Give AWS Private Subnet Access to S3 with VPC Endpoint in CloudFormation

From Bonus Bits

Purpose

This article gives the steps to give private subnets access to S3 through a VPC Endpoint in CloudFormation. No NAT is needed. You can also attach the endpoint to the public subnets, both for nodes there that have no public IP address and to keep S3 traffic off the internet.


Prerequisites

  • AWS Account
  • Cool enough permissions


Environment

  • Create VPC
  • Create 2 public subnets
  • Create 2 private subnets
  • Add the S3 "internal" access endpoint to the route tables of both the public and private subnets


VPC Endpoint

"S3VpcEndpoint": {
  "Type": "AWS::EC2::VPCEndpoint",
  "DependsOn": [
    "VPC",
    "PrivateRouteTable",
    "PublicRouteTable"
  ],
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": "*",
          "Effect": "Allow",
          "Resource": "*",
          "Principal": "*"
        }
      ]
    },
    "RouteTableIds": [
      {"Ref": "PrivateRouteTable"},
      {"Ref": "PublicRouteTable"}
    ],
    "ServiceName": { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" }, ".s3" ] ] },
    "VpcId": {
      "Ref": "VPC"
    }
  }
}


S3 Bucket Policy

Add your VPC Endpoint ID as the Condition value. Use your own Policy Id and Sids, of course (each Sid within one policy must be unique).

{
  "Version": "2012-10-17",
  "Id": "Policy3445674452340",
  "Statement": [
    {
      "Sid": "Stmt2445373452640",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-of-fun/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-8430a1fd"
        }
      }
    },
    {
      "Sid": "AllowListBucketFromVpce",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-of-fun",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-8430a1fd"
        }
      }
    }
  ]
}
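The bucket policy above grants access to Principal "*", so it is only safe because every Allow is narrowed by the aws:sourceVpce condition; a statement that loses that condition silently becomes an anonymous, internet-wide grant. The following Python script is an added example (not code from the Bonus Bits article) that lints a bucket policy for exactly that property and for repeated Sids. The sample policy embedded in it is constructed: it reuses the article's example bucket name and endpoint id and adds a third statement that both repeats a Sid and has dropped its condition.

```python
"""Lint an S3 bucket policy that opens a bucket to Principal "*" but scopes it to a VPC endpoint.

Added example, not code from the Bonus Bits article. Checks:
  - every Allow with a wildcard principal has a StringEquals condition on aws:sourceVpce
    naming the expected endpoint (the condition key is matched case-insensitively);
  - Sids are unique (S3 rejects a policy with repeated Sids).
"""
import json

# Endpoint id the policy is expected to trust (the article's example value).
EXPECTED_VPCE = "vpce-8430a1fd"

# Constructed sample policy: the article's two statements plus a third that
# (a) reuses the first statement's Sid and (b) has lost its aws:sourceVpce condition.
SAMPLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Id": "Policy3445674452340",
  "Statement": [
    {"Sid": "Stmt2445373452640", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::bucket-of-fun/*",
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-8430a1fd"}}},
    {"Sid": "AllowListBucketFromVpce", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-of-fun",
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-8430a1fd"}}},
    {"Sid": "Stmt2445373452640", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-of-fun/*"}
  ]
}
"""


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _source_vpce_values(condition: dict, findings: list, label: str) -> list:
    """Collect aws:sourceVpce values that actually narrow the statement (StringEquals only)."""
    values = []
    for operator, pairs in condition.items():
        for key, value in pairs.items():
            if key.lower() != "aws:sourcevpce":
                continue
            if operator != "StringEquals":
                findings.append(f"{label}: aws:sourceVpce used with {operator}; "
                                "only StringEquals narrows an Allow to the endpoint")
                continue
            values.extend(value if isinstance(value, list) else [value])
    return values


def lint_bucket_policy(policy: dict, expected_vpce: str) -> list:
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    seen_sids = set()
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid")
        label = sid or f"Statement[{index}]"
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"{label}: duplicate Sid")
            seen_sids.add(sid)
        # Only an Allow to 'anyone' needs the endpoint condition to stay private.
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        before = len(findings)
        vpces = _source_vpce_values(stmt.get("Condition", {}), findings, label)
        if not vpces and len(findings) == before:
            findings.append(f"{label}: Allow to Principal '*' with no aws:sourceVpce condition "
                            "(anonymous access from anywhere)")
        elif vpces and set(vpces) != {expected_vpce}:
            findings.append(f"{label}: aws:sourceVpce is {sorted(vpces)}, expected {expected_vpce}")
    return findings


def lint_sample(expected_vpce: str = EXPECTED_VPCE) -> list:
    """Run the linter over the constructed sample policy."""
    return lint_bucket_policy(json.loads(SAMPLE_POLICY_JSON), expected_vpce)


if __name__ == "__main__":
    for finding in lint_sample() or ["no findings"]:
        print(finding)
```

Run it against a policy pulled with `aws s3api get-bucket-policy` before applying it, or in CI on the template that carries the policy; the endpoint id is passed in explicitly so the same check can be pointed at each environment's endpoint.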

