AWS PrivateLink for S3 on Outposts
S3 on Outposts supports AWS PrivateLink, which provides direct management access to your S3 on Outposts storage through a private endpoint within your virtual private network. This allows you to simplify your internal network architecture and perform management operations on your Outposts object storage by using private IP addresses in your Virtual Private Cloud (VPC). Using AWS PrivateLink eliminates the need to use public IP addresses or proxy servers.
With AWS PrivateLink for Amazon S3 on Outposts, you can provision interface VPC endpoints in your virtual private cloud (VPC) to access your S3 on Outposts bucket management and endpoint management APIs. Interface VPC endpoints are directly accessible from applications deployed in your VPC or on premises over your virtual private network (VPN) or AWS Direct Connect. You can access the bucket and endpoint management APIs through AWS PrivateLink. AWS PrivateLink doesn't support data transfer API operations, such as GET, PUT, and similar APIs. These operations are already transferred privately through the S3 on Outposts endpoint and access point configuration. For more information, see Networking for S3 on Outposts.
Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests made to interface endpoints for S3 on Outposts are automatically routed to S3 on Outposts bucket and endpoint management APIs on the AWS network. You can also access interface endpoints in your VPC from on-premises applications through AWS Direct Connect or AWS Virtual Private Network (AWS VPN). For more information about how to connect your VPC with your on-premises network, see the AWS Direct Connect User Guide and the AWS Site-to-Site VPN User Guide.
Interface endpoints route requests for S3 on Outposts bucket and endpoint management APIs over the AWS network and through AWS PrivateLink, as illustrated in the following diagram.
For general information about interface endpoints, see Interface VPC endpoints (AWS PrivateLink) in the AWS PrivateLink Guide.
Topics
Restrictions and limitations
When you access S3 on Outposts bucket and endpoint management APIs through AWS PrivateLink, VPC limitations apply. For more information, see Interface endpoint properties and limitations and AWS PrivateLink quotas in the AWS PrivateLink Guide.
In addition, AWS PrivateLink doesn't support the following:
-
S3 on Outposts data transfer APIs, for example, GET, PUT, and similar object API operations.
-
Private DNS
Accessing S3 on Outposts interface endpoints
To access S3 on Outposts bucket and endpoint management APIs using AWS PrivateLink, you must update your applications to use endpoint-specific DNS names. When you create an interface endpoint, AWS PrivateLink generates two types of endpoint-specific S3 on Outposts names: Regional and zonal.
-
Regional DNS names – include a unique VPC endpoint ID, a service identifier, the AWS Region, and
vpce.amazonaws.com
, for example,
.vpce-1a2b3c4d-5e6f
.s3-outposts.us-east-1.vpce.amazonaws.com -
Zonal DNS names – include a unique VPC endpoint ID, the Availability Zone, a service identifier, the AWS Region, and
vpce.amazonaws.com
, for example,
. You might use this option if your architecture isolates Availability Zones. For example, you could use zonal DNS names for fault containment or to reduce Regional data transfer costs.vpce-1a2b3c4d-5e6f
-us-east-1a.s3-outposts.us-east-1.vpce.amazonaws.com
Important
S3 on Outposts interface endpoints are resolved from the public DNS domain.
S3 on Outposts does not support private DNS. Use the --endpoint-url
parameter for all bucket and endpoint management APIs.
AWS CLI examples
Use the --region
and --endpoint-url
parameters to access
bucket management and endpoint management APIs through S3 on Outposts interface endpoints.
Example : Use the endpoint URL to list buckets with the S3 control API
In the following example, replace the Region
, VPC endpoint URL
us-east-1
,
and account ID vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com
with appropriate information.111122223333
aws s3control list-regional-buckets --region
us-east-1
--endpoint-url https://vpce-1a2b3c4d-5e6f.s3-outposts.us-east-1.vpce.amazonaws.com
--account-id111122223333
AWS SDK examples
Update your SDKs to the latest version, and configure your clients to use an endpoint URL for accessing the S3 control API for S3 on Outposts interface endpoints.
Updating an on-premises DNS configuration
When using endpoint-specific DNS names to access the interface endpoints for S3 on Outposts bucket management and endpoint management APIs, you don’t have to update your on-premises DNS resolver. You can resolve the endpoint-specific DNS name with the private IP address of the interface endpoint from the public S3 on Outposts DNS domain.
Creating a VPC endpoint for S3 on Outposts
To create a VPC interface endpoint for S3 on Outposts, see Create a VPC endpoint in the AWS PrivateLink Guide.
Creating bucket policies and VPC endpoint policies for S3 on Outposts
You can attach an endpoint policy to your VPC endpoint that controls access to S3 on Outposts.
You can also use the aws:sourceVpce
condition in S3 on Outposts bucket
policies to restrict access to specific buckets from a specific VPC endpoint. With VPC
endpoint policies, you can control access to S3 on Outposts bucket management APIs and
endpoint management APIs. With bucket policies, you can control access to the
S3 on Outposts bucket management APIs. However, you can't manage access to object actions
for S3 on Outposts using aws:sourceVpce
.
Access policies for S3 on Outposts specify the following information:
-
The AWS Identity and Access Management (IAM) principal for which actions are allowed or denied.
-
The S3 control actions that are allowed or denied.
-
The S3 on Outposts resources on which actions are allowed or denied.
The following examples show policies that restrict access to a bucket or to an endpoint. For more information about VPC connectivity, see Network-to-VPC connectivity options in the AWS whitepaper Amazon Virtual Private Cloud Connectivity Options.
Important
-
When you apply the example policies for VPC endpoints described in this section, you might block your access to the bucket without intending to do so. Bucket permissions that limit bucket access to connections originating from your VPC endpoint can block all connections to the bucket. For information about how to fix this issue, see My bucket policy has the wrong VPC or VPC endpoint ID. How can I fix the policy so that I can access the bucket?
in the AWS Support Knowledge Center. -
Before using the following example bucket policies, replace the VPC endpoint ID with an appropriate value for your use case. Otherwise, you won't be able to access your bucket.
-
If your policy only allows access to an S3 on Outposts bucket from a specific VPC endpoint, it disables console access for that bucket because console requests don't originate from the specified VPC endpoint.
Topics
Example: Restricting access to a specific bucket from a VPC endpoint
You can create an endpoint policy that restricts access to specific S3 on Outposts
buckets only. The following policy restricts access for the GetBucketPolicy action
only to the
. To use
this policy, replace the example values with your own. example-outpost-bucket
{ "Version": "2012-10-17", "Id": "Policy1415115909151", "Statement": [ { "Sid": "Access-to-specific-bucket-only", "Principal": {"AWS":"111122223333"}, "Action": "s3-outposts:GetBucketPolicy", "Effect": "Allow", "Resource": "arn:aws:s3-outposts:
region
:123456789012
:outpost/op-01ac5d28a6a232904
/bucket/example-outpost-bucket
" } ] }
Example: Denying access from a specific VPC endpoint in an S3 on Outposts bucket policy
The following S3 on Outposts bucket policy denies access to GetBucketPolicy on the
bucket
through the example-outpost-bucket
VPC endpoint.vpce-1a2b3c4d
The aws:sourceVpce
condition specifies the endpoint and does not require
an Amazon Resource Name (ARN) for the VPC endpoint resource, only the endpoint ID. To use
this policy, replace the example values with your own.
{ "Version": "2012-10-17", "Id": "Policy1415115909152", "Statement": [ { "Sid": "Deny-access-to-specific-VPCE", "Principal": {"AWS":"111122223333"}, "Action": "s3-outposts:GetBucketPolicy", "Effect": "Deny", "Resource": "arn:aws:s3-outposts:
region
:123456789012
:outpost/op-01ac5d28a6a232904
/bucket/example-outpost-bucket
", "Condition": { "StringEquals": {"aws:sourceVpce": "vpce-1a2b3c4d
"} } } ] }