 

Amazon S3 over VPN

Is it possible to establish VPN connectivity to Amazon S3 directly without utilizing Elastic cloud EC2?

moejoe11 asked Nov 19 '09 17:11


2 Answers

Since S3 bucket names are globally unique and accessible over HTTP using a unique URL, it is not possible to isolate S3 at the network level; it requires access control using bucket policies, IAM policies or access control lists. You can also use bucket policies to whitelist source IPs that can access your buckets.

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
         "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"} 
      } 
    } 
  ]
}

The access control system available in S3 enforces security in accessing S3. In addition, the data in transit is encrypted using HTTPS, and optionally you can also leverage encryption at rest for objects residing in S3 to further harden the security.

In addition, there are multiple ways to establish connections to S3 based on the egress restrictions at the S3 access client locations (e.g. on-premises, VPC private/public subnet, etc.).

  • Accessing S3 over the internet if there are no egress restrictions.
  • Use VPC Endpoints to S3 if you are accessing S3 from an AWS VPC.
  • Direct Connect connection from on-premises to AWS data centers to access S3 over a dedicated, private network connection.

Unfortunately, since S3 does not provide a feature for network segmentation, it is not possible to use a VPN connection to S3 to restrict access at the network level.

Ashan answered Nov 12 '22 07:11
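As an added example (not from the answer above and not AWS code), a small Python evaluator that applies the source-IP conditions of the bucket policy shown in that answer to a request's IP, showing why 54.240.143.188 is carved out of the /24 while the rest of the range is allowed. It models only the IpAddress/NotIpAddress operators on aws:SourceIp with Deny-over-Allow precedence; action and resource matching are deliberately omitted.

```python
import ipaddress
import json

# The bucket policy from the answer above, embedded here as the sample input.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [{
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}}
  }]}""")


def _as_list(value):
    # Condition values may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def source_ip_matches(condition, source_ip):
    """True if the IpAddress / NotIpAddress operators on aws:SourceIp accept
    source_ip. Assumption: only these two operators appear in the condition."""
    ip = ipaddress.ip_address(source_ip)
    allowed = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    blocked = _as_list(condition.get("NotIpAddress", {}).get("aws:SourceIp", []))
    if allowed and not _in_any(ip, allowed):
        return False          # outside every whitelisted range
    if blocked and _in_any(ip, blocked):
        return False          # carved out by NotIpAddress
    return True


def evaluate(policy, source_ip):
    """'Allow', 'Deny' or 'ImplicitDeny' for a request from source_ip.
    An explicit Deny wins over Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not source_ip_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Note that the result is only the network-level part of the decision; a real request would still need the action and resource in the statement to match, and IAM identity policies are evaluated alongside the bucket policy.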


No. Routing in a VPC is non-transitive.

The relevant documentation:

Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, a VPC peering connection, an AWS Direct Connect connection, or a ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

chris answered Nov 12 '22 08:11