stackoom
  简体   繁体   中英

AWS S3 static site with HTTPS and VPN-only access

 原文  2017-02-16 05:39:59       amazon-web-services/ amazon-s3/ https/ vpn/ amazon-cloudfront

Question

Currently we have a static site deployed to ECS (Elastic Container Service) and fronted by an ELB (Elastic Load Balancer). This model doesn't really make sense, since the container is just running NGINX to serve static assets.

However, what we do get from this model, is VPN-only access to the website (our VPN client forwards all 10.x traffic to our VPC), and an HTTPS listener on the ELB, which are both things that we want to keep.

What's the best way to migrate this static site currently accessible only through VPN to being served from S3/Cloudfront via HTTPS and accessible only through VPN?

We have the same VPN configuration as in this answer. That answer would work for us, but it doesn't address the question of S3 bucket IPs possibly changing (which would invalidate the proposed routing rule on the VPN client), and I'm not clear on how to get HTTPS to work with this (AFAIK, you would need to put CF in front of the S3 static site, but I'm not sure how to route traffic to Cloudfront through our VPN.)

1 answers

solution1
 1 ACCPTED  2017-03-17 16:55:28

I decided to use VPC endpoints to control ingress. There's an internal load-balancer (private subnet) accessible only through VPC/VPN that routes traffic to a VPC endpoint.

Bucket policy looks like (Terraform template)

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "deny-get-if-not-from-vpce",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "${vpce_id}"
        }
      },
      "Principal": "*"
    },
    {
      "Sid": "allow-get-if-from-vpce",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "${vpce_id}"
        }
      },
      "Principal": "*"
    }
  ]
}

And it works! We get an SSL connection, and the load balancer zero access outside the VPN (load balancer DNS won't resolve, and 403 on the S3 static site itself).

See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Host a static site on AWS S3 - granting read only access Cross account S3 static website access over VPN only Can an AWS S3 Static Site access REST API in VPC? AWS S3 static site only for a group of people add route in route table for aws client vpn endpoint to access S3 static website without exposing 0.0.0.0/0 How to host HTTPS site from S3 Static website hosting on AWS? Static Site Deployment in AWS S3 with CloudFront How do I restrict access to a static s3 website to a VPN Connect to AWS s3 from on-premise via site-to-site VPN Restricting Amazon S3 access only on VPN connectivity
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM