stackoom
  简体   繁体   中英

Cross account S3 static website access over VPN only

 原文  2022-09-06 07:42:23       amazon-web-services/ amazon-s3/ aws-vpn

Question

I'm trying to allow access to s3 bucket static website over VPN from network aws account, bucket in prod account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "account-prod",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-1"
                }
            }
        }
       {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "account-network",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-2"  <<<>>> tried SourceVpce as well           
                }
            }
        }
    ]
}

I used VPC endpoint interface in the account where VPN is setup, I tried using Condition SourceVpc and SourceVpce but non worked.

I'm using transit gateway and aws client vpn and allowed s3 endpoint IPs on the vpn endpoint + SGs + auth rules. (tgw is used and s3 prefix list, route entry from s3 prefix list via tgw)

bucket uses object owner + private ACL + bucket policy and I tried adding grantee with the canonical account id.

Any ideas what am I doing wrong here?

This currently works in the prod account as we have another VPN solution that runs there, we are trying to migrate everything to network account and move to aws client vpn.

2 answers

solution1
 0  2022-09-06 07:43:21

Any ideas what am I doing wrong here?

Yes. s3 bucket static website can only be accesses over the Internet . You can't access them using private IP addresses from VPC or VPN. If you use VPN, you have to setup some proxy which will access the website using the internet, and then pass it back to your host.

solution2
 0  2022-09-06 08:07:01

Make sure that your VPC Subnet route table has a route to the S3 endpoint, and the policy for the endpoint is giving access.

https://tomgregory.com/when-to-use-an-aws-s3-vpc-endpoint/

next, setup your bucket policy as below, try to give access from the source of your VPC Endpoint, and not the VPC itself. (note the vpce in the policy doc).

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do I restrict access to a static s3 website to a VPN AWS S3 static site with HTTPS and VPN-only access S3 Cross account access S3 Website Cross Account Permissions Not Working add route in route table for aws client vpn endpoint to access S3 static website without exposing 0.0.0.0/0 Only allow EC2 instance to access static website on S3 Give S3 Full access cross account S3 Cross Account Access With Role Cross Account S3 Access for a public buket Cross account S3 access with CannedACL
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM