Is it possible to establish VPN connectivity to Amazon S3 directly without utilizing Elastic cloud EC2?
Since S3 bucket names are globally unique and accessible over HTTP using a unique URL, it is not possible to isolate S3 at the network level; it requires access control using bucket policies, IAM policies or access control lists. You can also use bucket policies to whitelist the source IPs that can access your buckets.
    {
      "Version": "2012-10-17",
      "Id": "S3PolicyId1",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::examplebucket/*",
          "Condition": {
            "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
          }
        }
      ]
    }
The access control system available in S3 enforces security when accessing S3. In addition, data in transit is encrypted using HTTPS, and optionally you can also leverage encryption at rest for objects residing in S3 to further harden security.
In addition, there are multiple ways to establish connections to S3 based on the egress restrictions at the S3 access client locations (e.g. on-premises, VPC private/public subnet, etc.).
Unfortunately, since S3 does not provide a feature for network segmentation, it is not possible to use a VPN connection to S3 to restrict access at the network level.
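To make the effect of the IpAddress/NotIpAddress conditions in the policy above concrete, here is an added example (not part of the answer, and not AWS's evaluation engine) that applies a simplified version of the IAM evaluation logic to that policy: default deny, an Allow statement applies only when all of its aws:SourceIp conditions hold, and an explicit Deny wins. It ignores Principal, Action and Resource matching and looks only at the source-IP conditions.

```python
import ipaddress
import json

# Constructed for this example: the bucket policy shown in the answer above.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
"""

def _as_list(value):
    # Policy condition values may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _ip_in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_matches(condition, source_ip):
    """True if every aws:SourceIp condition of a statement holds for source_ip."""
    ip = ipaddress.ip_address(source_ip)
    inside = condition.get("IpAddress", {}).get("aws:SourceIp")
    outside = condition.get("NotIpAddress", {}).get("aws:SourceIp")
    if inside is not None and not _ip_in_any(ip, _as_list(inside)):
        return False  # IpAddress requires the address to be in one of the ranges
    if outside is not None and _ip_in_any(ip, _as_list(outside)):
        return False  # NotIpAddress requires it to be in none of the ranges
    return True

def is_allowed(policy, source_ip):
    """Simplified evaluation: implicit deny, explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

POLICY = json.loads(POLICY_JSON)
```

Note that aws:SourceIp is matched against the address S3 sees on the request, so requests arriving through a VPC endpoint have to be matched with aws:SourceVpce or aws:VpcSourceIp instead.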
No. Routing in a VPC is non-transitive.
The relevant documentation:
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, a VPC peering connection, an AWS Direct Connect connection, or a ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.