SalesApp EC2 to UnRestricted S3 Bucket

SalesApp EC2 to UnRestricted Bucket. Verify that attempts to write into the unrestricted bucket (bucket with no bucket policy) from the SalesApp EC2 will via the Gateway VPC Endpoint will be DENIED

  1. Refer to the collected output values from your CloudFormation stack. Note the value of the “UnrestrictedS3Bucket” output. You will substitute this value into the commands below.

Ensure that your session is connected to the Sales App EC2 instance. You will execute step 2 from the Sales App EC2 bash prompt. If you do not already have a bash session connected to the Sales App EC2 instance execute the following commands from the Cloud9:**

ssh ec2-user@salesapp -i vpce.pem
  1. Execute the commands provided below AFTER replacing the values of with the output value collected in step 1. Make note of the results.

    touch test.txt
    aws sts get-caller-identity
    aws s3 cp test.txt s3://<UnrestrictedS3Bucket>/test.txt

Expected behavior

When Executed from Sales App EC2 Instance is:

Attempts to upload to the unrestricted bucket will be DENIED. The Gateway VPC Endpoint policy will only ALLOW objects to be put into the restricted bucket.


Why does this NOT work ?

A. The SalesApp instance is on the private subnet. When you execute the aws s3 cp command, the AWS CLI signs your API request using credentials associated with the identity returned by the aws sts get-caller-identity - the salesapprole. The salesapprole has an IAM policy which authorizes it to perform the S3:putObject API call against both the restricted and unrestricted buckets. The AWS CLI uses DNS to resolve the address for Amazon Simple Storage Service(S3). The prefix list entry in the private route table dynamically resolves to the public CIDR ranges used by S3. The private route table has a prefix list entry for all S3 public IP addresses. The target for this entry is the Gateway VPC Ednpoint. This route table entry is more specific than the route. The more specific route takes precedence and traffic for the S3 public IP address space is sent to the S3 Gateway VPC Endpoint. The S3 Gateway VPC Endpoint Policy will allow access ONLY to the restricted bucket. Requests that use reference the unrestricted s3 bucket resource fail.