AWS Certified Solutions Architect - Professional 2020

Sign Up Free or Log In to participate!

Is using S3 endpoints through SSL and a public VIF consider secure?


I’ve done a test exam were there is a question asking how to secure a S3 bucket allowing access only from a VPC and an on-premise network ensuring encryption in transit and at rest. The description talks about a Direct Connect connection with a private VIF to the VPC. 

My understanding is that it’s not possible to access a VPC endpoint through a Direct Connect connection. The only way to access the S3 service using DX and a private VIF is by using some kind of proxy within the VPC. So my guess is that the answer to this question is by using a VPC endpoint and restricting access to the bucket with a policy that allows only IPs from the VPC and accessing the bucket through the proxy when the request comes from the on-premise network. Am I correct?

Another question I have is, in a scenario that where a public VIF is use, is it not enough to connect to the S3 endpoint when the connection is done through SSL to consider it as securely encrypted? The bucket policy could include the IPs of any VPC connected through a VPC endpoint plus the IPs of the on premise network.

Mohamed Asri Badlah

Hi Juan, routing from on-premise to vpc then s3 is not possible because of transitive limitation.

Mohamed Asri Badlah

This link answer your question I think


Thanks for the link, that cleared up my confusion

Juan Manuel

Yes, that was my understanding. That’s what I meant by creating a proxy within the VPC, some kind of farm of NGINX servers to forward requests to the VPC endpoint. Thanks for the link, I read sometime ago about this solution but the link to the document describing it was broken.

1 Answers

To close this out, here’s Mohamed’s answer:

This link answer your question I think

Juan Manuel

Yes, it answers most of it. Could you clarify for me the last point of the question, please? When using a public VIF, isn’t SSL for encryption in transit enough in terms of security? The public VIF doesn’t use the ISP provider as far as I understand as it uses the AWS backbone network. What’s the reason behind deciding to create all the complexity described in the document to access S3 through the VPC instead of just using a public VIF?

Marwan Khanfar

@Juan I assume the question is more related to cost wise

Vikas Sood

Can someone please answer this question? The link in the Mohamed’s answer isn’t working anymore

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?