SalesApp EC2 to Restricted S3 Bucket

SalesApp EC2 to Restricted Bucket. Verify that attempts to write into the restricted bucket (the bucket with a bucket policy) from the SalesApp EC2 instance via the Gateway VPC Endpoint are ALLOWED.

  1. Refer to the collected output values from your CloudFormation stack. Note the value of the “RestrictedS3Bucket” output. You will substitute this value into the commands below.

Ensure that your session is connected to the Sales App EC2 instance. You will execute step 2 from the Sales App EC2 bash prompt. If you do not already have a bash session connected to the Sales App EC2 instance, execute the following command from Cloud9:

    ssh ec2-user@salesapp -i vpce.pem

  2. Execute the commands provided below AFTER replacing <restrictedS3Bucket> with the output value collected in step 1. Make note of the results.

    touch test.txt
    aws sts get-caller-identity
    aws s3 cp test.txt s3://<restrictedS3Bucket>/test.txt

Expected behavior

When executed from the Sales App EC2 instance:

The upload to the restricted bucket will succeed. The Gateway VPC Endpoint policy will ALLOW objects to be put into the restricted bucket (bucket with a bucket policy).


Why does this work?

A. The SalesApp instance is on the private subnet. When you execute the aws s3 cp command, the AWS CLI signs your API request using the credentials of the identity returned by aws sts get-caller-identity: the salesapprole. The salesapprole has an IAM policy that authorizes it to perform the s3:PutObject API call against both the restricted and the unrestricted bucket.

The AWS CLI uses DNS to resolve the address for Amazon Simple Storage Service (S3). The private route table has a prefix list entry that dynamically resolves to the public CIDR ranges used by S3, so it covers all S3 public IP addresses; the target for this entry is the Gateway VPC Endpoint. This route table entry is more specific than the default route, and the more specific route takes precedence, so traffic for the S3 public IP address space is sent to the S3 Gateway VPC Endpoint.

The S3 Gateway VPC Endpoint policy allows access ONLY to the restricted bucket. Requests that reference the restricted S3 bucket resource therefore succeed.
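As an added illustration that is not part of the workshop material, the following Python models the decision the S3 Gateway VPC Endpoint policy makes for a request that reaches the endpoint. The policy document and bucket names are constructed placeholders (the real values come from your CloudFormation outputs), and it goes beyond the lab step by also showing the decision for a bucket the policy does not name.

```python
"""Simplified S3 Gateway VPC Endpoint policy evaluation (constructed example)."""
import fnmatch

# Constructed endpoint policy in the shape the lab describes: only the
# restricted bucket is reachable through the endpoint. Placeholder bucket name.
RESTRICTED_BUCKET = "restricted-bucket-placeholder"
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": [
                f"arn:aws:s3:::{RESTRICTED_BUCKET}",
                f"arn:aws:s3:::{RESTRICTED_BUCKET}/*",
            ],
        }
    ],
}


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # '[' is escaped so fnmatch does not treat it as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def endpoint_allows(policy, action, resource_arn):
    """Return True when a statement allows the action on the resource and no
    statement explicitly denies it (no Condition handling, like the lab policy)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        allowed = True
    return allowed


def object_arn(bucket, key):
    """ARN the endpoint evaluates for `aws s3 cp test.txt s3://<bucket>/<key>`."""
    return f"arn:aws:s3:::{bucket}/{key}"


if __name__ == "__main__":
    print(endpoint_allows(ENDPOINT_POLICY, "s3:PutObject", object_arn(RESTRICTED_BUCKET, "test.txt")))  # True
    print(endpoint_allows(ENDPOINT_POLICY, "s3:PutObject", object_arn("other-bucket-placeholder", "test.txt")))  # False
```

Because the endpoint policy is evaluated in addition to the salesapprole IAM policy, the upload succeeds only when both allow it, which is the case for the restricted bucket here.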