AWS S3 Website with private-only access
Hosting a static website on S3 has become a standard solution and there are lots of articles over the Internet describing the setup. But what if you need your website to be accessible only from your internal network? Let’s see how to do this :)
TL;DR
Use S3 gateway VPC endpoints + route tables + a bucket policy with an aws:SourceVpce condition to limit your bucket access to private networks only.
Setup description
Assume that you have several VPCs with instances running in them. You want to reach your S3 buckets privately and without paying for Internet egress, so you create S3 gateway endpoints in all VPCs and add the endpoint routes to their route tables.
At some point you set up an S3 website. Its DNS name lives in your private DNS zone, i.e. it is not resolvable from outside your network. But an S3 website endpoint only serves anonymous requests, so the website setup requires a bucket policy that lets all clients read the objects:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yoursite.company.io/*"
}
]
}
To limit access while keeping the site working, add a Condition to your bucket policy statement(s) so that the grant applies only when the request comes in through particular VPC endpoints. Condition key names are case-insensitive, and a request whose context carries no aws:SourceVpce at all (one arriving from the Internet, for example) never matches the statement and is denied by default. A "Principal": "*" grant restricted by aws:SourceVpce is also not treated as public by S3 Block Public Access, so you can keep that enabled on the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yoursite.company.io/*",
"Condition": {
"StringEquals": {
"aws:sourceVpce": [
"vpce-0011223344",
"vpce-aabbccddee"
]
}
}
}
]
}
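The two policies above differ only in the Condition, and that difference is exactly what makes the bucket private. Here is a small added check (example code written for this page, not from the original post) that lints a website bucket policy for an unconditioned anonymous grant and simulates S3's bucket-policy decision for a few constructed request contexts. The policies are the post's own with its placeholder endpoint IDs (vpce-0011223344, vpce-aabbccddee); the bucket name, object key and request contexts are constructed, and only the policy features the post uses (Allow/Deny, Principal "*", string Action/Resource, StringEquals) are modelled:

```python
"""Lint a bucket policy for the private-website pattern and simulate S3's decision.

Added example, not code from the original post. Policies are the ones shown in
the post (placeholder endpoint IDs); request contexts are constructed.
"""
import copy
import fnmatch

BUCKET = "yoursite.company.io"
SAMPLE_OBJECT = f"arn:aws:s3:::{BUCKET}/index.html"  # constructed object ARN

# The post's second policy: public read, but only through two gateway endpoints.
PRIVATE_SITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {
            "aws:SourceVpce": ["vpce-0011223344", "vpce-aabbccddee"]}},
    }],
}

# The post's first policy: the same grant with no condition, i.e. world-readable.
PUBLIC_SITE_POLICY = copy.deepcopy(PRIVATE_SITE_POLICY)
del PUBLIC_SITE_POLICY["Statement"][0]["Condition"]

# Condition keys that S3 Block Public Access treats as making a "Principal": "*"
# grant non-public (a subset of the documented list; keys are case-insensitive).
RESTRICTING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
                    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous_grant(stmt):
    """True for Allow statements addressed to everyone ("*" or {"AWS": "*"})."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def statement_is_public(stmt):
    """An anonymous grant is public unless some condition uses a restricting key."""
    if not _is_anonymous_grant(stmt):
        return False
    for keys in stmt.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_KEYS for key in keys):
            return False
    return True


def policy_is_public(policy):
    """Pre-deploy check: refuse to ship a website bucket policy that is world-readable."""
    return any(statement_is_public(s) for s in policy["Statement"])


def _condition_matches(condition, ctx):
    """StringEquals only. A key missing from the request context never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if ctx.get(key.lower()) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simulate the bucket-policy part of S3 authorization for an anonymous request.

    Default is Deny; an explicit Deny wins; otherwise a matching Allow wins.
    Principal is not checked: the website endpoint only serves anonymous
    requests and every statement here is addressed to "*".
    """
    ctx = {k.lower(): v for k, v in context.items()}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print("public policy is public:", policy_is_public(PUBLIC_SITE_POLICY))
    print("private policy is public:", policy_is_public(PRIVATE_SITE_POLICY))
    for ctx in ({"aws:SourceVpce": "vpce-0011223344"}, {"aws:SourceVpce": "vpce-deadbeef"}, {}):
        print(ctx, "->", evaluate(PRIVATE_SITE_POLICY, "s3:GetObject", SAMPLE_OBJECT, ctx))
```

The simulator is deliberately minimal: it exists to show that an unlisted endpoint, a request with no endpoint in its context, another action, or another bucket all fall through to the default Deny, while the public variant allows anyone. For a real policy, run the same cases through the IAM policy simulator or S3 access analyzer rather than trusting a local model.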
Accessing S3 from AWS Client VPN
If you use AWS Client VPN and want to use the setup above, VPN clients have to reach S3 through one of the VPC gateway endpoints listed in the bucket policy, so you need to push the S3 address ranges into the Client VPN routing. To do this:
- Go to any of the VPC route tables that has the S3 endpoint route added and find that route.
- Take the S3 subnet list from the route’s “Destination” field. For me it looked like:
  com.amazonaws.us-east-1.s3, 54.231.0.0/17, 52.216.0.0/15, 3.5.16.0/21, 3.5.0.0/20
- For each IP subnet (i.e. everything except the com.amazonaws.us-east-1.s3 prefix-list name) add a route to your Client VPN endpoint’s route table. You need one route per S3 CIDR through each VPN target subnet, plus an authorization rule for each CIDR; without the authorization rule clients get the route but still cannot reach the destination.
After this reconnect to your Client VPN. The routes pushed to the client will now include the S3 CIDRs, and requests will reach S3 via the gateway endpoint of that VPC, so its ID must be in the bucket policy’s aws:SourceVpce list.
NOTE: to prevent problems with S3 access, use an S3 endpoint that has no restrictions of its own (the default endpoint policy allows access to any bucket in any account from any client). The bucket policy condition still limits who can read this particular bucket.
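The route list above turns into one Client VPN route per (S3 CIDR, VPN subnet) pair, which is tedious to type by hand. The following added example (written for this page, not part of the original post) parses the Destination string the post shows, validates each CIDR, and prints the aws ec2 create-client-vpn-route and authorize-client-vpn-ingress commands for review. The Client VPN endpoint ID and subnet IDs are placeholders; the authorization rule per CIDR is a step the post does not mention but Client VPN requires:

```python
"""Turn the S3 endpoint route's "Destination" field into AWS Client VPN routes
and authorization rules.

Added example, not code from the original post. ROUTE_DESTINATION is the
Destination string shown in the post; the endpoint ID and subnet IDs are
placeholders. Nothing is executed; the commands are printed for review.
"""
import ipaddress

ROUTE_DESTINATION = ("com.amazonaws.us-east-1.s3, 54.231.0.0/17, 52.216.0.0/15, "
                     "3.5.16.0/21, 3.5.0.0/20")
VPN_ENDPOINT_ID = "cvpn-endpoint-0123456789abcdef0"   # placeholder
VPN_SUBNET_IDS = ["subnet-0aaa", "subnet-0bbb"]        # placeholder: the VPN's target subnets


def s3_cidrs(destination):
    """Return the CIDRs from the Destination field, skipping the prefix-list name.

    A malformed CIDR (host bits set, bad mask) raises ValueError instead of being
    silently normalised, so a copy-paste error is caught before any route is added.
    """
    cidrs = []
    for item in (part.strip() for part in destination.split(",")):
        if "/" not in item:          # e.g. com.amazonaws.us-east-1.s3
            continue
        cidrs.append(str(ipaddress.ip_network(item, strict=True)))
    return cidrs


def client_vpn_commands(destination, vpn_endpoint_id, subnet_ids):
    """One route per (S3 CIDR, VPN subnet) pair, plus an authorization rule per CIDR.

    Client VPN needs both: a route alone leaves the destination unreachable.
    """
    commands = []
    for cidr in s3_cidrs(destination):
        for subnet in subnet_ids:
            commands.append(
                "aws ec2 create-client-vpn-route"
                f" --client-vpn-endpoint-id {vpn_endpoint_id}"
                f" --destination-cidr-block {cidr}"
                f" --target-vpc-subnet-id {subnet}")
        commands.append(
            "aws ec2 authorize-client-vpn-ingress"
            f" --client-vpn-endpoint-id {vpn_endpoint_id}"
            f" --target-network-cidr {cidr}"
            " --authorize-all-groups")
    return commands


if __name__ == "__main__":
    print("\n".join(client_vpn_commands(ROUTE_DESTINATION, VPN_ENDPOINT_ID, VPN_SUBNET_IDS)))
```

The VPC route table uses a managed prefix list that AWS updates as S3 ranges change, while Client VPN routes are static CIDRs, so re-run this against the current Destination field (or the prefix list’s entries) whenever S3 access from the VPN starts failing for some objects.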
Published June 24, 2020. Category: aws