Hi,
I’ve done a test exam were there is a question asking how to secure a S3 bucket allowing access only from a VPC and an on-premise network ensuring encryption in transit and at rest. The description talks about a Direct Connect connection with a private VIF to the VPC.
My understanding is that it’s not possible to access a VPC endpoint through a Direct Connect connection. The only way to access the S3 service using DX and a private VIF is by using some kind of proxy within the VPC. So my guess is that the answer to this question is by using a VPC endpoint and restricting access to the bucket with a policy that allows only IPs from the VPC and accessing the bucket through the proxy when the request comes from the on-premise network. Am I correct?
Another question I have is, in a scenario that where a public VIF is use, is it not enough to connect to the S3 endpoint when the connection is done through SSL to consider it as securely encrypted? The bucket policy could include the IPs of any VPC connected through a VPC endpoint plus the IPs of the on premise network.
1 Answers
To close this out, here’s Mohamed’s answer:
This link answer your question I think https://d0.awsstatic.com/aws-answers/Accessing_VPC_Endpoints_from_Remote_Networks.pdf
Yes, it answers most of it. Could you clarify for me the last point of the question, please? When using a public VIF, isn’t SSL for encryption in transit enough in terms of security? The public VIF doesn’t use the ISP provider as far as I understand as it uses the AWS backbone network. What’s the reason behind deciding to create all the complexity described in the document to access S3 through the VPC instead of just using a public VIF?
@Juan I assume the question is more related to cost wise
Can someone please answer this question? The link in the Mohamed’s answer isn’t working anymore
Hi Juan, routing from on-premise to vpc then s3 is not possible because of transitive limitation.
This link answer your question I think https://d0.awsstatic.com/aws-answers/Accessing_VPC_Endpoints_from_Remote_Networks.pdf
Thanks for the link, that cleared up my confusion
Yes, that was my understanding. That’s what I meant by creating a proxy within the VPC, some kind of farm of NGINX servers to forward requests to the VPC endpoint. Thanks for the link, I read sometime ago about this solution but the link to the document describing it was broken.