface endpoints and retain the existing gateway endpoint in the same VPC, as the following diagram shows. By doing this, you allow in-VPC applications to continue accessing Amazon S3 through the gateway endpoint, which is not billed. Then, only your on-premises applications would use interface endpoints to access Amazon S3. To access S3 this way, you must update your on-premises applications to use endpoint-specific DNS names for Amazon S3.

The diagram illustrates the following:
- On-premises applications use endpoint-specific DNS names to send data to the interface endpoint within the VPC through AWS Direct Connect (or AWS VPN). AWS PrivateLink moves the data from the interface endpoint to Amazon S3 over the AWS network.
- Using default Regional Amazon S3 names, in-VPC applications send data to the gateway endpoint that connects to Amazon S3 over the AWS network.
For more information about gateway endpoints, see Gateway VPC endpoints in the VPC User Guide.
Creating a VPC endpoint policy for Amazon S3
You can attach an endpoint policy to your VPC endpoint that controls access to Amazon S3. The policy specifies the following information:
- The AWS Identity and Access Management (IAM) principal that can perform actions
- The actions that can be performed
- The resources on which actions can be performed
You can also use Amazon S3 bucket policies to restrict access to specific buckets from a specific VPC endpoint using the aws:sourceVpce condition in your bucket policy.
The following examples show policies that restrict access to a bucket or to an endpoint.
- When applying the Amazon S3 bucket policies for VPC endpoints described in this section, you might block your access to the bucket without intending to do so. Bucket permissions that are intended to specifically limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket. For information about how to fix this issue, see My bucket policy has the wrong VPC or VPC endpoint ID. How can I fix the policy so that I can access the bucket? in the AWS Support Knowledge Center.
- Before using the following example policy, replace the VPC endpoint ID with an appropriate value for your use case. Otherwise, you won't be able to access your bucket.
- This policy disables console access to the specified bucket, because console requests don't originate from the specified VPC endpoint.
Example: Restricting access to a specific bucket from a VPC endpoint
You can create an endpoint policy that restricts access to specific Amazon S3 buckets only. This is useful if you have other AWS services in your VPC that use buckets. The following policy restricts access to DOC-EXAMPLE-BUCKET1 only. Replace DOC-EXAMPLE-BUCKET1 with the name of your bucket.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909151",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1", "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"]
    }
  ]
}
Example: Restricting access to buckets in a specific account from a VPC endpoint
You can create a policy that restricts access only to the S3 buckets in a specific AWS account. Use this to prevent clients within your VPC from accessing buckets that you do not own. The following example creates a policy that restricts access to resources owned by a single AWS account ID, 111122223333.
{
  "Statement": [
    {
      "Sid": "Access-to-bucket-in-specific-account-only",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringNotEquals": {"aws:ResourceAccount": "111122223333"}
      }
    }
  ]
}
You can use either the aws:ResourceAccount key or the s3:ResourceAccount key in your IAM policy to specify the AWS account ID of the resource being accessed.
Example: Restricting access to a specific VPC endpoint in the S3 bucket policy
The following Amazon S3 bucket policy allows access to a specific bucket, DOC-EXAMPLE-BUCKET2, from endpoint vpce-1a2b3c4d only. The policy denies all access to the bucket if the specified endpoint is not being used. The aws:sourceVpce condition is used to specify the endpoint and does not require an Amazon Resource Name (ARN) for the VPC endpoint resource, only the endpoint ID. Replace DOC-EXAMPLE-BUCKET2 and vpce-1a2b3c4d with a real bucket name and endpoint.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"],
      "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}
    }
  ]
}
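To see why the aws:sourceVpce Deny above locks out console requests, and what the account-scoped Deny does and does not cover, here is a small evaluator (an added example, not AWS code) that models only the StringEquals and StringNotEquals operators used in these policies; the two policies are embedded as copies of the page's examples with their placeholder values.

```python
import fnmatch

# Copies of the page's bucket policy (aws:sourceVpce Deny) and account-scoped
# endpoint policy (aws:ResourceAccount Deny), with the page's placeholder values.
VPCE_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Principal": "*",
    "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]}
ACCOUNT_POLICY = {"Statement": [{
    "Sid": "Access-to-bucket-in-specific-account-only", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Deny",
    "Resource": "arn:aws:s3:::*",
    "Condition": {"StringNotEquals": {"aws:ResourceAccount": "111122223333"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Model StringEquals/StringNotEquals only (all these policies use).
    IAM treats a negated operator as satisfied when the key is absent from the
    request context, so a request with no aws:sourceVpce at all (a console
    request, for instance) is caught by the Deny: the lockout the note warns about."""
    for op, pairs in condition.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            actual = ctx.get(key)  # None when the key is missing from the request
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def explicitly_denied(policy, action, resource, ctx):
    """True when some Deny statement matches the action, resource and condition."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False
```

Note that the account-scoped policy only denies s3:GetObject and s3:PutObject, so a listing call against a foreign bucket is not blocked by it; an explicit Deny only covers the actions it names.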
For more policy examples, see Endpoints for Amazon S3 in the VPC User Guide.
For more information about VPC connectivity, see Network-to-VPC connectivity options in the AWS whitepaper Amazon Virtual Private Cloud Connectivity Options.