
I want to allow s3:GetObject access to a S3 bucket from a VPC in a different region.

If the S3 bucket and the VPC are in the same region, I know we can use VPC Endpoints. But when we want to allow access from a different region, what options do we have?

Option 1:

Create NAT Gateways for all subnets of all availability zones in the region, and in the S3 bucket policy allow access from the NAT Gateways' Elastic IP.

But this way you need many NAT Gateways (e.g. 6 for the us-east-1 region).

Other options?

Comments:

VPN. This is what you need. -- Abdennour TOUMI

"Create NAT Gateways for all subnets of all availability zones in the region" Not really, no... you'd only "need" one per source VPC, or one per AZ per VPC for fault tolerance. -- Michael - sqlbot

@Michael-sqlbot if I use the minimum setup: 1 NAT gateway in 1 AZ, then EC2 instances in other AZs can use that NAT gateway? -- mash

They can, because NAT Gateways are never located in the subnet(s) for which they are actually providing their service -- a NAT Gateway is placed in a public subnet, and provides services for instances in one or more private subnets via the subnets' associated route tables. You will pay a cross-AZ transport charge between the instances and the gateway if the gateway is in another AZ, but this may be less than the cost of additional gateways, depending on traffic. -- Michael - sqlbot

2 Answers


You will need to establish a VPN connection between two VPCs:

  • The first VPC is in the same region as the S3 bucket, with VPC endpoints enabled.

  • The second VPC is in the other region.

Note that you cannot leverage a VPC peering connection, since it is not the same region.


The simple answer is that you cannot limit access to an S3 bucket in one region from a VPC in a different region. You can create S3 policies that use IP addresses to control access. Your NAT gateway will have a public IP address, your instances can have public addresses, etc.

When the traffic leaves the VPC, it will use the public IP address space. When the S3 bucket receives these requests, it will not know from which VPC this originated. This is one of the reasons that VPC endpoints and PrivateLink were created.

Below is an example S3 policy that uses IP addresses to control permissions. Modify it with the real public addresses from your VPC.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.143.0/24"
                },
                "NotIpAddress": {
                    "aws:SourceIp": "192.168.143.188/32"
                }
            }
        }
    ]
}
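To make concrete how the IpAddress / NotIpAddress conditions in a policy like the one above combine, here is an added example (not part of the answer or of any AWS library) that evaluates the aws:SourceIp condition of a bucket policy against sample source addresses. The policy and the 203.0.113.0/24 range standing in for the NAT Gateways' Elastic IPs are constructed for the example; only Allow statements and the two IP operators are modelled, so it is not a full IAM evaluator.

```python
import ipaddress

# Constructed policy with the same shape as the answer's example: the /24 stands
# in for the NAT Gateways' Elastic IP range, one address is carved out again.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetFromNatEips",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "NotIpAddress": {"aws:SourceIp": "203.0.113.188/32"},
        },
    }],
}


def _as_list(value):
    # Policy grammar allows a single string or a list in most positions.
    return value if isinstance(value, list) else [value]


def ip_condition_matches(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators of a Condition block.
    All operators present must hold (AND); inside one operator any listed
    CIDR may match (OR); NotIpAddress is the negation of IpAddress."""
    addr = ipaddress.ip_address(source_ip)
    for operator, key_values in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator} not modelled here")
        cidrs = [ipaddress.ip_network(c, strict=False)
                 for c in _as_list(key_values.get("aws:SourceIp", []))]
        in_any = any(addr in net for net in cidrs)
        if (operator == "IpAddress") != in_any:
            return False
    return True


def allowed_get_object(policy, source_ip):
    """True if some Allow statement for s3:GetObject matches source_ip.
    Note that S3 only ever sees the public address (the NAT EIP), so a
    private instance address can never satisfy such a policy."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "s3:GetObject" not in _as_list(stmt.get("Action", [])):
            continue
        if ip_condition_matches(stmt.get("Condition", {}), source_ip):
            return True
    return False
```

Because the match is purely on the public address, any other source that egresses from the allowed range (for instance another account's resources behind the same NAT) is indistinguishable to S3, which is exactly why the answer points to VPC endpoints and PrivateLink for VPC-scoped access.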