Cannot access static website hosted on S3 bucket, from within VPC

Time:10-29

I am looking to host a static website on AWS, using an S3 bucket.

I followed these steps.

The site is a usual directory with subdirectories:

app
│   index.html   
└───scripts
│   │   things.js
│   │   stuff.js
└───images
    │   img1.png
    │   img2.jpg

I want to make the website accessible only to people inside our VPC. I attached the following type of policy to the bucket holding the site files (adding my specific bucket name and VPC id):

{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-blahblahblah"
                }
            }
        }
    ]
}

I also set up a VPC endpoint, with the endpoint ID set as the value for aws:sourceVpce inside the bucket policy.

I set up the VPC endpoint following these steps.

But I still cannot access this site on my browser (I'm assuming that since I am accessing the AWS console with the same browser that AWS is aware I am inside the VPC).

<Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>blahblahblah</RequestId>
    <HostId>blahblahblah</HostId>
</Error>
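To see why the request in the question ends in AccessDenied, here is an added example (not code from the question or from AWS) that evaluates the posted bucket policy the way S3 evaluates an anonymous request: default deny, a matching Allow only when every condition key is present and equal. It keeps the question's placeholder bucket name and endpoint id, models only Allow/Deny, Action/Resource wildcards and the StringEquals/StringNotEquals operators, and ignores Principal (the policy uses "*"). The object ARN, the second endpoint id and the "my_bucket-backups" bucket are made-up inputs for the demonstration.

```python
import re

# The policy from the question, placeholders kept as posted.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket*",
            "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-blahblahblah"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, text):
    """IAM wildcard matching: '*' is any run of characters (slashes included),
    '?' is exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None


def condition_holds(condition, context):
    """True when every condition block is satisfied by the request context.
    A positive operator fails when its key is absent from the request;
    a negated one passes, which is how IAM treats a missing key."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. An explicit Deny
    wins; with no matching Allow the request is implicitly denied, which S3
    reports as AccessDenied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(pattern_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(pattern_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECT_ARN = "arn:aws:s3:::my_bucket/index.html"  # made-up object for the demo


def from_internet():
    # A browser reaching S3 over the public internet (the console session in
    # the question included) carries no aws:sourceVpce key at all.
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {})


def from_vpc_endpoint():
    # The same GET routed through the gateway endpoint named in the policy.
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {"aws:sourceVpce": "vpce-blahblahblah"})


def from_other_endpoint():
    # Traffic through any other endpoint is still denied.
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {"aws:sourceVpce": "vpce-other"})


def resource_pattern_is_too_broad():
    # "my_bucket*" also matches any bucket whose name merely starts with
    # my_bucket; the object form used in the AWS examples, "my_bucket/*", does not.
    return pattern_matches("arn:aws:s3:::my_bucket*", "arn:aws:s3:::my_bucket-backups/dump.sql")


def tight_pattern_is_not():
    return pattern_matches("arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket-backups/dump.sql")


if __name__ == "__main__":
    print("from internet:", from_internet())          # ImplicitDeny
    print("via endpoint:", from_vpc_endpoint())       # Allow
```

The first call reproduces the error in the question: nothing in the policy denies the request, it simply never matches the Allow, because only traffic that actually traverses the gateway endpoint carries aws:sourceVpce. The last two functions show the side effect of the "my_bucket*" resource pattern; the AWS examples list the bucket ARN and "bucket/*" separately instead.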

CodePudding user response:

You may want to access your website using a VPC Endpoint, otherwise your traffic will be routed through the public internet and not directly to the bucket.

From an AWS support page relating to accessing static websites from a VPC:

The VPC endpoint is associated to the route table of the EC2 instance that you're using, so that the traffic is associated with the VPC ID referenced in the bucket policy.
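The quoted note says the endpoint has to be on the path from the instance: a gateway endpoint only affects subnets whose route table it is associated with, and only that traffic arrives at S3 with aws:sourceVpce set. The following is an added example, not code from the answer or from AWS, that checks this offline against the JSON shapes returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables`. The two response documents, and every id in them other than the question's vpce-blahblahblah (rtb-private, rtb-main, subnet-private, subnet-public, pl-s3, igw-public), are constructed for the demonstration.

```python
# Constructed sample of `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-blahblahblah`
VPC_ENDPOINTS = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-blahblahblah",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
            "RouteTableIds": ["rtb-private"],
        }
    ]
}

# Constructed sample of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`
ROUTE_TABLES = {
    "RouteTables": [
        {
            # explicitly associated with subnet-private; the endpoint added its prefix-list route
            "RouteTableId": "rtb-private",
            "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-blahblahblah"},
            ],
        },
        {
            # the VPC's main table, used by every subnet without an explicit association
            "RouteTableId": "rtb-main",
            "Associations": [{"Main": True}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-public"},
            ],
        },
    ]
}


def route_table_for_subnet(route_tables, subnet_id):
    """A subnet uses the table explicitly associated with it, otherwise the main table."""
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def endpoint_reaches_subnet(vpc_endpoints, route_tables, endpoint_id, subnet_id):
    """True when S3 traffic from subnet_id is routed through endpoint_id, so S3
    will see aws:sourceVpce == endpoint_id on those requests."""
    endpoint = next(
        (e for e in vpc_endpoints["VpcEndpoints"] if e["VpcEndpointId"] == endpoint_id), None
    )
    if endpoint is None or endpoint["VpcEndpointType"] != "Gateway" or endpoint["State"] != "available":
        return False
    table = route_table_for_subnet(route_tables, subnet_id)
    if table is None or table["RouteTableId"] not in endpoint["RouteTableIds"]:
        return False
    # Associating a gateway endpoint adds a route for the service prefix list
    # whose target is the endpoint itself; that route is what diverts the traffic.
    return any(
        route.get("GatewayId") == endpoint_id and "DestinationPrefixListId" in route
        for route in table["Routes"]
    )


def tables_without_endpoint(vpc_endpoints, route_tables, endpoint_id):
    """Route tables in the VPC whose subnets still go to S3 over the internet."""
    endpoint = next(e for e in vpc_endpoints["VpcEndpoints"] if e["VpcEndpointId"] == endpoint_id)
    return [t["RouteTableId"] for t in route_tables["RouteTables"]
            if t["RouteTableId"] not in endpoint["RouteTableIds"]]


if __name__ == "__main__":
    for subnet in ("subnet-private", "subnet-public"):
        print(subnet, endpoint_reaches_subnet(VPC_ENDPOINTS, ROUTE_TABLES, "vpce-blahblahblah", subnet))
    print("not covered:", tables_without_endpoint(VPC_ENDPOINTS, ROUTE_TABLES, "vpce-blahblahblah"))
```

To run it against a real account, replace the two constants with `json.load` of the two CLI outputs and pass the subnet of the instance (or the workstation's VPN-attached subnet) whose requests are being denied. A subnet that falls through to the main table, as subnet-public does here, sends S3 traffic via the internet gateway, and S3 then sees no aws:sourceVpce on the request.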

CodePudding user response:

S3 static websites require public access. There is no such thing as a private S3 website in a VPC or accessible only through a VPC endpoint.

To make your S3 website work, you must set your bucket to public, or use CloudFront, which is also accessible only through the internet. But at least your bucket can be private when you front it with CloudFront (though not the website itself).
