Sunday, June 29, 2025

Amazon S3 | Access Points with VPC Origin.

S3 Access Points simplify managing data access at scale by providing unique hostnames and fine-grained permissions for specific use cases.

When twtech uses an S3 Access Point with a VPC origin, the access point accepts requests only from within the specified VPC; requests arriving from the internet are rejected, which adds a network-level control on top of the IAM and bucket-policy checks.

The concept: VPC-Origin Access Point

A VPC-origin access point is an S3 access point configured to allow only traffic that originates from a specified VPC, via VPC endpoints (interface endpoints). This means:

· No internet access is allowed.

· Access is confined to AWS PrivateLink traffic from your VPC.

· IAM policies, the access point policy and the bucket policy still apply as additional controls.

Key Benefits

· Enhanced security – only accessible from the specified VPC.

· Network isolation – keeps S3 traffic inside the AWS network.

· Granular access control – different access points for different apps, roles, or users.

Requirements

1. A VPC in your account.

2. A VPC endpoint for S3 (interface endpoint, not gateway).

3. An S3 bucket with an Access Point created on it.

4. The access point must have its NetworkOrigin set to VPC.

 Example Setup

Step 1: Create a VPC Interface Endpoint for S3

# bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-1234xxxx \
  --service-name com.amazonaws.us-east-2.s3 \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-12345xxxx \
  --security-group-ids sg-1234xxxx

Step 2: Create a VPC-Origin Access Point

# bash
aws s3control create-access-point \
  --account-id 123456xxxxx \
  --name twtech-vpc-ap \
  --bucket twtech-s3bucket \
  --vpc-configuration VpcId=vpc-1234xxxx   # this is what sets NetworkOrigin to VPC

Step 3: Access S3 via Access Point

Use the access point hostname (not the bucket name):

# text
twtech-vpc-ap-12345678xxxx.s3-accesspoint.us-east-2.vpce.amazonaws.com

 Access Policy Example

Access Point Policy restricting reads to the VPC from Step 1 (the region and VPC ID must match the ones used when the endpoint and access point were created, otherwise the condition never matches and every request is denied):

# json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-2:123456xxxxx:accesspoint/twtech-vpc-ap/object/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-1234xxxx"
        }
      }
    }
  ]
}
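An added example (not part of the original post) that audits the two layers described above together: the access point's NetworkOrigin and the policy's aws:SourceVpc / aws:SourceVpce condition. The input is a constructed sample whose shape is assumed to match what `aws s3control get-access-point` and `get-access-point-policy` return; all IDs are made up.

```python
import json

# Constructed sample input (shape assumed to follow the s3control
# get-access-point / get-access-point-policy responses; values are made up).
ACCESS_POINT = {
    "Name": "twtech-vpc-ap",
    "Bucket": "twtech-s3bucket",
    "NetworkOrigin": "VPC",
    "VpcConfiguration": {"VpcId": "vpc-1234xxxx"},
}
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:us-east-2:123456xxxxx:accesspoint/twtech-vpc-ap/object/*",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-1234xxxx"}}
  }]
}""")

def _wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}: any caller the network path lets in."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def _vpc_pinned(stmt, vpc_id):
    """True if a StringEquals condition ties the statement to vpc_id or to a VPC endpoint."""
    for operator, block in stmt.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue  # only an equality match pins the caller's network origin
        for key, value in block.items():
            values = value if isinstance(value, list) else [value]
            if key.lower() == "aws:sourcevpce" and values:
                return True
            if key.lower() == "aws:sourcevpc" and vpc_id in values:
                return True
    return False

def audit_access_point(ap, policy):
    """Return findings; an empty list means both the network origin and the policy are VPC-only."""
    findings = []
    if ap.get("NetworkOrigin") != "VPC":
        findings.append("NetworkOrigin is %s, not VPC" % ap.get("NetworkOrigin"))
    vpc_id = ap.get("VpcConfiguration", {}).get("VpcId")
    for i, stmt in enumerate(policy.get("Statement", [])):
        # Only Allow statements open to any principal need a network pin.
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if not _vpc_pinned(stmt, vpc_id):
            findings.append("statement %d: Principal '*' not pinned to %s" % (i, vpc_id))
    return findings
```

Run it against the real `get-access-point` and `get-access-point-policy` output for each access point; any non-empty finding list means the access point is reachable from outside the intended VPC on at least one layer.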

twtech-tips

· Must use an interface VPC endpoint; gateway endpoints won't work.

· The Access Point hostname must be used, not the bucket name.

· twtech needs to configure DNS settings and security groups properly for access.
