Sending S3 Traffic Through AWS Not The Public Internet

S3 Bucket
Amazon S3 is a great way to store files, perform system backups and share files with others. However, did you know that all S3 communication goes out directly though your IGW (Internet Gateway) or though your NAT depending on how you setup your VPC in AWS?

If you work heavily with S3 and have sensitive data that you do not want to expose via transferring this over the internet there is way to do this very easily. In your VPC console there is a option on the left side called "End Points". With "End Points" it effectively creates a route to utilize the internal AWS AZ (Availability Zone) network to keep all traffic inside the network and not utilize your NAT / IGW on your VPC.  There are a couple of benefits to doing this:

1. Lower latency when connecting to S3 and other AWS services.

2. A more secure connection by not going across the public internet

3. Higher nework throughput as you are not limited by the NAT instance type or the instances you are connecting from (as there are also network and EBS limits which I will cover in future articles).

4. Also, this allows for tighter security as you can attach an IAM Policy to your endpoint that is attached to your VPC. This IAM Policy will allow you to explicitly grant access to specific AWS resources or grant all access.

To setup an Endpoint takes just a couple of minutes.

1. Go to the AWS console and go to the VPC Section
2. Click on "EndPoints" on the left side
3. On the top left click "Create Endpoint"
4. Select the VPC you want to attach the Endpoint.
5. Attach your IAM policy or grant full access for all AWS resources
6. Click Next
7. Select your subnets that you want to use this Endpoint with. (Typically your Private Subnets).

When you use an S3 endpoint, the source IP addresses from your instances in your affected subnets for S3 access in the same region will be private IP addresses, not public IP addresses. Existing connections from your affected subnets to S3 that use public IP addresses may be dropped. Ensure that you don’t have critical tasks running when you create or modify an endpoint

8. Click "Create EndPoint"

Once compete, you will notice that it will create the Endpoint for that VPC and also create a new entry in your route tables:

No Comments Yet.

Leave a comment