I’ve done a test exam where there is a question asking how to secure an S3 bucket allowing access only from a VPC and an on-premise network, ensuring encryption in transit and at rest. The description talks about a Direct Connect connection with a private VIF to the VPC.
My understanding is that it’s not possible to access a VPC endpoint through a Direct Connect connection. The only way to access the S3 service using DX and a private VIF is by using some kind of proxy within the VPC. So my guess is that the answer to this question is by using a VPC endpoint and restricting access to the bucket with a policy that allows only IPs from the VPC and accessing the bucket through the proxy when the request comes from the on-premise network. Am I correct?
Another question I have is, in a scenario where a public VIF is used, is it not enough to connect to the S3 endpoint over SSL to consider it securely encrypted? The bucket policy could include the IPs of any VPC connected through a VPC endpoint plus the IPs of the on-premise network.
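The bucket policy sketched in the question, as an added example that is not part of the original post: a Python script that emits the policy (deny non-TLS requests; deny requests that come neither through the VPC endpoint nor from the on-premises range) and a simplified model of how its two deny statements evaluate a request. The bucket name, endpoint ID and on-premises CIDR are placeholders, and an identity-based Allow is assumed to exist separately.

```python
import ipaddress
import json

# Constructed placeholder values; replace with your own.
BUCKET = "example-bucket"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"   # S3 gateway endpoint in the VPC
ON_PREM_CIDR = "203.0.113.0/24"              # on-premises range (documentation prefix)


def build_bucket_policy() -> dict:
    """Bucket policy that (1) denies any request not made over TLS and
    (2) denies requests that come neither via the VPC endpoint nor from the
    on-premises range. Conditions inside one statement are ANDed, so the
    second statement only applies when both source checks fail."""
    arn = f"arn:aws:s3:::{BUCKET}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnlessVpceOrOnPrem",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": VPC_ENDPOINT_ID},
                    "NotIpAddress": {"aws:SourceIp": ON_PREM_CIDR},
                },
            },
        ],
    }


def request_denied(secure_transport: bool, source_vpce: str, source_ip: str) -> bool:
    """Simplified model of the two explicit-deny statements above; pass an empty
    source_vpce for requests that did not arrive through a VPC endpoint."""
    if not secure_transport:
        return True
    via_vpce = source_vpce == VPC_ENDPOINT_ID
    from_on_prem = ipaddress.ip_address(source_ip) in ipaddress.ip_network(ON_PREM_CIDR)
    return not (via_vpce or from_on_prem)


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(), indent=2))
```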