Deba43/Accessing-S3-Objects-Through-VPC-Endpoints

🔐 Accessing S3 Objects Through VPC Endpoints (Gateway Endpoint)

📌 Project Overview

This project demonstrates how to securely access an Amazon S3 bucket from an EC2 instance inside a VPC using a VPC Endpoint.

By default, when an EC2 instance communicates with S3, the traffic may route through the public internet.
To improve security and ensure private connectivity, we use an S3 Gateway VPC Endpoint so that traffic stays within the AWS network.


❓ Problem Statement

Normally, an EC2 instance can access S3 through the public internet.

Even though the instance runs inside a VPC, services like S3 are not deployed inside the VPC, because they are global/regional AWS-managed services designed for high availability.

⚠️ This means traffic between EC2 and S3 can potentially traverse public routes, increasing exposure.

Solution: Use a VPC Endpoint to privately connect the VPC to S3 without requiring internet access.


✅ Goals of This Project

  • Create a VPC from scratch
  • Launch an EC2 instance and configure access
  • Create an S3 bucket
  • Add an S3 Gateway VPC Endpoint
  • Verify the endpoint by locking down the bucket using a Bucket Policy
  • Ensure bucket access is allowed ONLY through the endpoint

🏗️ Architecture (High-Level)

EC2 Instance (VPC) → VPC Gateway Endpoint → S3 Bucket
✅ No public internet required
✅ Traffic stays inside AWS backbone network


🛠️ Tech Stack / AWS Services Used

  • Amazon VPC
  • EC2
  • S3
  • VPC Gateway Endpoint (S3)
  • IAM / Bucket Policies
  • EC2 Instance Connect
  • AWS CLI (for testing)

🔍 Key Concepts Covered

✅ Why VPC Endpoints?

Without a VPC endpoint:

  • Traffic from EC2 to S3 can go out through the public route

With a VPC endpoint:

  • EC2 can reach S3 privately without internet access
  • Improved security + reduced data transfer exposure

✅ Bucket Policy Validation Test

To confirm that S3 access is truly private through the endpoint:

  1. Block all access to the S3 bucket
  2. Allow access only from the VPC endpoint
  3. Test from EC2 using AWS CLI

If EC2 can still reach the bucket → the request arrived through the endpoint, so the endpoint works ✅
If EC2 is blocked → the request did not carry the endpoint ID, so the endpoint is not being used (check the route table association) ❌


✅ Steps Followed

  1. Created a custom VPC
    • Subnets
    • Route Tables
    • Security Groups
  2. Launched an EC2 instance
    • Connected using EC2 Instance Connect
    • Installed / configured AWS CLI
  3. Created an S3 bucket
    • Uploaded objects for testing
  4. Configured an S3 Gateway VPC Endpoint
    • Attached the endpoint to the VPC route table
  5. Applied a restricted bucket policy
    • Allowed only requests whose aws:SourceVpce condition key matches the endpoint ID
  6. Tested access from EC2
    • Verified that access works ONLY through the endpoint

📜 Sample Bucket Policy (Endpoint-Only Access)

Replace YOUR_BUCKET_NAME with your bucket name and YOUR_VPCE_ID with the ID of the gateway endpoint (the value that appears in the aws:SourceVpce condition key).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessOnlyFromVPCEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "YOUR_VPCE_ID"
        }
      }
    }
  ]
}
```
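The validation test above and the sample policy both hinge on how S3 evaluates the aws:SourceVpce condition. One point worth checking before relying on the policy: a bucket policy that contains only an Allow statement never blocks a same-account IAM principal whose own identity policy already grants s3:* access, so from outside the VPC such a caller still gets in. Locking the bucket to the endpoint needs an explicit Deny with StringNotEquals as well. The script below is an added example, not code from the repository; it is a small simulator of the IAM decision order (explicit Deny, then Allow, otherwise implicit Deny) that replays the three request cases against the README's Allow-only policy and against a hardened Allow+Deny variant. The endpoint ID and object key are constructed sample values, and the `evaluate`/`run_validation` helpers are this example's own.

```python
"""Simulate S3 bucket-policy evaluation for aws:SourceVpce conditions.

Added example, not part of the original repository. It models the core IAM
decision order (explicit Deny wins, then Allow, otherwise implicit Deny) for
one bucket policy plus a flag standing in for the caller's identity policy.
Only the StringEquals / StringNotEquals operators and the s3:* wildcard used
by these policies are implemented.
"""
import copy

BUCKET = "YOUR_BUCKET_NAME"          # placeholder from the README
VPCE_ID = "vpce-0123456789abcdef0"   # constructed sample endpoint id

# The README's policy: a single Allow restricted to the endpoint.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessOnlyFromVPCEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}},
        }
    ],
}

# Hardened variant (constructed here): same Allow plus an explicit Deny for
# any request that did not arrive through the endpoint.
ENDPOINT_ONLY_POLICY = copy.deepcopy(ALLOW_ONLY_POLICY)
ENDPOINT_ONLY_POLICY["Statement"].append(
    {
        "Sid": "DenyAccessFromOutsideVPCEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """A missing context key fails StringEquals but satisfies StringNotEquals,
    which is how IAM treats negated operators."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _resource_matches(pattern, resource):
    # Only the trailing "/*" wildcard used by these policies is supported.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _statement_applies(stmt, action, resource, context):
    if not any(a in ("s3:*", action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context, iam_allows, same_account=True):
    """Return "Allow" or "Deny" for one request.

    iam_allows: whether the caller's own identity policy grants the action.
    Same-account callers need either the identity policy or the bucket policy
    to allow; cross-account callers need both. An explicit Deny always wins.
    """
    explicit_deny = bucket_allow = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                explicit_deny = True
            elif stmt["Effect"] == "Allow":
                bucket_allow = True
    if explicit_deny:
        return "Deny"
    if same_account:
        return "Allow" if (bucket_allow or iam_allows) else "Deny"
    return "Allow" if (bucket_allow and iam_allows) else "Deny"


def run_validation():
    """Replay the README's validation test against both policies."""
    obj = f"arn:aws:s3:::{BUCKET}/test-object.txt"   # constructed sample key
    via_endpoint = {"aws:SourceVpce": VPCE_ID}        # routed through the gateway endpoint
    outside_vpc = {}                                  # public route: key is absent
    scenarios = {                                     # (context, iam_allows, same_account)
        "ec2_via_endpoint": (via_endpoint, True, True),
        "same_account_outside_vpc": (outside_vpc, True, True),
        "anonymous_outside_vpc": (outside_vpc, False, False),
    }
    return {
        name: {label: evaluate(policy, "s3:GetObject", obj, ctx, iam, same)
               for label, (ctx, iam, same) in scenarios.items()}
        for name, policy in (("allow_only", ALLOW_ONLY_POLICY),
                             ("endpoint_only", ENDPOINT_ONLY_POLICY))
    }


if __name__ == "__main__":
    for policy_name, outcomes in run_validation().items():
        print(policy_name)
        for scenario, decision in outcomes.items():
            print(f"  {scenario:26s} {decision}")
```

Running it shows the gap: under the Allow-only policy the same-account caller outside the VPC is still allowed, while the Allow+Deny variant denies everything that does not carry the endpoint ID. The explicit Deny is also what makes the README's test meaningful from EC2, since a blocked request then proves the route really bypassed the endpoint. Keep in mind that the Deny applies to every principal, including administrators working from the console or from outside the VPC, so apply it with a tested path back to the bucket (for example an exemption for an admin role via an additional condition) before relying on it in a real account.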
