SalesApp EC2 to Restricted Bucket. Verify that attempts to write into the restricted bucket (bucket with a bucket policy) from the SalesApp EC2 instance via the Gateway VPC Endpoint will be ALLOWED
Ensure that your session is connected to the Sales App EC2 instance. You will execute step 2 from the Sales App EC2 bash prompt. If you do not already have a bash session connected to the Sales App EC2 instance, execute the following command from the Cloud9 terminal:
ssh ec2-user@salesapp -i vpce.pem
Execute the commands provided below AFTER replacing the value of <restrictedS3Bucket> with the name of your restricted bucket:
touch test.txt
aws sts get-caller-identity
nslookup s3.amazonaws.com
aws s3 cp test.txt s3://<restrictedS3Bucket>/test.txt
The result when executed from the Sales App EC2 instance is:
The upload to the restricted bucket will succeed. The Gateway VPC Endpoint policy will ALLOW objects to be put into the restricted bucket (bucket with a bucket policy).
A. The SalesApp instance is on the private subnet. When you execute the aws s3 cp command, the AWS CLI signs your API request using credentials associated with the identity returned by aws sts get-caller-identity: the salesapprole. The salesapprole has an IAM policy which authorizes it to perform the s3:PutObject API call against both the restricted and unrestricted buckets. The AWS CLI uses DNS to resolve the address for Amazon Simple Storage Service (S3). The private route table has a prefix list entry that dynamically resolves to the public CIDR ranges used by S3, i.e. all S3 public IP addresses. The target for this entry is the Gateway VPC Endpoint. This route table entry is more specific than the 0.0.0.0/0 route; the more specific route takes precedence, so traffic for the S3 public IP address space is sent to the S3 Gateway VPC Endpoint. The S3 Gateway VPC Endpoint Policy allows access ONLY to the restricted bucket. Requests that reference the restricted S3 bucket resource therefore succeed.
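As an added illustration (not part of the workshop material or its lab environment), the following Python models the chain the explanation above describes: DNS answer, longest-prefix-match route lookup, the SalesApp role policy, the endpoint policy, and the restricted bucket's bucket policy. It goes beyond the page by also showing the same upload aimed at the unrestricted bucket and what happens when the prefix-list route is missing. All bucket names, CIDRs, the endpoint id, and the contents of the bucket policy (assumed to deny requests that did not arrive through the endpoint; the page only says a bucket policy exists) are constructed assumptions, not values from the lab.

```python
"""Toy model of the S3 request path from a private-subnet instance.
Everything here is constructed for illustration; it is not the lab's code."""
import fnmatch
import ipaddress

RESTRICTED_BUCKET = "example-restricted-bucket"      # constructed name
UNRESTRICTED_BUCKET = "example-unrestricted-bucket"  # constructed name
ENDPOINT_ID = "vpce-0example"                        # constructed placeholder id

# Private route table: local, a 0.0.0.0/0 default route, and the S3
# prefix-list entries (constructed CIDRs standing in for the managed list).
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gateway"),
    ("52.216.0.0/15", ENDPOINT_ID),
    ("3.5.0.0/19", ENDPOINT_ID),
]


def next_hop(dst_ip, routes=ROUTE_TABLE):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def _listed(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, context):
    """Does this statement apply to the request? Only StringNotEquals is modelled."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _listed(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listed(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) == expected:
            return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM logic: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Role policy: PutObject on both buckets (as the explanation states).
SALESAPP_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": [f"arn:aws:s3:::{RESTRICTED_BUCKET}/*",
                 f"arn:aws:s3:::{UNRESTRICTED_BUCKET}/*"]}]}

# Endpoint policy: ONLY the restricted bucket (as the explanation states).
ENDPOINT_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{RESTRICTED_BUCKET}",
                 f"arn:aws:s3:::{RESTRICTED_BUCKET}/*"]}]}

# Bucket policy on the restricted bucket: ASSUMED to deny anything that did
# not arrive through this endpoint (the page does not give its contents).
RESTRICTED_BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{RESTRICTED_BUCKET}",
                 f"arn:aws:s3:::{RESTRICTED_BUCKET}/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}}}]}
BUCKET_POLICIES = {RESTRICTED_BUCKET: RESTRICTED_BUCKET_POLICY}


def put_object(bucket, key="test.txt", s3_ip="52.216.10.20", routes=ROUTE_TABLE):
    """Walk the layers for `aws s3 cp` from the instance and report which
    layer decides. s3_ip stands in for the DNS answer for s3.amazonaws.com."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    hop = next_hop(s3_ip, routes)
    # The endpoint id is only present in the request context when the
    # packets actually traverse the gateway endpoint.
    context = {"aws:sourceVpce": ENDPOINT_ID} if hop == ENDPOINT_ID else {}
    if evaluate(SALESAPP_ROLE_POLICY, "s3:PutObject", resource, context) != "Allow":
        return "denied by IAM role policy"
    if hop == ENDPOINT_ID and evaluate(ENDPOINT_POLICY, "s3:PutObject", resource, context) != "Allow":
        return "denied by VPC endpoint policy"
    bucket_policy = BUCKET_POLICIES.get(bucket)
    if bucket_policy and evaluate(bucket_policy, "s3:PutObject", resource, context) == "Deny":
        return "denied by bucket policy"
    return f"allowed via {hop}"


if __name__ == "__main__":
    print(put_object(RESTRICTED_BUCKET))
    print(put_object(UNRESTRICTED_BUCKET))
    print(put_object(RESTRICTED_BUCKET, routes=[("0.0.0.0/0", "nat-gateway")]))
```

Running the block prints the three outcomes a defender wants to reason about: the restricted bucket is reachable only because the IAM policy, the endpoint policy and the bucket policy all line up; the unrestricted bucket is cut off at the endpoint policy even though the role would permit it; and if the prefix-list route were absent, the request would leave through the NAT gateway and the (assumed) bucket policy would reject it for lacking the aws:sourceVpce condition key.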