Amazon S3 over VPN


Is it possible to establish VPN connectivity to Amazon S3 directly without utilizing Elastic cloud EC2?


Since S3 bucket names are globally unique and accessible over HTTP using a unique URL, it is not possible to isolate S3 at the network level, and it requires access control using Bucket Policies, IAM policies or Access Control Lists. You can also use Bucket Policies to whitelist source IPs that can access your buckets.

The Access Control system available in S3 enforces security in accessing S3. In addition, the data in transit is encrypted using HTTPS, and optionally you can also leverage encryption at rest for objects residing in S3 to further harden the security.

In addition, there are multiple ways to establish connections to S3 based on the egress restrictions at the S3 access client locations (e.g. on-premises, VPC private/public subnet, etc.).

  • Accessing S3 over the internet if there are no egress restrictions.
  • Use VPC Endpoints to S3 if you are accessing S3 from an AWS VPC.
  • Direct Connect connection from on-premises to AWS data centers to access S3 over a dedicated, private network connection.

Unfortunately, since S3 does not provide a feature for network segmentation, it is not possible to use a VPN connection to S3 to restrict access at the network level.
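The answer above relies on Bucket Policies rather than network isolation: the bucket only accepts requests that arrive from whitelisted source IPs or through the VPC gateway endpoint. The following is an added example, not code from the original answer or from AWS. It builds such a policy and includes a small, simplified local simulation of how the two Condition operators combine, so a practitioner can see which request origins the policy would deny before deploying it. The bucket name, office CIDR and endpoint id are constructed placeholders; the evaluator follows the publicly documented IAM rules for `NotIpAddress`/`StringNotEquals` (conditions in one statement are ANDed, and a negated operator matches when its key is absent) but is not the AWS policy engine.

```python
"""Bucket policy restricting S3 access by network origin, plus a simplified
local simulation of its Condition keys. Added example; values are constructed."""
import ipaddress
import json

BUCKET = "example-corp-private-bucket"      # constructed placeholder
OFFICE_CIDRS = ["203.0.113.0/24"]           # constructed (TEST-NET-3 range)
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"  # constructed placeholder


def build_policy(bucket, cidrs, vpce_id):
    """Deny every request that comes neither from the allowed CIDRs nor via the endpoint.

    Both conditions are in one statement, so they are ANDed: the Deny only fires
    when the source IP is outside the CIDRs *and* the request did not arrive via
    the named VPC endpoint. Identity-based Allow statements still apply on top.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromOfficeOrVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": cidrs},
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                },
            }
        ],
    }


# --- simplified evaluator (illustration only, not the AWS policy engine) ---

def _not_ip_address(ctx_value, cidrs):
    """NotIpAddress: matches when the key is absent or the IP is in none of the CIDRs."""
    if ctx_value is None:
        return True  # negated operators match on a missing key
    ip = ipaddress.ip_address(ctx_value)
    return not any(ip in ipaddress.ip_network(c) for c in cidrs)


def _string_not_equals(ctx_value, expected):
    """StringNotEquals: matches when the key is absent or the value differs."""
    if ctx_value is None:
        return True
    return ctx_value != expected


OPERATORS = {"NotIpAddress": _not_ip_address, "StringNotEquals": _string_not_equals}


def statement_matches(statement, request_ctx):
    """All condition operators in a statement must match (they are ANDed)."""
    for op, key_map in statement.get("Condition", {}).items():
        for key, expected in key_map.items():
            if not OPERATORS[op](request_ctx.get(key), expected):
                return False
    return True


def is_denied(policy, request_ctx):
    """True if any Deny statement in the policy matches the request context."""
    return any(
        st["Effect"] == "Deny" and statement_matches(st, request_ctx)
        for st in policy["Statement"]
    )


POLICY = build_policy(BUCKET, OFFICE_CIDRS, VPC_ENDPOINT_ID)

# Constructed request contexts: requests through a gateway endpoint carry
# aws:SourceVpce and no public aws:SourceIp; internet requests carry only the IP.
SAMPLE_REQUESTS = {
    "office_ip": {"aws:SourceIp": "203.0.113.10"},
    "unknown_ip": {"aws:SourceIp": "198.51.100.7"},
    "via_our_endpoint": {"aws:SourceVpce": VPC_ENDPOINT_ID},
    "via_other_endpoint": {"aws:SourceVpce": "vpce-0fedcba9876543210"},
    "no_network_context": {},
}


def evaluate_samples():
    """Map each constructed request to whether the policy denies it."""
    return {name: is_denied(POLICY, ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, denied in evaluate_samples().items():
        print(f"{name:20s} -> {'DENY' if denied else 'not denied'}")
```

Requests from the office range and requests through the named endpoint pass the Deny; everything else, including a request with no recognizable network context, is refused. This is the same outcome the answer describes: access control at the policy layer stands in for the network segmentation S3 does not offer.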
