I am looking to host a static website on AWS, using an S3 bucket.

I followed these steps.

The site is a usual directory with subdirectories:

app
│   index.html
├───scripts
│   │   things.js
│   │   stuff.js
└───images
    │   img1.png
    │   img2.jpg

I want to make the website accessible only to people inside our VPC. I attached the following type of policy to the bucket holding the site files (adding my specific bucket name and VPC id):

{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-blahblahblah"
                }
            }
        }
    ]
}

I also set up a VPC endpoint, with the endpoint ID set as the value for aws:sourceVpce inside the bucket policy.

I set up the VPC endpoint following these steps.

But I still cannot access this site in my browser (I'm assuming that, since I am accessing the AWS console with the same browser, AWS is aware I am inside the VPC).

<Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>blahblahblah</RequestId>
    <HostId>blahblahblah</HostId>
</Error>
1 Answers

S3 static websites require public access. There is no such thing as a private S3 website in a VPC or accessible only through a VPC endpoint.

To make your S3 website work, you must set your bucket to public, or use CloudFront, which is also accessible only through the internet. But at least your bucket can be private when you front it with CloudFront (though not the website itself).
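To make the AccessDenied in the question concrete, here is an added example (not code from the question, the answer, or AWS) that models how the posted bucket policy is evaluated against three kinds of request. It is a deliberately simplified IAM-style evaluator: it handles only what this policy uses (Allow statements, a wildcard Principal, s3:GetObject, resource wildcards, a single StringEquals condition) plus the implicit default deny. The request contexts, the object key (index.html from the directory tree) and the reuse of the question's vpce-blahblahblah placeholder are constructed for the example; real IAM has many more rules than this.

```python
"""Simplified model of evaluating the question's bucket policy.

Added example, not part of the original post and not AWS's evaluator. The
point it demonstrates: a StringEquals condition on aws:sourceVpce can only
match when the request actually carries that key, i.e. when it arrived
through the VPC endpoint. A browser on the public internet (or a request to
the S3 website endpoint) has no aws:sourceVpce in its context at all, so
the condition fails, the Allow does not apply, and the implicit deny wins.
"""
import fnmatch
import json

# The policy from the question, copied as posted (placeholder IDs included).
BUCKET_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my_bucket*",
        "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-blahblahblah"}}
    }]
}""")

# Constructed request target: index.html at the top of the posted tree.
OBJECT_ARN = "arn:aws:s3:::my_bucket/index.html"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    """IAM-style wildcard match: '*' spans '/' just as fnmatch's '*' does."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """StringEquals only. A key absent from the request context fails the test
    (this is exactly the situation of a request that never crossed the VPCE)."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny': explicit Deny wins, else a matching Allow,
    else the implicit deny that applies when no statement matches."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt["Action"]):
            continue
        if not _matches_any(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def via_vpc_endpoint():
    """Request that traversed the configured endpoint: context carries its ID."""
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN,
                    {"aws:sourceVpce": "vpce-blahblahblah"})


def from_internet():
    """Browser on the public internet: no aws:sourceVpce key at all."""
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN, {})


def via_other_endpoint():
    """Request through some other VPC endpoint: key present but wrong value."""
    return evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT_ARN,
                    {"aws:sourceVpce": "vpce-someoneelse"})


def resource_pattern_is_loose():
    """Caveat: 'my_bucket*' (no '/') also matches objects in a differently
    named bucket sharing the prefix. Harmless in a bucket policy, which only
    governs its own bucket, but too broad if reused in an IAM policy."""
    return _matches_any("arn:aws:s3:::my_bucket-backup/secret.txt",
                        BUCKET_POLICY["Statement"][0]["Resource"])


if __name__ == "__main__":
    print("via configured VPCE :", via_vpc_endpoint())
    print("from the internet   :", from_internet())
    print("via another VPCE    :", via_other_endpoint())
    print("pattern also matches sibling bucket:", resource_pattern_is_loose())
```

Only the first request is allowed; the other two fall through to the implicit deny, which is the same AccessDenied body the question shows. The last function illustrates a separate point a reviewer would flag in the posted policy: the usual object-level resource form is `arn:aws:s3:::my_bucket/*`, which scopes the statement to that bucket's objects only.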