Amazon S3 over VPN
Is it possible to establish VPN connectivity to Amazon S3 directly without utilizing Elastic Cloud EC2?
Since S3 bucket names are globally unique and accessible over HTTP using a unique URL, it is not possible to isolate S3 at the network level; access control requires Bucket Policies, IAM policies or Access Control Lists. You can also use Bucket Policies to whitelist the source IPs that may access your buckets.
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
The access control system available in S3 enforces security when accessing S3. In addition, data in transit is encrypted using HTTPS, and you can optionally leverage encryption at rest for objects residing in S3 to further harden security.
There are also multiple ways to establish connections to S3 depending on the egress restrictions at the S3 client locations (e.g. on-premises, VPC private/public subnet, etc.):
- Access S3 over the internet if there are no egress restrictions.
- Use VPC Endpoints for S3 if you are accessing S3 from an AWS VPC.
- Use a Direct Connect connection from on-premises to AWS data centers to access S3 over a dedicated, private network connection.
Unfortunately, since S3 does not provide a feature for network segmentation, it is not possible to use a VPN connection to S3 to restrict access at the network level.
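As an added illustration of the bucket policy quoted in this answer (example code, not from the answer or from AWS), the script below evaluates the aws:SourceIp IpAddress / NotIpAddress condition the way IAM does, so you can check which source addresses a statement would match before deploying it. It assumes the policy is supplied as a JSON document and deliberately ignores Principal, Action and Resource matching.

```python
import ipaddress
import json

# Constructed copy of the bucket policy quoted in the answer above.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
      "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
    }
  }]
}
""")


def _matches(values, ip):
    """True if ip lies in any listed CIDR (value may be a string or a list)."""
    if isinstance(values, str):
        values = [values]
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def ip_condition_allows(statement, source_ip):
    """Evaluate only the aws:SourceIp keys of a statement's Condition block.
    IpAddress must match (if present) and NotIpAddress must not match (if
    present); IAM ANDs the two condition operators."""
    ip = ipaddress.ip_address(source_ip)
    cond = statement.get("Condition", {})
    allow = cond.get("IpAddress", {}).get("aws:SourceIp")
    deny = cond.get("NotIpAddress", {}).get("aws:SourceIp")
    if allow is not None and not _matches(allow, ip):
        return False
    if deny is not None and _matches(deny, ip):
        return False
    return True


def policy_allows(policy, source_ip):
    """True if some Allow statement's IP condition is satisfied for source_ip."""
    return any(s["Effect"] == "Allow" and ip_condition_allows(s, source_ip)
               for s in policy["Statement"])
```

Note that aws:SourceIp is the address S3 sees; requests arriving through a VPC endpoint carry a private address, so policies for that path normally key on aws:SourceVpce or aws:SourceVpc instead.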
No. Routing in a VPC is non-transitive.
The relevant documentation:
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, a VPC peering connection, an AWS Direct Connect connection, or a ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
I don't think so. Amazon Virtual Private Cloud seems like it can do that, but the docs always mention connecting to EC2 instances.
Add the CIDR 52.192.0.0/11 (an Amazon CIDR) to the VPN route and whitelist your VPN public IP in the S3 bucket policy. The S3 endpoint changes IPs frequently.