Submitted URL: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#gateway-endpoint-considerations-s3
Effective URL: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
Submission: On May 16 via api from DE — Scanned from DE




Gateway endpoints for Amazon S3 - Amazon Virtual Private Cloud


GATEWAY ENDPOINTS FOR AMAZON S3


You can access Amazon S3 from your VPC using gateway VPC endpoints. After you
create the gateway endpoint, you can add it as a target in your route table for
traffic destined from your VPC to Amazon S3.

There is no additional charge for using gateway endpoints.

Amazon S3 supports both gateway endpoints and interface endpoints. With a
gateway endpoint, you can access Amazon S3 from your VPC, without requiring an
internet gateway or NAT device for your VPC, and with no additional cost.
However, gateway endpoints do not allow access from on-premises networks, from
peered VPCs, or through a transit gateway (see Considerations). For those
scenarios, you must use an interface endpoint, which is available for an
additional cost. For more information, see Types of VPC endpoints for Amazon S3
in the Amazon S3 User Guide.

CONTENTS

 * Considerations
 * Private DNS
 * Create a gateway endpoint
 * Control access using bucket policies
 * Associate route tables
 * Edit the VPC endpoint policy
 * Delete a gateway endpoint


CONSIDERATIONS


 * A gateway endpoint is available only in the Region where you created it. Be
   sure to create your gateway endpoint in the same Region as your S3 buckets.

 * If you're using the Amazon DNS servers, you must enable both DNS hostnames
   and DNS resolution for your VPC. If you're using your own DNS server, ensure
   that requests to Amazon S3 resolve correctly to the IP addresses maintained
   by AWS.

 * The rules for the security groups for your instances that access Amazon S3
   through a gateway endpoint must allow traffic to and from Amazon S3 (HTTPS
   on TCP port 443, plus port 80 if you still allow plain HTTP). You can
   reference the ID of the prefix list for Amazon S3 in security group rules
   instead of maintaining the IP address ranges yourself.

 * The network ACL for the subnet for your instances that access Amazon S3
   through a gateway endpoint must allow traffic to and from Amazon S3. You
   can't reference prefix lists in network ACL rules, but you can get the IP
   address ranges for Amazon S3 from the prefix list for Amazon S3. Network
   ACLs are stateless, so the outbound request and the inbound response (on
   ephemeral ports) each need their own allow rule.

 * Check whether you are using an AWS service that requires access to an S3
   bucket. For example, a service might require access to buckets that contain
   log files, or might require you to download drivers or agents to your EC2
   instances. If so, ensure that your endpoint policy allows the AWS service or
   resource to access these buckets using the s3:GetObject action.

 * You can't use the aws:SourceIp condition in an identity policy or a bucket
   policy for requests to Amazon S3 that traverse a VPC endpoint. Instead, use
   the aws:VpcSourceIp condition. Alternatively, you can use route tables to
   control which EC2 instances can access Amazon S3 through the VPC endpoint.

 * Gateway endpoints support only IPv4 traffic.

 * The source IPv4 addresses from instances in your affected subnets as received
   by Amazon S3 change from public IPv4 addresses to the private IPv4 addresses
   in your VPC. An endpoint switches network routes, and disconnects open TCP
   connections. The previous connections that used public IPv4 addresses are not
   resumed. We recommend that you do not have any critical tasks running when
   you create or modify an endpoint; or that you test to ensure that your
   software can automatically reconnect to Amazon S3 after the connection break.

 * Endpoint connections cannot be extended out of a VPC. Resources on the far
   side of a VPN connection, VPC peering connection, transit gateway, or AWS
   Direct Connect connection attached to your VPC cannot use a gateway endpoint
   to communicate with Amazon S3.

 * Your account has a default quota of 20 gateway endpoints per Region, which is
   adjustable. There is also a limit of 255 gateway endpoints per VPC.
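
The checks in the list above can be scripted. The following Python is an added
example, not AWS code or tooling: it runs the prerequisite checks (DNS
attributes, route tables, security group, network ACL) over dicts shaped like
the boto3 describe_vpc_attribute, describe_route_tables,
describe_security_groups and describe_network_acls responses. Every ID, CIDR
and flag in it is constructed for the example, and the S3 prefix list ID and
its CIDRs are assumed placeholders rather than the real values for any Region;
in practice you would replace the constants with the output of those calls and
of describe-managed-prefix-lists / get-managed-prefix-list-entries.

```python
"""Offline checks for the gateway endpoint prerequisites listed above.

Added example, not AWS tooling. The inputs mirror the response shapes of
boto3's describe_vpc_attribute, describe_route_tables,
describe_security_groups and describe_network_acls, but every ID, CIDR and
flag below is constructed; the S3 prefix list ID and CIDRs are assumed
placeholders, not the real values for any Region.
"""
import ipaddress

ENDPOINT_ID = "vpce-1a2b3c4d"
S3_PREFIX_LIST_ID = "pl-0123456789abcdef0"              # assumed
S3_PREFIX_LIST_CIDRS = ["52.216.0.0/15", "3.5.0.0/19"]  # constructed
VPC_ATTRIBUTES = {"EnableDnsSupport": {"Value": True},
                  "EnableDnsHostnames": {"Value": False}}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-aaaa1111", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": ENDPOINT_ID,
         "State": "active"}]},
    {"RouteTableId": "rtb-bbbb2222", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"}]}]
SECURITY_GROUP = {"GroupId": "sg-0123", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "PrefixListIds": [{"PrefixListId": S3_PREFIX_LIST_ID}]}]}
NETWORK_ACL = {"NetworkAclId": "acl-0123", "Entries": [
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "52.216.0.0/15", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"}]}

def dns_attributes_missing(attrs):
    """Both attributes must be on for the Amazon-provided resolver to answer S3 names."""
    return [k for k in ("EnableDnsSupport", "EnableDnsHostnames") if not attrs[k]["Value"]]

def route_tables_missing_s3_route(route_tables, prefix_list_id, endpoint_id):
    """Route tables with no active route 'S3 prefix list -> gateway endpoint'."""
    return [rt["RouteTableId"] for rt in route_tables
            if not any(r.get("DestinationPrefixListId") == prefix_list_id
                       and r.get("GatewayId") == endpoint_id
                       and r.get("State") == "active" for r in rt["Routes"])]

def sg_allows_s3_egress(sg, prefix_list_id, port=443):
    """True if an egress rule reaches S3 on `port` via the prefix list or 0.0.0.0/0."""
    for rule in sg["IpPermissionsEgress"]:
        if rule["IpProtocol"] not in ("-1", "tcp"):
            continue
        if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if prefix_list_id in [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]:
            return True
        if "0.0.0.0/0" in [r["CidrIp"] for r in rule.get("IpRanges", [])]:
            return True
    return False

def nacl_blocked_cidrs(nacl, egress, cidrs, port):
    """CIDRs not fully allowed for TCP `port` in the given direction.

    Network ACLs are stateless and evaluated in rule-number order: the first
    rule whose CIDR, protocol and port range match decides. An allow rule that
    covers only part of an S3 range is reported as blocked, because the rest of
    that range falls through to a later rule (usually the final deny).
    """
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    blocked = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        allowed = False
        for e in entries:
            rule_net = ipaddress.ip_network(e["CidrBlock"])
            pr = e.get("PortRange", {"From": 0, "To": 65535})
            if (not net.overlaps(rule_net) or e["Protocol"] not in ("-1", "6")
                    or not pr["From"] <= port <= pr["To"]):
                continue
            allowed = e["RuleAction"] == "allow" and net.subnet_of(rule_net)
            break
        if not allowed:
            blocked.append(cidr)
    return blocked

def readiness_report():
    """Collect every finding; an empty list (or True) per check means it passed."""
    return {
        "dns_attributes_missing": dns_attributes_missing(VPC_ATTRIBUTES),
        "route_tables_without_s3_route": route_tables_missing_s3_route(
            ROUTE_TABLES, S3_PREFIX_LIST_ID, ENDPOINT_ID),
        "security_group_allows_s3": sg_allows_s3_egress(SECURITY_GROUP, S3_PREFIX_LIST_ID),
        # Outbound request on 443, then the stateless return traffic on ephemeral ports.
        "nacl_blocked_outbound": nacl_blocked_cidrs(NETWORK_ACL, True, S3_PREFIX_LIST_CIDRS, 443),
        "nacl_blocked_return": nacl_blocked_cidrs(NETWORK_ACL, False, S3_PREFIX_LIST_CIDRS, 1024),
    }

if __name__ == "__main__":
    for check, result in readiness_report().items():
        print(f"{check}: {result}")
```

With the constructed inputs the report flags the missing DNS hostnames
attribute, the second route table (it still sends S3 traffic to the NAT
gateway) and the second S3 range, which only the final deny rule of the network
ACL matches.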


PRIVATE DNS


You can configure private DNS to optimize costs when you create both a gateway
endpoint and an interface endpoint for Amazon S3.

ROUTE 53 RESOLVER

Amazon provides a DNS server, called the Route 53 Resolver, for your VPC. The
Route 53 Resolver automatically resolves local VPC domain names and records in
private hosted zones. However, you can't use the Route 53 Resolver from outside
your VPC. Route 53 provides Resolver endpoints and Resolver rules so that you
can use the Route 53 Resolver from outside your VPC. An inbound Resolver
endpoint forwards DNS queries from the on-premises network to Route 53 Resolver.
An outbound Resolver endpoint forwards DNS queries from the Route 53 Resolver to
the on-premises network.

When you configure your interface endpoint for Amazon S3 to use private DNS only
for the inbound Resolver endpoint, we create an inbound Resolver endpoint. The
inbound Resolver endpoint resolves DNS queries to Amazon S3 from on-premises to
the private IP addresses of the interface endpoint. We also add ALIAS records
for the Route 53 Resolver to the public hosted zone for Amazon S3, so that DNS
queries from your VPC resolve to the Amazon S3 public IP addresses, which routes
traffic to the gateway endpoint.

PRIVATE DNS

If you configure private DNS for your interface endpoint for Amazon S3 but do
not configure private DNS only for the inbound Resolver endpoint, requests from
both your on-premises network and your VPC use the interface endpoint to access
Amazon S3. Therefore, you pay to use the interface endpoint for traffic from the
VPC, instead of using the gateway endpoint for no additional charge.

Figure: Conceptual graphic that shows how Amazon S3 requests are routed by
default when you have both endpoint types.

PRIVATE DNS ONLY FOR THE INBOUND RESOLVER ENDPOINT

If you configure private DNS only for the inbound Resolver endpoint, requests
from your on-premises network use the interface endpoint to access Amazon S3,
and requests from your VPC use the gateway endpoint to access Amazon S3.
Therefore, you optimize your costs, because you pay to use the interface
endpoint only for traffic that can't use the gateway endpoint.

Figure: Conceptual graphic that shows how Amazon S3 requests are routed when
you have both endpoint types and you configure private DNS with an inbound
Resolver endpoint.

CONFIGURE PRIVATE DNS

You can configure private DNS for an interface endpoint for Amazon S3 when you
create it or after you create it. For more information, see Create a VPC
endpoint (configure during creation) or Enable private DNS names (configure
after creation).
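
To verify which path S3 traffic actually takes after you configure private DNS,
resolve an S3 hostname from an instance and from an on-premises host (for
example with dig +short bucket.s3.region.amazonaws.com) and classify the
answers. The following Python is an added example, not AWS tooling; the
answers are constructed (the public-looking addresses are placeholders, not
real S3 ranges) and the VPC CIDR 10.0.0.0/16 is assumed.

```python
"""Which S3 path a set of DNS answers will take, given the VPC's CIDRs.

Added example, not AWS tooling. An answer inside the VPC is the interface
endpoint (billed per GB); a public answer means traffic from the VPC follows
the gateway endpoint route, provided that route exists. All addresses below
are constructed for the example.
"""
import ipaddress

def classify_s3_answers(answers, vpc_cidrs):
    """Return 'interface', 'public' or 'mixed' for a list of resolved addresses."""
    if not answers:
        raise ValueError("no DNS answers to classify")
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    inside = sum(any(ipaddress.ip_address(a) in n for n in nets) for a in answers)
    if inside == len(answers):
        return "interface"
    return "public" if inside == 0 else "mixed"

def private_dns_split(vpc_answers, onprem_answers, vpc_cidrs):
    """True only for the cost-optimized split: VPC -> gateway, on-premises -> interface."""
    return (classify_s3_answers(vpc_answers, vpc_cidrs) == "public"
            and classify_s3_answers(onprem_answers, vpc_cidrs) == "interface")

VPC_CIDRS = ["10.0.0.0/16"]                      # assumed VPC CIDR
# Constructed answers; the public ones are placeholders, not real S3 addresses.
OPTIMIZED = {"vpc": ["52.216.100.10", "52.216.100.11"],
             "onprem": ["10.0.1.25", "10.0.2.31"]}
# Private DNS enabled without the inbound-Resolver-only option: the VPC also
# resolves to the interface endpoint, so VPC traffic is billed.
UNOPTIMIZED = {"vpc": ["10.0.1.25", "10.0.2.31"],
               "onprem": ["10.0.1.25", "10.0.2.31"]}

if __name__ == "__main__":
    for name, case in (("optimized", OPTIMIZED), ("unoptimized", UNOPTIMIZED)):
        print(name,
              "vpc:", classify_s3_answers(case["vpc"], VPC_CIDRS),
              "on-premises:", classify_s3_answers(case["onprem"], VPC_CIDRS),
              "cost-optimized:", private_dns_split(case["vpc"], case["onprem"], VPC_CIDRS))
```

A "mixed" result usually means a resolver on the instance is caching answers
from before the change, or that a custom DNS server answers some names and the
Route 53 Resolver answers others.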


CREATE A GATEWAY ENDPOINT


Use the following procedure to create a gateway endpoint that connects to Amazon
S3.

TO CREATE A GATEWAY ENDPOINT USING THE CONSOLE

 1.  Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

 2.  In the navigation pane, choose Endpoints.

 3.  Choose Create endpoint.

 4.  For Service category, choose AWS services.

 5.  For Services, add the filter Type: Gateway and select
     com.amazonaws.region.s3.

 6.  For VPC, select the VPC in which to create the endpoint.

 7.  For Route tables, select the route tables to be used by the endpoint. We
     automatically add a route to each selected table with the prefix list for
     Amazon S3 as the destination and the gateway endpoint as the target. A
     gateway endpoint has no network interface in your VPC; it is only a route
     target.

 8.  For Policy, select Full access to allow all operations by all principals on
     all resources over the VPC endpoint. Otherwise, select Custom to attach a
     VPC endpoint policy that controls the permissions that principals have to
     perform actions on resources over the VPC endpoint.

 9.  (Optional) To add a tag, choose Add new tag and enter the tag key and the
     tag value.

 10. Choose Create endpoint.

TO CREATE A GATEWAY ENDPOINT USING THE COMMAND LINE

 * create-vpc-endpoint (AWS CLI)

 * New-EC2VpcEndpoint (Tools for Windows PowerShell)


CONTROL ACCESS USING BUCKET POLICIES


You can use bucket policies to control access to buckets from specific
endpoints, VPCs, IP address ranges, and AWS accounts. These examples assume that
there are also policy statements that allow the access required for your use
cases.

EXAMPLE: RESTRICT ACCESS TO A SPECIFIC ENDPOINT

You can create a bucket policy that restricts access to a specific endpoint by
using the aws:sourceVpce condition key. The following policy denies the
specified actions on the bucket unless the request arrives through the
specified gateway endpoint. Because StringNotEquals also matches when the key
is absent from the request, the deny applies to every request that did not
traverse a VPC endpoint at all, which is why it blocks the specified actions
through the AWS Management Console. Because the Principal is "*", it also
applies to the bucket owner's administrators and to any automation running
outside the VPC; test it on a non-production bucket first. If you do lock
yourself out, the root user of the account that owns the bucket can still
delete the bucket policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPCE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket_name",
                   "arn:aws:s3:::bucket_name/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}

EXAMPLE: RESTRICT ACCESS TO A SPECIFIC VPC

You can create a bucket policy that restricts access to specific VPCs by using
the aws:sourceVpc condition key. This is useful if you have multiple endpoints
configured in the same VPC. The following policy denies access to the specified
bucket using the specified actions unless the request comes from the specified
VPC. Note that this policy blocks access to the specified bucket using the
specified actions through the AWS Management Console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::example_bucket",
                   "arn:aws:s3:::example_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}

EXAMPLE: RESTRICT ACCESS TO A SPECIFIC IP ADDRESS RANGE

You can create a policy that restricts access to specific IP address ranges by
using the aws:VpcSourceIp condition key. The following policy denies the
specified actions on the bucket unless the request comes from the specified IP
address range (the VPC's private addresses, which is what Amazon S3 sees for
requests that arrive through the endpoint). Note that this policy blocks access
to the specified bucket using the specified actions through the AWS Management
Console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPC-CIDR",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket_name",
                   "arn:aws:s3:::bucket_name/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:VpcSourceIp": "172.31.0.0/16"
        }
      }
    }
  ]
}

EXAMPLE: RESTRICT ACCESS TO BUCKETS IN A SPECIFIC AWS ACCOUNT

You can create a policy that restricts access to the S3 buckets in a specific
AWS account by using the s3:ResourceAccount condition key. The following policy
denies the specified actions on any S3 bucket unless the bucket is owned by the
specified AWS account. A bucket policy governs only the bucket it is attached
to, so a statement whose Resource is arn:aws:s3:::* belongs in the VPC endpoint
policy (or in an identity policy) rather than in a bucket policy. Used as an
endpoint policy, it stops principals in your VPC from copying data through the
endpoint to buckets owned by other accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-bucket-in-specific-account",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringNotEquals": {
          "s3:ResourceAccount": "111122223333"
        }
      }
    }
  ]
}


ASSOCIATE ROUTE TABLES


You can change the route tables that are associated with the gateway endpoint.
When you associate a route table, we automatically add a route with the prefix
list for Amazon S3 as the destination and the gateway endpoint as the target.
When you disassociate a route table, we automatically remove the endpoint route
from the route table.

TO ASSOCIATE ROUTE TABLES USING THE CONSOLE

 1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

 2. In the navigation pane, choose Endpoints.

 3. Select the gateway endpoint.

 4. Choose Actions, Manage route tables.

 5. Select or deselect route tables as needed.

 6. Choose Modify route tables.

TO ASSOCIATE ROUTE TABLES USING THE COMMAND LINE

 * modify-vpc-endpoint (AWS CLI)

 * Edit-EC2VpcEndpoint (Tools for Windows PowerShell)


EDIT THE VPC ENDPOINT POLICY


You can edit the endpoint policy for a gateway endpoint, which controls access
to Amazon S3 from the VPC through the endpoint. The default policy allows full
access. An endpoint policy is evaluated in addition to the caller's identity
policy and the bucket policy, not instead of them: a request through the
endpoint must be allowed by all of them. For more information, see Endpoint
policies.

TO CHANGE THE ENDPOINT POLICY USING THE CONSOLE

 1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

 2. In the navigation pane, choose Endpoints.

 3. Select the gateway endpoint.

 4. Choose Actions, Manage policy.

 5. Choose Full Access to allow full access to the service, or choose Custom and
    attach a custom policy.

 6. Choose Save.

The following are example endpoint policies for accessing Amazon S3.

EXAMPLE: RESTRICT ACCESS TO A SPECIFIC BUCKET

You can create a policy that restricts access to specific S3 buckets only.
Because the endpoint policy applies to every request through the endpoint,
include the buckets that other AWS services in your VPC depend on (see
Considerations), or those services lose their access to Amazon S3.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-bucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
         "s3:ListBucket",
         "s3:GetObject",
         "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name",
        "arn:aws:s3:::bucket_name/*"
      ]
    }
  ]
}

EXAMPLE: RESTRICT ACCESS TO A SPECIFIC IAM ROLE

You can create a policy that restricts access to a specific IAM role. An
endpoint policy does not support naming an IAM role or user in the Principal
element, so keep Principal "*" and restrict access with the aws:PrincipalArn
condition key. For a role, aws:PrincipalArn carries the role ARN for every
session that assumes it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
        }
      }
    }
  ]
}

EXAMPLE: RESTRICT ACCESS TO USERS IN A SPECIFIC ACCOUNT

You can create a policy that restricts the endpoint to principals from a
specific account. This condition limits who can call through the endpoint, not
which buckets they can reach; combine it with an s3:ResourceAccount condition
to also stop data from leaving through the endpoint to buckets in other
accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-callers-from-specific-account",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}
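
To see how the bucket policy examples (under Control access using bucket
policies) and the endpoint policy examples above decide a request, here is a
small evaluator, added as an example and not part of AWS or of this guide. It
models only what these examples use (statements with Principal "*", the
String, IpAddress and Arn operators, and the missing-key rule) and runs the
page's statements against constructed request contexts. The role ARN,
endpoint, VPC and account IDs are the ones from the examples; the IP addresses,
the object key and the second endpoint, role and account IDs are assumed.

```python
"""Minimal evaluator for the conditions used in the bucket and endpoint
policies on this page.

Added example, not AWS's policy engine: it models only statements with
Principal "*", the operators StringEquals/StringNotEquals, IpAddress/
NotIpAddress and ArnEquals/ArnNotEquals, and the missing-key rule that makes
the Deny examples block the console: a negated operator matches when the
context key is absent, a positive one does not. Identity policies, SCPs and
the rest of the real evaluation are out of scope.
"""
import fnmatch
import ipaddress

def _ctx_value(ctx, key):
    """Condition key names are case-insensitive (aws:sourceVpce == aws:SourceVpce)."""
    return next((v for k, v in ctx.items() if k.lower() == key.lower()), None)

def _condition_true(operator, key, wanted, ctx):
    wanted = wanted if isinstance(wanted, list) else [wanted]
    value = _ctx_value(ctx, key)
    negated = operator.startswith(("StringNot", "NotIp", "ArnNot"))
    if value is None:
        return negated                      # missing key: only negated operators match
    if operator in ("StringEquals", "StringNotEquals"):
        hit = value in wanted
    elif operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(value)
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in wanted)
    elif operator in ("ArnEquals", "ArnNotEquals"):
        hit = any(fnmatch.fnmatchcase(value, w) for w in wanted)   # ArnEquals allows * and ?
    else:
        raise ValueError(f"unsupported operator {operator}")
    return hit != negated

def _applies(stmt, action, resource, ctx):
    as_list = lambda x: x if isinstance(x, list) else [x]
    if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
        return False
    return all(_condition_true(op, key, wanted, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())

def evaluate(policy, action, resource, ctx):
    """'Deny' if any Deny statement applies, else 'Allow' if one does, else 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            raise ValueError('only Principal "*" statements are modelled')
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

ROLE = "arn:aws:iam::111122223333:role/role_name"
BUCKET = "arn:aws:s3:::bucket_name"
S3_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]

# The page's endpoint and IP-range Deny statements, plus a constructed Allow for
# the role so that a request that escapes every Deny gets a definite answer.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"ArnEquals": {"aws:PrincipalArn": ROLE}}},
    {"Effect": "Deny", "Principal": "*", "Action": S3_ACTIONS, "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}},
    {"Effect": "Deny", "Principal": "*", "Action": S3_ACTIONS, "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"NotIpAddress": {"aws:VpcSourceIp": "172.31.0.0/16"}}}]}

# The page's role-restricted endpoint policy combined with the s3:ResourceAccount
# guard, so the endpoint refuses buckets owned by other accounts.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
     "Condition": {"ArnEquals": {"aws:PrincipalArn": ROLE}}},
    {"Effect": "Deny", "Principal": "*", "Action": S3_ACTIONS, "Resource": "arn:aws:s3:::*",
     "Condition": {"StringNotEquals": {"s3:ResourceAccount": "111122223333"}}}]}

# Constructed request contexts; a console request carries no VPC keys at all.
VIA_ENDPOINT = {"aws:sourceVpce": "vpce-1a2b3c4d", "aws:sourceVpc": "vpc-111bbb22",
                "aws:VpcSourceIp": "172.31.5.10", "aws:PrincipalArn": ROLE,
                "aws:PrincipalAccount": "111122223333", "s3:ResourceAccount": "111122223333"}
FROM_CONSOLE = {"aws:PrincipalArn": ROLE, "aws:PrincipalAccount": "111122223333",
                "s3:ResourceAccount": "111122223333", "aws:SourceIp": "203.0.113.7"}
OTHER_ENDPOINT = {**VIA_ENDPOINT, "aws:sourceVpce": "vpce-ffffffff"}            # assumed ID
OTHER_ACCOUNTS_BUCKET = {**VIA_ENDPOINT, "s3:ResourceAccount": "999988887777"}  # assumed ID
OTHER_ROLE = {**VIA_ENDPOINT, "aws:PrincipalArn": "arn:aws:iam::111122223333:role/other"}

def bucket_decision(ctx, key="report.csv"):
    return evaluate(BUCKET_POLICY, "s3:GetObject", f"{BUCKET}/{key}", ctx)

def endpoint_decision(ctx, key="report.csv"):
    return evaluate(ENDPOINT_POLICY, "s3:GetObject", f"{BUCKET}/{key}", ctx)

if __name__ == "__main__":
    for name, ctx in (("via endpoint", VIA_ENDPOINT), ("console", FROM_CONSOLE),
                      ("other endpoint", OTHER_ENDPOINT)):
        print(f"bucket policy / {name}: {bucket_decision(ctx)}")
    for name, ctx in (("own bucket", VIA_ENDPOINT), ("other account's bucket", OTHER_ACCOUNTS_BUCKET),
                      ("other role", OTHER_ROLE)):
        print(f"endpoint policy / {name}: {endpoint_decision(ctx)}")
```

The console request is denied by the bucket policy only because the negated
operator treats a missing aws:sourceVpce as a match; the same request through
the endpoint policy is simply not allowed (an implicit deny) when the caller
is a different role, because a positive ArnEquals never matches a value it was
not given.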


DELETE A GATEWAY ENDPOINT


When you are finished with a gateway endpoint, you can delete it. When you
delete a gateway endpoint, we remove the endpoint route from the subnet route
tables.

You can't delete a gateway endpoint if private DNS is enabled.

TO DELETE A GATEWAY ENDPOINT USING THE CONSOLE

 1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

 2. In the navigation pane, choose Endpoints.

 3. Select the gateway endpoint.

 4. Choose Actions, Delete VPC endpoints.

 5. When prompted for confirmation, enter delete.

 6. Choose Delete.

TO DELETE A GATEWAY ENDPOINT USING THE COMMAND LINE

 * delete-vpc-endpoints (AWS CLI)

 * Remove-EC2VpcEndpoint (Tools for Windows PowerShell)
