Sunday, June 29, 2025

Amazon S3 Access Points with VPC Origin | Overview

Amazon S3 Access Points with VPC Origin - Overview

  • Intro,
  • The concept: VPC-Origin Access Point,
  • Key Benefits,
  • Requirements,
  • Sample Setup, Step-by-Step (CLI),
  • Access Policy Sample
  • Tips

Intro:

  • S3 Access Points simplify managing data access at scale by providing unique hostnames and fine-grained permissions for specific use cases.
  • When twtech uses an S3 Access Point with a VPC origin, twtech is enabling access to S3 only from within a specified VPC, effectively restricting internet access and enhancing network-level security.

 The concept: VPC-Origin Access Point

A VPC-origin access point is an S3 access point configured to only allow twtech traffic originating from a specified VPC, via VPC endpoints (interface endpoints)

This means:

  •         No internet access is allowed.
  •         Access is confined to AWS PrivateLink traffic from twtech VPC.
  •         It uses AWS IAM policies and bucket policies for additional controls.

Key Benefits

  •         Enhanced security – Only accessible from specified VPCs.
  •         Network isolation – Keeps S3 data inside the AWS network.
  •         Granular access control – Different access points for different apps, roles, or users.

 Requirements

     1.     VPC in twtech account.
2.     VPC endpoint for S3 (interface endpoint, not gateway).
3.     S3 bucket with Access Point created.
4.     Access point must have the NetworkOrigin set to VPC.

 Sample Setup Step-by-Step (CLI)

Step 1: Create a VPC Interface Endpoint for S3

# bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-1234xxxx \
  --service-name com.amazonaws.us-east-2.s3 \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-12345xxxx \
  --security-group-ids sg-1234xxxx
Step 2: Create a VPC-Origin Access Point
# bash
aws s3control create-access-point \
  --account-id accountID \
  --name twtech-vpc-ap \
  --bucket twtech-s3bucket \
Step 3: Access S3 via Access Point
Use the hostname:
#  hostname
twtech-vpc-ap-accountID.s3-accesspoint.us-east-2.vpce.amazonaws.com
 Access Policy Sample
Access Point Policy restricting to VPC:
# json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-2:accountID:accesspoint/twtech-vpc-ap/object/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-12345xxxx"
        }
      }
    }
  ]
}
twtech-Tips
  •     Must use interface VPC endpoint; gateway endpoints won’t work.
  •     Access Point hostname must be used, not the bucket name.
  •     twtech needs to configure DNS settings and security groups properly for access.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, Insights. Intro: Amazon EventBridg...