Gateway endpoints for Amazon S3 - Amazon Virtual Private Cloud

Gateway endpoints for Amazon S3

You can access Amazon S3 from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3.

There is no additional charge for using gateway endpoints.

Amazon S3 supports both gateway endpoints and interface endpoints. For a comparison of the two options, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide.

Considerations

  • A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets.

  • If you're using the Amazon DNS servers, you must enable both DNS hostnames and DNS resolution for your VPC. If you're using your own DNS server, ensure that requests to Amazon S3 resolve correctly to the IP addresses maintained by AWS.

  • Check whether you are using an AWS service that uses an S3 bucket. If so, ensure that the endpoint policy allows full access to Amazon S3 (the default) or that it allows access to the buckets used by the AWS service. Alternatively, ensure that the requests to Amazon S3 do not originate from a subnet with a route table with an endpoint route for Amazon S3.

  • You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range. VPC CIDR blocks can be overlapping or identical across VPCs, which might lead to unexpected results. Therefore, you can't use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and to any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range: an Allow gated on aws:SourceIp is never granted, and a Deny that uses NotIpAddress on aws:SourceIp fires for every request that arrives through the endpoint. Instead, you can do the following:

    • Use route tables to control which instances can access resources in Amazon S3 through the gateway endpoint.

    • Use bucket policies to restrict access to a specific endpoint, VPC, or IP address range.

  • The outbound rules for the security group for instances that access Amazon S3 through the gateway endpoint must allow traffic to Amazon S3. You can use the prefix list ID for Amazon S3 as the destination in the outbound rule.

  • Gateway endpoints support only IPv4 traffic.

  • The source IPv4 addresses from instances in your affected subnets as received by Amazon S3 change from public IPv4 addresses to the private IPv4 addresses in your VPC. An endpoint switches network routes, and disconnects open TCP connections. The previous connections that used public IPv4 addresses are not resumed. We recommend that you do not have any critical tasks running when you create or modify an endpoint; or that you test to ensure that your software can automatically reconnect to Amazon S3 after the connection break.

  • Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3.

  • Your account has a default quota of 20 gateway endpoints per Region, which is adjustable. There is also a limit of 255 gateway endpoints per VPC.
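Two of the considerations above (the route table must carry the endpoint route, and the security group egress rules must allow traffic to the S3 prefix list) are easy to get wrong silently: an instance in a subnet without the endpoint route still reaches S3, just over the internet gateway or NAT, and then fails any bucket policy keyed on aws:sourceVpce. The following is an added example, not code from the page or from AWS, that audits both conditions offline. The route table and security group dictionaries are constructed samples shaped like the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`; every ID in it (prefix list, endpoint, subnets, security groups) is a placeholder.

```python
"""Offline audit of two plumbing requirements for a gateway endpoint to S3:
(1) the subnet's route table has an active route whose destination is the
    managed prefix list for Amazon S3 and whose target is a gateway endpoint;
(2) the instance's security group has an egress rule that reaches S3, either
    by naming that prefix list or through a catch-all 0.0.0.0/0 rule.
The dictionaries below are constructed samples shaped like the output of
`aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`;
all IDs are placeholders, not real resources."""

S3_PREFIX_LIST_ID = "pl-0123456789abcdef0"   # placeholder for com.amazonaws.<region>.s3
GATEWAY_ENDPOINT_ID = "vpce-1a2b3c4d"        # placeholder, as used on the page

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",          # has the endpoint route
     "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": GATEWAY_ENDPOINT_ID,
          "State": "active"}]},
    {"RouteTableId": "rtb-public",           # S3 traffic leaves via the internet gateway
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"}]},
]

SAMPLE_SECURITY_GROUPS = {
    "sg-s3-only": {"IpPermissionsEgress": [          # HTTPS to the S3 prefix list only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "PrefixListIds": [{"PrefixListId": S3_PREFIX_LIST_ID}]}]},
    "sg-vpc-only": {"IpPermissionsEgress": [         # HTTPS inside the VPC CIDR only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "PrefixListIds": []}]},
}


def route_table_for_subnet(route_tables, subnet_id):
    """Explicitly associated route table, or None (main-table fallback not modelled)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def s3_route_uses_gateway_endpoint(route_table, prefix_list_id):
    """True if an active route sends the S3 prefix list to a vpce-* target."""
    return any(r.get("DestinationPrefixListId") == prefix_list_id
               and r.get("State") == "active"
               and r.get("GatewayId", "").startswith("vpce-")
               for r in route_table.get("Routes", []))


def egress_allows_s3(security_group, prefix_list_id, port=443):
    """True if some egress rule covers TCP `port` to the S3 prefix list or to 0.0.0.0/0."""
    for perm in security_group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":                  # "-1" means all protocols and ports
            continue
        if any(p.get("PrefixListId") == prefix_list_id for p in perm.get("PrefixListIds", [])):
            return True
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False


def can_reach_s3_via_endpoint(subnet_id, sg_id, route_tables=SAMPLE_ROUTE_TABLES,
                              security_groups=SAMPLE_SECURITY_GROUPS,
                              prefix_list_id=S3_PREFIX_LIST_ID):
    """(ok, reason): both the route and the egress rule must be in place."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None or not s3_route_uses_gateway_endpoint(rt, prefix_list_id):
        return False, "no active endpoint route for the S3 prefix list in the subnet's route table"
    if not egress_allows_s3(security_groups[sg_id], prefix_list_id):
        return False, "security group egress does not allow traffic to the S3 prefix list"
    return True, "ok"


if __name__ == "__main__":
    for subnet, sg in (("subnet-private", "sg-s3-only"), ("subnet-private", "sg-vpc-only"),
                       ("subnet-public", "sg-s3-only")):
        print(subnet, sg, can_reach_s3_via_endpoint(subnet, sg))
```

Against live data, feed the `RouteTables` and `SecurityGroups` lists from the two describe calls into the same functions; the prefix list ID for the Region comes from `aws ec2 describe-prefix-lists` (name `com.amazonaws.<region>.s3`). The public-subnet case is the one worth watching: it reports "no endpoint route" even though the instance can still reach S3 over the internet gateway, which is exactly the traffic a Deny-unless-VPCE bucket policy will reject.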

Create a gateway endpoint

Use the following procedure to create a gateway endpoint that connects to Amazon S3.

To create a gateway endpoint using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Choose Create endpoint.

  4. For Service category, choose AWS services.

  5. For Services, add the filter Type: Gateway and select com.amazonaws.region.s3.

  6. For VPC, select the VPC in which to create the endpoint.

  7. For Route tables, select the route tables to be used by the endpoint. We automatically add a route to each selected route table whose destination is the managed prefix list for Amazon S3 in the Region and whose target is the gateway endpoint. Only instances in subnets associated with these route tables reach Amazon S3 through the endpoint; instances in other subnets keep their existing path (for example, an internet gateway or NAT gateway) and therefore do not match bucket policy conditions on aws:sourceVpce.

  8. For Policy, select Full access to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, select Custom to attach a VPC endpoint policy that controls the permissions that principals have to perform actions on resources over the VPC endpoint.

  9. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  10. Choose Create endpoint.

To create a gateway endpoint using the command line

Control access using bucket policies

You can use bucket policies to control access to buckets from specific endpoints, VPCs, IP address ranges, and AWS accounts.

Example: Restrict access to a specific endpoint

You can create a bucket policy that restricts access to a specific endpoint by using the aws:sourceVpce condition key. The following policy denies access to the specified bucket unless the specified gateway endpoint is used. This example assumes that there is also a policy statement that allows the access required for your use cases.

{
  "Version": "2012-10-17",
  "Id": "Access-to-bucket-using-specific-endpoint",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}

Example: Restrict access to a specific VPC

You can create a bucket policy that restricts access to a specific VPC by using the aws:sourceVpc condition key. This is useful if you have multiple endpoints configured in the same VPC. The following policy denies any request for the specified bucket and its objects that does not arrive through an endpoint in the specified VPC. This example assumes that there is also a policy statement that allows the access required for your use cases.

{
  "Version": "2012-10-17",
  "Id": "Access-to-bucket-using-specific-VPC",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example_bucket", "arn:aws:s3:::example_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}

Example: Restrict access to a specific IP address range

You can create a bucket policy that restricts access to a specific IP address range by using the aws:VpcSourceIp condition key, which carries the private IPv4 address of the requester as seen through the VPC endpoint (unlike aws:SourceIp, which does not match for endpoint traffic). The following policy denies any request for the specified bucket and its objects that does not come from the specified range. Because NotIpAddress also evaluates to true when the key is absent, requests that do not traverse a VPC endpoint at all are denied as well. This example assumes that there is also a policy statement that allows the access required for your use cases.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-CIDR-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:VpcSourceIp": "172.31.0.0/16"
        }
      }
    }
  ]
}

Example: Restrict access to buckets in a specific AWS account

You can create a policy that restricts access to the S3 buckets in a specific AWS account by using the s3:ResourceAccount condition key. The following policy denies access to resources that are not owned by the specified AWS account, which stops principals in your VPC from reading from or writing to buckets owned by other accounts (a common data exfiltration path). Note that a bucket policy can only name the bucket it is attached to, so a statement with Resource "arn:aws:s3:::*" belongs in the VPC endpoint policy or in an IAM policy rather than in a bucket policy. This example assumes that there is also a policy statement that allows the access required for your use cases.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-bucket-in-specific-account-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringNotEquals": {
          "s3:ResourceAccount": "111122223333"
        }
      }
    }
  ]
}

Associate route tables

You can change the route tables that are associated with the gateway endpoint. When you associate a route table, we automatically add a route whose destination is the managed prefix list for Amazon S3 and whose target is the gateway endpoint. When you disassociate a route table, we automatically remove the endpoint route from the route table, and instances in the affected subnets fall back to whatever other route covers the S3 address ranges (for example, an internet gateway or NAT gateway).

To associate route tables using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the gateway endpoint.

  4. Choose Actions, Manage route tables.

  5. Select or deselect route tables as needed.

  6. Choose Modify route tables.

To associate route tables using the command line

Edit the VPC endpoint policy

You can edit the endpoint policy for a gateway endpoint, which controls access to Amazon S3 from the VPC through the endpoint. The default policy allows full access. For more information, see VPC endpoint policies.

To change the endpoint policy using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the gateway endpoint.

  4. Choose Actions, Manage policy.

  5. Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.

  6. Choose Save.

The following are example endpoint policy statements for accessing Amazon S3. Each is a single statement; place it in the Statement array of a policy document that has "Version": "2012-10-17". An endpoint policy does not grant permissions by itself: a request through the endpoint must be allowed by the endpoint policy and by the IAM or bucket policy that applies to it.

Example: Restrict access to a specific bucket

You can create a policy that restricts access to specific S3 buckets only. This is useful if you have other AWS services in your VPC that use S3 buckets.

{
  "Sid": "AccessToSpecificBucket",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::bucket_name",
    "arn:aws:s3:::bucket_name/*"
  ]
}

Example: Restrict access to a specific IAM role

You can create a policy that restricts access to a specific IAM role.

{
  "Sid": "Restrict-access-to-specific-IAM-role",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "ArnEquals": {
      "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
    }
  }
}

Example: Restrict access to users in a specific account

You can create a policy that restricts access to a specific account.

{
  "Sid": "AllowCallersFromAccount111122223333",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalAccount": "111122223333"
    }
  }
}
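The bucket policy examples under "Control access using bucket policies" and the endpoint policy examples above rely on two evaluation rules that are easy to misjudge by reading the JSON: an explicit Deny in any applicable policy wins, and the negated operators (StringNotEquals, NotIpAddress, ArnNotEquals) evaluate to true when the condition key is absent from the request context. The second rule is what makes "Deny unless aws:sourceVpce equals X" also block requests that never traverse a VPC endpoint. The following is an added example, not code from the page or from AWS, that models just enough of IAM evaluation to show both rules on the page's own policies. The bucket policy, the endpoint policy, the role ARN, the object key and the request contexts are constructed; in particular, a request that does not go through an endpoint is modelled with aws:sourceVpce and aws:VpcSourceIp absent, and a request that does is modelled without aws:SourceIp, matching the page's statement that aws:SourceIp fails to match for endpoint traffic. Principal matching is omitted because every example on the page uses Principal "*".

```python
"""Offline model of IAM condition evaluation for the keys used on this page.
Constructed policies and request contexts; placeholder IDs throughout."""
import fnmatch
import ipaddress


def _matches(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)      # IAM-style * and ? wildcards


def _condition_true(operator, expected, actual):
    negated = operator.startswith(("StringNot", "ArnNot", "NotIp"))
    if actual is None:
        return negated                  # key absent from context: only negated operators match
    expected = [expected] if isinstance(expected, str) else list(expected)
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif operator in ("ArnEquals", "ArnNotEquals", "ArnLike", "ArnNotLike"):
        hit = any(_matches(e, actual) for e in expected)
    elif operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False)
                  for e in expected)
    else:
        raise ValueError(f"operator {operator} is not modelled")
    return (not hit) if negated else hit


def _statement_applies(stmt, ctx):
    # Principal matching is omitted: the page's examples all use Principal "*",
    # and identity restrictions are expressed through aws:Principal* condition keys.
    for field, value in (("Action", ctx["action"]), ("Resource", ctx["resource"])):
        patterns = stmt[field] if isinstance(stmt[field], list) else [stmt[field]]
        if not any(_matches(p, value) for p in patterns):
            return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():      # condition keys are case-insensitive
            if not _condition_true(operator, expected, ctx["keys"].get(key.lower())):
                return False
    return True


def evaluate(policy, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(ctx, bucket_policy, endpoint_policy):
    """The endpoint policy is on the path only for requests that arrive through the
    endpoint; every policy on the path must return 'Allow' (no policy may deny)."""
    policies = [bucket_policy]
    if "aws:sourcevpce" in ctx["keys"]:
        policies.append(endpoint_policy)
    return all(evaluate(p, ctx) == "Allow" for p in policies)


def request_context(action, resource, principal_arn, keys=None):
    context = {"aws:principalarn": principal_arn,
               "aws:principalaccount": principal_arn.split(":")[4]}
    context.update({k.lower(): v for k, v in (keys or {}).items()})
    return {"action": action, "resource": resource, "keys": context}


# Constructed bucket policy: the page's Deny-unless-VPCE and Deny-unless-CIDR statements
# plus the Allow statement those examples say must exist for the access you actually need.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::bucket_name/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
     "Condition": {"NotIpAddress": {"aws:VpcSourceIp": "172.31.0.0/16"}}}]}

# Constructed endpoint policy: the page's account restriction, wrapped in a full document.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCallersFromAccount111122223333", "Effect": "Allow", "Principal": "*",
     "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}}]}

ROLE = "arn:aws:iam::111122223333:role/role_name"          # placeholder from the page
OBJECT = "arn:aws:s3:::bucket_name/report.csv"             # constructed object key


def scenarios():
    """Same GetObject on the same object; only the origin of the request differs."""
    inside = {"aws:sourceVpce": "vpce-1a2b3c4d", "aws:VpcSourceIp": "172.31.5.20"}
    other_vpce = {"aws:sourceVpce": "vpce-9z9y9x9w", "aws:VpcSourceIp": "172.31.5.20"}
    internet = {"aws:SourceIp": "203.0.113.7"}             # no endpoint keys at all
    return {
        "via_endpoint": is_allowed(request_context("s3:GetObject", OBJECT, ROLE, inside),
                                   BUCKET_POLICY, ENDPOINT_POLICY),
        "wrong_endpoint": is_allowed(request_context("s3:GetObject", OBJECT, ROLE, other_vpce),
                                     BUCKET_POLICY, ENDPOINT_POLICY),
        "from_internet": is_allowed(request_context("s3:GetObject", OBJECT, ROLE, internet),
                                    BUCKET_POLICY, ENDPOINT_POLICY),
        "foreign_account": is_allowed(request_context("s3:GetObject", OBJECT,
                                      "arn:aws:iam::999999999999:role/outsider", inside),
                                      BUCKET_POLICY, ENDPOINT_POLICY),
    }
```

Only the first scenario is allowed. The internet case is denied by both Deny statements even though the principal is the trusted role, which is why the page warns against running critical tasks from subnets that are not routed through the endpoint; the foreign-account case passes the bucket policy (its Allow is Principal "*") and is stopped only by the endpoint policy, illustrating that the two layers restrict different things and are both needed.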

Delete a gateway endpoint

When you are finished with a gateway endpoint, you can delete it. When you delete a gateway endpoint, we remove the endpoint route from the subnet route tables.

To delete a gateway endpoint using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select the gateway endpoint.

  4. Choose Actions, Delete VPC endpoints.

  5. When prompted for confirmation, enter delete.

  6. Choose Delete.

To delete a gateway endpoint using the command line