Get started with Amazon S3 VPC Gateway Endpoint
An Amazon S3 VPC (Virtual Private Cloud) Gateway Endpoint is a feature offered by Amazon Web Services that allows you to create a private connection between your VPC and Amazon S3, keeping your data traffic isolated from the public internet.
This connection is made without requiring an Internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3. The traffic between your VPC and Amazon S3 goes over the Amazon network, enhancing the security and privacy of your data transfers.
Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Gateway endpoints do not use AWS PrivateLink, unlike other types of VPC endpoints.
There is no additional charge for using gateway endpoints.
Amazon S3 supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide.
Features
Private Access to S3: The primary feature of an S3 VPC Gateway Endpoint is to enable instances in your VPC to use their private IP addresses to access S3 resources, without needing to traverse the public internet. This can help to secure your data transfers and potentially reduce costs associated with data transfer rates.
Policy-Based Access Control: You can attach endpoint policies to your S3 VPC Gateway Endpoint that specify the S3 buckets accessible through the endpoint. This adds an additional layer of access control, allowing you to manage which resources can be accessed from your VPC.
S3 Bucket Policies Integration: Along with endpoint policies, you can also use S3 bucket policies to control access to buckets from specific endpoints, VPCs, IP address ranges, and AWS accounts. For more information, see Control access using bucket policies.
Supported S3 Actions: Most actions available in Amazon S3 are supported through the VPC Gateway Endpoint, including PUT, GET, DELETE, and LIST operations on objects in your buckets.
Benefits
Enhanced Security: Since the data between your VPC and Amazon S3 doesn't travel over the public internet, it's less exposed to potential threats. This setup can be part of a broader strategy to enhance the security posture of your applications and data.
Cost-Efficiency: Data transferred between your VPC and Amazon S3 through a VPC Gateway Endpoint may incur lower charges compared to data transferred over the public internet, especially when considering data egress fees.
Simplified Network Architecture: By eliminating the need for Internet Gateways or NAT devices for S3 access, the VPC Gateway Endpoint can simplify your network architecture. This can make it easier to manage and secure your AWS resources.
Improved performance: Direct routing to S3 can potentially offer faster transfer speeds and lower latency.
Access through an internet gateway
In general, you can access Amazon S3 or DynamoDB through their public service endpoints or through gateway endpoints.
The following diagram shows how instances access Amazon S3 and DynamoDB through their public service endpoints. Traffic to Amazon S3 or DynamoDB from an instance in a public subnet is routed to the internet gateway for the VPC and then to the service. Instances in a private subnet can't send traffic to Amazon S3 or DynamoDB, because by definition private subnets do not have routes to an internet gateway. To enable instances in the private subnet to send traffic to Amazon S3 or DynamoDB, you would add a NAT device to the public subnet and route traffic in the private subnet to the NAT device. While traffic to Amazon S3 or DynamoDB traverses the internet gateway, it does not leave the AWS network.
Image credits: AWS
Access through a gateway endpoint
The following diagram shows how instances access Amazon S3 and DynamoDB through a gateway endpoint. Traffic from your VPC to Amazon S3 or DynamoDB is routed to the gateway endpoint. Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint using the prefix list for the service. For more information, see AWS-managed prefix lists in the Amazon VPC User Guide.
Implementation
Create a gateway endpoint using the console
To set up an S3 VPC Gateway Endpoint using the console, you would typically:
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Choose Create endpoint.
For Service category, choose AWS services.
For Services, add the filter Type: Gateway and select com.amazonaws.
region
.s3.For VPC, select the VPC in which to create the endpoint.
For Route tables, select the route tables to be used by the endpoint. AWS automatically add a route that points traffic destined for the service to the endpoint network interface.
For Policy, select Full access to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, select Custom to attach a VPC endpoint policy that controls the permissions that principals have to perform actions on resources over the VPC endpoint.
(Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
Choose Create endpoint.
Create a gateway endpoint using the AWS CLI
To create a VPC endpoint for Amazon S3 via the AWS CLI, you'll need to use the create-vpc-endpoint
command. This command allows you to specify various parameters including the VPC ID, the type of endpoint, the service name, route table IDs, and endpoint policy documents.
Here's a step-by-step guide to creating a VPC Gateway Endpoint for Amazon S3 using the AWS CLI:
1. Ensure AWS CLI is installed and configured
First, make sure that you have the AWS CLI installed and configured on your machine. You can check if the AWS CLI is installed by running aws --version
.
2. Identify the Service Name for Amazon S3
The service name for Amazon S3 endpoints is usually in the format com.amazonaws.region.s3
, where region
is the AWS region in which you want to create the endpoint (e.g., us-east-1
).
3. Create the VPC Endpoint
Use the create-vpc-endpoint
command to create your S3 VPC Gateway Endpoint. Replace vpc-id
, region
, and route-table-ids
with your actual VPC ID, desired AWS region, and route table IDs.
aws ec2 create-vpc-endpoint --vpc-id vpc-xxxxxx --vpc-endpoint-type Gateway --service-name com.amazonaws.region.s3 --route-table-ids rtb-xxxxxx rtb-yyyyyy --region region
--vpc-id
: The ID of your VPC.--vpc-endpoint-type
: For S3, this should beGateway
.--service-name
: The service name for S3 in your region (e.g.,com.amazonaws.us
-east-1.s3
).--route-table-ids
: The route table(s) associated with your subnet(s). Multiple route table IDs can be specified separated by spaces.--region
: The AWS region where the command is executed.
Optional Parameters
--policy-document
: You can specify an endpoint policy (as a JSON string) that controls access to S3 from the VPC endpoint. If not specified, a full access policy is applied by default.--tag-specifications
: Allows you to specify tags for the endpoint in the format'ResourceType=resource-type,Tags=[{Key=key,Value=value}]'
.
4. Verify the Endpoint Creation
After running the command, you'll receive output containing information about the created VPC endpoint. Verify the details to ensure that the endpoint has been set up as expected.
Example
Here's an example command that creates a VPC Gateway Endpoint for S3 in the us-east-1
region:
aws ec2 create-vpc-endpoint --vpc-id vpc-006ec5c8e535a0fae --vpc-endpoint-type Gateway --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-05efd6de260e24a5e --region us-east-1
This command creates a VPC Gateway Endpoint for Amazon S3, allowing instances within the specified VPC to privately access S3 resources without traversing the public internet.
Remember to replace placeholder values with your actual VPC and route table IDs, and adjust the region and service name as necessary for your specific requirements.