Premise: my organization has a Direct Connect connection to AWS.
I have created an S3 bucket, and I want to limit connectivity to it so that users can only connect to it via the direct connection (so as to prohibit any access from outside our network).
Is this possible?
CodePudding user response:
Yes, it's possible. You have to create a VPC interface endpoint for S3 in the desired subnet(s), and then you can use the --region and --endpoint-url flags in CLI commands, e.g.:
$ aws s3 ls s3://mybucket --region eu-west-2 --endpoint-url http://vpce-001760f0be22cd4e2-3ew5rhyv.s3.eu-west-2.vpce.amazonaws.com
This blog walks you through this step by step.
You can combine this with a bucket policy that prohibits any traffic coming from outside the VPC endpoint for further security.
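An added example of such a bucket policy (not from the original answer): it denies every S3 action on the bucket and its objects unless the request arrived through the VPC endpoint, using the endpoint ID from the command above and the bucket name mybucket as placeholders for your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideTheVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-001760f0be22cd4e2"
        }
      }
    }
  ]
}
```

Because the Deny applies to every principal, it also blocks access from the AWS console and from any administrator not connecting through the endpoint, so verify the endpoint path works before attaching the policy.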