0

We have a complex AWS organization with many accounts. I need to allow web browser access to an S3 HTML bucket that is limited to the VPN private IP subnet users only.

I created a VPC Interface endpoint and gave it a Route 53 alias. It's in a private subnet in a VPC in one of the accounts. In theory I think it should work from anywhere, given the security groups/NACL allow it, because the interface is just translates to a private IP. The route works according to the Route 53 check.

I have the bucket set up with access allowed from the VPC endpoint in the bucket policy, and ListBucket and GetObject allowed.

There is an index.html at the root of the bucket.

My Route 53 alias is foo.test.company.com and it points to the vpce DNS name.

When I enter foo.test.company.com into the browser I get a timeout. But there is information missing, i.e. the name of the bucket and the key. How do I include that in the url?

I believe that Route 53 is getting my correct private IP address because I can access privately named hosts in the account with my browser.

Of course I will add the VPN private subnet to the bucket conditions for production, but for now I just allow based on the VPC endpoint condition.

Any ideas?

joel3000
  • 1,249
  • 11
  • 22
  • 1
    I think that the easier method would be to simply add a bucket policy that limits access to the Public IP address that traffic from the VPN would appear to come from. That is, when somebody on the VPN accesses something on the Internet, they would come from a particular IP address, which you could put in a bucket policy. – John Rotenstein Aug 17 '22 at 05:56
  • "S3 HTML bucket " - you mean s3 in an website mode? – Marcin Aug 17 '22 at 07:00
  • @Marcin, yes html website mode. – joel3000 Aug 17 '22 at 18:00
  • @JohnRotenstein - interesting approach. – joel3000 Aug 17 '22 at 18:00
  • @JohnRotenstein - Do you mean the Private IP range assigned from by the VPN? The problem with that is that private IP addresses are not protected in any way. If someone randomly had assigned themselves a private IP from the VPN subnet range on their local machine they could access the bucket, if I'm understanding you correctly. AWS recommends a VPCE condition and an IP range condition in the bucket policy because neither on their own will guarantee the desired outcome. – joel3000 Aug 17 '22 at 20:22

2 Answers2

0

Sadly you can't do this. Website s3 endpoints are only accessible from the internet. You can't access them from any private subnet, unless you do this through NAT over the internet.

The only solution is to not to use s3 for hosting your private website not meant for internet access.

Marcin
  • 215,873
  • 14
  • 235
  • 294
0

You can add a bucket policy that limits access to the Public IP address that traffic from the VPN would appear to come from.

To explain...

Let's say that you are on the VPN and you access https://dilbert.com/. Your request will 'appear' to come from the IP address of the router that connects your VPN to the Internet. You can see this by going to https://icanhazip.com/ -- it will show the IP address that you 'appear' as on the Internet.

All requests from the VPN will come from this same IP address because they all go through the same router. Therefore, you can create a Bucket Policy that grants access to requests coming from that specific IP address. No VPC endpoints/interfaces/domain names required.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470