Abdullah Khawer

Reputation: 5748

Allow access to AWS S3 bucket via VPC within AWS without authentication

Is there any way to allow access to objects in an AWS S3 bucket via VPC within AWS without authentication? I don't want to use AWS IAM role or user for this. I don't want to disable access for all except VPC as objects are supposed to be accessed via AWS IAM role outside AWS.

Purpose: To provide AWS S3 bucket access to GitLab Runners running inside AWS EKS Kubernetes cluster on private nodes.

Note: Public access is blocked and will remain blocked. All of the objects are private and will remain private.

Upvotes: 2

Views: 1194

Answers (1)

Abdullah Khawer

Reputation: 5748

Yes, you can allow access to objects in an AWS S3 bucket via VPC within AWS without authentication using an AWS VPC endpoint (VPCE) for S3 and a bucket policy on that AWS S3 bucket.

Points to consider:

  • AWS VPC endpoint (VPCE) should be created for S3 service with Gateway type in the same region in which the AWS S3 bucket exists with the desired AWS VPC and route tables selected along with Full Access policy.
  • AWS S3 bucket policy should only allow that AWS VPC endpoint.

A sample AWS S3 bucket policy will be as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-access-to-S3-bucket-via-VPC-endpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[BUCKET_NAME]/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "[VPCE_ID]"
                }
            }
        }
    ]
}

Where [BUCKET_NAME] and [VPCE_ID] will be replaced with the appropriate values accordingly.

Source: How can I configure my Amazon VPC to privately connect to my S3 bucket without using authentication?

Upvotes: 5
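To show how the bucket policy above behaves, here is an added worked example that is not part of the answer or of AWS's own tooling: a deliberately simplified policy evaluator (only the StringEquals/StringNotEquals operators and trailing-wildcard resources that this policy needs) plus a defender check that flags any Allow statement with "Principal": "*" that is not pinned to a VPC endpoint. The bucket name, the VPC endpoint id and the "weak" second policy are constructed placeholders, not values from the page.

```python
import json

# Constructed placeholders, not real identifiers.
BUCKET_NAME = "example-bucket"
VPCE_ID = "vpce-0123456789abcdef0"

# Same shape as the policy in the answer, with placeholders filled in.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-access-to-S3-bucket-via-VPC-endpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*",
            "Condition": {"StringEquals": {"aws:sourceVpce": VPCE_ID}},
        }
    ],
}

# Constructed "weak" variant: same anonymous principal, but no endpoint condition.
WEAK_POLICY = json.loads(json.dumps(SAMPLE_POLICY))
WEAK_POLICY["Statement"][0]["Sid"] = "allow-everyone-anywhere"
del WEAK_POLICY["Statement"][0]["Condition"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, arn):
    # Simplified: only a trailing "*" wildcard is supported, which is all the policy uses.
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn


def _condition_satisfied(condition, context):
    # Condition keys are case-insensitive in IAM; values are compared exactly here.
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                # Operators outside this toy evaluator are treated as unsatisfied.
                return False
    return True


def evaluate(policy, action, resource_arn, context):
    """Return True if the bucket policy grants `action` on `resource_arn` to an
    anonymous caller whose request carries the given condition context
    (e.g. {"aws:sourceVpce": "vpce-..."} when it arrives via a gateway endpoint).
    Explicit Deny wins, as in IAM; no other policies are modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(_resource_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_satisfied(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unscoped_public_statements(policy):
    """Defender check: Sids of Allow statements with an anonymous principal ("*")
    that carry neither an aws:sourceVpce nor an aws:sourceVpc condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if not anonymous:
            continue
        keys = {k.lower() for pairs in (stmt.get("Condition") or {}).values() for k in pairs}
        if not keys & {"aws:sourcevpce", "aws:sourcevpc"}:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET_NAME}/ci/artifact.tgz"
    print("via endpoint:", evaluate(SAMPLE_POLICY, "s3:GetObject", obj, {"aws:sourceVpce": VPCE_ID}))
    print("from elsewhere:", evaluate(SAMPLE_POLICY, "s3:GetObject", obj, {}))
    print("weak policy findings:", unscoped_public_statements(WEAK_POLICY))
```

The evaluator makes the point of the answer concrete: the same anonymous GetObject request is allowed only when the request context carries the expected aws:sourceVpce value, which a request arriving from the internet or from another VPC never has, and PutObject is not granted at all. The checker is the review step to run before deploying any "Principal": "*" statement; a statement like the weak variant is the one that would open the bucket to everyone. Restricting the statement by aws:sourceVpce is also what lets it coexist with S3 Block Public Access, which treats a policy pinned to a fixed VPC endpoint as not public.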
