We need to make two small changes in order to achieve the same. In this example, I have created a bucket named – \u201cs3-access-test-techdemos\u201d with all the default settings. Step 1: <\/strong><\/p>\n\n\n\n I will edit the S3 bucket policy and change it. The bucket policy below is to allow accessing the bucket from my ISP’s router public IP address. You can change it to your\u2019s own. (Run curl ifconfig.me or visit https:\/\/whatismyipaddress.com\/) Code link is given here<\/a> Step 2<\/strong>: <\/p>\n\n\n\n Go to CLI and update the command by appending \u201c As you can see the bucket has been listed. Similarly, we can upload or download files to S3.<\/p>\n\n\n\n When we run an AWS CLI command, in the backend a request URL is generated using the AWS credentials we provide, which determines whether we have access to the bucket or not. Usually, it is called the signed URL. This IP could be our Data Center end router, Ip. but that will not be a very recommended method to access buckets.<\/p>\n\n\n\n Now that we are able to access the bucket we can think of its use cases.<\/p>\n\n\n\n <\/p>\n\n\n\n Since in this article, we are not interested in accessing our S3 bucket\/s using IAM credentials\/roles from an on-premise data center, hence we will use solutions like AWS Direct Connect<\/em><\/strong> to connect the AWS Cloud services<\/em><\/strong> from on-premise.<\/p>\n\n\n\n After AWS Direct Connect connections have been established, we can establish access to Amazon S3 in the following ways:<\/p>\n\n\n\n See this doc here<\/a> to know how to connect to S3 over Direct Connect.<\/p>\n\n\n\n (i) Using Public VIF we can access all Public AWS services. Eg: S3, EC2 using public Ip addresses.<\/p>\n\n\n\n See the document here<\/a> to learn more. (ii) If we use Private VIF (which is basically used to access an Amazon VPC using private Ip addresses) we will have to use an AWS VPC Interface endpoint in between to access S3. It is because – we will use the Amazon private link for S3 to access S3 rather than the public prefix lists<\/a> of S3 which we did in the earlier case.<\/p>\n\n\n\n Note<\/strong>: On-premises traffic can’t traverse the <\/a>Gateway<\/a> VPC endpoint<\/a>.<\/p>\n\n\n\n Interface endpoints are actually one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests that are made to interface endpoints for Amazon S3 are automatically routed to Amazon S3 on the Amazon network. And we can access interface endpoints in our VPC from on-premises applications through AWS Direct Connect or AWS Virtual Private Network <\/strong>(AWS VPN).<\/p>\n\n\n\n See these articles to know more – Secure <\/a>hybrid<\/a> access to Amazon S3 using AWS PrivateLink<\/a> and Interface VPC endpoints (AWS PrivateLink)<\/a><\/p>\n\n\n\n Since now we will access S3 through the private link, our bucket policy should allow the VPC Interface endpoint rather than any IP. It would look like below –<\/p>\n\n\n\n Next,<\/p>\n\n\n\n When we use Interface endpoints for S3 access points we would need to modify our API requests slightly.<\/p>\n\n\n\n See Accessing Amazon S3 interface endpoints<\/a><\/p>\n\n\n\n (again <\/p>\n\n\n\n 2. Accessing bucket from a private subnet in a protected zone<\/strong>:-<\/p>\n\n\n\n Next, to access S3 from a private subnet in the protected zone we can use the Gateway Interface endpoint for S3. We could also use an Interface endpoint but Gateway endpoints are not-chargeable and the former is chargeable.<\/p>\n\n\n\n Thanks for reading. Hope you found it useful!<\/p>\n\n\n\n Opstree<\/a><\/strong> <\/a>is an End to End DevOps solution provider<\/p>\n\n\n\n
Now, we can see as I have no AWS credentials configured, hence I am not<\/strong> able to list or access the s3 bucket.<\/p>\n\n\n\n![](\"https:\/\/lh5.googleusercontent.com\/1I0LwxZjM68iTY4grFW4ersnKx5FCyBJiQ7VG3cpsKV86Ka-jb4oHRxdBDknU762RZJwoujk2P8adImjf0rZvL_NFeIA0jotaBFWaIO-DVYJS5P6ogdE7FTmjZL0Gz4dw5SZObG5\")
The bucket policy would look something like below:-<\/p>\n\n\n\n![](\"https:\/\/lh6.googleusercontent.com\/r3opcaGV9MhLN1dA3I8XH4VZDzwr9lri2PccylduEbkbrbvAJQX3Qj3ATP9tpVN9Ilb1NH-_d8jWvA4X3_MQkU_DfcTHvzUUpFmhn3ixFRRGfPuEpvhbzCDwsZrgj3noc7LY5Y5S\")
With this bucket policy we are allowing access to publicly (“Principal”: “*”<\/em>) and hence do not require IAM credentials or roles. But at the same time restricting access from only IpAddress: 45.64.225.122<\/em>
<\/p>\n\n\n\n--no-sign-request<\/code>\u201d <\/p>\n\n\n\naws s3 ls <your-bucket-name> --no-sign-request<\/code>
<\/p>\n\n\n\n![](\"https:\/\/lh3.googleusercontent.com\/BxUFPir2621zH7nNXlobuinhtA1MjSsPdiYSAB2lFlhyie6xwRkgFPCpmp403ygYsQVS89xWsEyClihLMxBdaIyAGlc5Qur07j-mZY9lW-yeXI6nU1tXFI2V6T_exDPKGhSKQ-OI\")
![](\"https:\/\/lh5.googleusercontent.com\/bID6unRPCd9NAFYEZ1LPCX2hFTufPE5QcYS361KQJMwJWVT4jZ982ZYAhaDDtGlyO54VFn1B6E1VDgCOgHpht6RdxjgnwrL2KcSVz90wNz8zx7rdCIw2vtbveHW14uVt0UBl3FrW\")
In our case, we haven\u2019t configured any credentials.
Basically, –no-sign-request (boolean) means AWS CLI will not sign the requests when a request URL is generated. i.e credentials will not be loaded if this argument is provided. We are doing this because our bucket is always accessible from my public IP \u2192 45.64.225.122<\/em>.<\/p>\n\n\n\n
Our bucket policy might look something like this –<\/p>\n\n\n\n{\n \"Version\": \"2012-10-17\",\n \"Id\": \"Policy1415115909152\",\n \"Statement\": [\n {\n \"Sid\": \"Access-to-specific-PublicIP-only\",\n \"Effect\": \"Allow\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::s3-access-test-techdemos\",\n \"arn:aws:s3:::s3-access-test-techdemos\/*\"\n ],\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": \"<local peer Ip address>\"\n }\n }\n }\n ]\n}<\/code><\/pre>\n\n\n\n{\n \"Version\": \"2012-10-17\",\n \"Id\": \"Policy1415115909152\",\n \"Statement\": [\n {\n \"Sid\": \"Access-to-specific-VPCE-only\",\n \"Effect\": \"Allow\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::s3-access-test-techdemos\",\n \"arn:aws:s3:::s3-access-test-techdemos\/*\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"aws:sourceVpce\": \"vpce-0809dxxxxyyyy0045\"\n }\n }\n }\n ]\n}<\/code><\/pre>\n\n\n\n
So our final request Url from the On-premise server\/application would look something like below –aws s3 \u2013no-sign-request --region ap-south-1 --endpoint-url https:\/\/bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com ls s3:\/\/my-bucket\/<\/code><\/p>\n\n\n\n--no-sign-request<\/code> would be added since we would not be using Aws IAM Credentials)<\/p>\n\n\n\n
We can also access S3 buckets securely and privately without traversing through the public internet from a private subnet in a protected zone (which has no access to the internet i.e no NAT gateway and can be only SSH from a jump server\/bastion host).
(Note:<\/strong> since our instance would not have access to internet we must launch the instance from an AMI which has AWS CLI pre-installed)<\/p>\n\n\n\n
Follow doc here<\/a>
<\/a>If we allow the gateway-vpce<\/strong> in our bucket policy and append --no-sign-request<\/code> <\/strong>in our API request, then we can access the bucket privately even without attaching an IAM role or putting any IAM credentials.<\/p>\n\n\n\n
Blog Pundit:<\/strong> Bhupender Rawat<\/strong><\/a> and Adeel Ahmad<\/strong><\/a><\/p>\n\n\n\n