
I have a static website set up in S3 with a bucket policy that denies access to the website (a simple index.html) unless it comes from a VPC Endpoint. I configured the VPC Endpoint as the com.amazonaws.us-east-1.s3 service, type Gateway. If I add 0.0.0.0/0 to my AWS Client VPN route table, I am able to access the website, only when connected to the VPN, as expected, but I want to prevent using the VPN for general website traffic, essentially removing 0.0.0.0/0. I think I can do this with split tunnel enabled on the VPN, but I don't want to keep 0.0.0.0/0 in the VPN route table if I don't need to.

So in short, is there an IP address for the VPC endpoint, or which IP could I use to explicitly direct traffic to the private website?

dataviews
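The bucket-policy pattern the question describes (reads allowed only when the request arrives through the gateway endpoint, everything else denied), written out as an added illustration rather than the poster's actual policy; the bucket name and the vpce-EXAMPLE endpoint ID are placeholders to substitute:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectReadsOnlyViaVpcEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789"
        }
      }
    },
    {
      "Sid": "DenyAnythingNotViaVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789"
        }
      }
    }
  ]
}
```

Two caveats before applying it: the StringNotEquals Deny matches any request that carries no aws:SourceVpce key at all, which includes your own console and CLI sessions, so carve out an administrative principal (for example with an aws:PrincipalArn condition) or you will lock yourself out of the bucket; and the policy is only ever evaluated for requests that reach the bucket's REST endpoint through the gateway endpoint, whereas the S3 website endpoint is not reachable via a VPC endpoint, which is the limitation the answer below describes.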

1 Answer

Sadly you can't do this. S3 buckets in website mode are only available through the internet. You can't make an S3 website endpoint private and accessible from within a VPC. The connections must come from the internet.

If you really want a private website, you have to host it yourself, on a tiny instance or an ECS container. Then you will be able to access it from within the VPC only.

Marcin
  • You can restrict the bucket using a bucket policy to prevent access unless it's from a VPC endpoint, which I've done. But I have to open 0.0.0.0/0 in my route table on my AWS Client VPN in order for the client connected to the VPN to reach the S3 website. I'm curious if the VPCE has some IP or something that can be explicitly defined in the route table instead of opening full web traffic. In other words, I only want VPN clients to access internal resources, not have free range to browse whatever they want, which 0.0.0.0/0 would yield. – dataviews Dec 09 '21 at 18:45
  • @dataviews Sadly you can't do this. S3 website endpoints work only from the internet, not from a VPC. – Marcin Dec 10 '21 at 00:08
  • I'm assuming the same holds true for CloudFront distributions? – dataviews Dec 10 '21 at 02:51
  • @dataviews Yes. CloudFront is a CDN for public use. – Marcin Dec 10 '21 at 02:53