We have a complex AWS organization with many accounts. I need to allow web browser access to an S3 HTML bucket that is limited to the VPN private IP subnet users only.
I created a VPC Interface endpoint and gave it a Route 53 alias. It’s in a private subnet in a VPC in one of the accounts. In theory I think it should work from anywhere, given the security groups/NACL allow it, because the interface is just translates to a private IP. The route works according to the Route 53 check.
I have the bucket set up with access allowed from the VPC endpoint in the bucket policy, and ListBucket and GetObject allowed.
There is an index.html at the root of the bucket.
My Route 53 alias is foo.test.company.com and it points to the vpce DNS name.
When I enter foo.test.company.com into the browser I get a timeout. But there is information missing, i.e. the name of the bucket and the key. How do I include that in the url?
I believe that Route 53 is getting my correct private IP address because I can access privately named hosts in the account with my browser.
Of course I will add the VPN private subnet to the bucket conditions for production, but for now I just allow based on the VPC endpoint condition.
Any ideas?
2
Answers
Sadly you can’t do this. Website s3 endpoints are only accessible from the internet. You can’t access them from any private subnet, unless you do this through NAT over the internet.
The only solution is to not to use s3 for hosting your private website not meant for internet access.
You can add a bucket policy that limits access to the Public IP address that traffic from the VPN would appear to come from.
To explain…
Let’s say that you are on the VPN and you access https://dilbert.com/. Your request will ‘appear’ to come from the IP address of the router that connects your VPN to the Internet. You can see this by going to https://icanhazip.com/ — it will show the IP address that you ‘appear’ as on the Internet.
All requests from the VPN will come from this same IP address because they all go through the same router. Therefore, you can create a Bucket Policy that grants access to requests coming from that specific IP address. No VPC endpoints/interfaces/domain names required.