Build Gateway Endpoints

You will now examine and update the configurations that control access to resources and ensure that data sent to S3 travels over private network segments via an S3 Gateway VPC Endpoint.

[Figure 10]

Securing Access to the S3 Bucket using a Gateway Endpoint

  • 1.1. Gateway Endpoint - IAM Roles. The EC2 instances will use an IAM Role with associated IAM policies that provide permissions to execute API calls against S3. See IAM roles for EC2 instances for more information.
  • 1.2. Gateway Endpoint - Route Tables. Routes to the gateway endpoint are placed in the route tables for the private subnets only. API calls issued from the Cloud9 instance (on the public subnet) use a route table with no entry for the S3 gateway endpoint. Consequently, traffic from the Cloud9 instance destined for S3 IP addresses exits the VPC via the Internet Gateway and traverses the Internet. API calls issued from the sales application and report engine EC2 instances (on the private subnet) use a route table entry that sends traffic to the gateway endpoint to reach S3.
  • 1.3. Gateway Endpoint - Gateway Endpoint Resource Policy. You will use a gateway endpoint policy to restrict which S3 buckets can be accessed through the gateway.
  • 1.4. Gateway Endpoint - S3 Bucket Resource Policy. You will use a resource policy (an S3 bucket policy) to require that all s3:PutObject API calls (used to write data) arrive via the Gateway VPC Endpoint. Requiring the Gateway Endpoint ensures that data written to this bucket travels over a private network segment.
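The following is an added example, not part of the workshop and not the workshop's own policy files. It writes out the two policy documents that steps 1.3 and 1.4 describe (an endpoint policy scoped to one bucket, and a bucket policy that denies s3:PutObject unless the request carries the aws:sourceVpce key of the gateway endpoint), alongside a minimal role policy for step 1.1, and runs them through a small, simplified model of IAM evaluation so you can see which paths from step 1.2 are allowed and which are denied. The bucket name and endpoint id are placeholders; the evaluator supports only StringEquals/StringNotEquals and is not a substitute for the IAM policy simulator.

```python
"""Constructed example: the endpoint policy (1.3) and bucket policy (1.4) from the lab,
plus a simplified IAM evaluator. Bucket name and VPCE id are placeholders."""
import fnmatch
import json

BUCKET = "example-sales-reports-bucket"      # placeholder: replace with your bucket name
VPCE_ID = "vpce-0123456789EXAMPLE"           # placeholder: replace with your endpoint id
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.csv"

# 1.1 (assumed role policy, scoped to the lab bucket only): lets the instances call S3.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# 1.3 Gateway endpoint policy: only the lab bucket is reachable through the endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyLabBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# 1.4 Bucket policy: writes that did not enter via the gateway endpoint are denied.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutObjectNotViaGatewayEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
    }],
}


def _matches_any(patterns, value):
    """Action/Resource elements may be a string or a list; '*' wildcards are allowed."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_matches(condition, context):
    """Subset of IAM condition semantics: a negated operator (StringNotEquals)
    matches when the key is absent from the request context, which is exactly
    what happens for a request that reached S3 over the Internet."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a single policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                      # an explicit Deny always wins
        decision = "Allow"
    return decision


def decide(action, resource, context):
    """Combine the policies as the lab lays them out: the role grants, the bucket
    policy may deny, and the endpoint policy gates requests that entered through
    the gateway endpoint (present as aws:sourceVpce in the request context)."""
    via_endpoint = "aws:sourceVpce" in context
    results = [evaluate(ROLE_POLICY, action, resource, context),
               evaluate(BUCKET_POLICY, action, resource, context)]
    if via_endpoint:
        results.append(evaluate(ENDPOINT_POLICY, action, resource, context))
    if "Deny" in results:
        return "Deny"
    if via_endpoint and results[2] != "Allow":
        return "Deny"                          # endpoint policy did not grant it
    return "Allow" if "Allow" in results else "Deny"


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    # Private-subnet instance writing via the endpoint vs. Cloud9 writing over the Internet.
    print(decide("s3:PutObject", OBJECT_ARN, {"aws:sourceVpce": VPCE_ID}))
    print(decide("s3:PutObject", OBJECT_ARN, {}))
```

The two calls at the bottom correspond to the two paths in step 1.2: the request from the private subnet carries the endpoint id and is allowed, while the same write from Cloud9 over the Internet has no aws:sourceVpce key, so the StringNotEquals condition matches and the Deny applies. Reads are unaffected because the bucket policy only names s3:PutObject, and a request through the endpoint for any other bucket gets no Allow from the endpoint policy.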